Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.
View risk factors by ticker
Search filings by term
Risk Factors - MA
-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing
ITEM 1A. RISK FACTORS
As a technology company in the global payments industry entrusted with the safeguarding of sensitive information (including personal information), cybersecurity risk management is an integral part of our overall enterprise risk management program . A robust program to protect our network from cyber and information security threats is critical to managing risk effectively. Our network and platforms incorporate multiple layers of protection, providing greater resiliency and security protection. Our programs are assessed by third parties and incorporate benchmarking and other data from peer companies and consultants. We engage in many efforts to mitigate information security challenges, including maintaining an information security program, an enterprise resilience program and insurance coverage, as well as regularly testing our systems to address potential vulnerabilities. We work with experts across the organization (as well as through other sources such as public-private partnerships) to monitor and respond quickly to a range of cyber and physical threats, including threats and incidents associated with the use of services provided by third-party providers. Our cybersecurity program provides (among other things) a framework for handling cybersecurity threats and incidents, which includes steps for identifying the nature of a cybersecurity threat (including whether the threat is associated with a third-party provider), assessing the severity of a cybersecurity threat (including advancing to key members of management where appropriate for determination of potential materiality) and implementing cybersecurity processes and procedures.
In order to be appointed to one of the roles described above, we require expertise with cybersecurity or data privacy (as applicable), as demonstrated by prior work or other cybersecurity or data privacy experience or possession of a cybersecurity or data privacy degree or certification. Each individual currently serving in these roles meets the applicable expertise requirements.
Our management is responsible for identifying, considering and assessing material cybersecurity risks on an ongoing basis, establishing processes to ensure that such potential cybersecurity risks are monitored, implementing appropriate mitigation measures and maintaining our cybersecurity programs. Our cybersecurity programs are under the direction of our CSO (in coordination with our Chief Privacy and Data Responsibility Officer and Chief Data Officer, among others), who receives reports from our cybersecurity teams and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents. Our management, including the CSO and our cybersecurity teams, follow a risk-based escalation process to notify the Risk Committee outside of the regular reporting cycle as appropriate when they identify an emerging risk or material issue. Given the importance of information security and privacy to our stakeholders, our Board receives an annual report from our CSO to discuss our program for managing information security risks, including cyber and data security risks. The Risk Committee also receives periodic briefings on data privacy from the Chief Privacy and Data Responsibility Officer. Our Risk Committee receives regular reports on our cyber readiness, our risk profile status, our cybersecurity programs, material cybersecurity risks and mitigation strategies, third-party assessments of our cybersecurity program and other cybersecurity developments. The Risk Committee Chairperson provides reports to the Board on such topics. Our Board and the Risk Committee also receive information about these topics as part of regular business, legal and regulatory updates. In addition, we engage directors as part of cybersecurity and data breach incident simulations.
Item 1A. Risk factors
Legal and Regulatory
Payments Industry Regulation
Global regulatory and legislative activity related to the payments industry may have a material adverse impact on our overall business and results of operations.
Central banks and similar regulatory bodies have increasingly established or further expanded their authority over certain aspects of payments systems such as ours, including obligations or restrictions with respect to the types of products and services that we may offer, the countries in which our products and services may be used, the way we structure and operate our business and the types of consumers and merchants who can obtain or accept our products or services. Although we maintain a enterprise resiliency program to analyze risk, assess potential impacts, and develop effective response strategies, we cannot ensure that our business would be immune to these risks, because of the intrinsic importance of our switching systems to our business, any interruption or degradation could adversely affect the perception of the reliability of products carrying our brands and materially adversely affect our overall business and our results of operations. Similarly, jurisdictions that regulate a particular product may consider extending their jurisdiction to other products. For example, debit regulations could lead to regulation of credit products. Moreover, several jurisdictions are demonstrating increased interest about the network fees we charge to our customers (in some cases as part of broader market reviews of retail payments), which could in the future lead to regulation relating to our network fees. In several jurisdictions, we have been designated as a “systemically important payment system”, with other regulators considering similar designations. This type of regulation and oversight is related to switching activities, and includes policies, procedures and requirements related to risk management, collateral, participant default, timely switching of financial transactions, and capital and financial resources. Parts of our business have also been deemed as a “specified service provider” or considered “critical infrastructure”. The impact to our business created by any new law, regulation or designation is magnified by the potential it has to be replicated in, or conflict with, other jurisdictions, or involve other products within any particular jurisdiction. As a result, the risks to our business created by any one new law or regulation are magnified by the potential it has to be replicated in other jurisdictions or involve other products within any particular jurisdiction.
Our strategic expansion of our products and services has also created the need for us to obtain new types and increasing numbers of regulatory licenses, resulting in increased supervision and additional compliance burdens distinct from those imposed on our payment network activities. For example, certain of our subsidiaries maintain money transfer licenses that typically impose supervisory and examination requirements, as well as capital, safeguarding, risk management and other business obligations.
Increased regulation and oversight of payments systems, as well as increased exposure to regulation resulting from changes to our products and services, have resulted and may continue to result in significant compliance and governance burdens or otherwise increase our costs. As a result, customers could be less willing to participate in our payments system and/or use our other products or services, reduce the benefits offered in connection with the use of our products (making our products less desirable to consumers), reduce the volume of domestic and cross-border transactions or other operational metrics, disintermediate us, impact our profitability and/or limit our ability to innovate or offer differentiated products and services, all of which could materially and adversely impact our financial performance. As a result, issuers and acquirers could be less willing to participate in our payments system, reduce the benefits offered in connection with the use of our products (making our products less desirable to consumers), reduce the volume of domestic and cross-border transactions or other operational metrics, disintermediate us, impact our profitability and limit our ability to innovate or offer differentiated products and services, all of which could materially and adversely impact our financial performance. In addition, any regulation that is enacted related to the type and level of network fees we charge our customers could also materially and adversely impact our results of operations. In addition, any regulation that is enacted related to the type and level of network fees we charge our customers could also materially and adversely 20 MASTERCARD 2020 FORM 10-KPART IITEM 1A. Regulators could also require us to obtain prior approval for changes to our system rules, procedures or operations, or could require customization with regard to such
MASTERCARD 2025 FORM 10-K 27
PART I
ITEM 1A. RISK FACTORS
changes, which could negatively impact us. Moreover, failure to comply with the laws and regulations to which we are subject could result in fines, sanctions, civil damages or other penalties, which could materially and adversely affect our overall business and results of operations, as well as have an impact on our brand and reputation.
Increased activity with respect to interchange rates could have an adverse impact on our business.
Interchange rates are a significant component of the costs that merchants pay in connection with the acceptance of products associated with our payment network.Interchange rates are a significant component of the costs that merchants pay in connection with the acceptance of our products. Although we do not earn revenues from interchange, interchange rates can impact the volume of transactions we see on our payment products. If interchange rates are too high, merchants may stop accepting our products or route transactions away from our network. If interchange rates are too low, issuers may stop promoting our products and services, eliminate or reduce loyalty rewards programs or other account holder benefits (e. If interchange rates are too low, issuers may stop promoting our integrated products and services, eliminate or reduce loyalty rewards programs or other account holder benefits (e. g., free checking or low interest rates on balances), or charge fees to account holders (e.g., annual fees or late payment fees).
Governments and merchant groups in a number of countries have implemented or are seeking interchange rate reductions through legislation, regulation and litigation.Governments and merchant groups in a number of countries have implemented or are seeking interchange rate reductions through legislation, competition law, central bank regulation and litigation. See “Business - Government Regulation” in Part I, Item 1 and Note 19 (Legal and Regulatory Proceedings) to the consolidated financial statements included in Part II, Item 8 for more details.
If issuers cannot collect or we are required to reduce interchange rates, issuers may be less willing to participate in our four-party payments system. Alternatively, they may reduce the benefits associated with our products, choose to charge higher fees to consumers to attempt to recoup a portion of the costs incurred for their services, or seek a fee reduction from us to decrease the expense of their payment programs (particularly if regulation has a disproportionate impact on us as compared to our competitors in terms of the fees we can charge). These and other impacts could make our products less desirable to consumers, limit our ability to innovate or offer differentiated products, and/or make proprietary three-party networks or other forms of payment more attractive, ultimately reducing the volume of transactions over our network and our profitability.
We are devoting substantial resources to defending our right to establish interchange rates in regulatory proceedings, litigation and legislative activity. The potential outcome of any of these activities could have a more positive or negative impact on us relative to our competitors. If we are ultimately unsuccessful in defending our ability to establish interchange rates, any resulting legislation, regulation and/or litigation may have a material adverse impact on our overall business and results of operations. In addition, regulatory proceedings and litigation could result (and in some cases has resulted) in us being fined and/or having to pay civil damages, the amount of which could be material.
Limitations on our ability to restrict merchant surcharging could materially and adversely impact our results of operations.
We have historically implemented policies, referred to as no-surcharge rules, in certain jurisdictions, including the U.S. and Canada, that prohibit merchants from charging higher prices to consumers who pay using our products instead of other means. Authorities in several jurisdictions have acted to end or limit the application of these no-surcharge rules (or indicated interest in doing so). Additionally, our no-surcharge rules now permit U.S. and Canadian merchants to surcharge credit cards (subject to certain limitations). If, over time, an increased number of merchants choose to surcharge as permitted, this could result in consumers viewing our products less favorably and/or using alternative means of payment. These responses could result in a decrease in our overall transaction volumes, which in turn could materially and adversely impact our results of operations.
Preferential or Protective Government Actions
Preferential or protective government actions related to domestic payment services could adversely affect our ability to maintain or increase our revenues.
