Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - EFX

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A. Risk Factors,” and elsewhere in this report and those described from time to time in our future reports filed with the United States Securities and Exchange Commission (“SEC”). As a result of such risks and uncertainties, we urge you not to place undue reliance on any such forward-looking statements. Forward-looking statements speak only as of the date when made. We undertake no obligation to publicly update or revise any forward-looking statements, whether as a result of new information, future events or otherwise, except as required by law.

Available Information

Detailed information about us is contained in our annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K, proxy statements and other reports, and amendments to those reports, that we file with, or furnish to, the SEC. These reports are available free of charge at our website, www.equifax.com, as soon as reasonably practicable after we electronically file such reports with or furnish such reports to the SEC. However, our website and any contents thereof should not be considered to be incorporated by reference into this document. We will furnish copies of such reports free of charge upon written request to Equifax Inc., Attn: Office of Corporate Secretary, P.O. Box 4081, Atlanta, Georgia, 30302. These reports are also available at www.sec.gov.

ITEM 1A. RISK FACTORS

All of the risks and uncertainties described below and the other information included in this Form 10-K should be considered and read carefully. The risks described below are not the only ones facing us. The occurrence of any of the following risks or additional risks and uncertainties not presently known to us or that we currently believe to be immaterial could materially and adversely affect our business, financial condition or results of operations. This Form 10-K also contains forward-looking statements and estimates that involve risks and uncertainties. Our actual results could differ materially from those anticipated in the forward-looking statements as a result of specific factors, including the risks and uncertainties described below.

Technology and Data Security Risks

Security breaches and other disruptions to our information technology infrastructure could compromise Company, consumer and customer information, interfere with our operations, cause us to incur significant costs for remediation and enhancement of our IT systems and expose us to legal liability, all of which could have a substantial negative impact on our business and reputation.

We are a global data, analytics and technology company. In the ordinary course of business, we collect, process, transmit and store sensitive data, including intellectual property, proprietary business information and personal information of consumers, employees and strategic partners. The secure operation of our information technology networks and systems, and of the processing and maintenance of this information, is critical to our business operations and strategy. Because our products and services involve the storage and transmission of personal information of consumers, we are routinely the target of attempted cyber and other security threats by outside third parties, including technically sophisticated and well-resourced bad actors attempting to access or steal the data we store. Additionally, we could experience service disruptions or a loss of access to critical data or systems due to ransomware or other destructive attacks. Insider or employee cyber and security threats are also a significant concern for all companies, including ours. Despite our substantial investment in physical and technological security measures, employee training and contractual precautions, our information technology networks and infrastructure (or those of our third-party vendors and other service providers) are potentially vulnerable to unauthorized access to data, loss of access to systems or breaches of confidential information due to criminal conduct, attacks by hackers, artificial intelligence-powered attacks, employee or insider malfeasance and/or human error.

The techniques used to obtain unauthorized access, disable or degrade service or sabotage systems are constantly evolving and often are not recognized until launched against a target, or even some time after. For example, artificial intelligence can automate and hyper-personalize existing attack vectors like phishing and deepfakes. We may be unable to anticipate these techniques, implement adequate preventative measures or remediate any intrusion on a timely or effective basis even if our security measures are appropriate, reasonable and/or comply with applicable legal requirements. Certain efforts may be state-sponsored and supported by significant financial and technological resources, making them even more sophisticated and difficult to detect. Although we have developed systems and processes that are designed to protect our data and customer data and to prevent data loss and other security breaches, and expect to continue to expend significant additional resources to bolster these protections, these security measures cannot provide absolute security.

We have previously experienced a material cybersecurity incident and if we experience additional breaches of our security measures, including from incidents that we fail to detect for a period of time, sensitive data may be accessed, stolen, disclosed or lost. Any such access, disclosure or other loss of information could subject us to business interruption, significant litigation, regulatory fines or penalties, any of which could have a material adverse effect on our cash flows, competitive position, financial condition or results of operations. While we maintain cybersecurity insurance, we cannot ensure that our insurance policies in the future will be adequate to cover losses from any security breaches.

Security breaches and attacks (including those that impact our third-party vendors and other service providers) and the adverse publicity that may follow, can have a negative impact on our reputation and our relationship with our customers. If we experience another material cybersecurity incident or are otherwise unable to demonstrate the security of our systems and the data we maintain and retain the trust of our customers, consumers and data suppliers, we could experience a substantial negative impact on our business.

If we fail to achieve and maintain key industry or technical certifications, our customers and business partners may stop doing business with us and we may not be able to win new business, which would negatively affect our revenue.

We are required by customers and business partners to obtain various industry or technical certifications. Such certifications are critical to our business because certain of our current and potential customers and the contracts governing certain customer relationships, as well as certain of our data suppliers, require us to maintain them as a requirement of doing business. For example, as a result of a prior material cybersecurity incident, we lost certain key certifications which caused certain customers and business partners to stop or pause doing business with us and temporarily limited our ability to win new business. We had to spend significant resources on remediation activities in order to obtain these key re-certifications. If we fail to achieve or maintain key industry or technical certifications as a result of another cybersecurity incident or for other reasons, customers and business partners may stop doing business with us and we may not be able to win new business, which would negatively affect our revenue.

Strategy and Market Demand Risks

The failure to realize the anticipated benefits of our technology transformation could adversely impact our business and financial results.

We are in the final stages of migrating the vast majority of our applications and systems infrastructure from legacy on-premises systems to cloud-based solutions hosted by third parties. We expect that our cloud technology transformation will continue to increase our efficiency and productivity, enhance our ability to deliver new and differentiated products, improve the stability and functionality of our products and services, decrease the cost of our overall systems infrastructure, and enable the delivery of advanced artificial intelligence-based products and internal processes, all of which we expect will drive growth and have a positive effect on our business, competitive position and results of operations.

If we are unable to correctly respond to these issues, we may experience business disruptions, damage to our reputation, negative publicity, diminished customer trust and relationships and other adverse effects on our business. We have made significant investments in our technology transformation, and if we were to change a primary cloud-based service provider, we may incur additional costs in connection with a transition.

