Risk Factors - EFX

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

$EFX Risk Factor changes from 00/02/24/22/2022 to 00/02/22/24/2024

Item 1A. Risk Factors,” and elsewhere in this report and those described from time to time in our future reports filed with the United States Securities and Exchange Commission (“SEC”). As a result of such risks and uncertainties, we urge you not to place undue reliance on any such forward-looking statements. Forward-looking statements speak only as of the date when made. We undertake no obligation to publicly update or revise any forward-looking statements, whether as a result of new information, future events or otherwise, except as required by law.

Available Information Detailed information about us is contained in our annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, proxy statements and other reports, and amendments to those reports, that we file with, or furnish to, the SEC. These reports are available free of charge at our website, www.equifax.com, as soon as reasonably practicable after we electronically file such reports with or furnish such reports to the SEC. However, our website and any contents thereof should not be considered to be incorporated by reference into this document. We will furnish copies of such reports free of charge upon written request to Equifax Inc., Attn: Office of Corporate Secretary, P.O. Box 4081, Atlanta, Georgia, 30302. These reports are also available at www.sec.gov.ITEM 1A.14ITEM 1A.

RISK FACTORS All of the risks and uncertainties described below and the other information included in this Form 10-K should be considered and read carefully. RISK FACTORSAll of the risks and uncertainties described below and the other information included in this Form 10-K should be considered and read carefully. The risks described below are not the only ones facing us. The occurrence of any of the following risks or additional risks and uncertainties not presently known to us or that we currently believe to be immaterial could materially and adversely affect our business, financial condition or results of operations.

This Form 10-K also contains forward-looking statements and estimates that involve risks and uncertainties. Our actual results could differ materially from those anticipated in the forward-looking statements as a result of specific factors, including the risks and uncertainties described below.Technology and Data Security RisksSecurity breaches and other disruptions to our information technology infrastructure could compromise Company, consumer and customer information, interfere with our operations, cause us to incur significant costs for remediation and enhancement of our IT systems and expose us to legal liability, all of which could have a substantial negative impact on our business and reputation.We are a global data, analytics and technology company. In the ordinary course of business, we collect, process, transmit and store sensitive data, including intellectual property, proprietary business information and personal information of consumers, employees and strategic partners. In the ordinary course of business, we collect, process, transmit and store sensitive data, including intellectual property, proprietary business information and personally identifiable information of consumers, employees and strategic partners. The secure operation of our information technology networks and systems, and of the processing and maintenance of this information, is critical to our business operations and strategy. Because our products and services involve the storage and transmission of personal information of consumers, we are routinely the target of attempted cyber and other security threats by outside third parties, including technically sophisticated and well-resourced bad actors attempting to access or steal the data we store. Additionally, we could experience service disruptions or a loss of access to critical data or systems due to ransomware or other destructive attacks. Insider or employee cyber and security threats are also a significant concern for all companies, including ours. Despite our substantial investment in physical and technological security measures, employee training and contractual precautions, our information technology networks and infrastructure (or those of our third-party vendors and other service providers) are potentially vulnerable to unauthorized access to data, loss of access to systems or breaches of confidential information due to criminal conduct, attacks by hackers, employee or insider malfeasance and/or human error. 14The techniques used to obtain unauthorized access, disable or degrade service or sabotage systems are constantly evolving and often are not recognized until launched against a target, or even some time after. We may be unable to anticipate these techniques, implement adequate preventative measures or remediate any intrusion on a timely or effective basis even if our security measures are appropriate, reasonable, and/or comply with applicable legal requirements. Certain efforts may be state-sponsored and supported by significant financial and technological resources, making them even more sophisticated and difficult to detect. Further, we are in the process of transforming our applications and infrastructure technologies, and this transition to cloud-based technologies may expose us to additional cyber threats as we migrate our data from our legacy systems to cloud-based solutions hosted by third parties. Although we have developed systems and processes that are designed to protect our data and customer data and to prevent data loss and other security breaches, and expect to continue to expend significant additional resources to bolster these protections, these security measures cannot provide absolute security. We previously experienced a material cybersecurity incident in 2017 and if we experience additional breaches of our security measures, including from incidents that we fail to detect for a period of time, sensitive data may be accessed, stolen, disclosed or lost. Any such access, disclosure or other loss of information could subject us to business interruption, significant litigation, regulatory fines or penalties, any of which could have a material adverse effect on our cash flows, competitive position, financial condition or results of operations. Any such access, disclosure or other loss of information could subject us to significant litigation, regulatory fines or penalties, any of which could have a material adverse effect on our cash flows, competitive position, financial condition or results of operations. While we maintain cybersecurity insurance, we cannot ensure that our insurance policies in the future will be adequate to cover losses from any security breaches.Security breaches and attacks, and the adverse publicity that may follow, can have a negative impact on our reputation and our relationship with our customers. For example, our reputation with consumers and other stakeholders and our customer relationships were damaged following the cybersecurity incident in 2017, resulting in a negative impact on our revenue for a period of time. For example, our reputation with consumers and other stakeholders and our customer relationships were damaged following the 2017 cybersecurity incident, resulting in a negative impact on our revenue for a period of time. If we experience another material cybersecurity incident or are otherwise unable to demonstrate the security of our systems and the data we maintain and retain the trust of our customers, consumers and data suppliers, we could experience a substantial negative impact on our business.If we fail to achieve and maintain key industry or technical certifications, our customers and business partners may stop doing business with us and we may not be able to win new business, which would negatively affect our revenue.We are required by customers and business partners to obtain various industry or technical certifications. Such certifications are critical to our business because certain of our current and potential customers and the contracts governing certain customer relationships, as well as certain of our data suppliers, require us to maintain them as a requirement of doing business. For example, as a result of a prior material cybersecurity incident, we lost certain key certifications which caused certain customers and business partners to stop or pause doing business with us and temporarily limited our ability to win new business. For example, as a result of the 2017 cybersecurity incident, we lost certain key certifications which caused certain customers and business partners to stop or pause doing business with us and temporarily limited our ability to win new business. We had to spend significant resources on remediation activities in order to obtain these key re-certifications. If we fail to achieve or maintain key industry or technical certifications as a result of another cybersecurity incident or for other reasons, customers and business partners may stop doing business with us and we may not be able to win new business, which would negatively affect our revenue.Strategy and Market Demand RisksThe failure to realize the anticipated benefits of our technology transformation strategy could adversely impact our business and financial results.We expect our technology transformation strategy, including our transition to cloud-based technologies, will significantly increase our efficiency, our productivity, and the stability and functionality of our products and services, as well as decrease the cost of our overall systems infrastructure, all of which we expect will drive growth and have a positive effect on our business, competitive position and results of operations.We expect our technology transformation strategy, including our transition to cloud-based technologies, will significantly increase our efficiency, our productivity and the stability and functionality of our products and services, as well as decrease the cost of our overall systems infrastructure, all of which we expect will drive growth and have a positive effect on our business, competitive position and results of operations. This initiative is a major undertaking as we replace many of our previous operating systems with cloud-based systems. This complex, multifaceted and extensive initiative is expensive and has caused, and may cause in the future, unanticipated problems and expenses. This complex, multifaceted and extensive initiative is expensive and may cause material unanticipated problems and expenses. If the transition causes errors or adversely impacts system processes, our new systems do not operate as expected, or the data we transition to the cloud changes in a material way, we may have to incur significant additional costs to make modifications and could lose customers and we may suffer reputational harm as a result. Moreover, we have