Governments in some countries have acted, or in the future may act, to provide resources, preferential treatment or other protection to selected national or domestic payment and switching providers, or have created, or may in the future create, their own national provider.Governments in some countries have acted, or in the future may act, to provide resources, preferential treatment or other protection to selected national payment and switching providers, or have created, or may in the future create, their own national provider. These actions may displace us from, prevent us from entering into, or substantially restrict us from participating in, particular geographies, and may prevent us from competing effectively against those providers. This action may displace us from, prevent us from entering into, or substantially restrict us from participating in, particular geographies, and may prevent us from competing effectively against those providers. For example:
•Governments in some countries have implemented, or may implement, regulatory requirements that mandate switching of domestic payments either entirely in that country or by only domestic companies.
•Some jurisdictions have implemented, or are considering implementing, requirements to collect, store and/or process data within their borders, as well as prohibitions on the transfer of data abroad, leading to technological and operational implications as well as increased compliance burdens and other costs.
•Geopolitical events and any resulting OFAC sanctions, adverse trade policies, enforcement of U.S. laws related to countering the financing of terrorism, economic sanctions and anti-corruption, or other types of government actions could lead affected or other jurisdictions to take actions in response that could adversely affect our business. Moreover, because of various concerns jurisdictions may have with respect to our business, including any decisions we may make relating to entering or exiting a
28 MASTERCARD 2025 FORM 10-K
PART I
ITEM 1A. RISK FACTORS
particular market, such jurisdictions may decide to begin to or increase their focus on growing local payment networks and other solutions.
•Regional groups of countries are considering, or may consider, efforts to restrict our switching of regional transactions.
•Governments have been increasingly creating and expanding local payments structures, which are increasingly being considered as alternatives to traditional domestic payment solutions and schemes such as ours.
Such developments prevent us from utilizing our global switching capabilities for domestic or regional customers. In addition, to the extent a jurisdiction determines us not to be in compliance with regulatory requirements (including those related to data localization), we have been, and may again in the future be, subject to resource and time pressures in order to come back into compliance. Our inability to effect change in, or work with, these jurisdictions could adversely affect our ability to maintain or increase our revenues and extend our global brand.
Additionally, some jurisdictions have implemented, or may implement, foreign ownership restrictions, which could potentially have the effect of forcing or inducing the transfer of our technology and proprietary information as a condition of access to their markets. Such restrictions could adversely impact our ability to compete in these markets.
Privacy, Data, AI and Information Security
Regulation and enforcement of privacy, data, AI, information security and the digital economy could increase our costs and lead to legal claims and fines, as well as negatively impact our growth and reputation.
We are subject to increasingly complex, fragmented, overlapping and/or divergent laws and regulations related to privacy and data protection, data use and governance, AI and information security (including with respect to cybersecurity and cyber-risk) in the jurisdictions in which we do business. New or updated laws and regulations have led, and may continue to lead, to similar, stricter or at times conflicting requirements, creating an uncertain regulatory environment. For example, some jurisdictions have implemented or are otherwise considering requirements to collect, store and/or process data within their borders, as well as prohibitions on the transfer of and access to data abroad, leading to technological and operational implications. Additionally, some jurisdictions have implemented, or may implement, foreign ownership restrictions, which could potentially have the effect of forcing or inducing the transfer of our technology and proprietary information as a condition of access to their markets. Other jurisdictions have adopted or are otherwise considering adopting sector-specific regulations for the payments industry and other industries in which we participate, including forced data sharing requirements or additional verification requirements. Other jurisdictions are considering adopting sector-specific regulations for the payments industry, including forced data sharing requirements or additional verification requirements that overlap or conflict with, or diverge from, general privacy rules. With respect to information security, any single breach could require parallel notifications to data protection authorities, cyber authorities and/or law-enforcement, often requiring different thresholds, reporting deadlines and formats. In addition, laws and regulations on AI, data governance and credit decisioning may overlap or conflict with, or diverge from, general privacy rules. Overall, these myriad laws and regulations may require us to modify or limit our data processing practices and policies, incur substantial compliance-related costs and expenses, and otherwise suffer adverse impacts on our business. Failure to comply with any of these laws, regulations and requirements (including as a result of conflicting regulations) could result in fines, sanctions or other enforcement actions or penalties (both civil and criminal), which could materially and adversely affect our results of operations and overall business, as well as have an impact on our reputation.
As a user and deployer of AI technology, we are also subject to increasing and evolving laws and regulations related to AI governance, including the EU AI Act, and new applications of existing laws and regulations to AI. How our use and deployment of AI will be regulated is still developing as policymakers around the world consider how to regulate AI, and uncertainty remains as to how AI technology or its application (such as in agentic commerce) will continue to advance. In addition, the use of AI creates or amplifies risks that are challenging to fully prevent or mitigate. In particular, AI algorithms may generate inaccurate, unintended, unfair, biased or discriminatory outcomes (which may not be easily detectable or explainable) and may inadvertently disclose confidential information and/or breach intellectual property, privacy or other rights. Our implementation of robust AI governance and risk management frameworks, designed to ensure our responsible use of AI and help us to comply with emerging laws and regulations, may not be sufficient protection against these emerging risks.
Further, as we acquire new companies and develop integrated and personalized products and services to meet the needs of a changing marketplace, we have expanded and may further expand our data profile through additional data types and sources, across multiple channels, and involving new partners. This expansion has amplified and may continue to amplify the impact of these various laws and regulations on our business or subject us to new laws and regulations. For example, as a provider of global threat intelligence services through Recorded Future, we are subject to increased exposure to certain laws and regulations, including global cybercrime and other laws and regulations in various jurisdictions. As a result, we are required to constantly monitor our data practices and potentially change them when necessary or appropriate. We also need to provide increased care in our data management, governance, quality and accuracy practices, particularly as it relates to the use of data in products leveraging AI.
New requirements and rules, or changing interpretations of existing requirements in these areas, or the development of new regulatory schemes related to the digital economy in general, may also increase our costs and/or restrict our ability to leverage data or use AI for innovation.New requirements or interpretations of existing requirements in these areas, or the development of new regulatory schemes related to the digital economy in general, may also increase our costs and/or restrict our ability to leverage data for innovation. This could impact the products and services we offer and other aspects of our business, such as fraud
MASTERCARD 2025 FORM 10-K 29
PART I
ITEM 1A. RISK FACTORS
monitoring, the need for improved data management, governance, quality and accuracy practices, the development of information-based products and solutions, and technology operations. In addition, these requirements may increase the costs to our customers of issuing payment products or using information products, which may, in turn, decrease the number of our products that they offer. In addition, these requirements may increase the costs to our customers of issuing payment products, which may, in turn, decrease the number of our payment products that they issue. While we intend to comply with all regulatory requirements, innovate responsibly and deploy Privacy by Design, Data by Design and AI Governance approaches to all of our product development, the speed and pace of changes in laws (as well as stakeholder interests) may not allow us to meet rapidly evolving regulatory and stakeholder expectations. Any of these developments could materially and adversely affect our overall business and results of operations.
Other Regulation
Regulations that directly or indirectly apply to Mastercard as a result of our participation in the global payments industry may materially and adversely affect our overall business and results of operations.
We are subject to regulations that affect the payments industry in the many jurisdictions in which our products and services are used. Many of our customers are also subject to regulations applicable to banks and other financial institutions that, at times, consequently affect us. Such regulation has increased significantly in the last several years (as described in “Business - Government Regulation” in Part I, Item 1). Examples include:
•Anti-Money Laundering, Countering the Financing of Terrorism, Economic Sanctions and Anti-Corruption. We are subject to AML and CFT laws and regulations globally. Economic sanctions programs administered by OFAC restrict financial transactions and other dealings with certain countries and geographies, and persons and entities. We are also subject to anti-corruption laws and regulations globally, which, among other things, generally prohibit giving or offering payments or anything of value for the purpose of improperly influencing a business decision or to gain an unfair business advantage.
•Account-based Payments Systems. In the U.K., aspects of our Vocalink business are subject to the U.K. payment system oversight regime and are directly overseen by the Bank of England.
•Issuer and Acquirer Practices Legislation and Regulation. Certain regulations or legislation that do or could impact our issuers and acquirers (such as caps on issuer interest rates) may impact various aspects of our business. Additionally, strong authentication requirements within the EU’s Payment Services Directive in the EEA could increase the number of transactions consumers abandon if we are unable to secure a frictionless authentication experience under these standards. Such an increase could adversely impact our volumes or other operational metrics.
Increased regulatory focus on us has resulted and may continue to result in significant compliance and governance burdens or otherwise increase our costs.Increased regulatory focus on us, such as in connection with the matters discussed above, may result in costly compliance burdens and/or may otherwise increase our costs. Similarly, increased regulatory focus on our customers and other stakeholders may cause them to reduce the volume of transactions processed through our systems, or may otherwise impact the competitiveness of our products. Similarly, increased regulatory focus on our customers may cause such customers to reduce the volume of transactions processed through our systems, or may otherwise impact the competitiveness of our products. Actions by regulators could influence other organizations around the world to enact or consider adopting similar measures, amplifying any potential compliance burden. Additionally, our compliance with new economic sanctions and related laws with respect to particular jurisdictions or customers could result in a loss of business, which could be significant. Moreover, while our risk-based compliance program obligates issuers and acquirers to comply with U.S., EU and local sanctions programs (among other obligations), the failure of those issuers and acquirers to identify potential non-compliance issues either during or after their customer onboarding processes could ultimately impact our compliance with economic sanctions and related laws. Finally, failure to comply with the laws and regulations discussed above to which we are subject could result in fines, sanctions or other penalties. In particular, a violation and subsequent judgment or settlement against us, or those with whom we may be associated, under economic sanctions and AML, CFT, and anti-corruption laws could subject us to substantial monetary penalties, damages, and/or have a significant reputational impact. Each instance may individually or collectively materially and adversely affect our financial performance and/or our overall business and results of operations, as well as have an impact on our reputation. Each instance may individually or collectively materially and adversely affect our financial performance and/or our overall business and results of operations, as well as have an impact on our reputation.