This data includes the widespread and voluntary contribution of credit data from most lenders in the U.S. and many other markets as well as the contribution of data under proprietary contractual agreements, such as employers’ contribution of employment and income data to The Work Number® and telecommunications, cable and utility companies’ contribution of payment and fraud data to the National Cable, Telecommunications and Utility Exchange, Inc. (NCTUE) database we manage. In addition, a significant portion of our revenue is derived from products and services that incorporate intellectual property licensed from third party business partners. For a variety of reasons, including concerns of data furnishers arising out of legislatively or judicially imposed restrictions on use, security breaches or competitive reasons, our data sources could withdraw, delay receipt of, or increase the cost of, the data they provide to us. If a substantial number of data sources or certain key data sources withdraw or become unable to provide their data, if we lose access to data due to government regulation, if we lose our right to the use of data, if the collection, disclosure or use of data becomes uneconomical, or if we lose the right to use certain intellectual property, our ability to provide products and services to our customers could be adversely affected, which could result in

decreased revenue, net income and earnings per share and reputational loss. There can be no assurance that we would be able to obtain data from alternative sources if our current sources become unavailable.

Negative changes in general economic conditions, including interest rates, the level of inflation, unemployment rates, income, home prices, investment values and consumer confidence, could adversely affect us.

Our customers, and therefore our business and revenues, are sensitive to negative changes in general economic conditions, including the demand and availability of affordable credit and capital, the level and volatility of interest rates, the level of inflation, employment levels, consumer confidence, and housing demand, both inside and outside the United States. Demand for our services tends to be correlated to general levels of economic activity and to consumer credit activity, which can be impacted by changes in interest rates and the level of inflation. Banks’ and other lenders’ willingness to extend credit are adversely affected by elevated consumer delinquency and loan losses in a weak economy. Consumer demand for credit (i.e., rates of spending and levels of indebtedness) also tends to grow more slowly or decline during periods of economic contraction or slow economic growth.

Our customer base generally suffers when financial markets experience volatility, illiquidity and disruption, and the potential for disruptions going forward presents considerable risks to our business and revenue. Conversely, certain of our businesses, such as our unemployment claims management business within the Workforce Solutions segment, are countercyclical and may experience negative impacts on revenue and operating profit during periods of improving economic conditions or lower unemployment.

We remain in a period of economic uncertainty in the U.S. and the international markets in which we operate, including uncertainty regarding expectations for inflation and interest rates. Our current planning for 2026 assumes that U.S. economic activity, as measured by GDP, will grow at a rate consistent with 2025, and that economic activity in the international markets in which we operate will grow at levels below those experienced in 2025. The direction of global economies, inflation and interest rates has an impact on the demand for our services.

In particular, we expect U.S. mortgage credit activity in 2026 to be below the levels of activity seen in 2025. Any weakening in the U.S. mortgage market resulting in a significant reduction in mortgage originations could have a corresponding negative impact on revenue and operating profit for our business, primarily within the Workforce Solutions and USIS operating segments. To the extent inflation results in higher interest rates and has other adverse effects upon the securities markets and upon the value of financial instruments, it may adversely affect our financial position and profitability.

Our markets are highly competitive.

We operate in a number of geographic, product and service markets that are highly competitive. Competitors may develop products and services that are superior to or that achieve greater market adoption than our products and services. New or existing competitors may choose to introduce new products or business models or enter and compete in markets that we serve where they do not currently serve.

The size of our competitors varies across market segments, as do the resources we have allocated to the segments we target. Therefore, some of our competitors may have significantly greater financial, technical, marketing or other resources than we do in one or more of our market segments, or overall. As a result, our competitors may be in a position to respond more quickly than we can to new or emerging technologies and changes in customer requirements, or may devote greater resources than we can to the development, enhancement, promotion, sale and support of products and services, or some of our customers may develop products of their own that replace the products they currently purchase from us, which would result in lower revenue. In addition, many of our competitors have extensive customer relationships, including relationships with our current and potential customers.

We also license our information to competing firms, and license information from certain of our competitors, in order to sell “tri-bureau” and other products, most notably into the U.S. mortgage market. Changes in prices between competitors for

this information and/or regulatory changes that impact the use of the tri-bureau credit report in the U.S. mortgage market may affect our revenue or profitability.

Some of our competitors sell products that compete with ours at lower prices by accepting lower margins and profitability, or may be able to sell products competitive to ours at lower prices, individually or as a part of integrated suites, given proprietary ownership of data, technological superiority or economies of scale. Price reductions by our competitors could negatively impact our revenue and operating margins and results of operations and could also harm our ability to obtain new customers on favorable terms. Historically, certain of our key products have experienced declines in per unit pricing due to competitive factors and customer demand. If we are unable to respond quickly enough to changes in competition or customer demand, we could experience reductions in our operating margins.

We have long-standing relationships with a number of our customers and business partners, many of whom could unilaterally terminate their relationship with us or materially reduce the amount of business they conduct with us at any time. Many of our material customer agreements can be terminated by the customer for convenience on limited advance written notice, which provides our customers with the opportunity to renegotiate their contracts with us or to award more business to our competitors.

In addition, a significant portion of our revenue is derived from products and services that incorporate intellectual property licensed from key business partners. Our existing license agreements have fixed terms and are subject to periodic renewal. If these agreements expire or are not renewed on acceptable terms that allow us to continue to sell these products and services as currently provided, our customers could reduce their business with us in order to obtain these products and services from our competitors or directly from our business partners, which could have a material adverse effect on our business, financial condition and results of operations.

There is no guarantee that we will be able to retain or renew existing agreements, maintain relationships with any of our customers or business partners on acceptable terms or at all, or collect amounts owed to us from insolvent customers or business partners.