experienced issues with customer migration, as some of our customers may not migrate to cloud-based technologies on a timely basis or at all or may choose not to utilize our products and services during and after our transition to cloud-based technologies, which could negatively impact our revenue. Moreover, we may experience issues with customer migration, as many of our customers may not migrate to cloud-based technologies on a timely basis or at all or may choose not to utilize our products and services during and after our transition to cloud-based technologies, which could negatively impact our revenue. We cannot assure you that our technology transformation strategy will be beneficial to the extent, or within the timeframes expected, or that the estimated efficiency, cost savings and other improvements will be realized as anticipated or at 15all. Market acceptance of cloud-based offerings is affected by a variety of factors, including information security, reliability, performance, the sufficiency of technological infrastructure to support our products and services in certain geographies, customer and data provider concerns with entrusting a third party to store and manage its data as well as the customer’s ability to access this data once a contract has expired, and consumer concerns regarding data privacy and the enactment of laws or regulations that restrict our ability to provide such services to customers. If we are unable to correctly respond to these issues, we may experience business disruptions, damage to our reputation, negative publicity, diminished customer trust and relationships and other adverse effects on our business. Even if the anticipated benefits and savings are substantially realized, there may be consequences, internal control issues or business impacts that were not expected. Our transition and migration to cloud-based technologies may increase our risk of liability and cause us to incur significant technical, legal, regulatory or other costs.The loss of access to credit, employment, financial and other data from external sources could harm our ability to provide our products and services.We rely extensively upon data from external sources to maintain our proprietary and non-proprietary databases, including data received from customers, licensors, furnishers, strategic partners and various government and public record sources. This data includes the widespread and voluntary contribution of credit data from most lenders in the U.S. and many other markets as well as the contribution of data under proprietary contractual agreements, such as employers’ contribution of employment and income data to The Work Number® and telecommunications, cable and utility companies’ contribution of payment and fraud data to the National Cable, Telecommunications and Utility Exchange (NCTUE). For a variety of reasons, including concerns of data furnishers arising out of legislatively or judicially imposed restrictions on use, security breaches or competitive reasons, our data sources could withdraw, delay receipt of or increase the cost of the data they provide to us. Where we currently have exclusive use of data, the providers of the data sources could elect to make the information available to competitors. We also compete with several of our third-party data suppliers. If a substantial number of data sources or certain key data sources were to withdraw or be unable to provide their data, if we were to lose access to data due to government regulation, if we lose our right to the use of data, or if the collection, disclosure or use of data becomes uneconomical, our ability to provide products and services to our customers could be adversely affected, which could result in decreased revenue, net income and earnings per share and reputational loss. If a substantial number of data sources or certain key data sources were to withdraw or be unable to provide their data, if we were to lose access to data due to government regulation, if we lose exclusive right to the use of data, or if the collection, disclosure or use of data becomes uneconomical, our ability to provide products and services to our customers could be adversely affected, which could result in decreased revenue, net income and earnings per share and reputational loss. There can be no assurance that we would be able to obtain data from alternative sources if our current sources become unavailable.Negative changes in general economic conditions, including interest rates, the level of inflation, unemployment rates, income, home prices, investment values and consumer confidence, could adversely affect us.Our customers, and therefore our business and revenues, are sensitive to negative changes in general economic conditions, including the demand and availability of affordable credit and capital, the level and volatility of interest rates, the level of inflation, employment levels, consumer confidence and housing demand, both inside and outside the United States. Business customers use our credit information and related analytical services and data to process applications for new credit cards, automobile loans, home and equity loans and other consumer loans, and to manage their existing credit relationships. Demand for our services tends to be correlated to general levels of economic activity and to consumer credit activity, which can be impacted by changes in interest rates and the level of inflation. Banks’ and other lenders’ willingness to extend credit are adversely affected by elevated consumer delinquency and loan losses in a weak economy. Consumer demand for credit (i.e., rates of spending and levels of indebtedness) also tends to grow more slowly or decline during periods of economic contraction or slow economic growth. Our customer base suffers when financial markets experience volatility, illiquidity and disruption, and the potential for disruptions going forward presents considerable risks to our business and revenue. Our customer base suffers when financial markets experience volatility, illiquidity and disruption, and the potential for increased and continuing disruptions going forward presents considerable risks to our business and revenue. High or rising rates of unemployment and interest, declines in income, home prices or investment values, lower consumer confidence and reduced access to credit adversely affect demand for many of our products and services, and consequently our revenue and results of operations, as consumers may postpone or reduce their spending and use of credit, and lenders may reduce the amount of credit offered or available.In 2024, we expect the U.In 2022, we expect U. S. mortgage market, as measured by credit inquiries, to decline by approximately 16% compared to 2023. Any weakening in the U. Any change in the U. S. mortgage market resulting in a significant reduction in mortgage originations could have a corresponding negative impact on revenue and operating profit for our business, primarily within the Workforce Solutions and USIS operating segments. mortgage market due to a significant change in mortgage inquiries could have a corresponding negative impact on revenue and operating profit for our business, primarily within the Workforce Solutions and USIS operating segments. To the extent inflation results in higher interest rates and has other adverse effects upon the securities markets and upon the value of financial instruments, it may adversely affect our financial position and profitability. To the extent inflation results in rising interest rates and has other adverse effects upon the securities markets and upon the value of financial instruments, it may adversely affect our financial position and profitability. 16Our markets are highly competitive and new product introductions and pricing strategies being offered by our competitors could decrease our sales and market share or require us to enhance our products and services or reduce our prices in a manner that reduces our revenue and operating margins.We operate in a number of geographic, product and service markets that are highly competitive. Competitors may develop products and services that are superior to or that achieve greater market acceptance than our products and services. New competitors may choose to enter and compete in our markets, or existing competitors may choose to introduce new products and enter markets that we serve and that they do not currently serve. The size of our competitors varies across market segments, as do the resources we have allocated to the segments we target. Therefore, some of our competitors may have significantly greater financial, technical, marketing or other resources than we do in one or more of our market segments, or overall. As a result, our competitors may be in a position to respond more quickly than we can to new or emerging technologies and changes in customer requirements, or may devote greater resources than we can to the development, enhancement, promotion, sale and support of products and services, or some of our customers may develop products of their own that replace the products they currently purchase from us, which would result in lower revenue. In addition, many of our competitors have extensive consumer relationships, including relationships with our current and potential customers. Moreover, new competitors or alliances among our competitors may emerge and potentially reduce our market share, revenue or margins. We also license our information to competing firms, and license information from certain of our competitors, in order to sell “tri-bureau” and other products, most notably into the U. We also sell our information to competing firms, and buy information from certain of our competitors, in order to sell “tri-bureau” and other products, most notably into the U. S. mortgage market. Changes in prices between competitors for this information and/or changes in the design or sale of tri-bureau versus single or dual bureau product offerings may affect our revenue or profitability.Some of our competitors may choose to sell products that compete with ours at lower prices by accepting lower margins and profitability, or may be able to sell products competitive to ours at lower prices, individually or as a part of integrated suites, given proprietary ownership of data, technological superiority or economies of scale. Price reductions by our competitors could negatively impact our revenue and operating margins and results of operations and could also harm our ability to obtain new customers on favorable terms. Historically, certain of our key products have experienced declines in per unit pricing due to competitive factors and customer demand. Since a significant portion of our operating expenses is relatively fixed in nature due to sales, information technology and development and other costs, if we were unable to respond quickly enough to changes in competition or customer demand, we could