Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10-K reports, allowing investors to quickly identify new potential risks and opportunities.
Risk Factors - MORN
Item 1A. Risk Factors
Morningstar takes a risk-based approach for managing its cybersecurity program. The program is evaluated biennially, including against the NIST Cybersecurity Framework, most recently in 2024. The outcome of these reviews, as well as any changes implemented as a result of these reviews, are reported to the audit committee of our board of directors (the Audit Committee).
We believe that currently we have not encountered a cybersecurity event that has had a material impact on our business, financial condition, or results of our operation. We continue to invest in our IT security infrastructure, InfoSec Program and to enhance our internal controls and processes to help assess, identify, and protect against cybersecurity threats to our business. For a discussion of the risks cybersecurity threats pose to our business strategy, results of operations, and financial condition, please see “Item 1A. Risk Factors — Risks Related to Our Information Technology and Security” in this Report.
The Cyber Committee consists of the CIO, the CISO, the chief privacy officer, the chief legal officer, the head of corporate communications, and representatives of the affected business unit and/or their respective delegates.
Risk Factors
You should carefully consider the risks and uncertainties described below and all of the other information included in this Report when deciding whether to invest in our common stock or otherwise evaluating our business. If any of the following risks or uncertainties materialize, our business, financial condition, or operating results could suffer. In that case, the trading price of our common stock could decline, and you may lose all or part of your investment. Our operations could also be affected by other risks and uncertainties that are not presently known to us or that we currently consider to be immaterial to our operations.
Risks Related to Our Business and Industry
Failing to maintain and protect our brand, independence, and reputation may harm our business. Our reputation and business may also be negatively impacted by allegations made about possible conflicts of interest, lack of independence, or by other negative publicity or media reports.
We believe our reputation, brand, and the value of our products and services are built on the trust that our users have in our commitment to empowering investor success through independence, transparency, and a long-term focus. Any real or perceived failure to uphold these principles, including lapses in employee integrity or independence, may harm our reputation. Additionally, real or perceived errors in our products or negative customer or employee experiences could further damage our reputation. Our reputation and brand could also be impacted by factors beyond our control, such as negative news about our clients, suppliers, employees, consultants, or competitors, regulatory scrutiny, and adverse publicity about our products or industries that we operate in. Expanding our brand to less mission-aligned products may also harm our reputation or dilute our brand.
As our business continues to evolve and expand, we have entered and may in the future enter into business lines and/or arrangements that may raise concerns about potential conflicts of interest or perceived independence failures. We provide ratings and research on our clients’ investment products, such as ETFs and mutual funds, and we typically charge a licensing fee to use our ratings. We also provide investment advisory and management services, including through our own series of mutual funds, which expose us to claims that we are both the referee and the player in the same industry. Our issuer-pay model in our credit ratings business and for certain of our other ratings products, for which we receive payments from issuers for our ratings versus from the investor consuming such ratings, may also lead to perceptions that our research and ratings in these areas are not independently determined.
Certain of our products and methodologies, including those of Morningstar Sustainalytics, have placed, and may in the future, place us at the center of public debate on sustainability, social, and corporate governance issues, or result in scrutiny of our clients. This scrutiny may affect product demand and may result in negative media coverage, reputational harm, or increased regulatory attention.
Failure to effectively and successfully navigate these independence and reputational challenges could adversely affect our business, operating results, and financial condition.
Failing to create and maintain innovative, proprietary, and insightful product and service offerings, keep pace with new investor requirements, technology developments, and trends, or anticipate our clients’ changing needs may negatively affect our competitive position and business.
We believe rapid innovation and technological advances in financial information services and investable products are changing how investors and intermediaries access and use data. These changes may result in our existing products becoming less competitive or obsolete. Our future success will continue to depend on our ability to develop new products and enhancements that address and support the evolving needs of our current and target markets, as well as on our ability to keep pace with competitors.
If we fail to continuously innovate and effectively incorporate or deploy new datasets, research, AI technologies, content, or software to meet evolving customer needs, our competitive position may suffer. Our reputation would be harmed if we are seen as slow to adapt to meet the changing needs of investors or their financial advisors, especially as customers expect more personalized advice and greater data security. Increased interest in alternative assets, such as private market offerings, requires new expertise and data. Competitors who innovate faster or offer broader solutions may outpace us. Our investments in new products, especially those involving AI technologies, carry execution risks and challenges and may not deliver expected benefits, such as generating revenue or cost savings, or creating efficiencies in our processes. Additionally, we cannot guarantee we will successfully adapt or seamlessly transition to new product offerings. Failure to successfully manage these transitions and investments would materially and adversely affect our reputation, operating results and financial condition.
As financial intermediary customers further automate their processes, demand for our products may shift, making technological flexibility and system interoperability increasingly important. Clients increasingly expect technology solutions that address specific needs, such as integrated wealth management capabilities. Our technology heavily relies on the quality and comprehensiveness of our data and our ability to build valuable analytics, research, and intellectual property around it. Delivering personalized advice that clients value requires collecting, organizing, and analyzing large, diverse datasets. If we fail to adequately allocate resources to meet client demands, we may lose our competitive advantage, which could adversely impact our business, operating results, and financial condition.
Changing economic conditions, including prolonged volatility, recessions, or downturns affecting the financial sector and global financial markets, fluctuating interest rates, and the impacts of global trade policies, may negatively impact our business.
Our business performance is influenced by external factors such as economic and financial market trends, credit availability, changing laws or trade policy, currency fluctuations, and geopolitical uncertainties. Extended economic or market downturns, or volatility, interest and inflation rate shifts, and stagflation, among other factors, may dampen investment activity, thereby reducing demand for our products and services. In recent years, uncertain economic conditions, including those caused by tariffs and retaliatory trade measures, have decreased asset values under management and may do so again in the future. Further, market sentiment regarding the impact of AI on software and data company growth prospects has driven meaningful recent sector-wide stock price declines, including Morningstar's. We cannot predict the timing or duration of economic cycles, sector-focused market downturns or the direct and indirect effects or duration of trade or other economic policy impacts on our business, assets, operating results, and financial condition.
Our asset-based revenue depends on the value of assets under our advisory services, which fluctuates with market performance. Economic or market declines, reduced inflows, or increased redemptions, driven by market conditions or poor investment performance, can lower asset levels and, consequently, our fee-based revenue. Industry trends toward lower asset-based fees may further impact revenue. Additionally, if investors shift to non-traditional asset classes such as cryptocurrencies, private debt, real estate, structured products, or collectibles, and we cannot effectively incorporate or anticipate their performance, our assets under management may be negatively affected.