We generally sell our products and services in industries that are characterized by rapid technological changes, including the introduction of new innovative technologies and analytical capabilities, frequent new product and service introductions and changing industry standards. In addition, certain of the markets in which we operate are seasonal and cyclical. The success of our products and services will depend on several factors, including our ability to: (i) properly identify and respond to customer needs; (ii) innovate and develop new technology and analytical capabilities, including advanced artificial intelligence-based capabilities; (iii) successfully commercialize new products and services in a timely manner; (iv) produce and distribute our products and services in sufficient volumes on time; (v) differentiate our offerings from competitor offerings; (vi) price our products competitively; (vii) anticipate our competitors’ development of new products, services or technological and analytical innovations, including artificial intelligence-based innovations; (viii) control product quality in our product development process; and (ix) provide adequate support for our products and services. Our resources have to be committed to any new products and services before knowing whether the market will adopt the new offerings. Recently, we have accelerated our introduction of new products and services, which may increase pressure on our existing operational processes and increase the risks stated above.

We may face risks associated with our use of certain artificial intelligence and machine learning models and systems.

We use artificial intelligence and machine learning models in the development of some of our products and artificial intelligence systems to support the deployment of new applications and to improve the efficiency of our business operations. For new products, the models that we use are developed or trained using various data sets. If the models are incorrectly designed, if the data we use to train them is incomplete, inadequate or biased in some way, if we do not have sufficient rights to use the data on which our models rely, or if we do not have the ability to explain the output, the performance of our products

and business, as well as our reputation, could suffer or we could incur liability through the violation of laws, third-party privacy or other rights, or contracts to which we are a party.

We continuously invest in new technologies. As we implement new technology that includes artificial intelligence, we may introduce incremental risks in our environment if these technologies are incorrectly configured or implemented, if the data we use to prompt them is incomplete, inadequate or biased in some way, or if the outputs are not sufficiently reviewed for reliability and validity. In addition, our investments in new technology, including artificial intelligence technology, may not yield the return on investment we anticipate and have a negative impact on our operating margins.

Our use of artificial intelligence could lead to new or enhanced governmental or regulatory scrutiny, litigation or other legal liability, concerns about ethical use and privacy, negative consumer and customer impacts, and negative perceptions of artificial intelligence generally, all of which could adversely affect our business, reputation or financial results. In particular, our use of artificial intelligence in credit decisioning could lead to enhanced scrutiny.

The demand for some of our products and services may be negatively impacted to the extent the availability of free or less expensive consumer information increases.

Public or commercial sources of free or relatively inexpensive consumer credit, credit score and other information have become increasingly available, including sources that utilize artificial intelligence or machine learning, and this trend is expected to continue. Free sources of consumer employment and income information, such as paystubs, have always existed and could impact demand for our products and services in the event that customers determine such data is sufficient to meet their needs. In addition, governmental agencies in particular have increased the amount of information to which they provide free public access and these or other sources of free or relatively inexpensive consumer information from competitors or other commercial sources may reduce demand for our services. To the extent that our customers choose not to obtain services from us and instead rely on information obtained at no cost or relatively inexpensively from these other sources, our business, financial condition and results of operations may be adversely affected.

We rely, in part, on acquisitions, joint ventures and other alliances to grow our business and expand our geographic reach. The acquisition, integration or divestiture of businesses by us may not produce the expected financial or operating results or IT and data security profile we expect. In addition, if we are unable to make acquisitions or successfully develop and maintain joint ventures and other alliances, our growth may be adversely impacted.

Historically, we have relied, in part, on acquisitions, joint ventures and other alliances to grow our business. We may have difficulty assimilating new businesses and their products, services, technologies, IT systems and personnel into our operations. We may also have difficulty integrating and operating businesses in geographies and markets or market segments where we do not currently have a significant presence, and acquisitions of businesses having a significant presence outside of the U.S. will increase our exposure to risks of conducting operations in international markets. These difficulties could disrupt our ongoing business, distract our management and workforce, increase our expenses and adversely affect our operating results and financial condition.

Despite our past experience, opportunities to grow our business through acquisitions, joint ventures and other alliances may not be available to us in the future.

If our government contracts are terminated, if we are suspended from government work, or if our ability to compete for new contracts is adversely affected, our business could suffer.

We derive a meaningful portion of our revenue from direct and indirect sales to U.S. federal, state and local governments, as well as foreign governments, and their respective agencies. Such contracts are subject to various procurement laws and regulations, and contract provisions relating to their formation, administration and performance.

Furthermore, our government contracts are funded through federal and state budgeting processes, which may be subject to political, tax revenue and other external factors. Budget shortfalls or changing priorities may cause legislatures to fail to appropriate sufficient funds to fulfill our government contracts from year to year. The U.S. federal government has taken steps to reduce spending on vendor contracts, which could negatively impact the continuation, renewal or negotiation of our contracts with the federal government. Congress has also enacted legislation to reform government benefit programs which may impact contracting with federal and state government agencies.

Our business has been and may continue to be negatively impacted by health epidemics, pandemics and similar outbreaks.

We face various risks related to health epidemics, pandemics and similar outbreaks.

Our reputation and/or business could be negatively impacted by stakeholder responses to our responsible business priorities and commitments and our reporting of such matters.

Over the past several years, regulators, investors, customers, employees and other stakeholders have focused on various sustainability-related matters, including environmental, social and governance ("ESG") matters, both in the U.S. and internationally. In response to stakeholder feedback, we communicate certain information regarding our responsible business priorities, including initiatives, goals and commitments related to data security and privacy, climate, inclusion and diversity, employee engagement and community investments, in our public disclosures. These initiatives, goals and commitments could be difficult to achieve and costly to implement. For example, we have announced our commitments to reduce our greenhouse gas emissions, the achievement of which relies, in large part, on the accuracy of our estimates and assumptions around the availability and cost of renewable energy sources and technologies, the availability of suppliers that can meet our sustainability and other standards, and other factors. In addition, we could be criticized for the timing, scope or nature of these initiatives, goals and commitments, or for any revisions to them.