experience further reductions in our operating margins.If our relationships with key customers are materially diminished or terminated, our business could suffer.We have long-standing relationships with a number of our customers, many of whom could unilaterally terminate their relationship with us or materially reduce the amount of business they conduct with us at any time. Many of our material customer agreements can be terminated by the customer for convenience on limited advance written notice, which provides our customers with the opportunity to renegotiate their contracts with us or to award more business to our competitors. Many of our material customer agreements can be terminated by the customer for convenience on advance written notice, which provides our customers with the opportunity to renegotiate their contracts with us or to award more business to our competitors. There is no guarantee that we will be able to retain or renew existing agreements, maintain relationships with any of our customers or business partners on acceptable terms or at all, or collect amounts owed to us from insolvent customers or business partners. The loss of one or more of our major customers or business partners could adversely affect our business, financial condition and results of operations.If we do not introduce successful new products, services and analytical capabilities in a timely manner, or if the market does not adopt our new services, or if new technologies are introduced by competitors that are more effective or at lower costs than ours, our competitiveness and operating results will suffer.We generally sell our products in industries that are characterized by rapid technological changes, including the introduction of new innovative technologies, frequent new product and service introductions and changing industry standards. In addition, certain of the markets in which we operate are seasonal and cyclical. Without the timely introduction of new technologies, products, services and enhancements, our products and services will become technologically or commercially obsolete over time, in which case our revenue and operating results would suffer. The success of our new products and services will depend on several factors, including our ability to properly identify customer needs; innovate and develop new technologies, services and applications; successfully commercialize new technologies in a timely manner; produce and deliver our products in sufficient volumes on time; differentiate our offerings from competitor offerings; price our products competitively; anticipate our competitors’ development of new products, services or technological innovations; and control 17product quality in our product development process. Our resources have to be committed to any new products and services before knowing whether the market will adopt the new offerings.We may face risks associated with our use of certain artificial intelligence and machine learning models.We use artificial intelligence and machine learning models in the development of some of our products. The models that we use are developed or trained using various data sets. If the models are incorrectly designed, the data we use to train them is incomplete, inadequate, or biased in some way, or if we do not have sufficient rights to use the data on which our models rely, the performance of our products and business, as well as our reputation, could suffer or we could incur liability through the violation of laws, third-party privacy, or other rights, or contracts to which we are a party. In addition, these risks include the possibility of new or enhanced governmental or regulatory scrutiny, litigation, or other legal liability, ethical concerns, negative consumer perceptions as to artificial intelligence, or other complications that could adversely affect our business, reputation, or financial results. In particular, our use of artificial intelligence in credit decisioning could lead to enhanced scrutiny. Further, our competitors or other third parties may incorporate artificial intelligence into their products more quickly or more successfully than us, which could impair our ability to compete effectively and adversely affect our results of operations.The demand for some of our products and services may be negatively impacted to the extent the availability of free or less expensive consumer information increases.Public or commercial sources of free or relatively inexpensive consumer credit, credit score and other information have become increasingly available, and this trend is expected to continue.Public or commercial sources of free or relatively inexpensive consumer credit, credit score and other information have become increasingly available, particularly through the internet, and this trend is expected to continue. Free sources of consumer employment and income information, such as paystubs, have always existed and could impact demand for our products and services in the event that customers determine such data is sufficient to meet their needs. In addition, governmental agencies in particular have increased the amount of information to which they provide free public access and these or other sources of free or relatively inexpensive consumer information from competitors or other commercial sources may reduce demand for our services. Recently, there also has been an increase in companies offering free or low-cost direct-to-consumer credit services (such as credit scores, reports and monitoring) as part of alternative business models that use such services as a means to introduce consumers to other products and services. To the extent that our customers choose not to obtain services from us and instead rely on information obtained at no cost or relatively inexpensively from these other sources, our business, financial condition and results of operations may be adversely affected.We rely, in part, on acquisitions, joint ventures and other alliances to grow our business and expand our geographic reach. The acquisition, integration or divestiture of businesses by us may not produce the expected financial or operating results or IT and data security profile we expect. In addition, if we are unable to make acquisitions or successfully develop and maintain joint ventures and other alliances, our growth may be adversely impacted.Historically, we have relied, in part, on acquisitions, joint ventures and other alliances to grow our business. Any transaction we do complete may not be on favorable terms, may involve greater-than-expected liabilities and expenses, potential impairments of tangible and intangible assets or significant write-offs, and the expected benefits, synergies, revenue and growth from these initiatives may not materialize as planned. Any acquisitions we do complete may not be on favorable terms, may involve greater-than-expected liabilities and expenses, potential impairments of tangible and intangible assets or significant write-offs and the expected benefits, synergies and growth from these initiatives may not materialize as planned. We may have difficulty assimilating new businesses and their products, services, technologies, IT systems and personnel into our operations. IT and data security profiles of acquired companies may not meet our technological standards and may take longer to integrate and remediate than planned. This may result in significantly greater transaction, remediation and integration costs for future acquisitions than we have experienced historically, or it could mean that we will not pursue certain acquisitions where the costs of integration and remediation are too significant. We may also have difficulty integrating and operating businesses in geographies and markets or market segments where we do not currently have a significant presence, and acquisitions of businesses having a significant presence outside of the U.S. will increase our exposure to risks of conducting operations in international markets. These difficulties could disrupt our ongoing business, distract our management and workforce, increase our expenses and adversely affect our operating results and financial condition. Despite our past experience, opportunities to grow our business through acquisitions, joint ventures and other alliances may not be available to us in the future. In addition, our focus on data security and our technology transformation strategy, including our migration to cloud-based technologies, may limit our ability to identify and complete acquisitions as our stringent technological criteria and standards for acquisition candidates may continue to increase.If our government contracts are terminated, if we are suspended from government work, or if our ability to compete for new contracts is adversely affected, our business could suffer.18We derive a portion of our revenue from direct and indirect sales to U.S. federal, state and local governments and their respective agencies. We also derive a portion of our revenue from sales to foreign governments and related agencies. Such contracts are subject to various procurement laws and regulations, and contract provisions relating to their formation, administration and performance. Failure to comply with these laws, regulations or provisions in our government contracts could result in the imposition of various civil and criminal penalties, termination of contracts, forfeiture of profits, suspension of payments or suspension of future government contracting. A number of our U.S. federal and state government contracts receive enhanced scrutiny and media attention due to the sensitive nature of the data we handle and due to the importance of the government programs we support. A number of our federal government contracts have received enhanced scrutiny and media attention due to the sensitive nature of the data we handle and due to the importance of the government programs we support. If we experience another material cybersecurity incident, if public or legislative scrutiny and pressure leads to reduced use of data by government agencies, or if we experience uptime issues or performance problems, our ability to maintain existing or acquire new government contracts may be substantially impacted. If we experience another material cybersecurity incident, if public scrutiny and pressure related to government services we support turns negative or if we experience uptime issues or performance problems, our ability to maintain existing or acquire new government contracts may be substantially impacted. If our government contracts are terminated, if we are suspended from government work, if the services we provide are no longer needed due to government program change or termination, or if our ability to compete for new contracts is adversely affected, including by our failure to achieve certain government certifications, our business could suffer.If our government contracts are terminated, if we are suspended