Many of our license-based customers are asset management and financial advisory firms, whose businesses may be impacted by global market trends. The rise of passive investment strategies may diminish the perceived value of our research on active strategies. Prolonged recessions, financial crises, and other economic uncertainties have in the past and could in the future prompt significant spending cuts and lengthen sales cycles among clients. Industry consolidation has the potential to reduce our client base, and clients may discontinue using our products and services if they fail, merge, or are acquired by non-clients or firms using fewer of our services. These factors may decrease demand for our offerings.
Fluctuations in interest rates and central bank decisions have reduced credit issuance in the past and may do so in the future, negatively impacting our credit ratings business. For example, our credit ratings business depends on the volume and value of debt securities issued, making it vulnerable to market volatility, rising interest rates, widening credit spreads, and economic slowdowns. Demand for credit ratings may also decline due to negative publicity, regulatory or political changes, increased use of alternative credit sources, or defaults by major issuers. Our ability to reduce costs in adverse conditions may be limited by our obligations to monitor and maintain outstanding ratings.
Our PitchBook business is also subject to cyclical trends specific to the private capital markets. Many of PitchBook’s clients are investment banks and other participants in the capital and M&A markets, which are subject to periodic business downturns driven by changes in such markets. During these downturns, they often seek to reduce spending on third-party services, as well as the number of employees, which would directly and adversely affect the length of sales cycles and the number of prospective users for the PitchBook platform.
Changing economic conditions or market trends could affect demand for products and services or asset values, which may have a material and adverse effect on our business, operating results, and financial condition.
Risks Related to Our Information Technology and Security
We could face significant reputational, operational, and financial consequences relating to cybersecurity and the protection of confidential information, including personal information about individuals.
Our business requires that we securely collect, process, store, and transmit confidential information including sensitive personal information relating to our operations, customers, employees and other third parties. We continuously invest in measures designed to protect this information, but we cannot guarantee absolute security. Improper access or release of data may still occur due to employee or vendor error, system issues, failure to consistently apply security practices across our business, or cyberattacks.
We may also be subject to specific legal or contractual obligations relating to personal information and personal financial information, as in certain cases our products and services handle, store, and transmit personal information. Due to the global nature of our business, personal information is routinely moved from one jurisdiction to another, subjecting us and our customers to complex and evolving federal, state and foreign privacy, cybersecurity, and data protection laws, which may vary across geographies. Restrictions on cross-border data transfers and conflicting regulations may enhance compliance obligations and associated costs.
As a global business, we regularly seek to optimize our data storage to enhance information accuracy and streamline our technology, which supports our operations. However, data privacy laws such as the General Data Protection Regulation (GDPR) impose obligations on the storage, transfer, and use of personal information, potentially restricting the processing of data about individuals outside of their home jurisdictions. Legislation aimed at protecting material nonpublic information or mitigating potential conflicts of interest further defines how we access and retain certain data, potentially resulting in less efficient or more costly technological processes and infrastructure.
One of our core strengths is our ability to collect data and enrich it with data from another part of our business to provide valuable information and insights to investors. As data is accessible across our products, consistent data privacy practices and disclosure become more important and challenging. Failure to comply with our public statements or to adequately disclose our privacy or data protection practices could result in costly investigations by government authorities, litigation, and fines, as well as reputational damage and customer loss.
We may be subject to increasingly frequent and sophisticated cyberattacks by actors with substantial resources and advanced capabilities that could overcome the defensive measures of our security program. These actors have targeted, and may target, our products, people, services, and network infrastructure to access intellectual property, confidential or personal information, or disrupt operations (e.g., distributed denial of service attacks or ransomware). Though we have dedicated resources and protective measures designed to identify and mitigate cyberattacks, such attacks continue to evolve, can be difficult to detect, and may go unnoticed for extended periods. Our measures may not be adequate or designed to prevent all eventualities or all types of attacks. We may be vulnerable to circumvention of security systems, denial of service attacks or other cyberattacks, hacking including “hacktivism,” “phishing,” or other social engineering attacks, malware, ransomware, employee or insider errors, employee or vendor malfeasance, physical breaches, or other malicious actions. Additionally, remote work and the use of personal devices introduce additional risk management challenges.
We may also be impacted by a cyberattack targeting one of our vendors or other supplier/service provider within our technology supply chain or infrastructure, including cloud providers. As we expand our product and service offerings, we increasingly share confidential and proprietary data with third-party vendors, service providers, and software as a service (SaaS) platforms. This growing exposure to third parties introduces the risk that inadequacies in their security technologies, practices, or monitoring could result in unauthorized access, data breaches, or other cybersecurity incidents, that could impact us and our customers.
From time to time, we have acquired, and may in the future acquire, other businesses or assets. While we conduct due diligence on the products, technology systems, and practices of these companies, we may inherit existing or undiscovered security vulnerabilities, data breaches, or system intrusions for which we could be liable. Acquired products and technologies may expose us to additional security risks, integration delays, increased costs to meet our security standards, and challenges in augmenting the acquired technologies to levels consistent with our brand and reputation. These businesses may also have less advanced security or data privacy controls, introducing further risks as their systems are integrated with ours.
While we maintain recovery capabilities intended to restore operations and data integrity following a cybersecurity incident, these capabilities are not absolute and are subject to similar limitations and uncertainties as our preventive measures. Accordingly, we cannot guarantee that all attack vectors can be fully mitigated or that recovery will be complete or timely in all circumstances.
Any failure to protect confidential information or any material significant cybersecurity incident, whether in our systems or those of third parties handling our data, could lead to reputational damage, operational challenges, loss of customers, regulatory actions, sanctions, or other penalties, litigation, financial losses, and increased mitigation costs, which could have a material adverse effect on our business, operating results, and financial condition.
AI technologies may present business, legal, compliance, and reputational risks as they are incorporated into our products and tools.
We use, and may expand our use of, AI technologies across our products, internal tools, and third‑party SaaS platforms. While AI offers opportunities to improve efficiency and innovation, it also introduces risks. If we fail to keep pace with AI advancements, or if competitors adopt AI more effectively, our competitive position may be harmed. Slow internal adoption could reduce operational effectiveness, while AI‑generated errors may be incorporated into our processes or products. Our use of AI technologies may require investment of resources and costs to develop, test, and maintain related products and services, and there is no assurance that these investments will be successful. The rapid evolution and adoption of AI may create operational risks that may be difficult to anticipate or control, particularly where we rely on third‑party platforms. These risks could lead to operational inefficiencies, reputational harm, or compliance challenges.