More recently, an “anti-ESG” sentiment has developed in the U.S. among certain activists, institutions and governments, and we may face scrutiny, reputational risk, lawsuits or market access restrictions from these parties regarding our responsible business priorities, initiatives, goals and commitments. To the extent that we continue to make disclosures about responsible business priorities, initiatives, goals and commitments, we could be criticized for such matters, which could negatively impact our reputation or otherwise materially harm our business.

Operational Risks

Our use of cloud-based and other technologies that are outsourced to third parties could expose us to operational disruptions.

We rely on the efficient and uninterrupted operation of complex information technology systems and networks, some of which are managed internally within the Company and some of which are outsourced to third parties. Our information technology applications and systems consist primarily of outsourced, cloud-based infrastructure, platforms and software-as-a-service solutions not under our direct management or control. Any disruption to either the outsourced systems or the communication links between us and the outsourced supplier could negatively affect our ability to operate our data systems and could impair our ability to provide services to our customers. We may incur additional costs to remedy the damages caused by these disruptions.

Our customers' decisioning may be adversely affected if we provide inaccurate or unreliable data, which could adversely affect our financial condition, cause loss of customer trust and contribute to non-compliance with certain laws and regulations.

Data accuracy is an essential component of data quality and is the foundation of our business model. Accurate data increases predictive ability and improves confidence in decisions for our customers. Any future data accuracy issues could have a material adverse effect on our business or results of operations, including through the incurrence of additional costs or the loss of customers and harm to our reputation.

Our customers expect high system availability and response time performance, as well as a very high degree of system resilience. We depend on reliable, stable, efficient and uninterrupted operation of our technology network, systems and data centers to provide service to our customers. Many of the services and systems upon which we rely have been outsourced to third parties. In addition, many of our revenue streams are dependent on links to third party telecommunications providers. These systems and operations, and the personnel that support, service and operate these systems, could be exposed to interruption, damage or destruction from power loss, telecommunication failures, computer viruses, denial-of-service or other cyber attacks, employee or insider malfeasance, human error, fire, natural disasters, war, terrorist acts or civil unrest. We may not have sufficient disaster recovery or redundant operations in place to cover a loss or failure of systems or telecommunications links in a timely manner, which may be exacerbated by any delays in obtaining equipment due to supply chain or other impacts.

Dependence on outsourcing certain portions of our operations may adversely affect our ability to bring products to market and damage our reputation. Dependence on outsourced information technology and other administrative functions may impair our ability to operate effectively.

We have outsourced various components of our application development, information technology, operational support and administrative functions and will continue to evaluate additional outsourcing. If our outsourcing vendors fail to perform their obligations in a timely manner or at satisfactory quality levels including with respect to data and system security, or increase prices for their services to unreasonable levels, our ability to bring products to market and support our customers and our reputation could suffer. Any failure to perform on the part of these third-party providers could impair our ability to operate effectively and could result in lower future revenue, unrealized efficiencies and adversely impact our results of operations and our financial condition. Some of our outsourcing takes place in countries outside the U.S. and, as a result, may be subject to political and geopolitical uncertainty. Insourcing, or transitioning to domestic U.S.-based outsourcing vendors, could cause us to incur significant costs, result in unrealized efficiencies and adversely impact our results of operations and our financial condition.

Our business will suffer if we are not able to retain and hire key personnel.

Our future success depends partly on the continued service of our key development, sales, marketing, executive and administrative personnel. If we fail to retain and hire a sufficient number of these personnel, we will not be able to maintain or expand our business. Hiring, on-boarding training, motivating, retaining and managing employees with the skills required is time-consuming and expensive. There is intense competition for certain highly technical specialties in geographic areas where we continue to recruit, and it may become more difficult to retain our key employees.

Global Operational Risks

Economic, political and other risks associated with international sales and operations could adversely affect our results of operations.

Sales outside the U.S. comprised 23% of our total revenue in 2025. As a result, our business is subject to various risks associated with doing business internationally and these risks may differ in each jurisdiction where we operate. In addition, many of our employees, suppliers, job functions and facilities are located outside the U.S. Accordingly, our future results could be harmed by a variety of factors including:

•changes in specific country or region political, economic or other conditions;

•trade protection measures;

•data privacy, consumer protection and artificial intelligence laws and regulations;

•antitrust and competition laws;

•difficulty in staffing and managing widespread operations;

•differing labor, intellectual property protection and technology standards and regulations;

•business licensing requirements or other requirements relating to making foreign direct investments, which could increase our cost of doing business in certain jurisdictions, prevent us from entering certain markets, increase our operating costs or lead to penalties or restrictions;

•difficulties associated with repatriating cash generated or held abroad in a tax-efficient manner;

•implementation of exchange controls;

•geopolitical instability, including terrorism and war and international conflict;

•foreign currency changes;

•increased travel, infrastructure, legal and compliance costs of multiple international locations;

•foreign laws and regulatory requirements;

•terrorist activity, natural disasters, pandemics and other catastrophic events;

•restrictions on the import and export of technologies;

•difficulties in enforcing contracts and collecting accounts receivable;

•longer payment cycles;

•failure to meet quality standards for outsourced work;

•unfavorable tax rules or rulings;

•the presence and acceptance of varying levels of business corruption in international markets; and

•varying business practices in foreign countries.

We earn revenue, pay expenses, own assets and incur liabilities in countries using currencies other than the U.S. dollar, including among others, the British pound, the Australian dollar, the Canadian dollar, the Argentine peso, the Chilean peso, the Euro, the New Zealand dollar, the Costa Rican colon, the Singapore dollar, the Brazilian real and the Indian rupee. Because our consolidated financial statements are presented in U.S. dollars, we must translate revenue, income and expenses, as well as assets and liabilities, into U.S. dollars at exchange rates in effect during or at the end of each reporting period. Therefore, increases or decreases in the value of the U.S. dollar against major currencies will affect our operating revenues, operating income and the value of balance sheet items denominated in foreign currencies. We generally do not mitigate the risks associated with fluctuating exchange rates, although we may from time to time through forward contracts or other derivative instruments hedge a portion of our translational foreign currency exposure or exchange rate risks associated with material transactions which are denominated in a foreign currency. The use of such hedging activities may not offset any or more than a

portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Accordingly, fluctuations in foreign currency exchange rates, particularly the strengthening of the U.S. dollar against major currencies, may materially affect our consolidated financial results.