from government work, if the services we provide are no longer needed due to government program change or termination, or if our ability to compete for new contracts is adversely affected, including by our failure to achieve certain government certifications, our business could suffer. Our business has been and may continue to be negatively impacted by health epidemics, pandemics and similar outbreaks. We face various risks related to health epidemics, pandemics and similar outbreaks. For example, the COVID-19 pandemic and the mitigation efforts by governments to attempt to control its spread adversely impacted the global economy and led to reduced consumer spending and lending activities. The COVID-19 pandemic and the mitigation efforts by governments to attempt to control its spread have adversely impacted the global economy, leading to reduced consumer spending and lending activities. Our customers, and therefore our business and revenues, are sensitive to negative changes in general economic conditions. We experienced significant revenue declines in several of our markets as a result of COVID-19 and we may experience similar revenue declines as a result of future health epidemics, pandemics and similar outbreaks. We experienced significant revenue declines in several of our markets as a result of COVID-19. Our reputation and/or business could be negatively impacted by ESG matters and/or our reporting of such matters. Over the past several years, regulators, certain investors, and other stakeholders have focused on various environmental, social and governance ("ESG") matters, both in the United States and internationally. We communicate certain ESG-related initiatives, goals and commitments regarding climate, diversity, responsible sourcing and social investments, and other matters, on our website, in our filings with the SEC and elsewhere. These initiatives, goals and commitments could be difficult to achieve and costly to implement. For example, we have announced our commitments to reduce our greenhouse gas emissions, the achievement of which relies, in large part, on the accuracy of our estimates and assumptions around the availability and cost of renewable energy sources and technologies, the availability of suppliers that can meet our sustainability and other standards, and other factors. If the transition causes errors or adversely impacts system processes, our new systems do not operate as expected, or the data we transition to the cloud changes in a material way, we may have to incur significant additional costs to make modifications and could lose customers and we may suffer reputational harm as a result. We could fail to achieve, or be perceived to fail to achieve, our greenhouse gas reduction commitments or other ESG-related initiatives, goals and commitments. In addition, we could be criticized for the timing, scope or nature of these initiatives, goals and commitments, or for any revisions to them. To the extent that our required and voluntary disclosures about ESG matters increase, we could be criticized for the accuracy, adequacy or completeness of such disclosures. Our actual or perceived failure to achieve our ESG-related initiatives, goals and commitments could negatively impact our reputation or otherwise materially harm our business. Operational RisksOur technology transformation strategy places a significant strain on our management, operational, financial and other resources.19Operational RisksOur technology transformation strategy places a significant strain on our management, operational, financial and other limited resources. As part of our technology transformation strategy, we are transitioning and migrating our data systems from traditional, on premises data centers to cloud-based platforms. This initiative places significant strain on our management, personnel, operations, systems, technical performance, financial resources, internal financial controls and reporting function. Our technology transformation strategy requires management time and resources to educate employees and implement new ways of conducting business. The dedication of resources to our technology transformation strategy and cloud-based technologies limits the resources we have available to devote to other initiatives or growth opportunities, or to invest in the maintenance of our existing internal systems. We cannot guarantee that our strategy is the right one or that investments in alternative technologies or other initiatives would not be a better use of our resources.Additionally, as a result of our cloud migration efforts in connection with our technology transformation strategy, we may experience a loss of continuity, loss of accumulated knowledge or loss of efficiency during transitional periods. Reorganization and transition can require a significant amount of management and other employees’ time and focus, which may 19divert attention from operating activities and growing our business. If we fail to achieve some or all of the expected benefits of these activities, it could have a material adverse effect on our competitive position, business, financial condition, results of operations and cash flows.Our transition to cloud-based technologies could expose us to operational disruptions.We rely on the efficient and uninterrupted operation of complex information technology systems and networks, some of which are managed internally within the Company and some of which are outsourced to third parties. As part of our technology transformation strategy, we are upgrading a significant portion of the information technology systems used to operate our business and replacing them with cloud-based solutions. This transition will continue to require substantial changes to our software and network infrastructure, which could lead to system interruptions, affect our data systems and further expose us to operational disruptions, and cause us to lose customers, all of which could have a material adverse effect on our results of operations.Upon implementation of the new cloud-based solutions, much of our information technology systems will consist of outsourced, cloud-based infrastructure, platform and software-as-a-service solutions not under our direct management or control. Any disruption to either the outsourced systems or the communication links between us and the outsourced supplier could negatively affect our ability to operate our data systems and could impair our ability to provide services to our customers. We may incur additional costs to remedy the damages caused by these disruptions.Our customers' decisioning may be adversely affected if we provide inaccurate or unreliable data, which could adversely affect our financial condition, cause loss of customer trust and contribute to non-compliance with certain laws and regulations.Data accuracy is an essential component of data quality and is the foundation of our business model. Accurate data increases predictive ability and improves confidence in decisions for our customers. Inaccurate or unreliable data could adversely affect customer decisioning and poses reputational, compliance and financial risk to our company. Although we have developed internal processes and controls to maintain and continually improve data accuracy, these processes and controls cannot ensure absolute accuracy and the complexity of our technology transformation may introduce additional risk until it is completed. We have experienced data accuracy issues, including errors in connection with our technology transformation. To date, none of these issues have had a material impact on our operations or financial results. However, any future data accuracy issues arising during the technology transformation or otherwise could have a material adverse effect on our business or results of operations, including through the incurrence of additional costs or the loss of customers and harm to our reputation.If our systems do not meet customer requirements for response time or high availability, or we experience system constraints or failures, or our customers do not migrate to the cloud or modify and/or upgrade their systems to accept new releases of our products and services, our services to our customers could be delayed or interrupted, which could result in lost revenues or customers, lower margins, service level penalties or other harm to our business and reputation.Our customers expect high system availability and response time performance, as well as a very high degree of system resilience. We depend on reliable, stable, efficient and uninterrupted operation of our technology network, systems and data centers to provide service to our customers. Many of the services and systems upon which we rely have been outsourced to third parties. In addition, many of our revenue streams are dependent on links to third party telecommunications providers. These systems and operations, and the personnel that support, service and operate these systems, could be exposed to interruption, damage or destruction from power loss, telecommunication failures, computer viruses, denial-of-service or other cyber attacks, employee or insider malfeasance, human error, fire, natural disasters, war, terrorist acts or civil unrest. We may not have sufficient disaster recovery or redundant operations in place to cover a loss or failure of systems or telecommunications links in a timely manner, which may be exacerbated by any delays in obtaining equipment due to supply chain or other impacts. In addition, as part of our technology transformation, we are seeking to migrate our customers from traditional data platforms to cloud-based products and services. Some of our customers may not migrate to cloud-based technologies on a timely basis or at all, or may choose not to utilize our products and services during and after our transition to cloud-based technologies. If our customers’ timelines prevent them from migrating to cloud-based technologies quickly enough, they will remain on our legacy infrastructure, which could expose them to system availability, response time and performance issues.20Any significant system interruption or series of minor interruptions could result in the loss of customers and/or lost revenues, lower margins, service level penalties or other significant harm to our business or reputation.Dependence on outsourcing certain portions of our operations may adversely affect our ability to bring products to market and damage our reputation. Dependence on outsourced information technology and other administrative functions may impair our ability to operate effectively.As part of our technology transformation, we have outsourced various components of our application development, information technology, operational support and administrative functions and will continue to evaluate additional outsourcing. If our outsourcing vendors fail to perform their obligations in a timely manner or at satisfactory quality