We could be subject to adverse changes in tax laws, regulations and interpretations or challenges to our tax positions.
We are subject to tax laws and regulations of the U.S. federal, state and local governments as well as various non-U.S. jurisdictions. Current and potential future changes in existing tax laws, including regulatory guidance, are continuously being considered and have been or may be enacted (such as guidelines issued by the Organization for Economic Co-operation and Development (OECD) which impact how multinational enterprises are taxed on their global profits). These changes have and in the future may continue to have an impact on our effective income tax rate and tax payments. Similarly, changes in tax laws and regulations that impact our customers and counterparties, or the economy generally, have impacted and may continue to impact us. Similarly, changes in tax laws and regulations that impact our customers and counterparties or the economy generally may also impact our financial condition and results of operations.
In addition, tax laws and regulations are complex and subject to varying interpretations, and any significant failure to comply with applicable tax laws and regulations in all relevant jurisdictions could give rise to substantial penalties and liabilities. Jurisdictions around the globe have also increased tax-related audits, which require time and resources to resolve.
30 MASTERCARD 2025 FORM 10-K
PART I
ITEM 1A. RISK FACTORS
Any changes in enacted tax laws, rules, regulatory or judicial interpretations or guidance; any adverse outcome in connection with tax audits in any jurisdiction; or any changes in the pronouncements relating to accounting for income taxes could materially and adversely impact our effective income tax rate, tax payments, financial condition and results of operations.
Litigation
Liabilities or business limitations resulting from litigation could materially and adversely affect our results of operations.
We are a defendant in a number of civil litigations and regulatory proceedings and investigations, including among others, those alleging violations of competition and antitrust law and those involving intellectual property claims (as described in Note 19 (Legal and Regulatory Proceedings) to the consolidated financial statements included in Part II, Item 8).We are a defendant on a number of civil litigations and regulatory proceedings and investigations, including among others, those alleging violations of competition and antitrust law and those involving intellectual property claims. In the event we are found liable in any material litigations or proceedings (particularly in a large class-action lawsuit or on the basis of an antitrust claim entitling the plaintiff to treble damages or under which we were jointly and severally liable), we could be subject to significant damages, which could have a material adverse impact on our overall business and results of operations. In the event we are found liable in any material litigations or proceedings, particularly in the event we may be found liable in a large class-action lawsuit or on the basis of an antitrust claim entitling the plaintiff to treble damages or under which we were jointly and severally liable, we could be subject to significant damages, which could have a material adverse impact on our overall business and results of operations.
Certain limitations have been placed on our business because of litigation and litigation settlements, such as changes to our no-surcharge rule in the U.S. and Canada. Any future limitations resulting from the outcomes of any litigation and litigation settlements (such as the Rules Relief Class settlement as described in Note 19 (Legal and Regulatory Proceedings) to the consolidated financial statements included in Part II, Item 8) or regulatory proceeding, including any changes to our rules or business practices, could impact our relationships with our customers, including reducing the volume of business that we do with them, which may materially and adversely affect our overall business and results of operations.
Business and Operations
Competition and Technology
Substantial and intense competition worldwide in the global payments industry may materially and adversely affect our overall business and results of operations.
The global payments industry is highly competitive. Our payment programs compete against competitors both within and outside of the global payments industry and compete in all payment categories, including paper-based payments and all forms of electronic payments. We compete against general purpose payments networks, debit and local networks, ACH and real-time account-based payments systems, digital wallets and other fintechs (focused on online activity across various channels and processing payments using in-house capabilities), digital public infrastructure and other government-backed solutions and digital currencies. We also face competition from companies that provide alternatives to our services and other solutions.
Our traditional competitors may have substantially greater financial and other resources than we have, may offer a wider range of programs, services, and payment capabilities than we offer or may use more effective advertising and marketing strategies to achieve broader brand recognition and merchant acceptance than we have. They may also introduce their own innovative programs, services and capabilities that adversely impact our growth. Our competitors may also introduce their own innovative programs and services that adversely impact our growth.
Certain of our competitors to our payment network operate three-party payments systems with direct connections to both merchants and consumers, potentially providing competitive advantages. If we continue to attract more regulatory scrutiny than these competitors because we operate a four-party system, or we are regulated because of the system we operate in a way in which our competitors are not, we could lose business to these competitors. See “Business - Competition” in Part I, Item 1.
Certain of our competitors have developed alternative, e-commerce and/or mobile device payments systems, as well as physical store locations. A number of these competitors rely principally on technology to support their services that provides cost advantages, and as a result may benefit from lower costs than we do. A number of these new entrants rely principally on the Internet to support their services and may enjoy lower costs than we do, which could put us at a competitive disadvantage. Many of these competitors are also able to use existing payment networks without being subject to many of the associated costs. Moreover, these competitors also occupy various roles in the payments ecosystem that enable them to influence payment choice of other participants. With respect to government-backed solutions, including those involving DPI, government participation in structures could prevent us from entering into, or substantially restrict us from participating in, particular geographies. Any of these factors could put us at a competitive disadvantage.
Our ability to compete may also be affected by regulatory and legislative initiatives, as well as the outcomes of litigation, competition-related regulatory proceedings and both central bank and legislative activity.
If we are not able to differentiate ourselves from our competitors, drive value for our customers and/or effectively align our resources with our goals and objectives, we may not be able to compete effectively against these threats. Our failure to compete effectively against any of the foregoing threats could materially and adversely affect our overall business and results of operations.Our failure to compete effectively against any of the foregoing competitive threats could materially and adversely affect our overall business and results of operations.
MASTERCARD 2025 FORM 10-K 31
PART I
ITEM 1A. RISK FACTORS
Disintermediation from stakeholders both within and outside of the payments value chain could harm our business.
As the payments industry continues to develop and change, we face disintermediation and related risks, including the following:
•Parties that process our transactions in certain countries (such as merchants and third-party payment processors) may try to eliminate our position as an intermediary in the payment process by switching transactions directly with issuers or processing transactions directly between issuers and acquirers.
•Payments industry participants may develop their own products and services to support our switched transaction and payments offerings, forcing us to change our pricing or practices for our own offerings in order to compete. Participants may also withhold rights to data we use to power our solutions in order to support their own potential future solutions, potentially impacting the effectiveness of our solutions. In addition, governments may promote their own national or international payments platforms, potentially putting us at a competitive disadvantage in those markets, or requiring us to compete differently. Moreover, as central banks experiment with CBDCs, policies and design considerations that governments adopt could impact the extent of our role in facilitating CBDC-based payment transactions, potentially impacting the transactions that we may process over our network.
•Payments industry participants continue to invest in and develop alternative capabilities, such as account-based payments, which could facilitate P2M transactions that compete with both our payment network and our additional payments capabilities.
•Fintechs and technology companies could develop platforms or networks that disintermediate us from digital payments as well as develop products or services that compete with our customers and could diminish demand for our products and services. In addition, we face a heightened risk that data we share with these companies as part of our products and services could be used in a way that could put us at a competitive disadvantage.
•Payments industry participants may merge, create joint ventures or form other business combinations that may strengthen their existing business services, leverage other business models to create a competitive edge over us or create new payment products and services that compete with our products and services.
•Regulation may disintermediate issuers by enabling third-party providers opportunities to route payment transactions toward their own forms of payment by offering account information or payment initiation services directly to our product users. Such regulation may also provide these processors with the opportunity to commoditize the data that are included in the transactions they are servicing. Disintermediation of our customers’ business could diminish demand for our products and services.
Our failure to compete effectively against any of the foregoing competitive threats could materially and adversely affect our overall business and results of operations.
Continued intense pricing pressure may materially and adversely affect our overall business and results of operations.
In order to increase transaction volumes, enter new markets and expand our products and services, we seek to enter into business agreements with customers through which we offer incentives, pricing discounts and other support that promote our products.In order to increase transaction volumes, enter new markets and expand our Mastercard-branded cards and enabled products and services, we seek to enter into business agreements with customers through which we offer incentives, pricing discounts and other support that promote our products. In order to stay competitive, we may have to increase the amount of these incentives and pricing discounts so as to meet customer demand for better pricing arrangements and greater rebates and incentives. In order to stay competitive, we may have to increase the amount of these incentives and pricing discounts. As a result, we may not be able to grow our volume and/or services to the extent necessary to compensate for the additional costs related to these increased incentives and pricing discounts. In addition, increased pressure on prices increases the importance of cost containment and productivity initiatives in areas other than those relating to customer incentives.
In the future, we may not be able to enter into agreements with our customers if they require terms that we are unable or unwilling to offer, and we may be required to modify existing agreements in order to maintain relationships and compete with others in the industry. Some of our competitors are larger with greater financial resources and accordingly may be able to charge lower prices. Some of our competitors are larger and have greater financial resources than we do and accordingly may be able to charge lower prices to our customers. In addition, to the extent that we offer discounts or incentives under such agreements, we will need to further increase transaction volumes or the amount of services provided in order to benefit from such agreements and to increase revenue and profit, and we may not be successful in doing so, particularly in the current regulatory environment. In addition, to the extent that we offer discounts or incentives under such agreements, we will need to further increase transaction volumes or the amount of services provided thereunder in order to benefit incrementally from such agreements and to increase revenue and profit, and we may not be successful in doing so, particularly in the current regulatory environment. Our customers also may implement cost reduction initiatives that reduce or eliminate payment product marketing or increase requests for greater incentives or greater cost stability. In addition to decisions made by competitors and customers, we also face pressure from pricing regulation and litigation.
Additionally, we face pricing pressure related to real-time account-based payment schemes. These pressures impact both domestic pricing (such as the increased use of schemes that offer increasingly lower or subsidized P2M pricing) and cross-border pricing (including from both competing schemes and global initiatives to lower the cost of cross-border payments to end users).
Any of these factors could have a material adverse impact on our overall business and results of operations.
32 MASTERCARD 2025 FORM 10-K
PART I
ITEM 1A. RISK FACTORS
Rapid and significant technological developments and changes could negatively impact our overall business and results of operations or limit our future growth.
The payments industry is subject to rapid and significant technological changes, including new technologies and changes to existing technologies (such as digital assets and blockchain, AI, machine learning, privacy enhancement and cybersecurity). These changes could result in new technologies that may be superior to, or render obsolete, the technologies we currently use in our programs and services. They may also result in new and innovative payment methods, products and services.
Additionally, there are a number of factors relating to technology change that could impact us. These include: the inability of third parties on which we rely for the development of and access to new technologies to keep pace with technological changes (including with regard to AI); potential action from third-party patent holders, including notices or inquiries threatening litigation against us or our customers for alleged patent infringement or demanding significant license fees; the scope of, as well as customer and merchant resistance to, industry-wide solutions and standards (such as those related to tokenization or other security technologies); any difficulty we may experience in attracting and retaining employees with technology expertise; and the need to invest resources for new technologies, which could lead to further additional expenses. Any of these developments could impact our ability to develop and adopt new technologies, as well as improve and keep pace with current technologies and reflect such technology in our payments offerings.
Moreover, regulatory or government requirements could continue to require us to host and deliver certain products and services on-soil in certain markets. As a result, we may need to alter our technology and delivery model, potentially resulting in additional expenses and/or other operational impacts.
Our future success will depend, in part, on our ability to anticipate, develop or adapt to technological changes and evolving industry standards. If we fail to sufficiently develop and adopt new technologies, or improve and keep pace with current technologies and reflect such technology in our payments offerings, our payments offerings could be negatively impacted and/or we could be put at a competitive disadvantage. This could impact our ability to compete with new technologies and products, as well as encourage customers that use our technology to enhance and deliver their payment-related products and services (including fintechs and technology companies) to use their own technology to compete against us. These developments could lead to a decline in the use of our technology, products and services, which could have a material adverse impact on our overall business and results of operations.
Operating a real-time account-based payments network presents risks that could materially affect our business.Operating a real-time account-based payment network presents risks that could materially affect our business.
U.K. regulators have designated Vocalink, our real-time account-based payments network platform, to be a “specified service provider” and regulators in other countries may in the future expand their regulatory oversight of real-time account-based payments systems in similar ways. regulators have designated Vocalink, our real-time account-based payment network platform, to be a “specified service provider” and regulators in other countries may in the future expand their regulatory oversight of real-time account-based payment systems in similar ways. Any prolonged service outage on this network could result in quickly escalating impacts, including potential intervention by the Bank of England and significant reputational risk to Vocalink and us. In addition, any prolonged service outage on this network could result in quickly escalating impacts, including potential intervention by the Bank of England and significant reputational risk to Vocalink and us. For a discussion of related regulatory risks, see our risk factor in “Risk Factors - Payments Industry Regulation” in this Part I, Item 1A. Furthermore, the complexity of this payment technology requires careful management to address information security vulnerabilities that are different from those faced on our payment network. Furthermore, the complexity of this payment technology requires careful management to address security vulnerabilities that are different from those faced on our core network. Operational difficulties, such as the temporary unavailability of our services or products, or information security breaches on our real-time account-based payments network could cause a loss of business for these products and services, result in potential liability for us and adversely affect our reputation. Operational difficulties, such as the temporary unavailability of our services or products, or security breaches on our real-time account-based payment network could cause a loss of business for these products and services, result in potential liability for us and adversely affect our reputation.
Working with new customers and end users as we continue to expand our products and services can present operational and onboarding challenges, be costly and result in reputational damage if the new products or services do not perform as intended.Working with new customers and end users as we expand our integrated products and services can present operational and onboarding challenges, be costly and result in reputational damage if the new products or services do not perform as intended.
The payments markets in which we compete are characterized by rapid technological change, new product introductions, evolving industry standards and changing customer and consumer needs. In order to remain competitive and meet the needs of the payments markets, we are continually involved in developing and implementing complex multi-rail solutions and diversifying our products and services. These efforts carry the risks associated with any diversification initiative, including cost overruns, delays in delivery and performance problems. These projects also carry risks associated with working with different types of customers (such as corporations that are not financial institutions, non-governmental organizations (NGOs) and new end users). These projects also carry risks associated with working with different types of customers, for example organizations such as corporations that are not financial institutions and non-governmental organizations (“NGOs”), and end users other than those we have traditionally worked with. These differences may present new operational challenges, such as enhanced infrastructure and monitoring for less regulated customers. These differences may present new operational challenges in the development and implementation of our new products or services.
Our failure to effectively design and deliver these products and services could make our other offerings less desirable to these customers, or put us at a competitive disadvantage.Our failure to deliver these integrated products and services could make our other integrated products and services less desirable to customers, or put us at a competitive disadvantage. In addition, if there is a delay in the implementation of our products or services (which could include compliance obligations, such as AML and CFT, and licensing requirements for applicable products and services), if our products or services do not perform as anticipated, or we are unable to otherwise adequately anticipate risks related to new types of customers, we could face additional regulatory scrutiny, fines, sanctions or other penalties, which could materially and adversely affect our overall business and results of operations, as well as negatively impact our brand and reputation. In addition, if there is a delay in the implementation of our products or services or if our products or services do not perform as anticipated, or we are unable to adequately anticipate risks related to new types of customers, we could face additional regulatory scrutiny, fines, sanctions or other penalties, which could materially and adversely affect our overall business and results of operations, as well as negatively impact our brand and reputation.
MASTERCARD 2025 FORM 10-K 33
PART I
ITEM 1A. RISK FACTORS
Information Security and Operational Resilience
Information security incidents or account data compromise events could disrupt our business, damage our reputation, increase our costs and cause losses.
Information security risks for payments and technology companies such as ours have significantly increased in recent years in part because of the proliferation of new technologies (including AI), the use of the Internet and telecommunications technologies to conduct financial transactions, and the increased sophistication and activities of organized crime, hackers, “hacktivists”, terrorists, nation-states, state-sponsored actors and other external parties.Information security risks for payments and technology companies such as ours have significantly increased in recent years in part because of the proliferation of new technologies, the use of the Internet and telecommunications technologies to conduct financial transactions, and the increased sophistication and activities of organized crime, hackers, terrorists and other external parties. These threats may derive from fraud or malice on the part of our employees or third parties, or may result from human error, software bugs, server malfunctions, software or hardware failure or other technological failure. These threats may derive from fraud or malice on the part of our employees or third parties, or may result from human error or accidental technological failure. These threats include cyber-attacks such as computer viruses, denial-of-service attacks, malicious code (including ransomware), social-engineering attacks (including phishing attacks) or information security breaches and could lead to the misappropriation or loss of consumer account and other information and identity theft. These threats include cyber-attacks such as computer viruses, malicious code, phishing attacks or information security breaches and could lead to the misappropriation of consumer account and other information and identity theft. These types of threats have risen significantly due to a significant portion of our workforce working in a hybrid environment. The widespread use of AI, and its increasing capabilities, is enhancing the frequency and effectiveness of threat actors.
Our operations rely on the secure transmission, storage and other processing of confidential, proprietary, sensitive and personal information and technology in our computer systems and networks, as well as the systems of our third-party providers.Our operations rely on the secure processing, transmission and storage of confidential, proprietary and other information and technology in our computer systems and networks, as well as the systems of our third-party providers. Our customers and other parties in the payments value chain, as well as account holders, rely on our digital technologies, computer systems, software and networks to conduct their operations. In addition, to access our products and services, our customers and account holders increasingly use personal smartphones, tablet PCs and other mobile devices that may be beyond our control. In addition, to access our integrated products and services, our customers and account holders increasingly use personal smartphones, tablet PCs and other mobile devices that may be beyond our control. We, like other financial technology organizations, routinely are subject to cyber-threats and our technologies, systems and networks, as well as the systems of our third-party providers, have been subject to attempted cyber-attacks. Because of our position in the payments value chain, we believe that we are likely to continue to be a target of such threats and attacks. Geopolitical events and resulting government activity could also lead to information security threats and attacks by affected or sympathizing jurisdictions or other actors, which could put our information and assets at risk, as well as result in network disruption. In addition, the current or future listing of Recorded Future as an “undesirable” or “unreliable” entity by certain jurisdictions could further increase our risks in this area.
To date, we have not experienced any material impact relating to cyber-attacks or other information security breaches. To date, we have not experienced any material impact relating to cyber-attacks or other information security breaches. However, future attacks or breaches could lead to security breaches of the networks, systems (including third-party provider systems) or devices that our customers use to access our products and services, which in turn could result in the unauthorized disclosure, release, gathering, monitoring, misuse, loss or destruction of confidential, proprietary, sensitive and personal information (including account data information) or data security compromises. However, future attacks or breaches could lead to security breaches of the networks, systems (including third-party provider systems) or devices that our customers use to access our integrated products and services, which in turn could result in the unauthorized disclosure, release, gathering, monitoring, misuse, loss or destruction of confidential, proprietary and other information (including account data information) or data security compromises. Such attacks or breaches could also cause service interruptions, malfunctions or other failures in the physical infrastructure, networks or operations systems that support our business and customers (such as the lack of availability of our services), as well as the operations of our customers or other third parties. Such attacks or breaches could also cause service interruptions, malfunctions or other failures in the physical infrastructure or operations systems that support our businesses and customers (such as the lack of availability of our value-added services), as well as the operations of our customers or other third parties. In addition, they could lead to damage to our reputation with our customers, other stakeholders and the broader payments ecosystem, additional costs to us (such as repairing systems, adding new personnel or protection technologies or compliance costs), regulatory penalties, financial losses to both us and our customers and partners and the loss of customers and business opportunities. In addition, they could lead to damage to our reputation with our customers and other parties and the market, additional costs to us (such as repairing systems, adding new personnel or protection technologies or compliance costs), regulatory penalties, financial losses to both us and our customers and partners and the loss of customers and business opportunities. These consequences could be further pronounced in jurisdictions in which we are deemed critical national infrastructure. If such attacks are not detected immediately, or disclosed as required by law, their effect could be compounded. If such attacks are not detected immediately, their effect could be compounded.
In addition to information security risks for our systems and networks, we also routinely encounter account data compromise events involving merchants and third-party payment processors that process, store or transmit payment transaction data, which affect millions of Mastercard, Visa, Discover, American Express and other types of account holders.In addition to information security risks for our systems, we also routinely encounter account data compromise events involving merchants and third-party payment processors that process, store or transmit payment transaction data, which affect millions of Mastercard, Visa, Discover, American Express and other types of account holders. Further events of this type may subject us to reputational damage and/or lawsuits involving payment products carrying our brands. Damage to our reputation or brands resulting from an account data breach of our systems and networks or those of our customers, merchants and other third parties could decrease the use and acceptance of our products and services. Damage to our reputation or that of our brands resulting from an account data breach of either our systems or the systems of our customers, merchants and other third parties could decrease the use and acceptance of our integrated products and services. Such events could also slow or reverse the trend toward electronic payments. In addition to reputational concerns, the cumulative impact of multiple account data compromise events could increase the impact of the fraud resulting from such events by, among other things, making it more difficult to identify consumers. Moreover, while most of the lawsuits resulting from account data breaches do not involve direct claims against us and while we have releases from many issuers and acquirers, we could still face damage claims, which, if upheld, could materially and adversely affect our results of operations. While we offer security solutions that are designed to prevent, detect and respond to fraud and cyber-attacks, there can be no assurance that such security solutions will perform as expected or address all possible security threats. Real or perceived defects, failures, errors or vulnerabilities in our security solutions could adversely impact our reputation, customer confidence in our solutions and our business and may subject us to litigation, governmental audits and investigation or other liabilities. Such events could have a material adverse impact on our transaction volumes, results of operations and prospects for future growth, or increase our costs by leading to additional regulatory burdens being imposed on us.
34 MASTERCARD 2025 FORM 10-K
PART I
ITEM 1A. RISK FACTORS
In addition, companies have generally experienced in recent years an increase in fraudulent activity and cyber-attacks, which has been further exacerbated by the increased use of AI. Criminals are using increasingly sophisticated methods to capture consumer personal information to engage in illegal activities such as counterfeiting or other fraud and may see their effectiveness enhanced by the use of AI. Criminals are using increasingly sophisticated methods to capture consumer personal information to engage in illegal activities such as counterfeiting or other fraud. As outsourcing and specialization become common in the payments industry, there are more third parties involved in processing transactions using our payment products. We continue to take measures to make card and digital payments more secure. However, increased fraud levels and cyber-attacks involving our products, services and/or network, or misconduct or negligence by third parties switching or otherwise servicing our products and services could damage our reputation and reduce the use and acceptance of our products and services and/or increase our compliance costs. Further, such occurrences have resulted in and could further result in legislative or regulatory intervention, which could lead to enhanced security requirements and liabilities. See “Risk Factors - Privacy, Data, AI and Information Security” in this Part I, Item 1A for more detail concerning related legal risks and obligations.
Despite various mitigation efforts that we undertake, there can be no assurance that we, or third parties with which we work, will not suffer material breaches and resulting losses in the future. While we maintain insurance coverage, such coverage may not be adequate to protect us from such losses as well as any liabilities or damages with respect to claims alleging compromises of our confidential, proprietary, sensitive or personal information or our technologies, systems or networks. In addition, we cannot be sure that our existing insurance coverage will continue to be available on acceptable terms or at all, or that our insurers will not deny coverage as to any future claim. To the extent our leaders behave in a manner that is not consistent with our values, we could experience significant impact to our brand and reputation, as well as to our corporate culture. Our risk and exposure to these matters remain heightened due to, among other things, the evolving nature of these threats, our prominent role in the global payments ecosystem, our continued implementation of our strategic priorities, our extensive use of third-party vendors and potential vulnerabilities from previous and future acquisitions, strategic investments or related opportunities. As a result, we remain focused on the continued development and enhancement of our controls, processes and practices designed to protect our computer systems, software, data and networks from attack, damage or unauthorized access. As cyber-threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities. Any of the risks described above could materially adversely affect our overall business and results of operations.
Service disruptions that cause us to be unable to process transactions or service our customers could reduce our operational resilience and materially affect our overall business and results of operations.Service disruptions that cause us to be unable to process transactions or service our customers could materially affect our overall business and results of operations.
Our transaction switching systems and other offerings may experience interruptions as a result of technology malfunctions, network degradation, updates and migrations to new technology and platforms, supply-chain attacks, fire, floods, earthquakes, weather events, power outages, telecommunications disruptions, terrorism, workplace violence, accidents or other catastrophic events (including those related to climate change). We have experienced in limited instances, and may continue to experience, some types of these interruptions. Our visibility in the global payments industry may also put us at greater risk of attack by terrorists, activists, or hackers who intend to disrupt our facilities, networks and/or systems. Inadequate infrastructure in lesser-developed markets could also result in service disruptions, which could impact our ability to do business in those markets. Inadequate infrastructure in lesser-developed markets could also result in service disruptions, which could impact our ability to do business in those markets. Additionally, we rely on third-party service providers for the timely transmission of information across our global data network. If one of our service providers fails to provide the communications capacity or services we require, as a result of natural disasters, operational disruptions, cybersecurity-related disruptions or failures, terrorism, hacking or any other reason, the failure could interrupt our services. If one of our service providers fails to provide the communications capacity or services we require, as a result of natural disaster, operational disruptions, terrorism, hacking or any other reason, the failure could interrupt our services. Although we maintain an enterprise resiliency program to analyze risk, assess potential impacts, and develop effective response strategies, we cannot ensure that our business would be immune to these risks. Due to the intrinsic importance of our switching systems to our business, any interruption or degradation could adversely affect the perception of the reliability of products carrying our brands and materially adversely affect our overall business and our results of operations. Operational difficulties, such as the temporary unavailability of our services or products, or security breaches on our real-time account-based payment network could cause a loss of business for these products and services, result in potential liability for us and adversely affect our reputation.
Stakeholder Relationships
Losing a significant portion of business from one or more of our largest customers could lead to significant revenue decreases in the longer term, which could have a material adverse impact on our business and our results of operations.
Many of our customer relationships are not exclusive. Our customers can reassess their future commitments to us subject to the terms of our contracts, and they separately may develop their own services that compete with ours. Our business agreements with these customers may not ultimately reduce the risk (inherent in our business) that customers may terminate their relationships with us in favor of relationships with our competitors, or for other reasons, or might not meet their contractual obligations to us. Accordingly, our business agreements with these customers may not reduce the risk inherent in our business that customers may terminate their relationships with us in favor of relationships with our competitors, or for other reasons, or might not meet their contractual obligations to us.
In addition, a significant portion of our revenue is concentrated among our five largest customers. Loss of business from any of our large customers could have a material adverse impact on our overall business and results of operations.
MASTERCARD 2025 FORM 10-K 35
PART I
ITEM 1A. RISK FACTORS
Exclusive/near exclusive relationships certain customers have with our competitors may have a material adverse impact on our business.
While we have exclusive, or nearly-exclusive, relationships with certain of our customers to issue payment products, other customers have similar exclusive, or nearly-exclusive, relationships with our competitors. These relationships may make it difficult or cost-prohibitive for us to do significant amounts of business with these customers to increase our revenues. In addition, these customers may be more successful and may grow faster than the customers that primarily issue our payment products, which could put us at a competitive disadvantage. Furthermore, we earn substantial revenue from customers with nearly-exclusive relationships with our competitors. Such relationships could provide advantages to the customers to shift business from us to the competitors with which they are principally aligned. A significant loss of our existing revenue or transaction volumes from these customers could have a material adverse impact on our business.
Consolidation amongst our customers could materially and adversely affect our overall business and results of operations.
The industries in which our customers participate have undergone substantial, accelerated consolidation in the past. These consolidations have included customers with a substantial Mastercard portfolio being acquired by institutions with a strong relationship with a competitor. Consolidations have included customers with a substantial Mastercard portfolio being acquired by institutions with a strong relationship with a competitor. Potential future consolidation could occur as a result of bank failures, similar to those that occurred in recent years. If significant consolidation among customers were to continue, it could result in the substantial loss of business for us, which could have a material adverse impact on our business and prospects. In addition, one or more of our customers could seek to merge with, or acquire, one of our competitors, and any such transaction could also have a material adverse impact on our overall business. Consolidation could also produce a smaller number of large customers, which could increase their bargaining power and lead to lower prices and/or more favorable terms for our customers. These developments could materially and adversely affect our results of operations.
Our business significantly depends on the continued success and competitiveness of our issuing and acquiring customers and, in many jurisdictions, their ability to effectively manage or help manage our brands.
While we work directly with many stakeholders in the payments system (including merchants, governments, fintechs and large digital companies and other technology companies), we are, and will continue to be, significantly dependent on our relationships with our issuers and acquirers and their respective relationships with account holders and merchants to support our programs and services. Furthermore, we depend on our issuing partners and acquirers to continue to innovate to maintain competitiveness in the market. We do not issue cards or other payment devices, extend credit to account holders or determine the interest rates or other fees charged to account holders. Each issuer determines these and most other competitive payment program features. In addition, we do not establish the discount rate that merchants are charged for acceptance, which is the responsibility of our acquiring customers. As a result, our business significantly depends on the continued success and competitiveness of our issuing and acquiring customers and the strength of our relationships with them. In turn, our customers’ success depends on a variety of factors over which we have little or no influence, including economic conditions in global financial markets or their disintermediation by competitors or emerging technologies, as well as regulation. If our customers become financially unstable, we may lose revenue or we may be exposed to settlement risk. See “Risk Factors - Settlement and Third-Party Obligations” in this Part I, Item 1A with respect to how we guarantee certain third-party obligations.
We switch a high percentage of domestic (or in-country) transactions conducted using cards with our brands. However, there are several jurisdictions in which domestic transactions are switched by our customers or other processors. Because we do not provide domestic switching services in these countries or have direct relationships with account holders, we depend on our close working relationships with our customers to effectively manage our brands, and the perception of our payments system, among consumers in these countries. Because we do not provide domestic switching services in these countries and do not, as described above, have direct relationships with account holders, we depend on our close working relationships with our customers to effectively manage our brands, and the perception of our payments system, among consumers in these countries. We also rely on these customers to help manage our brands and perception among regulators and merchants in these countries, alongside our own relationships with them. From time to time, our customers may take actions that we do not believe to be in the best interests of our payments system overall, which may materially and adversely impact our business.
Merchants’ continued focus on acceptance costs may lead to additional litigation and regulatory proceedings and/or increase our incentive program costs, which could materially and adversely affect our profitability.Merchants’ continued focus on acceptance costs may lead to additional litigation and regulatory proceedings and increase our incentive program costs, which could materially and adversely affect our profitability.
Merchants are important constituents in our payments system. We rely on both our relationships with them, as well as their relationships with our issuer and acquirer customers, to continue to expand the acceptance of our products and services. We also work with merchants to help them enable new sales channels, create better purchase experiences, improve efficiencies, increase revenues and fight fraud. In the retail industry, we believe a set of larger merchants with increasingly global scope and influence are having a significant impact on all participants in the global payments industry, including Mastercard. Some large merchants have supported the legal, regulatory and legislative challenges to interchange fees that Mastercard has been defending, including the U.S. merchant litigations. Some merchants are increasingly asking regulators to review and potentially regulate our own network fees, in addition to interchange. See “Risk Factors – Payments Industry Regulation” in this Part I, Item 1A. The continued focus of merchants on the costs of accepting various forms of payment (including digital) may lead to additional litigation and regulatory proceedings. The continued focus of merchants on the costs of accepting various forms of payment, including in connection with the growth of digital payments, may lead to additional litigation and regulatory proceedings.
36 MASTERCARD 2025 FORM 10-K
PART I
ITEM 1A. RISK FACTORS
Certain larger merchants are also able to negotiate incentives from us and pricing concessions from our issuer and acquirer customers as a condition of accepting our products. We also make payments to certain merchants to incentivize them to create co-branded payment programs with us. As merchants consolidate and become even larger, we may have to increase the amount of incentives that we provide to certain merchants, which could materially and adversely affect our results of operations. Competitive and regulatory pressures on pricing could make it difficult to offset the costs of these incentives. Additionally, if the rate of merchant acceptance growth slows, our business could suffer.
Our work with governments exposes us to risks that could have a material impact on our business and results of operations. RISK FACTORSOur work with governments exposes us to unique risks that could have a material impact on our business and results of operations.
As we increase our work with national, state and local governments (both indirectly through financial institutions, system integrators and other third party partners and with them directly as our customers), we may face various risks inherent in associating or contracting directly with governments.As we increase our work with national, state and local governments, both indirectly through financial institutions and with them directly as our customers, we may face various risks inherent in associating or contracting directly with governments. These risks include, but are not limited to, the following:
•Governmental entities typically fund projects through appropriated monies. Changes in governmental priorities or other political developments, including disruptions in governmental operations, could impact approved funding and result in scope changes or termination of the arrangements or contracts we or financial institutions enter into with respect to our products and services. Changes in governmental priorities or other political developments, including disruptions in governmental operations, could impact approved funding and result in changes in the scope, or lead to the termination, of the arrangements or contracts we or financial institutions enter into with respect to our payment products and services.
•Our work with governments is heavily regulated, subjecting us to additional potential exposure under U.S. and international anti-corruption laws (including the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act), as well as compliance with various procurement and other laws, regulations, standards and contract terms. Any violation and subsequent judgment or settlement related to the above could subject us to substantial monetary penalties and damages and have a significant reputational impact. A violation and subsequent judgment or settlement under these laws could subject us to substantial monetary penalties and damages and have a significant reputational impact. Moreover, as a government contractor, we are subject to a government’s right to conduct audits and investigations into both our contract performance and our compliance with applicable laws, regulations and contract terms. Any adverse finding could subject us to civil or criminal penalties, sanctions, or suspension or disbarment.
•Working or contracting with governments (either directly or via our financial institution customers, system integrators or other third party partners) can subject us to heightened reputational risks, including extensive scrutiny and publicity, as well as a potential association with the policies of those governments. Any negative publicity or negative association with a government entity, regardless of its accuracy, may adversely affect our reputation. In addition, threat intelligence gathering services provided to governments through our acquisition of Recorded Future could negatively impact how we are viewed by other jurisdictions.
Any of the above issues could have a material or adverse impact to our overall business and/or results of operations.
Global Economic and Political Environment
Global economic, political, financial and societal events or conditions could result in a material and adverse impact on our overall business and results of operations.
Adverse economic trends. Adverse economic trends in key countries in which we operate may adversely affect our financial performance. Such impact may include, but is not limited to, the following:
•Customers mitigating their economic exposure by limiting the issuance of new Mastercard products and requesting greater incentive or greater cost stability from us
•Consumers and businesses reducing spending, which could impact domestic and cross-border spend
•Debt limit and budgetary discussions in the U.S. have affected, and could further affect, the U.S. credit rating, impacting consumer confidence and spending
•Uncertain global trade policies and related government actions (including those related to tariffs), which could have an adverse impact on our business (including with respect to consumer and business spending) and relationships with stakeholders
•Government intervention (including the effect of laws, regulations and/or government investments on or in our financial institution customers), as well as uncertainty due to changing political regimes in executive, legislative and/or judicial branches of government, that may have potential negative effects on our business and our relationships with customers or otherwise alter their strategic direction away from our products
•Tightening of credit availability that could impact the ability of participating financial institutions to lend to us under the terms of our credit facility
Cross-border transactions. We switch substantially all cross-border transactions using Mastercard, Maestro and Cirrus-branded cards and generate a significant amount of revenue from cross-border volume fees and fees related to switched transactions. Revenue from switching cross-border and currency conversion transactions for our customers fluctuates with the levels and destinations of cross-border travel and our customers’ need for transactions to be converted into their base currency. Cross-border activity has been, and may continue to be, adversely affected by world geopolitical, economic, health, weather and other conditions. Cross-border activity has, and may continue to be, adversely affected by world geopolitical, economic, health, weather and other conditions. These include or have included:
MASTERCARD 2025 FORM 10-K 37
PART I
ITEM 1A. RISK FACTORS
•Global pandemics (and related post-pandemic global economic impacts) and potential separate outbreaks of flu, viruses and other diseases (any of which could result in future epidemics or pandemics)
•Current and potential future geopolitical conflicts, as well as expansion into regional or global conflicts, and the resulting impacts to our business
•The threat of terrorism and major environmental and extreme weather events (including those related to climate change)
The impact of and uncertainty that could result from any of these events or factors could ultimately decrease cross-border activity. Additionally, any regulation of interregional interchange fees could also negatively impact our cross-border activity (for example, the targets announced by the G20 Financial Stability Board related to cross-border payments). Additionally, any regulation of interregional interchange fees could also negatively impact our cross-border activity. In each case, decreased cross-border activity could decrease the revenue we receive.
Russia’s invasion of Ukraine. In addition to the cross-border impacts described above, our compliance with sanctions and our decision to suspend our business operations in Russia has led, and could further lead, to other legal ramifications and operational challenges, including fines, the nationalization of our subsidiary and any resulting impacts, and/or lawsuits.
Standards. Our operations as a global payments network rely in part on global interoperable standards to help facilitate payments. To the extent geopolitical events or government intervention result in jurisdictions no longer participating in the creation or adoption of these standards, or the creation of competing standards, our products and services could be negatively impacted. To the extent geopolitical events result in jurisdictions no longer participating in the creation or adoption of these standards, or the creation of competing standards, the products and services we offer could be negatively impacted.
Any of these developments potentially could have a material adverse impact on our overall business and results of operations. Any of these developments could have a material adverse impact on our overall business and results of operations.
Adverse currency fluctuations and foreign exchange controls could negatively impact our results of operations.
During 2025, approximately 71% of our revenue was generated from activities outside the U.S., which could be transacted in a non-functional currency. Impacts from currency fluctuations are included in our net income. Our risk management activities provide protection with respect to adverse changes in the value of only a limited number of currencies and are based on estimates of exposures to these currencies.
In addition, the revenue we generate in entities with non-U.S. dollar functional currencies is subject to unpredictable currency fluctuations, including where the values of other currencies change relative to the U.S. dollar. If the U.S. dollar strengthens compared to currencies in which we generate revenue, this revenue may be translated at a materially lower amount than expected.
Furthermore, we may become subject to exchange control regulations that might restrict or prohibit the conversion into U.S. dollars of our other revenue currencies and financial assets.
The occurrence of currency fluctuations or exchange controls could have a material adverse impact on our results of operations.
Brand, Reputational Impact and Environmental, Social and Governance
Negative brand perception may materially and adversely affect our overall business.
Our brands and their attributes are key assets of our business. The ability to attract consumers to our branded products and retain them depends upon the external perception of us and our industry:
•Our business may be affected by actions taken by our customers, merchants or other organizations that impact the perception of our brands or the payments industry in general. From time to time, our customers may take actions that we do not believe to be in the best interests of our brands, such as creditor practices that may be viewed as “predatory”. Moreover, adverse developments with respect to our industry or the industries of our customers or other companies and organizations that use our products and services (including certain legally permissible but high-risk merchant categories, such as adult content, firearms, alcohol and tobacco) may also, by association, impair our reputation, or result in greater public, regulatory or legislative scrutiny, as well as potential litigation. Moreover, adverse developments with respect to our industry or the industries of our customers or other companies and organizations that use our products and services (including certain legally permissible but high risk merchant categories, such as alcohol, tobacco, fire-arms and adult content) may also, by association, impair our reputation, or result in greater public, regulatory or legislative scrutiny. Additionally, we or our customers could take (or be perceived to take) actions related to these industries, which could be viewed negatively and result in threats or other retaliatory actions. We may also face similar scrutiny to the extent that we are unable to detect and/or prevent illegal activities using our payment products or otherwise occurring over our network.
•Under some circumstances, our use of social media, or the use of social media by others as a channel for criticism or other purposes, could also cause rapid, widespread reputational harm to our brands by disseminating rapidly and globally actual or perceived damaging information about us, our products or merchants or other end users who utilize our products.
•We are headquartered in the U.S. As such, a negative perception of the U.S. could impact the perception of our company, which could adversely affect our business.
Any of the above issues could have a material and adverse effect on our overall business.
38 MASTERCARD 2025 FORM 10-K
PART I
ITEM 1A. RISK FACTORS
Lack of visibility of our brand in our products and services, or in the products and services of our partners who use our technology, may materially and adversely affect our business.
As more players enter the global payments ecosystem, the layers between our brand and consumers and merchants increase. We often partner with other consumer brands on payment solutions, including large digital companies and other technology companies who are our customers and use our networks to build their own acceptance brands. In some cases, our brand may not be featured in the payment solution or may be secondary to other brands. Additionally, as part of our relationships with some issuers, our payment brand is only included on the back of the card. As a result, our brand may either be invisible to consumers or may not be the primary brand with which consumers associate the payment experience. This brand invisibility, or any consumer confusion as to our role in the consumer payment experience, could decrease the value of our brand, which could adversely affect our business.
Environmental, social and governance matters and related stakeholder reaction may impact our reputation, increase legal exposure and/or have other business impacts, which could adversely affect our overall business and/or results of operations.
Our brand and reputation are associated with the ways in which we impact environmental, social and governance matters. These matters include initiatives to reduce greenhouse gas emissions, help everyone participate in the digital economy and create a workplace where everyone has the opportunity to succeed. Consumers, investors, employees and other stakeholders are increasingly focused on these impacts. To the extent any of our disclosures, public statements and metrics about these matters are subsequently viewed as inaccurate or unlawful, or we are unable to execute on these initiatives, we may be viewed negatively by stakeholders concerned about these matters. To the extent any of our published sustainability metrics are subsequently viewed as inaccurate or we are unable to execute on our sustainability initiatives, we may be viewed negatively by consumers, investors and other stakeholders concerned about these matters. Moreover, in recent years, we have received negative feedback from stakeholders on the adequacy of our environmental, social and governance initiatives. We have also increasingly been receiving negative feedback from anti-environmental, social and governance stakeholders in opposition to such initiatives. Stakeholders from both sides of this issue may continue to view us negatively and take public action against us to the extent that we do not satisfy their conflicting views or expectations.
In addition, various jurisdictions are increasingly adopting or considering laws, regulations and oversight expectations that have or would impact us pertaining to environmental, social and governance matters, including required corporate reporting and disclosures. These requirements have resulted in, and are likely to continue to result in, increased compliance costs for our business and supply chain, which may increase our operating costs.
Moreover, as governments, investors and other stakeholders face pressure to address climate change and other environmental, social and governance matters, these stakeholders may express new expectations and focus investments in ways that could cause significant shifts in commerce and consumption behaviors. The impact of and uncertainty that could result from such shifts could ultimately impact our business.
Any of the above issues could have a material or adverse impact to our overall business and/or results of operations.
Talent and Culture
We may not be able to attract and retain a highly qualified workforce, or maintain our corporate culture, which could harm our overall business and results of operations.
Our performance largely depends on the skills, capabilities and motivation of our employees (including our people leaders), as well as the environment we create for them to enable them to perform their jobs effectively. The market for specialized skill-sets remains highly competitive, particularly in emerging technologies. To the extent we are unable to differentiate our value proposition in the market, effectively develop leaders and build robust succession pipelines, it could impact our ability to deliver for our customers. Failure to attract, hire, develop, motivate and retain highly qualified talent could leave us vulnerable to not identifying and/or acting on emerging customer or market opportunities. Failure to attract, hire, develop, motivate and retain highly qualified and diverse employee talent, or to maintain a corporate culture that fosters innovation, creativity and teamwork could harm our overall business and results of operations. In addition, broader trends such as escalations in global conflict and a rise in mental health needs are impacting the well-being of our people. To the extent we are unable to communicate effectively on these issues and provide support to our employees, we could experience a significant impact on our business, reputation and culture. Further, changes in and enforcement of immigration and work permit laws and visa regulations have made it difficult for employees to work in, or transfer among, jurisdictions where we operate, potentially impairing our ability to attract and retain talent. Additionally, changes in immigration and work permit laws and visa regulations and related enforcement have made it difficult for employees to work in, or transfer among, jurisdictions in which we have operations and could impair our ability to attract and retain qualified employees. We also face increasing regulation with respect to new pay and benefits transparency requirements, which could subject us to liability or reputational harm if we do not adhere to these requirements in a timely manner.
As our workforce composition continues to change, our employees may have different expectations with respect to flexibility and well-being support. Additionally, employees may require different levels of support as to re-skilling and upskilling in order to adapt to advancements in our industry and changes in technology. Further, certain current and prospective employees may have expectations as to positions we take on environmental, social and governance matters. To the extent we are unable to effectively meet and/or balance these different expectations and needs, we could experience a negative impact to the quality of our corporate culture, the productivity of our workforce and our ability to attract and retain talent.
MASTERCARD 2025 FORM 10-K 39
PART I
ITEM 1A. RISK FACTORS
We rely on our people leaders to display integrity and decency, as role models for the Mastercard Way. To the extent our leaders behave in a manner that is not consistent with these values, we could experience significant impact to our brand and reputation, as well as to our corporate culture. To the extent our leaders behave in a manner that is not consistent with our values, we could experience significant impact to our brand and reputation, as well as to our corporate culture.
Any one or more of the above could harm our overall business and results of operations.
Acquisitions and Strategic Investments
Our efforts to enter into acquisitions, strategic investments or new businesses could be impacted or prevented by regulatory scrutiny and could otherwise result in issues that could disrupt our business and harm our results of operations or reputation.
We continue to evaluate our strategic acquisitions of, and investments in, complementary businesses, products or technologies. As we do so, we face increasing regulatory scrutiny with respect to antitrust, national security and other considerations that could impact these efforts. We also face competition for acquisition targets due to the nature of the market for technology companies. As a result, we could be prevented from successfully completing such acquisitions in the future. If we are not successful in these efforts, we could lose strategic opportunities that are dependent, in part, on inorganic growth.
To the extent we do make these acquisitions, we may not be able to successfully partner with or integrate them, despite original intentions and focused efforts. Such an integration also may divert management’s time and resources from our core business and disrupt our operations. In addition, such an integration may divert management’s time and resources from our core business and disrupt our operations. Moreover, we have spent, and may continue to spend, time and money on acquisitions or projects that do not sufficiently meet our expectations (either strategically or financially), which has resulted (and may in the future result) in divesting from or otherwise exiting these investments or businesses. Additionally, to the extent we pay the purchase price of any acquisition in cash, it would reduce our cash reserves available to us for other uses, and to the extent the purchase price is paid with our stock, it could be dilutive to our stockholders. To the extent we pay the purchase price of any acquisition in cash, it would reduce our cash reserves available to us for other uses, and to the extent the purchase price is paid with our stock, it could be dilutive to our stockholders. Furthermore, we have inherited and may in the future inherit litigation risk which has or may increase our post-acquisition costs of operations.
Any acquisition, investment or entry into a new business could subject us to new regulations or legal requirements, both directly as a result of the new business as well as in the other existing parts of our business, with which we would need to comply.Any acquisition or entry into a new business could subject us to new regulations, both directly as a result of the new business as well as in the other existing parts of our business, with which we would need to comply. This compliance could increase our costs, and we could be subject to liability or reputational harm to the extent we cannot meet any such compliance requirements. Additionally, targets that we acquire have had, and may in the future have, data practices that do not initially conform to our privacy, data protection and information security standards and data governance model, which could lead to regulatory scrutiny and reputational harm. These targets also have resulted in, and may in the future lead to, information security vulnerabilities for us.
Settlement and Third-Party Obligations
Our role as guarantor, as well as other contractual obligations and discretionary actions, expose us to risk of loss or illiquidity.
We are a guarantor of certain third-party obligations, including those of certain of our customers and service providers. In this capacity, we are exposed to credit and liquidity risks. In this capacity, we are exposed to credit and liquidity risk from these customers and certain service providers. We may incur significant losses in connection with transaction settlements if a customer fails to fund its daily settlement obligations due to technical problems, liquidity shortfalls, insolvency or other reasons. The occurrence of bank failures, such as those seen in recent years, could increase the potential for such losses. Concurrent settlement failures of more than one of our larger customers or of several smaller customers either on a given day or over a condensed period of time may exceed our available resources. Concurrent settlement failures of more than one of our larger customers or of several of our smaller customers either on a given day or over a condensed period of time may exceed our available resources and could materially and adversely affect our results of operations. In addition, Brazil recently enacted regulation requiring PSOs in Brazil (including Mastercard and Visa) to extend their responsibility for the financial and settlement integrity of payments to merchants. As we continue to be subject to increased regulation across the globe, more jurisdictions may enact similar approaches from time to time. Any such changes could increase complexity and may impact our cost of operations and financial condition.
Certain non-guaranteed transactions, as well as chargebacks to acquirers in the event of acquirer default, could result in elevated brand risk and the potential for financial loss.
We have significant contractual indemnification obligations with certain customers, which could be triggered depending on the circumstances.
Any of the above issues or events could have a material or adverse impact to our overall business and/or results of operations.
40 MASTERCARD 2025 FORM 10-K
PART I
ITEM 1A. RISK FACTORS
Class A Common Stock and Governance Structure
Provisions in our organizational documents and Delaware law could be considered anti-takeover provisions and have an impact on change-in-control.
Provisions contained in our amended and restated certificate of incorporation and bylaws and Delaware law could be considered anti-takeover provisions, including provisions that could delay or prevent entirely a merger or acquisition that our stockholders consider favorable. These provisions may also discourage acquisition proposals or have the effect of delaying or preventing entirely a change in control, which could harm our stock price. For example, subject to limited exceptions, our amended and restated certificate of incorporation prohibits any person from beneficially owning more than 15% of any of the Class A common stock or any other class or series of our stock with general voting power, or more than 15% of our total voting power. In addition:
•our stockholders are not entitled to the right to cumulate votes in the election of directors
•our stockholders are not entitled to act by written consent
•any representative of a Mastercard or Mastercard Foundation competitor is disqualified from service on our board of directors
Mastercard Foundation’s substantial stock ownership, and restrictions on its sales, may impact corporate actions or acquisition proposals favorable to, or favored by, the other public stockholders.
Mastercard Foundation owns shares of our Class A common stock representing greater than 5% of our general voting power. Historically, Mastercard Foundation had been restricted from selling or otherwise transferring its shares of Class A common stock prior to May 1, 2027, except to the extent necessary to satisfy its charitable disbursement requirements, for which purpose earlier sales were permitted and had occurred. Mastercard Foundation may not sell or otherwise transfer its shares of Class A common stock prior to May 1, 2027, except to the extent necessary to satisfy its charitable disbursement requirements, for which purpose earlier sales are permitted and have occurred. In July 2023, pursuant to an application in consultation with Mastercard, Mastercard Foundation received court approval to advance that date to January 1, 2024. As a result, Mastercard Foundation is now permitted to sell all or part of its remaining shares, subject to certain conditions. In March 2024, Mastercard Foundation began selling shares pursuant to an orderly and structured plan to diversify its Mastercard shares over a seven-year period, while committing to remain a long-term Mastercard stockholder and retaining a significant holding of Mastercard shares in its portfolio. The directors of Mastercard Foundation are required to be independent of us and our customers. The ownership of Class A common stock by Mastercard Foundation, together with the seven-year diversification plan, could discourage or make more difficult acquisition proposals favored by other holders of the Class A common stock. The ownership of Class A common stock by Mastercard Foundation, together with the restrictions on transfer, could discourage or make more difficult acquisition proposals favored by the other holders of the Class A common stock. In addition, because Mastercard Foundation intends to sell its shares over an extended period of time, it may not have the same interest in short or medium-term movements in our stock price as, or incentive to approve a corporate action that may be favorable to, our other stockholders. In addition, because Mastercard Foundation is restricted from selling its shares for an extended period of time, it may not have the same interest in short or medium-term movements in our stock price as, or incentive to approve a corporate action that may be favorable to, our other stockholders.
Item 1B. Unresolved staff comments
Not applicable.
Item 1C. Item 1B. Cybersecurity
Cybersecurity program
MASTERCARD 2025 FORM 10-K 41
PART I
ITEM 1C. CYBERSECURITY
Program highlights
•We are committed to the responsible handling of personal information, and we balance our product development activities with a commitment to transparency and control, fairness and non-discrimination, as well as accountability
•Our multi-layered privacy, data protection and information security programs and practices are designed to ensure the security and responsible use of the information and data our stakeholders entrust to us
•We work with our customers, governments, policymakers and others to help develop and implement standards for secure transactions, as well as privacy-centric data practices
•Our programs are informed by third-party assessments and advice regarding best practices from consultants, peer companies and advisors
•Our programs are designed to align with internationally recognized privacy, data protection and information security standards and undergo regular certifications and attestations
•We continually test our systems to discover and address any potential vulnerabilities
•We have processes for evaluating (among other things) the privacy, data protection and information security infrastructure of our third-party providers (including examining any relevant records), and we seek to manage third-party risk with procedures to onboard our third-party providers, monitor their activity during our engagement (where possible) and off-board such third-party service providers at the end of our engagement
•We maintain a business continuity program and cyber insurance coverage
Governance and oversight of privacy, data protection and information security
Board and Committee responsibilities
Our Board and Risk Committee have specific oversight responsibilities with respect to cybersecurity and privacy risk:
•Board: Understanding the issues and risks that are central to the Company’s success, including cybersecurity matters
•Risk Committee: Overseeing risks relating to our policies, procedures and strategic approach to information security (inclusive of cybersecurity), privacy and data protection, among other things
In general, the Audit Committee and Risk Committee coordinate to oversee our guidelines and policies with respect to risk assessment and risk management and our Audit Committee discusses our financial and operational risk exposures and the steps management has taken to monitor and control such exposures. In this context, the Audit Committee would be informed of a material cybersecurity incident that could have a potential impact on our financial statements.
Management responsibilities
We have a core group of senior executives who are responsible for assessing and managing risk and implementing policies, procedures and strategies pertaining to security governance, data protection and privacy. These executives include:
•Chief Security Officer (CSO) , who develops and oversees the programs, policies and controls we have implemented across the organization to reduce and prevent logical and physical risks, including information security and cyber risks to our people, intellectual property, data and tangible property
•Chief Privacy and Data Responsibility Officer, who establishes and oversees the programs, policies, processes and controls we have implemented across the organization to ensure compliance with worldwide laws and regulations regarding how we collect, use, share, store, transfer and otherwise process data and utilize AI, while also managing our relevant engagements with regulators, policymakers and key stakeholders
•Chief Data Officer, who establishes and oversees our efforts to maintain an ethical, responsible enterprise data program that adheres to our high standards for data quality, curation and governance while minimizing data risks
•Data Protection Officer, who reports to the Chief Privacy and Data Responsibility Officer and, with the support of the Global Data Protection Office, ensures that we continue to adhere to the GDPR and local privacy requirements, including by handling privacy requests from individuals and regulators
42 MASTERCARD 2025 FORM 10-K
PART I
ITEM 1C. CYBERSECURITY
How management is informed of and monitors incidents
Reporting to our Board
Despite our efforts to identify and respond to cybersecurity threats, we cannot eliminate all risks from cybersecurity threats, or provide assurances that we have not experienced an undetected cybersecurity incident. See “Risk Factors – Information Security and Operational Resilience” in Part I, Item 1A for more information about these and other risks related to information security.
Recently Filed
Click on a ticker to see risk factors
| Ticker * | File Date |
|---|---|
| BWA | an hour ago |
| BKH | an hour ago |
| ACBM | an hour ago |
| SYK | 3 hours ago |
| BMY | 3 hours ago |
| MA | 3 hours ago |
| HLT | 4 hours ago |
| RPRX | 5 hours ago |
| NNN | 6 hours ago |
| NVCT | 6 hours ago |
| AVTR | 7 hours ago |
| LEU | 7 hours ago |
| FNMA | 7 hours ago |
| SHOP | 7 hours ago |
| U | 7 hours ago |
| UE | 7 hours ago |
| BXMT | 7 hours ago |
| NI | 8 hours ago |
| PSN | 8 hours ago |
| ZG | 8 hours ago |
| REXR | 16 hours ago |
| KRC | 18 hours ago |
| F | 19 hours ago |
| ENTG | 19 hours ago |
| NSP | 20 hours ago |
| LYFT | 20 hours ago |
| DAL | 20 hours ago |
| ARW | 21 hours ago |
| SPGI | 21 hours ago |
| DIOD | 21 hours ago |
| LEGT | 21 hours ago |
| NTST | 22 hours ago |
| AOS | 22 hours ago |
| EXEL | 22 hours ago |
| HCA | 22 hours ago |
| PEGA | 22 hours ago |
| MOH | 22 hours ago |
| GPRE | 22 hours ago |
| PTEN | 22 hours ago |
| PECO | 22 hours ago |
| ARI | 22 hours ago |
| HIW | 22 hours ago |
| SLAB | 22 hours ago |
| KVYO | 22 hours ago |
| UPST | 22 hours ago |
| TCBI | 22 hours ago |
| ADC | 22 hours ago |
| MEDP | 22 hours ago |
| INCY | 22 hours ago |
| CMI | 23 hours ago |