The establishment of tariffs, changes in tax policy or other restrictions on commerce or business operations by the U.S. or other countries in which we have operations could increase our costs or limit our access to certain technology or services.

Compliance with applicable U.S. and foreign laws and regulations, such as anti-corruption laws, tax laws, foreign exchange controls and restrictions on repatriation of earnings or other similar restraints, data privacy requirements, operational resilience requirements, sustainability reporting, labor laws and anti-competition regulations increases the cost of doing business in foreign jurisdictions. Although we have implemented policies and procedures to comply with these laws and regulations, a violation by our employees, contractors or agents could nevertheless occur.

Legal and Regulatory Risks

As part of a global settlement, we entered into agreements with various parties to settle the U.S. Consumer MDL Litigation and certain federal and state government investigations arising out of a material cybersecurity incident in 2017. If we are unable to comply with our obligations under these agreements, it could have a material adverse effect on our financial condition.

In July 2019, the Company entered into multiple agreements that resolved the U.S. consolidated consumer class action cases, captioned In re: Equifax, Inc. Customer Data Security Breach Litigation, MDL No. 2800 (Consumer Cases), and the investigations of the FTC, the CFPB, the Attorneys General of 48 states, the District of Columbia and Puerto Rico and the NYDFS (collectively, the “Consumer Settlement”) relating to a material cybersecurity incident in 2017. The Consumer Settlement became effective on January 11, 2022.

As part of the Consumer Settlement, we agreed to implement certain business practice commitments related to consumer assistance and our information security program, including third party assessments of our program. These business practice commitments are extensive and require a significant amount of attention from management. To the extent we are unable to comply or we are viewed as not being in compliance with these business practice commitments or other requirements of a relevant order, we could face an enforcement action or contempt proceeding that could potentially result in fines, penalties and new business practice commitments, which, depending on the amount and type, could have a material adverse effect on our financial condition.

We and our customers are subject to various current laws and governmental regulations, and could be affected by new and evolving laws and regulations, including those related to consumer privacy and protection, cybersecurity and artificial intelligence. Compliance with these laws and regulations may cause us to incur significant expenses and change our business practices, and if we fail to maintain satisfactory compliance with certain laws and regulations, we could be subject to civil or criminal penalties.

As a data, analytics and technology company and consumer reporting agency, we are subject to a number of U.S. federal, state, local and foreign laws and regulations relating to consumer financial protection, data protection, data privacy, artificial intelligence and cybersecurity. See “Item 1. Business—Governmental Regulation” in this Form 10-K for a summary of the U.S. and foreign consumer and data protection laws and regulations to which we are subject. These regulations are complex, change frequently, have tended to become more stringent over time, and are subject to administrative interpretation and judicial construction in ways that could harm our business. In addition, new laws and regulations are enacted frequently, such as amendments to the FCRA, cybersecurity and other requirements promulgated by the FTC, the NYDFS and the SEC, and data privacy and artificial intelligence laws in several U.S. states and foreign countries.

There are laws and regulatory requirements in the U.S. and abroad that govern the operations of consumer reporting agencies and the collection, use, accuracy, correction and sharing of personal data. Any future changes in laws or regulations that impose additional requirements on our operations or restrict our use of data could have a material adverse effect on our business.

In addition, there are laws and legislative proposals in the U.S. and abroad concerning privacy, cybersecurity and artificial intelligence that have implications for our business. For example, the Canadian and Australian governments have initiated reviews of their consumer privacy laws, and several U.S. states have introduced varying comprehensive privacy laws modeled to some degree on the CCPA and/or the GDPR. More recently, regulators and legislators have been increasingly focused on the use of algorithms, artificial intelligence and machine learning in business processes. Multiple jurisdictions, including the EU and several U.S. states, have adopted comprehensive oversight laws related to the development and use of

artificial intelligence and additional countries and U.S. states are expected to enact comprehensive artificial intelligence regulatory framework statutes.

In the U.S., state laws provide for disparate notification regimes, all of which we are subject to. Further, any perception that our practices or products are an invasion of privacy, whether or not consistent with current or future regulations and industry practices, may subject us to public criticism, private class actions, reputational harm, or claims by regulators, which could disrupt our business and expose us to increased liability.

In the future, we may be subject to significant additional expenses related to compliance with applicable laws and regulations, including new laws and evolving interpretations that have varying requirements and/or are difficult to predict, and to the investigation, defense or remedy of actual or alleged violations. Additionally, we cooperate with U.S. federal and state supervisory examinations and respond to other state, federal and foreign government examinations of, or inquiries into, our business practices.

Any failure by us to comply with, or remedy any violations of, applicable laws and regulations could result in new costs for our operations, the curtailment of certain of our operations, the imposition of fines and penalties, liability to private plaintiffs as a result of individual or class action litigation, restrictions on the operation of our business and reputational harm. It is difficult to predict the impact on our business if we were subject to allegations of having violated existing laws. For example, in Europe, the GDPR, which includes extensive regulations for certain security incidents, could result in fines of up to 4% of annual worldwide “turnover” (a measure similar to revenues in the U.S.). In addition, because many of our products are regulated or sold to customers in various industries, we must comply with additional regulations in marketing our products. Moreover, our compliance with privacy laws and regulations and our reputation depend in part on suppliers’ or customers’ adherence to privacy laws and regulations and their use of our services in ways consistent with consumer expectations and regulatory requirements. Additionally, we may not succeed in adapting our products to changes in the regulatory environment in an efficient, cost-effective manner. We cannot predict the ultimate impact on our business of new or proposed rules, supervisory examinations or government investigations or enforcement actions.