levels including with respect to data and system security, or increase prices for their services to unreasonable levels, our ability to bring products to market and support our customers and our reputation could suffer. Any failure to perform on the part of these third-party providers could impair our ability to operate effectively and could result in lower future revenue, unrealized efficiencies and adversely impact our results of operations and our financial condition. Some of our outsourcing takes place in developing countries and, as a result, may be subject to geopolitical uncertainty.Our business will suffer if we are not able to retain and hire key personnel.Our future success, including our ability to implement our technology transformation strategy, depends partly on the continued service of our key development, sales, marketing, executive and administrative personnel. Increased retention risk exists in certain key areas of our operations, such as IT and data security, which require specialized skills, such as migrating legacy computer systems to the cloud, data security expertise and analytical modeling. If we fail to retain and hire a sufficient number of these personnel, we will not be able to maintain or expand our business. As part of our technology transformation strategy, we have hired or contracted with a significant number of new employees and contract workers. Hiring, on-boarding training, motivating, retaining and managing employees with the skills required is time-consuming and expensive. There is intense competition for certain highly technical specialties in geographic areas where we continue to recruit, and it may become more difficult to retain our key employees. If we are not able to hire sufficient employees to support our business, including our technology transformation, or to train, motivate, retain and manage the employees we do hire, it could have a material adverse effect on our business operations or financial results. If we are not able to hire sufficient employees to support our technology transformation, or to train, motivate, retain and manage the employees we do hire, it could have a material adverse effect on our business operations or financial results. Global Operational RisksEconomic, political and other risks associated with international sales and operations could adversely affect our results of operations.Sales outside the U.S. comprised 23% of our total revenue in 2023. As a result, our business is subject to various risks associated with doing business internationally and these risks may differ in each jurisdiction where we operate depending on the particular product or service we offer in the jurisdiction. As a result, our business is subject to various risks associated with doing business internationally and these risks may differ in each jurisdiction we operate depending on the particular product or service we offer in the jurisdiction. In addition, many of our employees, suppliers, job functions and facilities are located outside the U.S. Accordingly, our future results could be harmed by a variety of factors including:•changes in specific country or region political, economic or other conditions;•trade protection measures;•data privacy and consumer protection laws and regulations;•antitrust and competition laws;•difficulty in staffing and managing widespread operations;•differing labor, intellectual property protection and technology standards and regulations;•business licensing requirements or other requirements relating to making foreign direct investments, which could increase our cost of doing business in certain jurisdictions, prevent us from entering certain markets, increase our operating costs or lead to penalties or restrictions;•difficulties associated with repatriating cash generated or held abroad in a tax-efficient manner;•implementation of exchange controls;•geopolitical instability, including terrorism and war and international conflict, including the Russia-Ukraine war and the Israel-Palestine conflict;•foreign currency changes;•increased travel, infrastructure, legal and compliance costs of multiple international locations;21•foreign laws and regulatory requirements;•terrorist activity, natural disasters, pandemics and other catastrophic events;•restrictions on the import and export of technologies;•difficulties in enforcing contracts and collecting accounts receivable;•longer payment cycles;•failure to meet quality standards for outsourced work;•unfavorable tax rules;•the presence and acceptance of varying level of business corruption in international markets; and•varying business practices in foreign countries. Accordingly, our future results could be harmed by a variety of factors including:•changes in specific country or region political, economic or other conditions;•trade protection measures;•data privacy and consumer protection laws and regulations;•difficulty in staffing and managing widespread operations;•differing labor, intellectual property protection and technology standards and regulations;•business licensing requirements or other requirements relating to making foreign direct investments, which could increase our cost of doing business in certain jurisdictions, prevent us from entering certain markets, increase our operating costs or lead to penalties or restrictions;•difficulties associated with repatriating cash generated or held abroad in a tax-efficient manner;•implementation of exchange controls;•geopolitical instability, including terrorism and war, including the evolving situation involving Ukraine and Russia;•foreign currency changes;•increased travel, infrastructure, legal and compliance costs of multiple international locations;•foreign laws and regulatory requirements;21•terrorist activity, natural disasters, pandemics and other catastrophic events;•restrictions on the import and export of technologies;•difficulties in enforcing contracts and collecting accounts receivable;•longer payment cycles;•failure to meet quality standards for outsourced work;•unfavorable tax rules;•the presence and acceptance of varying level of business corruption in international markets; and•varying business practices in foreign countries. We earn revenue, pay expenses, own assets and incur liabilities in countries using currencies other than the U.S. dollar, including among others the British pound, the Australian dollar, the Canadian dollar, the Argentine peso, the Chilean peso, the Euro, the New Zealand dollar, the Costa Rican colon, the Singapore dollar, the Brazilian real and the Indian rupee. Because our consolidated financial statements are presented in U.S. dollars, we must translate revenue, income and expenses, as well as assets and liabilities, into U.S. dollars at exchange rates in effect during or at the end of each reporting period. Therefore, increases or decreases in the value of the U.S. dollar against major currencies will affect our operating revenues, operating income and the value of balance sheet items denominated in foreign currencies. We generally do not mitigate the risks associated with fluctuating exchange rates, although we may from time to time through forward contracts or other derivative instruments hedge a portion of our translational foreign currency exposure or exchange rate risks associated with material transactions which are denominated in a foreign currency. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Accordingly, fluctuations in foreign currency exchange rates, particularly the strengthening of the U.S. dollar against major currencies, may materially affect our consolidated financial results.Compliance with applicable U.S. and foreign laws and regulations, such as anti-corruption laws, tax laws, foreign exchange controls and restrictions on repatriation of earnings or other similar restraints, data privacy requirements, operational resilience requirements, sustainability reporting, labor laws and anti-competition regulations increases the cost of doing business in foreign jurisdictions. and foreign laws and regulations, such as anti-corruption laws, tax laws, foreign exchange controls and restrictions on repatriation of earnings or other similar restraints, data privacy requirements, labor laws and anti-competition regulations increases the cost of doing business in foreign jurisdictions. Although we have implemented policies and procedures to comply with these laws and regulations, a violation by our employees, contractors or agents could nevertheless occur. Legal and Regulatory RisksAs part of a global settlement, we entered into agreements with various parties to settle the U.S. Consumer MDL Litigation and certain federal and state government investigations arising out a material cybersecurity incident in 2017. Consumer MDL Litigation and certain federal and state government investigations arising out of the 2017 cybersecurity incident. If we are unable to comply with our obligations under these agreements, it could have a material adverse effect on our financial condition.In July 2019, the Company entered into multiple agreements that resolve the U.S. consolidated consumer class action cases, captioned In re: Equifax, Inc. Customer Data Security Breach Litigation, MDL No. 2800 (Consumer Cases) (the “U.S. Consumer MDL Litigation”), and the investigations of the FTC, the CFPB, the Attorneys General of 48 states, the District of Columbia and Puerto Rico (the “MSAG Group”) and the NYDFS (collectively, the “Consumer Settlement”) relating to a material cybersecurity incident in 2017. The Consumer Settlement became effective on January 11, 2022. As part of the Consumer Settlement, we agreed to implement certain business practice commitments related to consumer assistance and our information security program, including third party assessments of our program. These business practice commitments are extensive and require a significant amount of attention from management. To the extent we are unable to comply or we are viewed as not being in compliance with these business practice commitments or other requirements of a relevant order, we could face an enforcement action or contempt proceeding that could potentially result in fines, penalties and new business practice commitments, which, depending on the amount and type, could have a material adverse effect on our financial condition.We and our customers are subject to various current laws and governmental regulations, and could be affected by new and evolving consumer privacy and cybersecurity or other data-related laws or regulations, compliance with which may cause us to incur significant expenses and change our business practices, and if we fail to maintain satisfactory compliance with certain laws and regulations, we could be subject to civil or criminal penalties.22We are subject to a number of U.S. federal, state, local and foreign laws and regulations relating to consumer privacy, cybersecurity, data and financial protection. See “Item 1.