The pace of adoption and use of AI technologies, including generative AI, in our products and processes may increase compliance obligations, regulatory scrutiny, litigation exposure, ethical concerns, and confidentiality or security risks. For example, AI systems may generate content that appears correct but is inaccurate, misleading, biased, or discriminatory, which, if relied upon and attributed to us, could harm our reputation and expose us to liability. We may also face risks relating to data privacy or cybersecurity incidents stemming from our use of AI technologies. Emerging laws and regulations governing AI - such as the EU Artificial Intelligence Act and other evolving global frameworks - may impose burdensome requirements or restrict the deployment of certain AI capabilities in our offerings, and regulations on AI are developing at varying paces, meaning the global regulatory landscape is uncertain and could potentially require significant changes to comply with emerging laws, which could have significant costs. As regulators introduce new or updated AI‑related rules, we may incur substantial compliance costs or be required to adjust our business practices, and failure to timely or adequately address these evolving obligations could result in significant costs, liabilities, or fines. Because AI is complex and rapidly developing, it is not possible to predict all of the legal, operational, or technological risks that may arise relating to our use of AI.
AI technologies may use or incorporate data from third-party sources, which may expose us to risks associated with data rights and protection and may also lead to the unintended consequences of using AI discussed above. Current laws and court decisions governing intellectual property ownership and license rights may not address new questions relating to AI technologies, which may negatively affect our ability to safeguard our intellectual property, as well as increase the compliance costs associated with navigating an uncertain legal and regulatory environment. The use or adoption of AI technologies into our products may expose us to claims of copyright infringement or other intellectual property misappropriation by third parties, which may require us to pay compensation or license fees. In addition, increased use of AI technologies may affect our workforce needs, including our ability to recruit, attract, or retain employees with the skills necessary to support AI-enabled products and processes. Laws, regulations or industry standards that develop in response to the use of AI may be burdensome or may significantly restrict the deployment of AI, particularly generative AI technologies, in our products or processes. We may also face challenges if portions of our existing workforce do not possess, or cannot efficiently develop, the rapidly evolving skill sets required to meet changing business demands, which could adversely impact our operations and competitiveness.
In addition, the implementation of AI technologies by competitors and disruptors presents risks to our business. The value of our products and services may be negatively affected by the increasing amount of information and external tools that are available online for free, or at low cost, that use AI to scrape data – including our own content – from the Internet. These technologies integrate machine learning abilities and other AI systems to process and organize large data sets aggregated from products that previously were paid for, posing an external risk to our product suite. The rapidly evolving regulatory environment for AI technologies may also impact our ability to protect our own data and intellectual property against infringement or unintended use through these external AI tools.
We could face liability stemming from the accuracy and use of our research, ratings, and published data, and our dependence on ingested third-party data, licensed content, and open-source components.
We may face claims related to securities law violations, defamation, negligence, or other issues arising from the information we publish, including our research and ratings. For example, investors could take legal action against us if they rely on published information that contains an error, or companies may claim we have made a defamatory statement about them or their employees. In our credit ratings business, we have access to significant amounts of material non-public information on issuers of securities, and any inadvertent disclosure or real or perceived misuse of such information could expose us to legal liability. Even minor errors may require us to temporarily remove ratings or research, potentially reducing the perceived value of our products or causing us to fall short of service-level commitments to customers.
Some of our products are used by clients to support investment processes, account reporting, and other activities involving significant third-party assets. This creates the risk that clients, or the parties whose assets they manage, may bring claims against us for losses linked to our products. We may also face regulatory investigations related to our products and their use by clients. While the contracts for our software products generally contain limitations on our liability, we may still need to compensate clients or their customers to preserve business relationships. Additionally, we could face claims related to content that is accessible through links on our website.
Products and enhancements that we develop or license have contained, and may in the future contain, undetected errors or defects despite testing or other quality-assurance practices. Use of our products or services as part of the investment processes and other activities, by our customers, investors, companies that we rate or assess, or their shareholders could subject us to claims for errors in our data, calculations, methodologies, inputs, analysis, or system failures. We may also face claims from providers of data and information we compile from websites and other sources, alleging we have obtained the data in violation of the source’s terms of use or copyrights.
We may face claims from third parties, such as securities exchanges from which we license and redistribute data and information, alleging improper use or redistribution of licensed data, or that we have inadequately permissioned our clients to use such data. These agreements often grant extensive audit rights, which have in the past and in the future may be triggered, and can be costly, time-consuming, and may result in substantial fees. Regulators may also claim we have mishandled private ratings or nonpublic data, particularly in our credit ratings business. These regulators have audit rights regarding our data use which could have similar adverse consequences in terms of time, expenses, or fines. Defending claims based on the information we publish could be expensive and time-consuming and could adversely affect our business, operating results, and financial condition.
Additionally, we use and incorporate open-source code in our software development and products, which could expose us to additional security risks, increase costs, and complicate the commercialization of our products and services. Security vulnerabilities due to the use of open-source software could require additional testing, change control, or re-engineering, potentially increasing costs and impacting our development processes and products. Open-source licenses typically lack warranties for infringement claims or covering the quality or security of the code, and some may require public release of our proprietary source code if combined in certain ways, potentially putting us at a competitive disadvantage. Many open-source licenses are ambiguous and have not been widely interpreted by US or other courts, and any unexpected restrictions or claims could require us to seek alternative licenses at increased costs or reduced scope, re-engineer products or systems, or discontinue the licensing of certain products.
Failure to protect our intellectual property rights, or claims of intellectual property infringement against us, could harm our brand, our financial results, and our competitive position.
We rely primarily on trademarks, copyright, patents and trade secret rights, as well as contractual protections and technical safeguards, to protect our intellectual property and proprietary information. These measures may not be adequate to safeguard our brand or competitive advantage, and third parties could challenge, circumvent, or improperly access our intellectual property and proprietary information. Additionally, jurisdictions in which we operate may lack strong intellectual property protections, which increases our vulnerability to unauthorized use or disclosure and may undermine our competitive position, particularly in non-US markets. Even where legal protections exist, defending these rights can require significant cost, time, and resources with no guarantee of success.
We believe our trademark rights in the “Morningstar” name and logo, and those of our subsidiaries represent materially valuable intangible assets. We believe our trademark rights with respect to the Morningstar name and logo, along with our subsidiaries' names and logos represent materially valuable intangible assets. We have encountered and may continue to encounter jurisdictions in which third parties hold pre-existing trademark registrations or use the “Morningstar” name, either as part of a registered corporate name or domain name, or otherwise. This may prevent us from registering or using our marks and could limit our ability to market products or secure trademark protection in those locations.
We have been and may continue to be subject to claims by third parties alleging infringement of their intellectual property rights. Such claims can also be alleged against clients, customers, or distributors of our products and services with whom we have agreed to provide indemnification protection. Such claims can also be alleged against clients, customers, or distributors of our products or services whom we have agreed to indemnify against third party claims of infringement. The defense of such claims can be costly, time consuming, and disruptive and lead to unfavorable outcomes requiring us to pay damages, enter disadvantageous licensing or royalty agreements, incur litigation and settlement costs, or suspend affected products or services, any of which could materially adversely affect our business, operating results, or financial condition. A failure in the performance of our due diligence processes and controls related to the supervision and oversight of these firms in detecting and addressing conflicts of interest, fraudulent activity, data breaches and cyber-attacks or noncompliance with relevant securities and other laws could cause us to suffer financial loss, regulatory sanctions or damage to our reputation.
Our reputation, financial condition, and operating results may be adversely impacted by any failure by us to successfully assert or enforce our intellectual property rights or by any alleged intellectual property infringement claims by a third party. In addition, unauthorized third parties may attempt to imitate or fraudulently use our brand, websites, or other digital assets, such as through website spoofing or phishing attacks, which could result in reputational harm, financial loss for individuals, or impede our ability to attract and retain customers.
Risks Related to Legal and Regulatory Matters
Compliance failures, regulatory action, or changes in laws could adversely affect our business.
Our business is subject to extensive and evolving laws, rules, and regulations that vary by jurisdiction. We have not always been able to, and in the future may not be able to, comply with the changing substance, application, and interpretation of such laws, rules, and regulations without making significant modifications to our operations. We have not always been able to, and in the future may not be able to comply with these changes or variances without extensive changes to our business practices. The increasing pace and scope of global regulatory changes heightens the potential risk of failing to identify or respond to new or expanded obligations in a timely manner. Regulations focused on increasing investor transparency or providing individuals with greater control over their own data may reduce the value or utility of the investments we have made in our data sets. Regulations aimed at increasing transparency for investors or providing individuals greater control over their own data may devalue the investments we have made in our data sets or reduce their use cases. The global nature of our operations makes monitoring and implementing regulatory changes more complex. Noncompliance could result in fines, sanctions, restrictions, and/or other penalties that could affect our products and services, and harm our reputation, operating results, and financial condition.
We are also subject to certain anti-corruption laws in the jurisdictions where we do business, which prohibit the improper offering, promising, authorizing, or giving anything of value to foreign government officials, or business employees for the purpose of directing, obtaining, or retaining business. We conduct business in countries and regions with varying anti-corruption laws and that have experienced government corruption to some degree, which may increase the pressure and risk of inadvertent violations by our employees or agents, despite our policies and training. Any violation of anti-corruption laws could lead to regulatory penalties, government investigations, administrative, civil or criminal penalties, government investigations, and/or other remedial measures, which could adversely affect our business, operating results, and financial condition, and also cause reputational and brand damage. Developments in technology are fundamentally changing the ways investors, financial intermediaries, and other market participants access data and content, allowing for greater personalization of products customized to individual investor profiles and interests, such as direct indexing and sustainability goals-based investing.
As we engage in global business activities, we are subject to international trade restraints, including economic and financial sanction laws and embargoes, administered by the US Treasury Department’s Office of Foreign Assets Controls, which prohibit or restrict the sale or supply of certain products or services to certain regions, countries, entities, governments, and individuals. Additionally, as we have global business activities, we are subject to international trade restraints including economic and financial sanction laws and embargoes administered by the US Treasury Department’s Office of Foreign Assets Controls, which prohibit or restrict the sale or supplying of certain products and services to embargoed or sanctioned countries, regions, governments, individuals, and entities. These restrictions have impacted and may in the future impact our ability to continue to market and sell our products in these geographies, resulting in loss of revenue. These international trade restraints have and may in the future impact our ability to continue to market and/or sell our products and services in these geographies, resulting in loss in revenue. While we have compliance measures in place to promote adherence to applicable restrictions, they may not always be effective.
These and new restrictions could further impact our operations, increase compliance costs, and expose us to fines or investigations, which could adversely affect our business, operating results, and financial condition.
Several of our businesses are highly regulated throughout the world, and the regulatory environment is increasingly complicated and rapidly evolving. Several of our businesses are highly regulated throughout the world and the regulatory environment is increasingly complicated and rapidly evolving.
The expansion of our business, including through acquisitions, has increased our exposure to government regulation across our product lines. Some areas require extensive and ongoing interactions with regulators, which is an increasingly costly and resource intensive process and could result in a finding of noncompliance, which could expose us to fines, sanctions, penalties and reputational risk.
Morningstar DBRS, our credit ratings business, operates in highly regulated environments in Canada, the US, the UK, Australia, and the EU, with substantial ongoing compliance obligations. The scope and interpretation of these regulations can be uncertain and inconsistent across jurisdictions, making compliance challenging and costly. Adhering to any current or expanded requirements that may arise under these frameworks can be complex, resource-intensive, and time-consuming. In addition, Morningstar DBRS is subject to regular regulatory examinations and occasional investigations, which can be time consuming and impact day to day operations.
In the US, Morningstar Investment Management LLC (MIM) is a registered investment adviser under the Investment Advisers Act of 1940 (the 40 Act), and is subject to SEC requirements for record-keeping, reporting, standards of care, and fiduciary obligations. The Morningstar Funds Trust, an open-end mutual fund advised by MIM, subjects MIM to additional 40 Act requirements and the Commodity Exchange Act. These entities face SEC examinations and, when advising retirement plans, may act as Employee Retirement Income Security Act of 1974 (ERISA) fiduciaries, which would require compliance with strict obligations. Breaches, actual or alleged, could result in liability, particularly in retirement advice and managed accounts. Some contracts designate us as ERISA fiduciaries, including selecting and monitoring plan options, and we offer managed account services for plan participants. Such activities have been and may again be subject to class action litigation, including one current case. Many asset management and financial advisor clients are similarly regulated. Many of our asset management and financial advisor clients are similarly regulated. The failure of our licensed products to meet their regulatory requirements could lead to loss of business.
Our regulated investment services operations are subject to regulation in markets outside the US. Post Brexit, we made a strategic decision to restrict the provision of regulated investment management activity to EU domiciled clients in part to reduce regulatory risk. The UK-based Morningstar Wealth Platform (Platform) has regulatory compliance obligations related to, among other things, the safeguarding and administration of client monies and assets, due to the offering of regulated products and services in the UK. The Platform business has offices in Jersey, South Africa, and the United Arab Emirates, all of which are or have been subject to the Financial Action Task Force (FATF) grey list. Increased regulatory scrutiny in Jersey, which was recently removed from the FATF grey list, and South Africa, which is currently on the FATF grey list, increases compliance costs and exposes us to potential reputational harm.
Our Indexes business, Morningstar Indexes, is subject to the EU Benchmarks Regulation, which mandates certain governance requirements, conflict management, and controls over the benchmark process and requires administrators to improve the quality of input data and methodologies. We also closely monitor US regulatory developments, as the SEC has sought comment on whether index providers, model portfolio providers, and pricing services should be regulated as investment advisers or outsourced service providers. If adopted, these changes could significantly increase our regulatory exposure and compliance costs.
Morningstar Sustainalytics may face increased regulation of its research, ratings, and data activities. EU rules for ESG ratings providers, which become effective in 2026, will require significant investment in governance, internal controls, and compliance processes. We have established a regulatory readiness program, and we continue to make significant investments in governance, internal controls, and compliance processes. Many jurisdictions have already established regulations regarding the provision and distribution of ESG data and ratings. Others, such as the UK, are developing similar frameworks, which may differ from EU requirements. The final form of these regulations remains uncertain, but they could impose substantial compliance burdens and risk of inadvertent noncompliance. As Sustainalytics operates globally, future regulations may be inconsistent across markets. Conversely, deregulation could reduce demand for our products. Failure to address this evolving landscape adequately and promptly could adversely affect our business, operating results, and financial condition.
Environmental, social, and governance considerations could result in enhanced regulatory obligations and expose us to potential liabilities and increased costs.
In response to market demand, we offer products, including those from Morningstar Sustainalytics, that may expose us to liability and higher regulatory costs. New and evolving environmental, social, and governance regulations are being introduced, amended, or revoked in the EU, the US, and other jurisdictions, requiring compliance with specific frameworks and disclosure obligations. For example, the EU Corporate Sustainability Reporting Directive (CSRD) applies to both EU and non-EU entities in scope and mandates extensive disclosures on sustainability topics such as climate change, biodiversity, workforce, supply chain, and business ethics, and may apply to our operations based on recent legal developments.
In contrast, the future of any US regulation of sustainability matters is uncertain, and if adopted may not align with the disclosures required by the CSRD or other legal and regulatory requirements. Similarly, a number of US states have passed, or are in the process of adopting, broad climate change disclosure requirements, such as the Climate Corporate Data Accountability Act and Climate-Related Financial Risk Act in California, the future scope and implementation of which also remains uncertain.
We have announced decarbonization goals and other initiatives, guided by standards such as the Task Force on Climate-Related Financial Disclosure (TCFD), the Sustainability Accounting Standards Board (SASB), and Global Reporting Initiative (GRI). Morningstar has committed to decarbonizing 50% of our scope 1 and scope 2 greenhouse gas emissions by 2030 and to publicly disclosing our emissions annually. Morningstar has committed to decarbonize 50% of our scope 1 and scope 2 greenhouse gas emissions by 2030 and to publicly disclose our emissions annually. Implementing these initiatives and complying with new or amended regulations may require significant resources and management attention. Any failure, or perceived failure, to fully comply with mandatory ESG requirements or voluntary ESG standards could adversely affect our business, operating results, and financial condition. Any failure, or perceived failure, by us to comply fully with ESG laws and regulations, or meet evolving and varied stakeholder expectations and standards could harm our business, operating results, and financial condition.
At the same time, we may face evolving and sometimes conflicting expectations from various stakeholders regarding our business practices and company activities, including environmental, social and governance matters. These expectations may increase operational complexity and place additional demands on our employees, systems, and resources. Different stakeholders may hold differing views on such matters, increasing the risk that actions we take, or fail to take, are perceived negatively by certain groups. Public sentiment and the broader sociopolitical environment may shift rapidly and unpredictably, and we may not be able to anticipate or respond to such changes within expected timeframes or without incurring significant costs. If we do not effectively manage such evolving expectations, we could experience reputational harm, stakeholder disengagement, litigation, or other adverse consequences, which may adversely impact our business, operating results, and financial condition.
Errors in our automated advisory tools may subject us to liability for any losses that result.
We rely on automated investment technology for retirement advice and managed accounts, including the Wealth Forecasting Engine, which determines asset allocations and assigns portfolios, as well as other automated portfolio construction tools. As these systems become more interconnected with other product offerings and integrate with client and third-party technology, complexity increases, requiring greater expertise and testing. Problems could arise if these systems do not work as intended. Any errors, especially ones undetected over time, could result in liability, including breaches of fiduciary duty or applicable law, despite our quality assurance practices. We continually invest in training to maintain in-house expertise and educate record-keepers, plan sponsors, and participants on the proper use and differentiation of these offerings, which is costly and time-consuming.
We seek to continually enhance our retirement services, adding capabilities such as modeling and advising on income-generating products, and regularly release technology updates and methodology changes. Clients may require additional support to implement updates and understand their implications, including strategy suitability. We also allocate resources to support legacy versions of the Wealth Forecasting Engine still in use. Errors in updates or methodology could result in significant liabilities, including make-whole payments or litigation.
Risks Related to Our Operations
Our future success depends on our ability to recruit, develop, and retain qualified employees.
Our continued success depends on attracting, hiring, and onboarding qualified employees. Many of our key offerings require specialized skills in areas such as engineering, research, quantitative analysis, fixed income data, and credit analysis, as well as emerging strategic disciplines. These skills are highly sought after, creating strong competition for talent. The development, maintenance, and support of our products also rely on the expertise and experience of our existing employees.
As a global business with a distributed workforce, we face recruiting challenges across many locations. Managing employees across geographies introduces complexities, including implementing systems, policies, benefits, and compliance programs, and addressing external factors such as geopolitical unrest. Rising wage scales in key markets, inflationary pressures, strong sector stock performance in the sectors where we focus hiring efforts, immigration policies, regulatory changes, and skill shortages increase compensation costs and can make it harder to attract and retain qualified employees.
We invest in employee development through programs such as learning tools and educational stipends and encourage engagement. Shifts in labor markets, such as moves toward or away from remote or hybrid work, may affect retention. Integration of acquired businesses or sunsetting brands can also impact culture and morale, potentially leading to unforeseen attrition.
We believe our success depends on the continued service of our executive officers, including Joe Mansueto, our executive chairman, and Kunal Kapoor, our chief executive officer, as well as senior leaders and other key employees. Their experience and expertise make them attractive to competitors and early-stage companies that can offer significant financial incentives. Loss of these leaders, or inadequate succession planning, or loss of key employees could pose substantial challenges, including loss of potential or existing clients, and adversely affect our operating results and financial condition.
Our operations are dependent on third-party service providers. We are dependent on third-party service providers in our operations.
We rely on certain external sources for data and research, including securities exchanges, fund companies, issuers, and other providers, as well as third-party data for many of our products. Certain data feeds create sole-source dependency, and any service degradation could harm our products and expose us to downstream risk. External data may contain errors, affecting product accuracy and customer confidence. Our innovation depends on vendor products, including data, software, and services. Some offerings require ongoing updates and access to historical data. Many vendors are also competitors, and termination of agreements, changes in terms, or restrictions on data use relating to such vendors could materially harm our business.
We use AI technologies from third parties, including AI product engines and open-source software. We use AI technologies from third parties, which may include open-source software. If we are unable to maintain rights to use these AI technologies on commercially reasonable terms, or if third-party suppliers discontinue or materially change their offerings, we may be forced to acquire or develop alternate AI technologies. If we are unable to maintain rights to use these AI technologies on commercially reasonable terms, we may be forced to acquire or develop alternate AI technologies, which may limit or delay our ability to provide competitive offerings and may increase our costs. Such changes could be difficult and costly to implement, may limit or delay our ability to provide competitive offerings, and could significantly increase our costs. Additionally, reliance on third-party AI suppliers may create switching challenges due to integration complexity, proprietary dependencies, and retraining requirements. Moreover, the risks described above with respect to our own AI systems—including the possibility that such systems generate inaccurate, misleading, biased, or discriminatory content that could harm our reputation and expose us to liability—would similarly apply to AI technologies supplied by third-party vendors and could materially harm us if they occur.
We rely on numerous third-party service providers, including for contract labor, SaaS, and data backup facilities. Failure by a provider could disrupt our ability to deliver products and services and require significant costs to internalize functions or find adequate alternatives. For limited products and regions, we are subject to vendor oversight regulations, such as the EU’s Digital Operational Resilience Act, which increases compliance obligations and costs. Inadequate due diligence relating to or oversight of third parties, such as failing to detect conflicts of interest, fraud, data breaches, cyberattacks, or legal noncompliance, could result in financial loss, regulatory sanctions, or reputational harm.
Our strategic transactions, acquisitions, dispositions, and investments in companies or technologies may not result in the expected business or financial benefits, ultimately having an adverse effect on our operating results and our ability to deliver long-term value to our shareholders.
As a means to implement our business strategy, we periodically evaluate and make investments in, or acquisitions of, complementary businesses, services and technologies, and intellectual property rights, or dispose of assets or products, and expect to continue to do so in the future. As a means to implement our business strategy, we periodically evaluate and make investments in, or acquisitions of, complementary businesses, services and technologies, and intellectual property rights, and expect to continue to make such investments and acquisitions in the future. However, there can be no assurance we can identify suitable investment, acquisition, or disposition candidates at acceptable prices. However, there can be no assurance we can identify suitable investment or acquisition candidates at acceptable prices. In addition, although we conduct robust due diligence through cross-functional teams when making an acquisition, each acquisition presents potential challenges and risks, including the following:
–difficulties in assimilating, integrating, or retraining acquired employees.
–differences between our values and those of our acquired companies, as well as disruptions to our workplace culture.
–diversion of financial and managerial resources from existing operations.
–challenges relating to the potential entry into new markets in which we have little experience or where competitors may have stronger market positions.
–difficulties in integrating acquired operations, including challenges with the acquired company’s customers and partners.
–challenges with the acquired company’s third-party service providers.
–challenges with integrating the acquired companies' technology.
–challenges and costs relating to known and potential unknown liabilities, technology or security vulnerabilities, or regulatory investigations associated with the acquired businesses.
We have also made, and expect to continue to make, investments in companies where we do not have or obtain a controlling interest. We also have, and expect to continue to make, various investments in companies where we do not have or obtain a controlling interest. Such investments are motivated both by their prospective financial return and the access they give us to certain new technologies, products, business ideas, and management teams. While we obtain various rights in connection with such investments, the future value of such investments is highly dependent on the management skill of the managers of those companies, among other factors.
The strategic transactions we ultimately pursue may be subject to various closing conditions, including review or approval by foreign and domestic regulatory authorities and obtaining third party consents, which we may not obtain on a timely basis or at all. In addition, these strategic transactions may present financial, managerial, and operational challenges such as diversion of managerial resources from core business functions, increased expenses associated with the transaction, potential disputes with customers, suppliers, or acquirers of disposed assets, and failure to achieve the expected economic benefits of the transaction, any of which could have a material adverse effect on our business, financial condition and operating results. In addition, we are and continue to be susceptible to website spoofing attacks, where fraudulent websites are created to closely resemble our brand, products and offerings and are designed to lure potential clients to share personal sensitive information, such as login credentials, social security numbers, credit card information, bank account numbers, and in some instances send money to individuals portraying to be associated with our entities and brands.
Our ability to acquire or dispose of businesses, make strategic investments, or integrate acquisitions may be hindered by trade tensions and heightened scrutiny of foreign investments, particularly in technology. Several countries, including the United States, Europe, and Asia-Pacific, have adopted or are considering restrictions on such transactions, and antitrust authorities are reviewing technology deals with greater rigor. Our business strategy includes expanding into new and adjacent product lines, but regulatory requirements across different Morningstar businesses may limit our ability to pursue these opportunities. Regulatory sanctions in one area could affect operations in unrelated regulated sectors, and sharing intellectual property across product lines may be restricted by regulatory concerns. Future restrictions or government actions could also limit acquisition and investment opportunities and negatively impact our business and financial results. Acquisitions or divestitures may also expose us to shareholder or third-party litigation, which could be costly and distract management even if unsuccessful. Acquisitions may expose us to litigation from our shareholders or other third parties, which, even if unsuccessful, could be costly to defend and serve as a distraction to management.
The goodwill of our business and other intangible assets could be impaired in the future, requiring us to record substantial impairments that could impact future earnings.
We assess goodwill for impairment on an annual basis or when evidence of potential impairment exists. Intangible and long-lived assets are evaluated for impairment when events or changes in circumstances arise that indicate the carrying value of the asset may be unrecoverable. Intangible assets are evaluated when events or changes in circumstances arise that indicate the carrying value of the asset may be unrecoverable. Some factors that may be considered include changes in our business related to acquisitions, a significant and sustained decline in stock price and market capitalization, or other changes in fair market valuations. Impairment testing is based on several factors which require judgment from management and may result in non-cash impairment charges in future periods, which could have a material adverse impact on our operating results and financial condition. In general, changes in our business condition or changes in fair market valuations and our operating performance may result in future impairments of goodwill or intangible assets which could have a material adverse impact on our operating results.
As a global taxpayer, we face challenges due to increasing complexities in accounting for taxes (e.g., base erosion, minimum taxes, and tax transparency), which are high priorities in jurisdictions in which we operate and could materially affect our tax obligations and effective tax rate.
Our effective tax rate is based on the mix of income and losses in our US and non-US operations, statutory tax rates, and tax-planning opportunities available in the various jurisdictions in which we operate. We have been, and could in the future be, subject to changes in our tax rates, the adoption of new or evolving US or non-US tax legislation or exposure to additional tax liabilities. Due to economic and political conditions, tax rates in various jurisdictions may be subject to significant change. Our future effective tax rates could be affected by changes in the mix of earnings in countries with differing statutory tax rates including impacts related to transfer pricing, changes in the valuation of deferred tax assets and liabilities, or changes in tax laws or their interpretation by relevant authorities.
Corporate tax reform, base-erosion efforts, and tax transparency continue to be high priorities in many jurisdictions in which we operate. Changes in tax laws or regulation around the world, including efforts led by the Organization for Economic Co-operation and Development (OECD), could result in increases to our effective tax rate. We continue to monitor developments and administrative guidance in the countries where we operate in addition to evaluating the potential impact on our consolidated financial statements for future periods. We are continuing to monitor developments and administrative guidance in addition to evaluating the potential impact on our consolidated financial statements for future periods.
Our revenues, expenses, assets, and liabilities are subject to fluctuations in foreign currency exchange rates.
As a business with international business activities, we are subject to risks related to fluctuations in foreign currency exchange rates. Movements in the exchange rates can impact the US dollar reported value of our revenues, expenses, assets, and liabilities denominated in non-US dollar currencies or where the currency of such items is different than the functional currency of the entity where these items were recorded. In addition, the value of assets in indexed investment products can fluctuate significantly over short periods of time and such volatility may be further impacted by fluctuations in foreign currency exchange rates.
We incur expenses for employee compensation and other operating expenses at our non-US locations in the local currency. In the future, if there is an increase or decrease in our international business activities that are recorded in local currencies, our exposure to fluctuations in foreign currency exchange rates may correspondingly increase or decrease, which could materially adversely affect our business, financial condition, or operating results. In the future if there is an increase or decrease in our international business activities that are recorded in local currencies, our exposure to fluctuations in foreign currency exchange rates may correspondingly increase or decrease, which could materially adversely affect our business, financial condition or operating results. Although we may in the future decide to undertake foreign exchange hedging transactions, to date, we have not engaged in currency hedging, and we do not currently have any positions in derivative instruments to hedge our currency risk.
Our indebtedness could adversely affect our cash flow and financial flexibility. Our variable rate indebtedness could subject us to interest rate risk, which could cause our debt service obligations to increase significantly.
For an overview of our current outstanding indebtedness, refer to Item 7 - Management's Discussion and Analysis of Financial Condition and Results of Operations - Liquidity and Capital Resources below. Our long-term debt was $1,072.6 million on December 31, 2025. While our business has historically generated strong cash flow and we are in compliance with all of our debt covenants, borrowings under our current credit facilities are floating rate. As a result, our annual debt service requirements are affected by rising interest rates, and we cannot provide assurance that we will generate and maintain cash flows sufficient to permit us to service our indebtedness. Our ability to make payments on our indebtedness and to fund expected capital expenditures depends on our ability to generate and access cash in the future, which, in turn, is subject to general economic, financial, competitive, regulatory, tax and other factors, many of which are beyond our control. If we cannot refinance or otherwise pay our obligations as they mature and fund our liquidity needs, our business, financial condition, results of operations, cash flows, liquidity, ability to obtain financing, and ability to compete in our industry could be materially adversely affected.
In addition, any borrowings under our current credit facilities bear interest at fluctuating interest rates based on the Secured Overnight Financing Rate (SOFR), which replaced London Interbank Offered Rate (LIBOR) as the reference rate under our credit facilities. There can be no assurance that SOFR will perform in the same way as LIBOR would have at any time, which may result in increased volatility in the interest rates payable under our credit facilities and potentially increase our funding costs.
Furthermore, the terms of our debt agreements include restrictive covenants that limit, among other things, our and our subsidiaries’ financial flexibility and ability to implement certain transactions. If we are unable to comply with the restrictions and covenants in our debt agreements, there could be a default that, in some cases, if continuing, could result in the accelerated payment of our debt obligations or the termination of borrowing commitments on the part of the lenders under our Credit Agreement. Additionally, our current credit facilities mature in October 2028 and October 2030. We may not be able to renegotiate or obtain additional or new financing on a timely basis or on terms favorable or acceptable to us. If we are unable to refinance or otherwise fund our liquidity needs, our business, financial condition, results of operations, cash flows, liquidity, and ability to compete in our industry could be materially adversely affected. If we fail to comply with any applicable law, rule, or regulation, we could be fined, sanctioned, or barred from providing certain products and services in the future, which could adversely affect our reputation, business and financial results. Refer to Item 7—Management's Discussion and Analysis of Financial Condition and Results of Operations—Liquidity and Capital Resources for a description of the restrictive covenants in our debt agreements.
Our insurance coverage may be inadequate or expensive.
We maintain voluntary and required insurance coverages, including, among others, general liability, property, director and officer, technical professional liability, media liability, network cybersecurity and privacy liability, investment advisory professional liability, fidelity bond, and worker’s compensation/employers liability at a significant annual cost, which is generally expected to increase over time. While we endeavor to maintain coverage that we feel is appropriate to our operations, size, and general risk profile, certain types of claims may not be covered by this insurance. Further, we are unable to predict with certainty the frequency, nature, or magnitude of claims under our policies or our actual claims recovery experience. Our business may be negatively affected if insurance coverage proves to be inadequate or unavailable on acceptable terms or at all.
Risks Related to Ownership of Our Common Stock
The concentrated ownership position of Joe Mansueto could adversely affect our other shareholders.
As of December 31, 2025, Joe Mansueto, our Executive Chairman and Chairman of the Board, owned approximately 37.5% of our outstanding common stock. While Joe has reduced his share ownership of the company in recent years as part of a personal plan to diversify his assets, his concentrated ownership position gives him substantial influence over substantially all matters submitted to our shareholders for approval, including the election and removal of directors and any merger, consolidation, or sale of a significant portion of our assets. This concentration of ownership may disincentivize other shareholders from proposing the election of other persons to our board of directors, delay or prevent a change in control, impede a merger, consolidation, takeover, or other business combination involving Morningstar, discourage a potential acquirer from making a tender offer or otherwise attempting to obtain control of the company, or result in actions that may be opposed by other shareholders.
Our stock price may not reflect our assessment of intrinsic value and future sales of our common stock by our significant shareholders and fluctuations in our operating results may negatively affect our stock price.
We believe our business has relatively high fixed costs, mainly for compensation and benefits, and low variable costs, making our operating results sensitive to revenue fluctuations. A decline in our revenue may lead to a proportionally larger drop in operating income. As a result of managing our business with a long-term view, we typically do not make significant adjustments to our strategy or cost structure in response to short-term changes. For example, if the US economy were to experience prolonged inflationary pressures, increased compensation and other expenses could adversely impact our operating results. As we do not provide earnings guidance and our executive team generally doesn’t take individual meetings with investors and analysts, and given limited analyst coverage of our stock, our stock price may not now, or in the future, reflect the intrinsic value of our business and assets. For example, recent market sentiment regarding the impact of AI on software and data company growth prospects has driven meaningful sector-wide stock price declines, including Morningstar's, despite strong operating performance. Additionally, we opportunistically repurchase shares of our common stock when we believe that valuations are attractive relative to our assessment of our intrinsic value. However, the repurchases we make may not yield positive returns in the future and may not create value or increase investor confidence in our stock. If our results or metrics fall short of expectations, our stock price and trading volume may decrease.
Additionally, our stock price may be susceptible to decline if our significant shareholders, including Joe Mansueto, were to sell substantial amounts of our common stock. A significant reduction in ownership by Joe or any other large shareholder over a short period of time could cause the market price of our common stock to fall.
We cannot guarantee we will pay dividends in the future or make any repurchases of our common stock under our repurchase program.
We have historically paid cash dividends on our common stock, but there is no guarantee that such dividends will continue in the future. Whether our Board authorizes future dividends will depend on a number of factors, including our results of operations, financial condition, contractual restrictions, restrictions imposed by applicable law, and other factors. Moreover, our Board may determine not to repurchase shares of our common stock pursuant to the share repurchase program we authorized on October 29, 2025. Refer to Note 18 of our Notes to our Consolidated Financial Statements for more information regarding our share repurchase program. Any failure to repurchase stock after we have announced our intention to do so may adversely impact our reputation and investor confidence in us and may adversely impact our stock price.
The existence of our share repurchase program could cause our stock price to be higher than it otherwise would and could potentially reduce the market liquidity for our stock. Repurchase programs are also subject to potential excise tax under the Inflation Reduction Act of 2022.
Item 1B. Unresolved Staff Comments
We do not have any unresolved comments from the Staff of the SEC regarding our periodic or current reports under the Exchange Act.
Item 1C. Cybersecurity
The purpose of our information security program is to enable the business to effectively identify, assess, prioritize, and manage cybersecurity risk in order to support our long-term corporate objectives and to protect our employees, customers, and company assets from threats to our information systems. Cybersecurity is a critical component of our enterprise risk management, and the company has identified cybersecurity as one of the key risk categories it faces.
Risk Management and Strategy
Morningstar deploys various safeguards to help protect against cybersecurity threats, including but not limited to, anti-malware (EDR) tools, email security, web filtering, multi-factor authentication and single-sign-on, regular patch cadence and vulnerability management, and hardened laptops with full disk encryption and admin permissions removed. For in-house developed software, Morningstar deploys various security tools to detect vulnerabilities, including but not limited to, static application security and dynamic application security testing, software composition analysis tooling, cloud security posture management, and central logging. We engage a third-party to conduct a NIST CSF assessment to measure the completeness and readiness of our cybersecurity program and have a third-party perform a security assessment of our network annually. Additionally, we have application security assessments and SOC 2 certifications performed by a third-party on products where we deem them beneficial.
The company's team of information security professionals (InfoSec Team) conducts vulnerability scans and third-party security assessments of operating systems, network devices, and web-facing applications. We require all Morningstar products to follow enterprise-wide Disaster Recovery (DR) standards. Identified vulnerabilities and DR tasks are assigned to appropriate owners and on a weekly basis we produce a cybersecurity scorecard for each Morningstar product. These scorecards are disseminated to the relevant leadership team.
The InfoSec Team, under the supervision of the chief information security officer (CISO), has also implemented processes to evaluate cybersecurity controls of third-party service providers. As part of the company’s processes for engaging vendors, subcontractors and other third-parties, the InfoSec Team evaluates any such entities that may process confidential information prior to conducting business with them. We also conduct periodic assessments of the security posture of critical third party vendors through the use of formal questionnaires and a review of pertinent documentation provided by those parties, to confirm their continued adherence to our security standards. Security vulnerabilities with the use of open-source software could impact our products and services, which may result in the need for change control, testing and potential re-engineering efforts that could increase costs and impact our software development and products.
Employees undergo annual security awareness training, and a quarterly phishing exercise is conducted. Quarterly security incident tabletop exercises are conducted with appropriate stakeholders to practice response procedures, and an annual tabletop exercise is conducted with the executive leadership team to test our enterprise resilience. The enterprise resilience team manages both disaster recovery as well as business continuity plans in preparation to recover from high-impact events.
Governance
Our experienced InfoSec Team is headed by our CISO, who reports to a member of our executive leadership team. Our CISO holds a Ph.D. in Computer Science with a focus on Cybersecurity and Privacy and has more than 15 years of information security experience. The InfoSec Team is responsible for assessing and managing cybersecurity risks and threats. The InfoSec Team manages our Information Security Program (InfoSec Program), which has oversight of IT risk governance, IT third-party risk management, software and product security, security operations and incident management, IT compliance, technical disaster recovery, and establishing enterprise-wide information security policies and procedures.
Our CISO also meets regularly with senior leaders from the IT, Legal, Audit, and Compliance departments to discuss environmental, regulatory, and technological changes and associated risks to the security and confidentiality of our information.
Our Board of Directors has delegated oversight of cybersecurity risks to the Audit Committee. The Audit Committee reviews and discusses with management risks relating to our cybersecurity and data privacy practices and has oversight of our cybersecurity risks. Our Chief Information Officer (CIO) and CISO provide an update to the Audit Committee at each of its regular meetings, which covers recent trends, identifies emergent risks to our technology infrastructure, Disaster Recovery (DR) plan statistics, employee training metrics, and major updates on security assessments and threat landscape as needed. The Audit Committee is also provided a summary of events and reporting on how any such events were resolved.
Cybersecurity Event Management
We have instituted a specific event management process for the monitoring, prevention, detection, identification, mitigation, and remediation of cybersecurity incidents. Cybersecurity incidents are responded to and managed by our 24-hour Security Operations Center (SOC), and technical outages/accidental occurrences are reviewed and managed by operational teams at the relevant Morningstar product and by the SOC. Upon resolution of a cybersecurity incident, we conduct a retrospective analysis to inform our security and operational efforts going forward. We engage third parties, such as incident response service providers, as appropriate, based on the severity of the cybersecurity event and/or the work required to remediate. Upon identification of a cybersecurity event, we assign a significance rating to the event. All cybersecurity events that meet or exceed designated criteria are escalated to the CISO or CIO. Cybersecurity events which may be significant are further escalated to the Cyber Incident Disclosure Committee (Cyber Committee).