The CFPB has supervisory authority over our U.S. business and supporting operations and may initiate enforcement actions with regard to our compliance with federal consumer financial laws.

The CFPB, which was established under the Dodd-Frank Act and commenced operations in July 2011, has broad authority over our business. This includes authority to issue regulations under federal consumer financial protection laws, such as under the FCRA and other laws applicable to us and our financial customers. The CFPB is authorized to prevent “unfair, deceptive or abusive acts or practices” through its regulatory, supervisory and enforcement authority.

In these proceedings, the CFPB can seek relief that includes: rescission or reformation of contracts, restitution, disgorgement of profits, payment of damages, limits on activities and civil money penalties of up to $1.0 million per day for known violations. The CFPB has in the past, and may in the future, initiate enforcement actions against us with regard to our compliance with federal consumer financial protection laws. Actions by the CFPB against us can result, and have in the past resulted, in monetary penalties and requirements to alter or cease offering affected products and services, making them less attractive and restricting our ability to offer them.

Although we have committed resources to enhancing our compliance programs, actions by the CFPB or other regulators against us could result in financial or reputational harm.

Regulatory oversight of our contractual relationships with certain of our customers may adversely affect our business.

This guidance requires more rigorous oversight of third-party relationships that involve certain “critical activities.” In light of this guidance, our existing or potential bank and financial services customers subject to this guidance may continue to revise their third-party risk management policies and processes and the terms on which they do business with us, which may adversely affect our relationships with such customers and/or increase our expenses in servicing such customers.

We are regularly involved in claims, suits, government investigations, enforcement actions and other proceedings that may result in adverse outcomes.

We are regularly involved in claims, suits, government investigations, enforcement actions and regulatory proceedings arising from the ordinary course of our business, including actions with respect to consumer protection and data protection, including purported class action lawsuits. Such claims, suits, government investigations and proceedings are inherently uncertain and their results cannot be predicted with certainty. Regardless of their outcome, such legal proceedings can have an adverse impact on us because of legal costs, diversion of management and other personnel, and other factors. In addition, it is possible that a resolution of one or more such proceedings could result in reputational harm, liability, penalties or sanctions, as well as judgments, consent decrees or orders preventing us from offering certain features, functionalities, products or services, or requiring a change in our business practices, products or technologies, which could in the future materially and adversely affect our business, operating results, and financial condition. The FCRA contains an attorney fee shifting provision that provides an incentive for consumers to bring individual and class action lawsuits against a consumer reporting agency for violation of the FCRA, and the number of consumer lawsuits (both individual and class action) against us alleging a violation of the FCRA and our resulting costs associated with resolving these lawsuits have increased substantially over the past several years.

Third parties may claim that we are infringing on their intellectual property and we could suffer significant litigation or licensing expenses or be prevented from selling products or services.

There is substantial litigation, both in the U.S. and more recently the Unified Patent Court in Europe, regarding intellectual property rights in the information technology industry. From time to time, third parties may make claims that one or more of our products or services infringe their intellectual property rights. We analyze and take action in response to each such claim on a case-by-case basis. A dispute or litigation regarding patents or other intellectual property can be costly and time-consuming due to the complexity of our technology and the inherent uncertainty of intellectual property litigation, could divert our management and key personnel from our business operations, and we may not prevail. A claim of intellectual property infringement could force us to enter into a costly or restrictive license agreement, which might not be available under acceptable terms or at all, or could subject us to significant damages or to an injunction against development and sale of certain of our products or services. Although our policy is to obtain licenses or other rights where necessary, we cannot provide assurance that we have obtained all required licenses or rights.

Third parties may misappropriate or infringe our intellectual property and we may suffer competitive injury or expend significant resources enforcing our rights.

Our success increasingly depends on our proprietary technology and its ability to differentiate us from our competitors. We rely on various intellectual property rights, including patents, copyrights, database rights, trademarks and trade secrets, as well as contract restrictions, confidentiality provisions and licensing arrangements, to establish and protect our proprietary rights. Our pending patent and trademark applications may not be allowed at all, may be granted with claims that are not advantageous, or competitors may challenge the validity or scope of our

intellectual property rights. Despite our efforts to protect our intellectual property rights, others may independently develop similar products, duplicate our products or design around our intellectual property rights.

In addition, it is difficult to monitor compliance with, and enforce, our intellectual property rights on a worldwide basis in a cost-effective manner. We may need to devote significant resources to monitoring our intellectual property rights and we may or may not be able to detect misappropriation or infringement by third parties, which may harm our competitive position. In some circumstances, enforcement may not be available to us because a third party has a dominant intellectual property position or for other business reasons.

Financial Market Risks

A downgrade in our credit ratings could increase our cost of borrowing under our credit facilities and have an adverse effect on our ability to access the capital markets.

Credit ratings reflect an independent agency’s judgment on the likelihood that a borrower will repay a debt obligation at maturity. The ratings reflect many considerations, such as the nature of the borrower’s industry and its competitive position, the size of the company, its liquidity and access to capital and the sensitivity of a company’s cash flows to changes in the economy. A security rating is not a recommendation to buy, sell or hold securities and may be changed or withdrawn at any time by the assigning rating agency.

If our credit ratings were to decline to lower levels, we could experience increases in the interest cost for any new debt. In addition, the market’s demand for, and thus our ability to readily issue, new debt could become further affected by the economic and credit market environment.

We have significant retirement and post-retirement pension plan assets and obligations. The performance of the financial markets and interest rates impact our plan expenses, expected returns, and funding obligations. Significant decreases in interest rates, decreases in the fair value of plan assets and investment losses on plan assets will increase our funding obligations, and adversely impact our results of operations and cash flows.

UNRESOLVED STAFF COMMENTS

None.

ITEM 1C. CYBERSECURITY

Risk Management and Strategy

Equifax has invested significantly to develop and maintain an information security program with processes, technology and controls to protect the information, systems and resources of the Company. We have a global Security team that operates under the leadership of our Chief Information Security Officer (“CISO”), including approximately 450 cybersecurity professionals. The key elements of our information security program, including our cybersecurity risk management strategy, are described below.