Business—Governmental Regulation” in this Form 10-K for a summary of the U.S. and foreign consumer and data protection laws and regulations to which we are subject. These regulations are complex, change frequently, have tended to become more stringent over time, and are subject to administrative interpretation and judicial construction in ways that could harm our business. In addition, new laws and regulations at the state and federal level are enacted frequently, such as amendments to the FCRA, cybersecurity and other requirements promulgated by the FTC, New York Department of Financial Services and SEC, and data privacy laws in several U.S. states.We expect there to be a continued focus on laws and regulations related to our business, because of policy concerns in the U.S. with regard to the operation of consumer reporting agencies, the collection, use, accuracy, correction and sharing of personal information, and the use of algorithms, artificial intelligence and machine learning in business processes. For example, in September 2023, the CFPB issued an outline of proposed changes to the FCRA which would expand the application of the FCRA to certain business practices not currently subject to the FCRA and would require the removal of medical collection debt from consumer credit reports. Further, in October 2023, California passed the DELETE Act, a first-in-the-nation data broker deletion tool which creates a centralized mechanism to allow consumers to request brokers to delete their personal information, rather than submitting individual requests to brokers registered in the state.There are a number of legislative proposals pending before the U.S. Congress, various state legislative bodies and foreign governments concerning privacy or cybersecurity that could affect us. The Canadian and Australian governments have initiated reviews of their consumer privacy laws, and several U. The Canadian government has initiated a review of consumer privacy laws, and several U. S. states have introduced varying comprehensive privacy laws modeled to some degree on the CCPA and/or the GDPR. In the U.S. and other countries, there have also been new legislative proposals to regulate business use and development of artificial intelligence and machine learning technologies which, if enacted, could impose new legal requirements addressing among other issues, privacy, discrimination and human rights. The specifics of such legislation and the number of jurisdictions that will introduce legislation in this area remain unclear at this time. In addition, a growing number of legislative and regulatory bodies have adopted consumer notification and other requirements in the event that consumer information is accessed or acquired by unauthorized persons and additional regulations regarding the use, access, accuracy and security of such data are possible. In the U.S., state laws provide for disparate notification regimes, all of which we are subject to. Further, any perception that our practices or products are an invasion of privacy, whether or not consistent with current or future regulations and industry practices, may subject us to public criticism, private class actions, reputational harm, or claims by regulators, which could disrupt our business and expose us to increased liability.We devote substantial compliance, legal and operational business resources to strive for compliance with applicable regulations and requirements. In the future, we may be subject to significant additional expenses related to compliance with applicable laws and regulations, including new laws and evolving interpretations that have varying requirements and/or are difficult to predict, and to the investigation, defense or remedy of actual or alleged violations. In the future, we may be subject to significant additional expenses related to compliance with applicable laws and regulations, including new laws and evolving interpretations that are difficult to predict, and to investigate, defend or remedy actual or alleged violations. Additionally, we cooperate with CFPB supervisory examinations and respond to other state, federal and foreign government examinations of, or inquiries into, our business practices. In particular, legislative activity in the privacy area may result in new laws that are applicable to us and that may hinder our business, for example, by restricting use or sharing of consumer data, including for marketing or advertising or limiting the use of, limiting our ability to provide certain consumer data to our customers, or otherwise regulating artificial intelligence and machine learning, including the use of algorithms and automated processing in ways that could materially affect our business, or which may lead to significant increases in the cost of compliance. In particular, legislative activity in the privacy area may result in new laws that are applicable to us and that may hinder our business, for example, by restricting use or sharing of consumer data, including for marketing or advertising or limiting the use of, or otherwise regulating artificial intelligence and machine learning, including the use of algorithms and automated processing in ways that could materially affect our business, or which may lead to significant increases in the cost of compliance. Any failure by us to comply with, or remedy any violations of, applicable laws and regulations, could result in new costs for our operations, the curtailment of certain of our operations, the imposition of fines and penalties, liability to private plaintiffs as a result of individual or class action litigation, restrictions on the operation of our business and reputational harm. It is difficult to predict the impact on our business if we were subject to allegations of having violated existing laws. For example, in Europe, the GDPR, which includes extensive regulations for certain security incidents, could result in fines of up to four percent of annual worldwide “turnover” (a measure similar to revenues in the U.S.). In addition, because many of our products are regulated or sold to customers in various industries, we must comply with additional regulations in marketing our products. Moreover, our compliance with privacy laws and regulations and our reputation depend in part on suppliers’ or customers’ adherence to privacy laws and regulations and their use of our services in ways consistent with consumer expectations and regulatory requirements. Moreover, our compliance with privacy laws and regulations and our reputation depend in part on customers’ adherence to privacy laws and regulations and their use of our services in ways consistent with consumer expectations and regulatory requirements. Additionally, we may not succeed in adapting our products to changes in the regulatory environment in an efficient, cost effective manner. We cannot predict the ultimate impact on our business of new or proposed rules, supervisory examinations or government investigations or enforcement actions. The CFPB has supervisory authority over our U.S. business and supporting operations and may initiate enforcement actions with regard to our compliance with federal consumer financial laws.23The CFPB, which was established under the Dodd-Frank Act and commenced operations in July 2011, has broad authority over our business. This includes authority to issue regulations under federal consumer financial protection laws, such as under the FCRA and other laws applicable to us and our financial customers. This includes authority to issue regulations under federal consumer financial protection laws, such as under FCRA and other laws applicable to us and our financial customers. The CFPB is authorized to prevent “unfair, deceptive or abusive acts or practices” through its regulatory, supervisory and enforcement authority.The CFPB conducts examinations and investigations, issues requests for information and subpoenas and brings civil actions in federal court for violations of the federal consumer financial laws, including the FCRA. The CFPB conducts examinations and investigations, and may issue subpoenas and bring civil actions in federal court for violations of the federal consumer financial laws including FCRA. In these proceedings, the CFPB can seek relief that includes: rescission or reformation of contracts, restitution, disgorgement of profits, payment of damages, limits on activities and civil money penalties of up to $1.0 million per day for known violations. The CFPB conducts periodic examinations of our business and the consumer reporting industry, which could result in new regulations or enforcement actions or proceedings. The CFPB conducts periodic examinations of us and the consumer credit reporting industry, which could result in new regulations or enforcement actions or proceedings. Actions by the CFPB could result in requirements to alter or cease offering affected products and services, making them less attractive and restricting our ability to offer them.Although we have committed resources to enhancing our compliance programs, actions by the CFPB or other regulators against us could result in financial or reputational harm. Our compliance costs and legal and regulatory exposure could increase materially if the CFPB or other regulators enact new regulations, change regulations that were previously adopted, modify through supervision or enforcement past regulatory guidance, or interpret existing regulations in a manner different or stricter than have been previously interpreted.Regulatory oversight of our contractual relationships with certain of our customers may adversely affect our business.The federal banking agencies, including the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System and the CFPB, as well as many state banking agencies have issued guidance to insured depository institutions and other providers of financial services on assessing and managing risks associated with third-party relationships, which include all business arrangements between a financial services provider and another entity, by contract or otherwise, and generally requires banks and financial services providers to exercise comprehensive oversight throughout each phase of a bank or financial service provider’s business arrangement with third-party service providers, and instructs banks and financial service providers to adopt risk management processes commensurate with the level of risk and complexity of their third-party relationships. This guidance requires more rigorous oversight of third-party relationships that involve certain “critical activities.” In light of this guidance, our existing or potential bank and financial services customers subject to this guidance may continue to revise their third-party risk management policies and processes and the terms on which they do business with us, which may adversely affect our relationships with such customers and/or increase our expenses in servicing such customers.We are regularly involved in claims, suits, government investigations, enforcement actions and other proceedings that may result in adverse outcomes.24We are regularly involved in claims, suits, government investigations, supervisory examinations and other proceedings that may result in adverse outcomes. We are regularly involved in claims, suits, government investigations, enforcement actions and regulatory proceedings arising from the ordinary course of our business, including actions with respect to consumer protection and data protection, including purported class action lawsuits.We are regularly involved in claims, suits, government investigations, supervisory examinations and regulatory proceedings arising from the ordinary course of our business, including actions with respect to consumer protection and data protection, including purported class action lawsuits. Such claims, suits, government investigations and proceedings are inherently uncertain and their results cannot be predicted with certainty. Regardless of their outcome, such legal proceedings can have an adverse impact on us because of legal costs, diversion of management and other personnel, and other factors. In addition, it is possible that a resolution of one or more such proceedings could result in reputational harm, liability, penalties or sanctions, as well as judgments, consent decrees or orders preventing us from offering certain features, functionalities, products or services, or requiring a change in our business practices, products or technologies, which could in the future materially and adversely affect our business, operating results, and financial condition. The FCRA contains an attorney fee shifting provision that provides an incentive for consumers to bring individual and class action lawsuits against a consumer reporting agency for violation of the FCRA, and the number of consumer lawsuits (both individual and class action) against us alleging a violation of the FCRA and our resulting costs associated with resolving these lawsuits have increased substantially over the past several years. The FCRA contains an attorney fee shifting provision that provides an incentive for consumers to bring individual and class action lawsuits against a CRA for violation of the FCRA, and the number of consumer lawsuits (both individual and class action) against us alleging a violation of the FCRA and our resulting costs associated with resolving these lawsuits have increased substantially over the past several years. Third parties may claim that we are infringing on their intellectual property and we could suffer significant litigation or licensing expenses or be prevented from selling products or services.There has been substantial litigation in the U.S. regarding intellectual property rights in the information technology industry. From time to time, third parties may make claims that one or more of our products or services infringe their intellectual property rights. We analyze and take action in response to each such claim on a case by case basis. A dispute or 24litigation regarding patents or other intellectual property can be costly and time-consuming due to the complexity of our technology and the inherent uncertainty of intellectual property litigation, could divert our management and key personnel from our business operations, and we may not prevail. A claim of intellectual property infringement could force us to enter into a costly or restrictive license agreement, which might not be available under acceptable terms or at all, or could subject us to significant damages or to an injunction against development and sale of certain of our products or services. Our intellectual property portfolio may not be useful in asserting a counterclaim, or providing commercial leverage for negotiating a license, in response to a claim of intellectual property infringement. In certain of our businesses we rely on third-party intellectual property licenses and we cannot ensure that these licenses will be available to us in the future on favorable terms or at all. Although our policy is to obtain licenses or other rights where necessary, we cannot provide assurance that we have obtained all required licenses or rights. Third parties may misappropriate or infringe on our intellectual property and we may suffer competitive injury or expend significant resources enforcing our rights.Our success increasingly depends on our proprietary technology and its ability to differentiate us from our competitors. We rely on various intellectual property rights, including patents, copyrights, database rights, trademarks and trade secrets, as well as contract restrictions, confidentiality provisions and licensing arrangements, to establish and protect our proprietary rights. The extent to which such rights can be protected varies in different jurisdictions. If we do not protect and enforce our intellectual property rights successfully, our competitive position may suffer which could harm our operating results. Our pending patent and trademark applications may not be allowed or competitors may challenge the validity or scope of our intellectual property rights. In addition, our patents, copyrights, trademarks and other intellectual property rights may not provide us a significant competitive advantage.We may need to devote significant resources to monitoring our intellectual property rights and we may or may not be able to detect misappropriation or infringement by third parties. Our competitive position may be harmed if we cannot detect misappropriation or infringement and enforce our intellectual property rights quickly or at all. In some circumstances, enforcement may not be available to us because a third party has a dominant intellectual property position or for other business reasons. In addition, competitors might avoid infringement by designing around our intellectual property rights or by developing non-infringing competing technologies. Intellectual property rights and our ability to enforce them may be unavailable or limited in some countries, which could make it easier for competitors to capture market share and could result in lost revenue.Financial Market RisksA downgrade in our credit ratings could increase our cost of borrowing under our credit facilities and have an adverse effect on our ability to access the capital markets.Credit ratings reflect an independent agency’s judgment on the likelihood that a borrower will repay a debt obligation at maturity. The ratings reflect many considerations, such as the nature of the borrower’s industry and its competitive position, the size of the company, its liquidity and access to capital and the sensitivity of a company’s cash flows to changes in the economy. A security rating is not a recommendation to buy, sell or hold securities and may be changed or withdrawn at any time by the assigning rating agency.A downgrade in our credit ratings would increase the cost of borrowings under our commercial paper program, $1.5 billion revolving credit facility and $700.0 million delayed draw term loan, and could limit or, in the case of a significant downgrade, preclude our ability to issue commercial paper. If our credit ratings were to decline to lower levels, we could experience increases in the interest cost for any new debt. In addition, the market’s demand for, and thus our ability to readily issue, new debt could become further affected by the economic and credit market environment. Our retirement and post-retirement pension plans are subject to financial market risks that could adversely affect our future results of operations and cash flows.25Financial Market RisksOur retirement and post-retirement pension plans are subject to financial market risks that could adversely affect our future results of operations and cash flows. We have significant retirement and post-retirement pension plan assets and obligations. The performance of the financial markets and interest rates impact our plan expenses, expected returns, and funding obligations. The performance of the financial markets and interest rates impact our plan expenses and funding obligations. Significant decreases in interest rates, decreases in the fair value of plan assets and investment losses on plan assets will increase our funding obligations, and adversely impact our results of operations and cash flows.25ITEM 1B.ITEM 1B. UNRESOLVED STAFF COMMENTS None. ITEM 1C.ITEM 1B. CYBERSECURITYRisk Management and StrategyWe are a global data, analytics and technology company. In the ordinary course of business, we collect, process, transmit and store sensitive data, including intellectual property, proprietary business information and personal information of consumers, employees and strategic partners. In the ordinary course of business, we collect, process, transmit and store sensitive data, including intellectual property, proprietary business information and personally identifiable information of consumers, employees and strategic partners. The secure operation of our information technology networks and systems, and of the processing and maintenance of this information, is critical to our business operations and strategy.Equifax has invested significantly to develop and maintain an information security program with processes, technology and controls to protect the information, systems and resources of the Company. The secure operation of our information technology networks and systems, and of the processing and maintenance of this information, is critical to our business operations and strategy. We have a Security team operating under the leadership of our Chief Information Security Officer (“CISO”), including approximately 400 cybersecurity professionals. The key elements of our information security program, including our cybersecurity risk management strategy, are described below.Security Controls FrameworkEquifax has implemented a unified security and privacy controls framework as our primary mechanism to establish strategic priorities related to cybersecurity, assess cybersecurity risk across the enterprise, comply with regulatory requirements and enhance security program maturity. Our unified security and privacy controls framework is based upon the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) and Privacy Framework (NIST PF). Cybersecurity Incident Detection and Response ProcessOur information security program is based on five key functions as set forth in the NIST CSF: (i) identify; (ii) protect; (iii) detect; (iv) respond; and (v) recover. As part of that program, we maintain an incident detection and response process that is designed to ensure we appropriately identify, investigate, respond to, and recover from, cybersecurity incidents in order to protect our information, systems and resources. As part of our process, we maintain operational plans for incident response and recovery activities. We regularly review our incident response process and conduct multiple incident response exercises each year, including sessions with management, to test and assess our preparedness to respond to a cybersecurity incident.As part of our incident detection and response process, we have established internal teams to investigate and escalate notification of cybersecurity incidents. Pursuant to this process, cybersecurity incidents are reported to appropriate personnel within Equifax (including the CISO and the CEO) and to the Board of Directors based on incident severity. We track incidents through resolution, conduct post-incident analysis and update our processes and procedures if areas for improvement are identified. On a monthly basis, a summary of prior period cybersecurity investigation escalations is reviewed by management, including our head of Internal Audit, our CISO, our Chief Financial Officer and our Chief Legal Officer.To inform our incident detection and response process, our cyber intelligence operations team regularly performs exercises to simulate real threat scenarios that would be carried out by a perpetrator by utilizing the actual tools and methodologies that would be deployed in such an attack (so called “red team” activities). Because our products and services involve the storage and transmission of personal information of consumers, we are routinely the target of attempted cyber and other security threats by outside third parties, including technically sophisticated and well-resourced bad actors attempting to access or steal the data we store. Risk Management•Cybersecurity Incorporated into Enterprise Risk Management Program. We have implemented an enterprise risk management (“ERM”) program that operates under the leadership of our Chief Privacy and Compliance Officer. Each business unit and corporate support unit has primary responsibility for assessing and mitigating risks within its respective areas of responsibility, and the ERM team is responsible for oversight and reporting to management and the Board.Under our ERM program, we conduct an annual enterprise risk assessment, which produces an enterprise risk scorecard. Cybersecurity is one of nine primary risk categories identified within the scorecard. The cybersecurity risk rating is based on a detailed enterprise security risk assessment performed by the Security team. The enterprise risk scorecard is reviewed with management and the Board of Directors on an annual basis.26•Security Risk Assessment. The Security team performs an annual enterprise security risk assessment of the information security program that is provided to management, the Board of Directors and other relevant parties. The security risk assessment provides a detailed understanding of the information security program in order to inform decisions and support risk response. The security risk assessment process evaluates the program’s control domains through various analyses and testing methods to determine the overall level of risk present within the environment over the period evaluated. The risk assessment identifies risks and considers observations from multiple business process- and system-level assessments.We leverage NIST guidance to inform our process for conducting the security risk assessment. The risk management program and processes can be described in four steps: (i) frame risk; (ii) assess risk; (iii) respond to risk; and (iv) monitor risk. •Third Party Risk Management. We have a governance process in place to oversee our third-party vendors who have access to our network or who hold or store personal information on our behalf (“risk vendors”). Our risk vendor contracts contain provisions requiring our suppliers to maintain a program that meets our information security standards. We periodically assess risk vendor compliance with our information security program requirements. One such requirement is the obligation that our risk vendors must notify Equifax within a designated time period upon identifying certain cybersecurity events.•M&A Due Diligence and Integration Process. Our Security team has implemented a due diligence and integration process for entities we acquire through mergers and acquisitions (“M&A”). This process is designed to protect our information systems, align acquired entities with our security controls, and comply with applicable legal and regulatory requirements, without interrupting critical business processes. Our M&A security integration status is reported regularly to management and the Technology Committee and annually to the Board of Directors.•Employee Training and Awareness. In order to help bolster our cybersecurity defenses and mitigate the risk presented by insider or employee cyber and security threats, Equifax has incorporated employee training into our security program. On an annual basis, all employees are required to complete mandatory security training. In addition, each Equifax employee receives training customized to his or her role or function, and has visibility into his or her individual security performance. We continually measure and assess key employee behaviors, including secure browsing and sensitive data handling. In order to promote a Company-wide focus on data security and reinforce overall security program goals, Equifax includes an individual security performance measure as one of the metrics used to evaluate the performance of all bonus-eligible employees under our annual incentive compensation program.•Cybersecurity Insurance. We maintain cybersecurity insurance under our errors and omissions/professional liability policy, which provides coverage for certain costs related to cybersecurity incidents. Review and Assessment of Information Security ProgramWe conduct regular audits of our information security program, including third party assessments and review by our internal audit department.•Third Party Assessments of Security Program Maturity. Equifax has a formal process in place to annually assess our security program maturity, which is a measure of our ability to adapt to cyber threats and manage risk over time. Under the oversight of the Technology Committee of the Board of Directors, Equifax engages a third party research and advisory firm to conduct an annual analysis of the maturity of our security program and identify potential initiatives to enhance maturity. On an annual basis, the Technology Committee reviews the results of this analysis with management, including a review of Company performance against relevant benchmarks.•Controls Testing. Equifax has a formal process in place to periodically assess the effectiveness of controls in our security controls framework. These controls assessments are performed by the Security team. Results are regularly reported to management and the Technology Committee and annually to the Board of Directors.•Internal Audit Review. Our internal audit department is responsible for providing the Audit and Technology Committees and management with an independent assessment and assurance regarding the design and effectiveness of the risk management framework related to cybersecurity. As part of the assessment of our cybersecurity program, the internal audit department has a “red team” that regularly performs testing to simulate real threat scenarios that would be carried out by a perpetrator. On a quarterly basis, our head of Internal Audit provides an update to management and the Audit and Technology Committees of the Board on audit activities pursuant to the IT and security portions of the 27internal audit plan. Our head of Internal Audit reviews the IT and security audit reports issued, including a summary of IT and security audit findings by inherent risk and residual risk rating.Cybersecurity Risks to our BusinessAs a global data, analytics and technology company, our products and services involve the storage and transmission of personal information of consumers. As a result, we are routinely the target of attempted cyber and other security threats presented by outside third parties, as well as security threats presented by employees and other insiders.In 2017, we experienced a material cybersecurity incident following a criminal attack on our systems that involved the theft of personal information of U. In 2017, we experienced a cybersecurity incident following a criminal attack on our systems that involved the theft of personally identifiable information of U. S., Canadian and U.K. consumers. If we experience additional significant compromises of our security measures, including from incidents that we fail to detect for a period of time, sensitive data may be accessed, stolen, disclosed, altered or lost. If we experience additional significant breaches of our security measures, including from incidents that we fail to detect for a period of time, sensitive data may be accessed, stolen, disclosed or lost. Any such access, disclosure, alteration or other loss of information could subject us to significant litigation, regulatory fines or penalties, any of which could have a material adverse effect on our cash flows, competitive position, financial condition or results of operations. Any such access, disclosure or other loss of information could subject us to significant litigation, regulatory fines or penalties, any of which could have a material adverse effect on our cash flows, competitive position, financial condition or results of operations. Cybersecurity incidents, and the adverse publicity that may follow, can have a negative impact on our reputation and our relationship with our customers.Security breaches and attacks, and the adverse publicity that may follow, can have a negative impact on our reputation and our relationship with our customers. For example, our reputation with consumers and other stakeholders and our customer relationships were damaged following the cybersecurity incident in 2017, resulting in a negative impact on our revenue for a period of time. For example, our reputation with consumers and other stakeholders and our customer relationships were damaged following the 2017 cybersecurity incident, resulting in a negative impact on our revenue for a period of time. If we experience another material cybersecurity incident or are otherwise unable to demonstrate the security of our systems and the data we maintain and retain the trust of our customers, consumers and data suppliers, we could experience a substantial negative impact on our business.For additional information related to the cybersecurity-related risks relevant to our business, see “Risk Factors—Technology and Data Security Risks—Security breaches and other disruptions to our information technology infrastructure could compromise Company, consumer and customer information, interfere with our operations, cause us to incur significant costs for remediation and enhancement of our IT systems and expose us to legal liability, all of which could have a substantial negative impact on our business and reputation” in Part I, Item 1A.

of this annual report on Form 10-K.GovernanceBoard Oversight of CybersecurityThe Equifax Board of Directors monitors our “tone at the top” and risk culture and oversees principal risks facing the Company. On an annual basis, the Board reviews an enterprise risk assessment prepared by management that describes the principal risks and monitors the steps management is taking to map and mitigate these risks. The Board then sets the general level of risk appropriate for the Company through business strategy reviews. Risks are assessed throughout the business, focusing on nine primary risk categories, including cybersecurity. In addition, the Audit and Technology Committees of the Board coordinate on risk management oversight with respect to cybersecurity, including through quarterly joint meetings that cover the following topics:•Regular reports from the internal audit department regarding the security and technology portions of the internal audit plan•Regular reports from our CISO and Chief Technology Officer regarding the cybersecurity control environment, including remediation updates, control posture analyses and other recurring items•Regular reports from our Chief Privacy and Compliance Officer regarding our global privacy, risk management and compliance programs, including matters related to cybersecurityThe Technology Committee of the Board oversees our information security program, including:•Reviewing with management our technology investments and infrastructure associated with risk management, including policies relating to information security, disaster recovery and business continuity•Receiving quarterly reports directly from our CISO, including updates on our enterprise cybersecurity threat level•Overseeing the engagement of outside advisors to review our cybersecurity program•Reviewing the results of our annual information security program maturity assessment performed by a third party•Reviewing the results of our annual security program risk assessment prepared by management28Management Oversight of Cybersecurity RiskOur information security program is managed through implementation, monitoring and continuous improvement of the security program with active participation of management as described below.•Senior Leadership Team. The Equifax senior leadership team, consisting of our CEO and his direct reports (“SLT”), sets the tone for strategic growth, effective operations and risk mitigation at the management level. The SLT supports the management of the information security program through proper resource allocation and decision-making involving high risk issues. The SLT has overall managerial responsibility for confirming that the information security program functions in a manner that meets the needs of Equifax.•Chief Information Security Officer. Equifax has a CISO who is a member of the SLT and reports directly to our CEO. Our CISO has more than two decades of experience in cybersecurity-related roles, including serving as CISO at other large, multinational companies. Our CISO is responsible for oversight of the global Security team and the implementation and execution of the information security program. Our CISO helps ensure that the program is strategically aligned to Equifax’s business strategy and is responsible for reporting on the effectiveness of the program to the SLT and the Board of Directors.•Global Security Team. The Equifax global Security team is responsible for supporting the CISO in the execution of the information security program to meet the program’s objectives. The Security team is directly responsible for the day to day program activities such as planning, implementation, monitoring and reporting on operational capabilities..