Security Controls Framework

Equifax has implemented a unified security and privacy controls framework as our primary mechanism to establish strategic priorities related to cybersecurity, assess cybersecurity risk across the enterprise, comply with regulatory requirements and

enhance security program maturity. Our unified security and privacy controls framework is based upon the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) and Privacy Framework (NIST PF).

Cybersecurity Incident Detection and Response Process

Our information security program is based on five key functions as set forth in the NIST CSF: (i) identify; (ii) protect; (iii) detect; (iv) respond; and (v) recover. As part of that program, we maintain an incident detection and response process that is designed to ensure we appropriately identify, investigate, respond to, and recover from, cybersecurity incidents in order to protect our information, systems and resources. As part of our process, we maintain operational plans for incident response and recovery activities. We regularly review our incident response process and conduct multiple incident response exercises each year, including sessions with management, to test and assess our preparedness to respond to a cybersecurity incident.

As part of our incident detection and response process, we have established internal teams to investigate and escalate notification of cybersecurity incidents. We track incidents through resolution, conduct post-incident analysis and update our processes and procedures if areas for improvement are identified.

To inform our incident detection and response process, our cyber intelligence operations team regularly performs exercises to simulate real threat scenarios that would be carried out by a perpetrator by utilizing the actual tools and methodologies that would be deployed in such an attack (so called “red team” activities).

Risk Management

•Cybersecurity Incorporated into Enterprise Risk Management Program. We have implemented an enterprise risk management (“ERM”) program that operates under the leadership of our Chief Risk, Privacy and Compliance Officer. Each business unit and corporate support unit has primary responsibility for assessing and mitigating risks within its respective areas of responsibility, and the ERM team is responsible for oversight and reporting to management and the Board.

Under our ERM program, we conduct an annual enterprise risk assessment, which produces an enterprise risk scorecard. Cybersecurity is one of nine primary risk categories identified within the scorecard. The cybersecurity risk rating is based on a detailed enterprise security risk assessment performed by the Security team. The enterprise risk scorecard is reviewed with management and the Board of Directors on an annual basis.

•Security Risk Assessment. The Security team performs an annual enterprise security risk assessment of the information security program that is provided to management, the Board of Directors and other relevant parties. The security risk assessment provides a detailed understanding of the information security program in order to inform decisions and support risk response. The security risk assessment process evaluates the program’s control domains through various analyses and testing methods to determine the overall level of risk present within the environment over the period evaluated. The risk assessment identifies risks and considers observations from multiple business process- and system-level assessments.

We leverage NIST guidance to inform our process for conducting the security risk assessment. The risk management program and processes can be described in four steps: (i) frame risk; (ii) assess risk; (iii) respond to risk; and (iv) monitor risk.

•Third Party Risk Management. We have a governance process in place to oversee our third-party vendors who have access to our network or who hold or store personal information on our behalf (“risk vendors”). Our risk vendor contracts contain provisions requiring our suppliers to maintain a program that meets our information security standards. We periodically assess risk vendor compliance with our information security program requirements. One such requirement is the obligation that our risk vendors must notify Equifax within a designated time period upon identifying certain cybersecurity events.

•M&A Due Diligence and Integration Process. Our Security team has implemented a due diligence and integration process for entities we acquire through mergers and acquisitions (“M&A”). This process is designed to protect our information systems, align acquired entities with our security controls, and comply with applicable legal and

regulatory requirements, without interrupting critical business processes. Our M&A security integration status is reported regularly to management and the Technology Committee and annually to the Board of Directors.

•Employee Training and Awareness. In order to help bolster our cybersecurity defenses and mitigate the risk presented by insider or employee cyber and security threats, Equifax has incorporated employee training into our security program. On an annual basis, all employees are required to complete mandatory security training. In addition, each Equifax employee receives training customized to his or her role or function, and has visibility into his or her individual security performance. We continually measure and assess key employee behaviors, including secure browsing and sensitive data handling. In order to promote a Company-wide focus on data security and reinforce overall security program goals, Equifax includes an individual security performance measure as one of the metrics used to evaluate the performance of all bonus-eligible employees under our annual incentive compensation program.

•Cybersecurity Insurance. We maintain cybersecurity insurance under our errors and omissions/professional liability policy, which provides coverage for certain costs related to cybersecurity incidents.

Review and Assessment of Information Security Program

We conduct regular audits of our information security program, including third party assessments and review by our internal audit department.

•Third Party Assessments of Security Program Maturity. Equifax has a formal process in place to annually assess our security program maturity, which is a measure of our ability to adapt to cyber threats and manage risk over time. Under the oversight of the Technology Committee of the Board of Directors, Equifax engages a third party research and advisory firm to conduct an annual analysis of the maturity of our security program and identify potential initiatives to enhance maturity. On an annual basis, the Technology Committee reviews the results of this analysis with management, including a review of Company performance against relevant benchmarks.

•Controls Testing. Equifax has a formal process in place to periodically assess the effectiveness of controls in our security controls framework. These controls assessments are performed by the Security team. Results are regularly reported to management and the Technology Committee and annually to the Board of Directors.

•Internal Audit Review. Our internal audit department is responsible for providing the Audit and Technology Committees and management with an independent assessment and assurance regarding the design and effectiveness of the risk management framework related to cybersecurity. As part of the assessment of our cybersecurity program, the internal audit department has a “red team” that regularly performs testing to simulate real threat scenarios that would be carried out by a perpetrator. On a quarterly basis, our head of Internal Audit provides an update to management and the Audit and Technology Committees of the Board on audit activities pursuant to the IT and security portions of the internal audit plan. Our head of Internal Audit reviews the IT and security audit reports issued, including a summary of IT and security audit findings by inherent risk and residual risk rating.

Cybersecurity Risks to our Business

As a global data, analytics and technology company, our products and services involve the storage and transmission of personal information of consumers. As a result, we are routinely the target of attempted cyber and other security threats presented by outside third parties, as well as security threats presented by employees and other insiders.

In 2017, we experienced a material cybersecurity incident following a criminal attack on our systems that involved the theft of personal information of U.S., Canadian and U.K. consumers. If we experience additional significant compromises of our security measures, including from incidents that we fail to detect for a period of time, sensitive data may be accessed, stolen, disclosed, altered or lost. Any such access, disclosure, alteration or other loss of information could subject us to significant litigation, regulatory fines or penalties, any of which could have a material adverse effect on our cash flows, competitive position, financial condition or results of operations.

Cybersecurity incidents, and the adverse publicity that may follow, can have a negative impact on our reputation and our relationship with our customers. For example, our reputation with consumers and other stakeholders and our customer relationships were damaged following the cybersecurity incident in 2017, resulting in a negative impact on our revenue for a period of time. If we experience another material cybersecurity incident or are otherwise unable to demonstrate the security of our systems and the data we maintain and retain the trust of our customers, consumers and data suppliers, we could experience a substantial negative impact on our business.

For additional information related to the cybersecurity-related risks relevant to our business, see “Risk Factors—Technology and Data Security Risks—Security breaches and other disruptions to our information technology infrastructure could compromise Company, consumer and customer information, interfere with our operations, cause us to incur significant costs for remediation and enhancement of our IT systems and expose us to legal liability, all of which could have a substantial negative impact on our business and reputation” in Part I, Item 1A. of this annual report on Form 10-K.

Governance

Board Oversight of Cybersecurity Risk

The Equifax Board of Directors monitors our “tone at the top” and risk culture and oversees principal risks facing the Company. On an annual basis, the Board reviews an enterprise risk assessment prepared by management that describes the principal risks and monitors the steps management is taking to map and mitigate these risks. The Board then sets the general level of risk appropriate for the Company through business strategy reviews. Risks are assessed throughout the business, focusing on nine primary risk categories, including cybersecurity.

In addition, the Audit and Technology Committees of the Board coordinate on risk management oversight with respect to cybersecurity, including through quarterly joint meetings that cover the following topics:

•Regular reports from the internal audit department regarding the security and technology portions of the internal audit plan

•Regular reports from our CISO and CTO regarding the cybersecurity control environment, including remediation updates, control posture analyses and other recurring items

The Technology Committee of the Board oversees our information security program, including:

•Reviewing with management our technology investments and infrastructure associated with risk management, including policies relating to information security, disaster recovery and business continuity

•Receiving quarterly reports directly from our CISO, including updates on our enterprise cybersecurity threat level

•Overseeing the engagement of outside advisors to review our cybersecurity program

•Reviewing the results of our annual information security program maturity assessment performed by a third party

•Reviewing the results of our annual security program risk assessment prepared by management

The Audit Committee of the Board discusses with management our risk management policies and procedures, including:

•Receiving regular quarterly reports from our Chief Risk, Privacy and Compliance Officer regarding our global privacy, risk management and compliance programs, which includes the results of second line testing of our security controls

Management Oversight of Cybersecurity Risk

Our information security program is managed through implementation, monitoring and continuous improvement of the security program with active participation of management as described below.

•Senior Leadership Team. The SLT supports the management of the information security program through proper resource allocation and decision-making involving high risk issues. The SLT has overall managerial responsibility for confirming that the information security program functions in a manner that meets the needs of Equifax.

•Chief Information Security Officer. Equifax has a CISO who oversees our information security program, with responsibility for (i) oversight of the global Security team, (ii) the design, implementation and execution of the program, (iii) the assessment and management of material risks from cybersecurity threats, (iv) ensuring that the program is strategically aligned to our business strategy and (v) reporting on the effectiveness of the program to the SLT and the Board of Directors. Prior to joining Equifax, our CISO served in a management role at a leading global cybersecurity firm, where he led hundreds of cyber engagements for Fortune 100 and 500 companies with a focus on mitigating emerging threats, scaling security operations through automation and AI and enhancing cyber resilience.

•Global Security Team. The Equifax global Security team is responsible for supporting the CISO in the execution of the information security program to meet the program’s objectives. The Security team is directly responsible for the day to day program activities such as planning, implementation, monitoring and reporting on operational capabilities.

•Chief Technology Officer. Our CTO partners with our CISO to help ensure the effective execution of our information security program. Our CTO served in the role of CISO from 2018 until his appointment as CTO in 2025. He has more than two decades of experience in cybersecurity-related roles, including serving as CISO at other large, multinational companies.

Recently Filed

Click on a ticker to see risk factors

Ticker *	File Date
IRTC	an hour ago
GCMG	an hour ago
ED	an hour ago
IAUX	an hour ago
LNC	an hour ago
TSCO	an hour ago
MSTR	an hour ago
GH	an hour ago
MIR	an hour ago
CSGS	an hour ago
LKQ	an hour ago
DTM	an hour ago
BG	an hour ago
THRM	an hour ago
SEM	an hour ago
TVTX	an hour ago
KALU	an hour ago
LYV	an hour ago
FTI	an hour ago
MS	an hour ago
ICUI	an hour ago
ET	2 hours ago
BNL	2 hours ago
OWL	2 hours ago
BTU	2 hours ago
EFX	2 hours ago
PTCT	2 hours ago
RPD	2 hours ago
MET	2 hours ago
IEX	2 hours ago
CNDT	2 hours ago
SPSC	2 hours ago
CYH	2 hours ago
SLM	2 hours ago
STT	2 hours ago
WSC	2 hours ago
NPO	2 hours ago
FFBC	2 hours ago
SUNC	2 hours ago
FDP	2 hours ago
SUN	2 hours ago
UDMY	2 hours ago
OPEN	2 hours ago
MSEX	2 hours ago
ULS	2 hours ago
GATX	2 hours ago
RMAX	2 hours ago
CTO	2 hours ago
GLPI	2 hours ago
AIZ	2 hours ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - EFX

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - EFX

-New additions in green-Changes in blue-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing