Quiver Quantitative

Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - SPGI

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A. Risk Factors

The following risk factors and other information included in this annual report on Form 10-K should be carefully considered. The risks and uncertainties described below are not the only ones we face. These risks could materially and adversely affect our business, financial condition and results of operations. Additional risks and uncertainties not presently known to us or which we currently believe to be immaterial may also impair our business operations.

We are a global, diversified, and highly differentiated provider of benchmarks, data, analytics and workflow solutions in the global capital, energy and commodity, and automotive markets. Certain risk factors are applicable to certain of our individual segments while other risk factors are applicable Company-wide.

Cybersecurity, Technology and Innovation Risks

Our size, scale and role in the global markets increases our exposure to cyber attacks and other cyber-security risks. Our information systems and networks and those of our third-party service providers are exposed to risks related to cybersecurity and protection of confidential information, including material non-public information, which could have a material adverse effect on our business, financial condition or results of operations.

•Our operations rely on the secure processing, storage and transmission of confidential, sensitive and other types of data and information by our information systems and networks and those of our third-party service providers, including our vendors, data partners and distribution partners. Cyber threats continue to evolve and are increasingly difficult to detect and successfully defend against. As a result, cyber threats have in the past and may in the future defeat the measures that we or our third-party service providers take to anticipate, detect, avoid, or mitigate such threats.

•Our businesses often have access to material non-public information concerning the Company’s customers, including sovereigns, public and private companies, and other third parties around the world, the unauthorized disclosure of which could affect the trading markets for such customers’ securities and could damage such customers’ competitive positions. Some of our own products and services also include material non-public information that could affect trading markets. Unauthorized disclosure of this information as a result of cyber attacks and other unauthorized occurrences on our information systems and networks could cause our customers to lose faith in our ability to protect confidential information and therefore cause customers to cease doing business with us.

•The cyber threats we and our third-party service providers (including our vendors, data partners and distribution partners) face are rapidly evolving and are becoming increasingly sophisticated and include denial of service attacks, ransomware, spyware, misinformation, phishing/smishing/vishing attacks, business compromise attacks,

Table of Contents

typosquatting, automated attacks, employee errors, negligence or malfeasance, the use of malicious codes or worms, payment fraud, and other unauthorized occurrences on, or conducted through, our or our third-party service providers’ (including our vendors’, data partners’ and distribution partners’) information systems and networks, originating from a wide variety of sources, including criminals, terrorists, state-sponsored actors, financially motivated actors, internal actors, and external service providers. The cyber risks the Company faces range from cyber attacks common to most industries, to more sophisticated and targeted attacks, including attacks carried out by state-sponsored actors, intended to obtain unauthorized access to certain information or information systems or networks due in part to our prominence in the global marketplace, such as our ratings on debt issued by sovereigns and corporate issuers, our impending methodology changes in our benchmarks businesses, or the composition of our indices.

•We and our third-party service providers, including our vendors, data partners and distribution partners, experience cyber attacks, data breaches and other cyber threats of varying degrees on a regular basis. The volume of such attacks, breaches and threats has increased over the years and we expect that volume to continue to increase. Although we have not experienced a cyber attack or data breach that has had a material adverse effect on us to date, we may experience such an event in the future.

•In the ordinary course of business, we are exposed to vulnerabilities in widely deployed third-party software.

•Misappropriation, improper modification, destruction, corruption or unavailability of our data and information, including personal data, due to cyber incidents, attacks or other security breaches, or the perception of such an occurrence, could damage our brand and reputation, result in litigation, regulatory actions, sanctions or other statutory penalties, or lead to loss of customer confidence in our security measures and reliability. While such incidents have not had a material impact on the Company to date, future incidents could materially harm our ability to retain customers and gain new ones, result in financial losses that are either not insured against or not fully covered through any insurance maintained by us, and lead to increased expenses related to addressing or mitigating the risks associated with any such incidents. We may be required to expend significant resources to mitigate the impact of any errors, interruptions, delays or cessations of service and we may have insufficient recourse against our third-party service providers, including our vendors, data partners and distribution partners.

•We devote significant resources to maintain and regularly update our systems and processes that are designed to protect the security of our information systems, software, networks and other technology assets and the confidentiality, integrity and availability of information belonging to the enterprise and our customers and employees, and we expect to continue to expend significant additional resources to bolster these protections. Additionally, fragmented security tooling could create visibility gaps and increase the risk of missed threats and slower response.

•We conduct cyber due diligence during the acquisition process; however, following the completion of acquisitions, we from time to time identify weaknesses and vulnerabilities in acquired entities’ information systems and networks, which expose us to unexpected liabilities or make our own information systems or networks more vulnerable to a cyber attack.

•Any of the foregoing could have a material adverse effect on our business, financial condition or results of operations.

We operate in highly competitive markets that continuously change to adapt to customer needs. In order to maintain a competitive position, we invest in innovation, new offerings and enhancements, including new ways to deliver our products and services. These new or enhanced offerings resulting from our investments sometimes do not, and may not in the future, achieve market acceptance, profit or the level of profitability that we expect or have experienced historically.

Table of Contents

•The rapid change of technology is a key feature of all of the markets in which we operate.

•Innovation and constant development in support of new products and enhancements to existing products calls for the implementation of new and improved processes and technologies that require related change management efforts. While we employ a certain level of internal and external resources to mitigate the risks associated with implementing process and technology improvements, new processes and technologies that are still in development tend to be subject to more risks than established processes and technologies. We may also face unexpected challenges in execution that may require more management attention than expected, thus diverting management time and energy from other businesses. The foregoing and other unforeseen factors could also result in additional commitments of financial resources and business disruptions.

•We have transitioned an important portion of our technology to a cloud-based infrastructure, which is complex, time consuming, and involves substantial expenditures. We may discover material deficiencies in our design or implementation or maintenance of the new cloud-based systems that could adversely affect our business. Disruptions to either the outsourced systems or the communication links between us and the outsourced supplier negatively affect our ability to operate our data systems, and impair our ability to provide services to our customers.

•Enhancing existing products and developing new products often requires effective collaboration across various divisions, functions and business lines of the Company. Ineffective or insufficient collaboration across divisions, functions and business lines decreases our ability to expand geographically, enhance products, innovate, increase sales, promote brand awareness (and can lead to brand confusion) and may result in a material adverse effect on our business, financial condition or results of operations.

Given the importance of data to our products and services, the continued growth of publicly available free or relatively inexpensive information could materially reduce demand for our products and services. Demand could also be materially reduced as a result of cost-cutting initiatives at certain companies and organizations that choose to use publicly available free or relatively inexpensive information over our products and services.

Artificial Intelligence ("AI") presents new and evolving risks, and our approach to AI may not be successful, which could materially and adversely affect our business, financial condition or results of operations.

Given the importance of data to our products and services, AI continues to be an increasingly important part of our business and industry. While we have established a Company-wide AI strategy to drive our approach to data protection, licensing and AI integration in our processes, products and services, AI creates a number of evolving risks and opportunities and can exacerbate other risks, including those described herein:

•In order to remain competitive, we have made significant investments in various AI initiatives. There is no guarantee that these investments will lead to the development of products and services that achieve market acceptance, profit or the level of profitability that we expect or have experienced historically. The continued enhancement of AI within our products, services and processes depends in part on our ability to attract and retain talented employees with critical AI and data science experience, which is dependent on a number of factors, including prevailing market conditions and compensation packages offered by companies competing for the same talent. If we are less successful in our recruiting efforts, or if we are unable to attract, retain or train key qualified personnel, our ability to develop and deliver on our investments in our various AI initiatives may be adversely affected.

•The number of approaches to integrating and commercializing AI is currently large, and many of those approaches may fail to gain market acceptance or become obsolete as AI continues to evolve. At this time, we are unable to predict which AI offerings will ultimately be successful. In addition, the development, testing and deployment of AI systems

Table of Contents

requires continued investment and may materially increase the cost profile of our offerings due to the nature of the computing cost involved in such systems.

•Our competitors are deploying AI in ways that could materially reduce demand for our products and services (for example, by deploying AI in ways that make collection and processing of information relatively inexpensive or free or by leveraging AI to build products and services that compete with our products and services). The emerging availability of “off-the-shelf” AI models may also increase the ability of new and existing competitors to develop technology and applications which may compete with our products and services.

•Our ability to produce and develop products and services with AI capabilities is dependent upon the products and services of other suppliers, including certain data, software and service suppliers. Our products and services with AI capabilities may rely on third-party AI providers for certain capabilities and infrastructure. If any such providers were to limit, discontinue or materially alter the terms of our access, we may be unable to obtain comparable data from other sources in a timely or cost-effective manner, or at all. To the extent we rely on third-party AI models, the providers may discontinue such models or their model capabilities may become insufficient or obsolete.

•AI presents risks and challenges that could affect its adoption, including social and ethical risks. For example, our products and services with AI capabilities may contain errors or defects that lead to privacy concerns, accuracy issues, unintended biases or discriminatory outputs. Errors or defects may exist during any part of a product’s life cycle and may persist notwithstanding testing and/or other quality assurance practices. Inadequate internal oversight or testing within the Company increases the risk that such errors or defects may not be detected or mitigated. Failing to properly remediate any social or ethical issues that may arise in our offerings may result in material brand or reputational harm, competitive harm, legal liability or loss of public confidence, or a material reduction to the marketability or competitiveness of our products and services. Any of these social, ethical or operational issues could materially and adversely affect our business, financial condition or results of operations.

•AI is being utilized by malign actors to launch increasingly sophisticated cyber attacks against us and our third-party service providers (including our vendors, data partners and distribution partners), which, if successful, could have a material adverse effect on our business, financial condition or results of operations.

•The AI landscape is complex and rapidly evolving, and new and enhanced laws and regulations (or inadequate laws or regulations), novel application of existing laws to AI technology, governmental or regulatory scrutiny, litigation and ethical concerns could materially and adversely impact our ability to protect our data and intellectual property, to develop and offer products and services that effectively use AI, to compete with other AI products or services, to improve efficiency of existing products or services through the effective use of AI to remain competitive, or to incorporate AI in our internal operations, or could materially increase our burden and cost of research, development and regulatory compliance.

•We do not yet know whether intellectual property laws and regulations in the jurisdictions in which we operate will enable us to effectively protect our intellectual property rights from unintended use by AI. Third parties could also use our data with AI tools to create their own insights and potentially supplant our products and services. We are also subject to a variety of evolving laws and regulations regarding AI in an increasing number of jurisdictions. Further, global AI legislation, regulatory, enforcement, and policy activity is rapidly and continually evolving and creating a complex regulatory compliance environment. Such measures increase our operating costs and require significant management time and attention and may result in negative publicity and subject us to significant costs that may harm our business, including fines or damages as well as demands or orders that we modify or cease existing business practices. The integration of AI in our products and services may increase the risks of improper processing of personal data, further exacerbating such risks.

•AI technologies used in our products and processes may incorporate or reproduce third-party content in their outputs, which may expose us to risks associated with infringing, misappropriating or otherwise violating others’ intellectual property rights, including the trademarks, copyrights, patents and other intellectual property rights of third parties, including from our competitors or nonpracticing entities which may expose us to protracted and expensive litigation and may materially and adversely affect our business going forward.

•Our approach for managing our clients’ use of our data is influenced by AI. Our approach must effectively balance protecting our data and enabling our clients to leverage our data for their needs. Given the evolving nature of AI, at this time we are unable to predict if our approach will be successful. If our approach is ultimately inadequate, we could materially dilute the value of our data and/or lose significant market share or revenue.

Table of Contents

Any of the foregoing factors could materially and adversely affect our business, reputation, financial condition or results of operations.

Our use of open source software could result in litigation or impose unanticipated restrictions on our ability to commercialize our products and services.

We use open source software in our technology, most often as small components within a larger product or service. Open source code is also contained in some third-party software we rely on. The terms of many open source licenses are ambiguous and have not been interpreted by United States (“U.S.”) or other courts. We could also be subject to suits by parties claiming breach of the terms of licenses, which could be costly for us to defend.

Our inability to adequately obtain, protect and maintain our intellectual property and other proprietary rights could impact our competitive position.

•We consider many of our products and services to be proprietary, and our success depends, in part, on protecting our intellectual property, proprietary information, and technology. We rely on a variety of measures to maintain, protect and enforce our intellectual property portfolio, including trademark and patent protection, trade secret laws, legal misappropriation doctrines, confidentiality procedures and contractual restrictions, all of which provide only limited protection. In particular, such measures may not prevent infringement, violation, misuse or misappropriation of our intellectual property rights or proprietary or confidential information. For example, we routinely face unauthorized use of our indices and price assessments, and our efforts to stop such uses require significant time and expense, and are not always successful.

•We have filed for patents in the U.S. and in certain international jurisdictions, but such protections can be expensive and may not be available in all countries in which we operate or in which we seek to enforce such rights, or may be difficult to enforce in practice. We have filed for trademark registrations and participated in trademark enforcement and trademark oppositions in the U.S. and certain international jurisdictions to protect our brand, good will and reputation. These efforts cannot ensure registrations will be issued, our trademark rights will be enforced, or violations of our trademark rights will be appropriately resolved. The lack of strong patent and other intellectual property protection in jurisdictions in which we operate increases our vulnerability regarding unauthorized disclosure or use of our intellectual property and undermines our competitive position.

•There can be no assurance that any future patent, trademark, or other intellectual property registrations will be issued for our pending or future applications or that any of our current or future patents, trademarks or other intellectual property rights will be valid, enforceable, sufficiently broad in scope, provide adequate protection of our technology or other proprietary rights, or provide us with any competitive advantage. Any additional investment in protecting our intellectual property rights through additional trademark, patent or other intellectual property filings could be time consuming and expensive, both in terms of application and maintenance costs. We make business decisions about whether and where to seek patent, copyright, and trademark protection for a particular technology and when to rely upon trade secret protection, and the approach we select may ultimately prove to be inadequate. Businesses we acquire may also have intellectual property portfolios which increase the complexity of managing our intellectual property portfolio and protecting our competitive position.

•We cannot guarantee that we will be successful in maintaining, protecting, or enforcing the confidentiality of our trade secrets or that our confidentiality and non-disclosure agreements for such trade secrets will provide sufficient protection of our trade secrets, know-how, or other proprietary information in the event of any unauthorized use, misappropriation, or other disclosure. Enforcing a claim that a party illegally disclosed or misappropriated a trade secret or know-how is difficult, fact-intensive, expensive, and time-consuming, and the outcome is unpredictable. In addition, trade secrets and know-how can be difficult to protect and some courts inside and outside the U.S. are less willing or unwilling to protect trade secrets and know-how. Further, these agreements do not prevent our competitors from independently developing product or service offerings that are substantially equivalent or superior to our offerings. If any of our trade secrets were to be lawfully obtained or independently developed by a competitor or other third party, we would have no right to prevent them from using that technology or information to compete with us, and

Table of Contents

our competitive position would be materially and adversely harmed.

•Our products and services contain intellectual property delivered through a variety of digital and other media. Our ability to achieve anticipated results depends in part on our ability to defend our intellectual property rights against infringement and misappropriation. Our business, financial condition or results of operations could be materially and adversely affected by inadequate or changing legal and technological protections for intellectual property and proprietary rights in jurisdictions and markets in which we operate.

•Our products also contain intellectual property of third-party sources.

•Any of the above factors could materially and adversely affect our business, reputation, financial condition or results of operations.

We have been, and may in the future be, subject to intellectual property disputes, which are costly to defend and could harm our business and operating results.

Our success depends, in part, on our ability to operate our business without infringing, misappropriating or otherwise violating third-party intellectual property rights. We have been, and may in the future be, subject to claims and litigation alleging that we or our products or services infringe, misappropriate or otherwise violate others’ intellectual property rights, including the trademarks, copyrights, patents and other intellectual property rights of third parties, including from our competitors or nonpracticing entities. We may also learn of possible infringement, misappropriation or other violation of our trademarks, copyrights, patents and other intellectual property. Patent and other intellectual property litigation may be protracted and expensive, and the results are difficult to predict and may result in significant settlement costs or payment of substantial damages. Furthermore, a successful claimant could secure a judgment that requires us to stop offering some products or services or prevents us from conducting our business as we have historically done or may desire to do in the future. We might also be required to seek a license and pay royalties for the use of such intellectual property, which may not be available on commercially acceptable terms, or at all. Alternatively, we may be required to modify our products and services, which could require significant effort and expense and may ultimately not be successful.

We rely heavily on network systems and the Internet and any failures or disruptions may adversely affect our ability to serve our customers.

•Our products and services are delivered electronically, and our customers rely on our ability to process transactions rapidly and deliver substantial quantities of data on computer-based networks.

•Our ability to deliver our products and services electronically may be impaired due to infrastructure or network failures, malicious or defective software, human error, natural disasters, service outages at cloud or third-party Internet providers or increased government regulation. Delays in our ability to deliver our products and services electronically may harm our reputation and result in the loss of customers.

Our operations and infrastructure may malfunction or fail, which could have a material adverse effect on our business, financial condition or results of operations.

•Our ability to conduct business may be materially and adversely impacted by a disruption in the infrastructure that supports our businesses and the communities in which we are located, including New York City, the location of our headquarters, and major cities worldwide in which we have offices and operations.

•This may include a disruption involving physical or technological infrastructure used by us or third parties with or through whom we conduct business, whether due to human error, natural disasters, power loss, telecommunication failures, cyber attacks, data breaches, break-ins, sabotage, intentional acts of vandalism, acts of terrorism, political unrest, war or otherwise. Technology failures could also result from inadequate implementation or poor governance.

•We rely on our information technology environment and certain critical databases, systems, applications and services (e.g. Amazon Web Services (“AWS”)) to support key product and service offerings. We believe we have appropriate policies, processes and internal controls to ensure the stability of our information technology, provide security from unauthorized access to our systems and maintain business continuity, but our business could be subject to significant disruption and our business, financial condition or results of operations could be materially and adversely affected by unanticipated system failures, data corruption or unauthorized access to our systems.

•We have at times experienced outages and other disruptions due to internal system or human errors and could in the future be subject to outages or other disruptions due to similar errors. While we have taken steps to address these

Table of Contents

errors, we may experience outages or other disruptions in the future, and such outages or disruptions could have a material adverse effect on our business, financial condition or results of operations.

•The physical or technological infrastructure used by us or our third-party service providers can become obsolete or restrictive, unavailable, incompatible with future versions of our products, fail to be comprehensive or accurate, or fail to operate effectively, and our business could be adversely affected if we are unable to timely or effectively replace it.

•We also do not have fully redundant systems for most of our smaller office locations and low-risk systems, and our disaster recovery plan does not include restoration of non-essential services. If a disruption occurs in one of our locations or systems and our personnel in those locations or those who rely on such systems are unable to utilize other systems or communicate with or travel to other locations, such persons’ ability to service and interact with our customers may suffer.

•We cannot predict with certainty all of the adverse effects that could result from our failure, or the failure of a third party, to efficiently address and resolve these delays and interruptions. A disruption to our operations or infrastructure could have a material adverse effect on our business, financial condition or results of operations.

Legal and Regulatory Risks

Exposure to litigation and government and regulatory proceedings, investigations and inquiries could have a material adverse effect on our business, financial condition or results of operations.

•In the normal course of business, both in the U.S. and abroad, we and our subsidiaries are defendants in numerous legal proceedings and are often the subject of government and regulatory proceedings, investigations and inquiries, as discussed under Item 7, Management’s Discussion and Analysis of Financial Condition and Results of Operations, in this Annual Report on Form 10-K and in Note 13 – Commitments and Contingencies to the consolidated financial statements under Item 8, Consolidated Financial Statements and Supplementary Data, in this Annual Report on Form 10-K, and we face the risk that additional proceedings, investigations and inquiries will arise in the future.

•Many of these proceedings, investigations and inquiries regularly relate to the activity of our Ratings, Indices, and Energy businesses. From time to time, we also face proceedings, investigations or inquiries related to tax matters. Enhancements to our products and services combined with evolving regulation requires us to continuously evaluate our regulatory and compliance obligations, and government and self-regulatory agencies may conduct investigations to determine whether our products and services subject us to additional regulations.

•In view of the uncertainty inherent in litigation, government and regulatory enforcement matters, and changing political sentiments, we cannot predict the eventual outcome of the matters we are currently facing or the timing of their resolution, or in most cases reasonably estimate what the eventual judgments or impact of activity restrictions may be. The outcome of matters we are currently facing or that we may face in the future could have a material adverse effect on our business, financial condition or results of operations.

•As litigation or the process to resolve pending matters progresses, as the case may be, we continuously review the latest information available and assess our ability to predict the outcome of such matters and the effects, if any, on our consolidated financial condition, cash flows, business and competitive position, which sometimes requires us to record liabilities in the consolidated financial statements.

•Risks relating to legal proceedings may be heightened in foreign jurisdictions that lack the legal protections or liability standards comparable to those that exist in the U.S. In addition, new laws and regulations have been and may continue to be enacted that establish lower liability standards, shift the burden of proof or relax pleading requirements, thereby increasing the risk of successful litigations against the Company in the U.S. and in foreign jurisdictions. These litigation risks are often difficult to assess or quantify and could have a material adverse effect on our business, financial condition or results of operations.

•We may not have adequate insurance or reserves to cover these risks, and the existence and magnitude of these risks often remains unknown for substantial periods of time and could have a material adverse effect on our business, financial condition or results of operations.

Changes and increased enforcement in the global privacy, data localization, operational resilience, and data protection legislative, regulatory, and commercial environments in which we operate may materially and adversely impact our ability to collect, compile, use, and publish data, require us to disclose information about our security environment, and could have a material adverse effect on our business, financial condition or results of operations.

•We, and certain types of information we collect, compile, store, use, process, transfer, publish and sell, are subject to laws and regulations governing the protection of personal and sensitive information in the various jurisdictions in

Table of Contents

which we operate. We move data across national borders to conduct our operations, and consequently, are subject to a variety of evolving laws and regulations regarding privacy, data protection, and data security in an increasing number of jurisdictions. Further, global privacy, data localization, data maintenance, data transfer, operational resilience (e.g., the E.U. Digital Operational Resilience Act), data protection legislation, regulatory, enforcement, and policy activity are rapidly and continually evolving and creating a complex regulatory compliance environment. There is also increasing public concern among certain privacy and data protection advocates, government regulators, litigators, and the press regarding, and resulting increasing regulations of, privacy, data, and consumer protection issues. Certain laws and regulations to which we are subject pertain to personally identifiable information (“PII”) relating to individuals. Such laws and regulations constrain the collection, use, processing, storage, and transfer of PII, and impose other obligations with which we must comply. Costs and adaptation of our business practices to comply with evolving laws and regulations governing and restricting the processing and transfer of certain data is, and we expect will continue to be, significant. In addition, such measures, as well as any associated inquiries or investigations or any other government actions, increase our operating costs and require significant management time and attention, and may result in negative publicity and subject us to significant costs that may harm our business, including fines or damages as well as demands or orders that we modify or cease existing business practices. The risks of inadvertent disclosure of personal data can increase with the introduction of new and complex technologies, further exacerbating such risks.

•There has been increased public attention regarding the use and transfer of personal information and regulations intended to strengthen data protection, information security and consumer and personal privacy. The law in these areas continues to develop and the changing nature and interpretation of these laws by courts and enforcement actions, including in jurisdictions such as the U.S. (including in an increasing number of U.S. states), the European Union (the “EU”), the People’s Republic of China and India, could have a significant impact on our processing of employee, commercial, vendor, and customer data, and in turn, our business practices.

•These laws and regulations are wide-ranging in scope and impose numerous requirements on entities that process certain data, including personal data, such as requirements relating to processing sensitive data, obtaining consent of the individuals to whom the personal data relates in certain circumstances, providing information to individuals regarding data processing activities, implementing safeguards to protect the security and confidentiality of personal data, providing notification of data breaches and taking certain measures when engaging third-party processes that will have access to personal data. These laws and regulations are increasing in complexity and number, sometimes change, and can conflict among the various jurisdictions in which we operate. It is possible that we could be prohibited or constrained from collecting or disseminating certain types of data or from providing certain products or services as a result of such laws and regulations. For example, we may not be able, or we may fail, to obtain appropriate third-party consent where consent is required to collect or use certain types of data for certain purposes in our business. For example, a failure to comply with the GDPR or U.K. GDPR could result in fines up to the greater of €20 million (or £17.5 million under the U.K. GDPR) or 4% of annual global revenues. Additionally, in the case of a DPPA violation, U.S. courts may award liquidated damages of $2,500 per individual’s personal information. Enforcement of these laws and regulations may increase as enforcement programs mature and better tooling enhances identification of compliance issues.

•We devote meaningful time and financial resources to compliance with current and future applicable international and U.S. privacy, cybersecurity, data protection and related laws and regulations.

•Continued privacy and data protection concerns may result in new or amended laws and regulations. It is also possible that we could be prohibited from collecting or disseminating certain types of data, which could affect our ability to meet our customers’ needs or require changes in our processes, technologies, and data management.

•We are also from time to time subject to, or face assertions that we are subject to, additional obligations relating to personal and other data by contract or due to assertions that self-regulatory obligations or industry standards apply to our practices. We are also subject to the terms of our privacy policies and privacy-related obligations to third parties, and could face claims or allegations that we are not in compliance with such terms, which could result in costly litigation and could have a material adverse effect on our business, financial condition or results of operations.

Table of Contents

Future legislation, regulatory reform or policy changes, especially abrupt changes, could have a material adverse effect on our business, financial condition or results of operations.

There are currently a number of laws and regulations in jurisdictions in which we operate around the world that have recently been adopted but not yet implemented or have been proposed or are being considered to which we or our clients will or may become subject, but at this time their impact on our business and results of operations remains uncertain. Changes in legislation, regulation or policy increase the likelihood that we will fail to appropriately adapt to changes in our compliance obligations, particularly when such changes happen abruptly, such as following a change in government. Such changes may also impact our business by creating increased volatility and uncertainty in the markets in which we operate. At this time, we cannot predict the scope or nature of these changes or assess what the overall effect of such potential changes could be on our results of operations or cash flows.

Increasing regulation of our Ratings business in the U.S., Europe and elsewhere can increase our costs of doing business and therefore could have a material adverse effect on our business, financial condition or results of operations.

•The financial services industry is highly regulated, rapidly evolving and subject to the potential for increasing regulation in the U.S., Europe and elsewhere. The businesses conducted by Ratings are regulated under the laws of various jurisdictions around the world, including the U.S. Credit Rating Agency Reform Act of 2006, the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act, the U.S. Securities Exchange Act of 1934, the EU’s credit rating agency regulation, and the U.K.’s credit rating agency regulation.

•The U.S. Congress, the International Organization of Securities Commissions ("IOSCO"), the SEC, the European Commission, including through the European Securities Market Authority (“ESMA”) and the U.K. Financial Conduct Authority (“FCA”), as well as regulators in other countries in which Ratings operates, have reviewed the role of rating agencies and their processes and the need for greater oversight or regulations concerning the issuance of credit ratings or the activities of credit rating agencies, and they may conduct such reviews in the future. Other laws, regulations and rules relating to credit rating agencies are from time to time considered by local, national and multinational bodies and are likely to continue to be considered in the future, including, for example, provisions seeking to reduce regulatory and investor reliance on credit ratings or to increase competition among credit rating agencies, provisions regarding remuneration and rotation of credit rating agencies, and liability standards applicable to credit rating agencies. Other laws, regulations and rules are being considered or are likely to be considered in the future that may impact ancillary and other services provided by Ratings in addition to its credit rating products and services. Examples include regulatory oversight regimes for ESG ratings providers which may impose new regulatory requirements regarding some of Ratings’ ancillary and other services, such as the EU regulation on the transparency and integrity of ESG rating activities adopted by the European Parliament and Council in November 2024, or legislation and draft rules published by the FCA in 2025 to supervise ESG ratings providers from June 2028.

•Credit rating laws and regulations, and any other similar future rule-making, could result in reduced demand for credit ratings and/or significant increased costs, which we may be unable to pass through to customers. In addition, there may be uncertainty over the scope, interpretation and administration of such laws and regulations. We may be required to incur significant expenses and/or take actions inconsistent with our business objectives in order to comply with such laws and regulations and to mitigate the risk of fines, penalties or other sanctions. Legal proceedings could become increasingly lengthy and there may be increased uncertainty over and exposure to liability. It is difficult to accurately assess the future impact of legislative and regulatory requirements on our business and our customers’ businesses, and they may affect Ratings’ communications with issuers as part of the rating assignment process, alter the manner in which Ratings’ ratings are developed, affect the manner in which Ratings or its customers or users of credit ratings operate, impact the demand for our ratings or our other products and services and alter the economics of the credit ratings business.

•Additional information regarding rating agencies is provided under Item 7, Management’s Discussion and Analysis of Financial Condition and Results of Operations, in this Annual Report on Form 10-K.

Table of Contents

•In addition to the extensive and evolving U.S. laws and regulations, foreign jurisdictions have taken measures to increase regulation of the financial services and energy and commodities industries.

•Energy has aligned its operations with the Principles for Oil Price Reporting Agencies ("PRA Principles") issued by IOSCO and, as recommended by IOSCO in its final report on the PRA Principles, has aligned to the PRA Principles for other commodities for which it publishes benchmarks.

•Energy and Indices are subject to financial and commodity benchmark regulation in the EU (the “EU Benchmark Regulation”) and the U.K. (the “U.K. Benchmark Regulation”) as well as increasing benchmark regulation in other jurisdictions. Energy is supervised by the Dutch Authority for the Financial Markets for the EU Benchmark Regulation. Indices has recently transitioned from supervision by the Dutch Authority for the Financial Markets to supervision by ESMA for the EU Benchmark Regulation. Indices is also supervised by the FCA for the U.K. Benchmark Regulation. Indices is also subject to the benchmark regulation in Australia under which it is required to and has obtained a license from and is subject to the supervision of the Australian Securities and Investment Commission regarding its administration of the S&P ASX 200 index.

•Certain products and services provided by the S1 business in Energy are subject to the EU regulation on the transparency and integrity of ESG rating activities adopted by the European Parliament and Council in November 2024, and will also be subject to The Financial Services and Markets Act 2000 (Regulated Activities) (ESG Ratings) Order 2025 and will need to become supervised by the FCA for the ESG ratings it provides from June 2028.

•The EU's package of legislative measures called the Markets in Financial Instruments Directive and Regulation (collectively "MiFID II") have applied in all EU Member States since 2018. MiFID II and the Market Abuse Regulation may impose additional regulatory burdens on the activities of Indices and Energy in the EU over time, but their impact on, and costs to, the Company have not yet been substantive.

•The European Commission has adopted or proposed various options for regulatory intervention to address high energy prices including, among others, price limiting mechanisms on exchange traded gas products, the introduction of circuit breakers and the development of LNG import benchmarks.

•These laws, regulations and principles have impacted our Energy and Indices businesses by increasing their operating obligations, exposure, compliance risk, and costs of doing business. Such impacts may continue or get worse as the regulatory landscape continues to evolve, which could have a material adverse effect on our business, financial condition or results of operations.

Our international business activities must comport with international trade restraints, including economic sanctions regulations administered by the U.S. Treasury Department’s Office of Foreign Assets Control, which could affect our ability to market and/or sell our products and services into certain countries where we do business. Failure to comply with these laws and regulations can result in significant fines and penalties and related material adverse effects on our reputation, business, financial condition and results of operations.

•As a global company, we are subject to international trade restraints, including economic and financial sanction laws and embargoes. These laws include prohibitions or restrictions on the sale or supply of certain products and services to embargoed or sanctioned countries, regions, governments, persons and entities.

•Embargoes and sanctions laws are changing rapidly for certain geographies, including with respect to Iran, Russia, and Venezuela. These embargoes and sanctions laws have affected, and may in the future affect, our ability to continue to market and/or sell our products and services into these geographies and in turn adversely impact our revenue from such geographies. For example, in response to the ongoing military conflict between Russia and Ukraine, governments in the U.S., the EU, the U.K., Canada and others imposed financial and economic sanctions on certain industry segments and various parties in Russia and Belarus.

•Additional international trade restraints may be promulgated at any time and may require changes to our operations and increase our risk of noncompliance.

•Failure to comply with these laws and regulations can result in significant fines and penalties and related material adverse effects on our reputation, business, financial condition and results of operations. The Company has previously settled and paid fines in connection with such matters.

We may become subject to liability or face reputational harm due to our offerings.

•Some of our products and services support the investment processes and other activities of our clients, which, in the aggregate, manage or own trillions of dollars of assets. The use of our products or services as part of such activities, including the investment process, from time to time exposes us to claims for significant dollar amounts by our clients or the parties whose assets are managed by our clients. Such claims have not materially adversely affected us to date, but future claims may have a material adverse effect on our business, financial condition or results of operations.

•We have a heightened risk of litigation and reputational harm due to our role in the global markets.

•The products we develop or license, and the proprietary methodologies, models and processes on which these products rely, from time to time contain undetected errors or defects, despite testing and/or other quality assurance practices.

Table of Contents

Moreover, many of our products use new and evolving technologies that may contain their own undetected errors or defects. Errors or defects may exist during any part of a product’s life cycle and may persist notwithstanding testing and/or other quality assurance practices. Inadequate internal oversight or testing within the Company increases the risk that such errors or defects may not be detected or mitigated. Deploying products containing such errors or defects may damage our reputation, and the costs associated with remediating such errors or defects may have an impact on our profitability.

•Any claim relating to our products or services, even one in which the outcome is ultimately favorable to us, involves a significant commitment of our management, personnel, financial and other resources and could have a negative impact on our reputation. In addition, such claims and lawsuits could have a material adverse effect on our business, financial condition or results of operations.

Business and Operational Risks

Changes in the volume of securities issued and traded in domestic and/or global capital markets, asset levels and flows into investment products, high interest rates, changes in interest rates and volatility in the financial markets, and volatility in the energy and commodity markets impact our business, financial condition or results of operations.

•Our business is impacted by general economic conditions and volatility in the U.S. and world energy and commodity markets and financial markets.

•Economic conditions and volatility across the globe are generally affected by negative or uncertain economic and political conditions. In addition, natural and man-made disasters, public health crises (e.g., pandemics), and military action or conflict, such as the ongoing military conflicts between Russia and Ukraine and in the Middle East and the U.S. intervention in Venezuela, introduce volatility and uncertainty into the global capital and energy and commodity markets and negatively impact general economic conditions. Volatile, negative or uncertain economic and political conditions in our significant markets typically undermine business confidence in our significant markets or in other markets, which are increasingly interdependent. Because we operate globally and have significant businesses in many markets, increased volatility or an economic slowdown in any of those markets typically adversely affects our results of operations. For example, military conflicts typically result in adverse and uncertain economic conditions such as negatively impacting global demand for goods and services; causing supply chain disruptions (e.g., tensions across the Taiwan Straight that could lead to semiconductor supply disruption); increasing costs for transportation, energy and other raw materials; and causing an increase in cybersecurity incidents. Such conditions typically result in increased volatility and disruption to the global economy and the markets in which we operate, thereby adversely impacting our results of operations.

•Since a significant component of our credit-rating and issuance based revenue is transaction-based, and is essentially dependent on the number and dollar volume of rated debt securities issued in the capital markets, unfavorable financial or economic conditions that either reduce investor demand for rated debt securities or reduce issuers’ willingness or ability to issue rated debt securities reduce the number and dollar volume of debt issuances for which Ratings provides credit ratings.

•Unfavorable financial or economic conditions that either reduce investor demand for debt or equity securities or reduce issuers’ willingness or ability to issue such securities negatively impact the revenue of certain business lines within Market Intelligence that are linked to debt and equity issuances.

•Our Indices business is impacted by market volatility, asset levels or notional values of investment products based on our indices, and trading volumes of certain exchange traded derivatives. Uncertain economic conditions, political unrest and a variety of other factors may lead to market volatility and volatile capital markets, as well as changing investment styles, which, among other factors, may influence an investor’s decision to invest in and maintain an investment in an index-linked investment product.

•High or increasing interest rates or credit spreads, volatility in financial markets or the interest rate environment, significant political or economic events, defaults of significant issuers and other market and economic factors may negatively impact the general level of debt issuance, the debt issuance plans of certain categories of borrowers, the level of derivatives trading and/or the types of credit-sensitive products being offered, which impact our Ratings segment and portions of our Market Intelligence, Energy and Indices segments, and in the future could have a material adverse effect on our business, financial condition or results of operations.

•Our Energy business is impacted by volatility in the energy and commodity markets. Such volatility in our key markets could cause reduced demand for our products, impacting our revenues and margins.

•High or increasing interest rates, volatility in financial markets or the interest rate environment, significant political or economic events, and other market and economic factors may impact the supply and demand for new and used vehicles, which impacts our Mobility business.

•Disruptions in the automotive supply chain impact production in the automotive industry and typically impact our Mobility business.

Table of Contents

•Any weakness in the macroeconomic environment, including due to recession, inflation, high or increasing interest rates and other factors, could constrain customer budgets across the markets we serve, potentially leading to a reduction in their employee headcount and a decrease in demand for our subscription-based products.

•The foregoing factors generally affect our performance and could have a material adverse effect on our business, financial condition or results of operations.

Inability to attract, retain or train key qualified personnel or to navigate key management transitions could have a material adverse effect on our business, financial condition or results of operations.

The development, maintenance, sale and support of our products and services are dependent upon the knowledge, experience and ability of our highly skilled, educated and trained key personnel. Our ability to attract and retain talented employees is dependent on a number of factors, including prevailing market conditions and compensation packages offered by companies competing for the same talent. While we offer competitive salary and benefit packages, intense competition for talent within our markets is driving difficulties in attracting and retaining skilled employees. Key management transitions involve inherent risk, and such transition periods can be disruptive and may result in a loss of personnel with deep institutional or technical knowledge. If we are less successful in our recruiting efforts, or if we are unable to attract, retain or train key qualified personnel or to navigate key management transitions, our ability to develop and deliver successful products and services or achieve strategic goals may be adversely affected, which could have a material adverse effect on our business, financial condition or results of operations.

The planned separation of our Mobility business into an independent, publicly traded company is contingent upon the satisfaction of a number of conditions, may not be completed on the currently contemplated timeline, or at all, and may not achieve the intended benefits.

On April 29, 2025, we announced our intent to pursue a separation of our Mobility business through a spin-off to our shareholders. The proposed separation is subject to various conditions, is complex in nature, and may be affected by unanticipated developments. The separation is intended to qualify as a tax-free transaction for U.S. federal income tax purposes. There can be no assurance regarding the ultimate timing of the separation or that such separation will be completed. Unanticipated developments could delay, prevent or otherwise adversely affect the separation, including but not limited to disruptions in general or financial market conditions or potential problems or delays in satisfying required conditions. Such developments could cause the separation to occur on terms or conditions that are less favorable than anticipated. In addition, we may not be able to achieve the full strategic and financial benefits that we anticipate to result from the separation, or such benefits may be delayed or not occur at all. The anticipated benefits of the separation are based on a number of assumptions, some of which may prove incorrect. We also expect to incur significant expenses in connection with the separation, certain of which will be incurred even if the separation is not completed. Executing the separation will continue to require significant resources, time and attention from our senior management and employees, which could divert attention and resources away from other projects and the day-to-day operation of our business. We may experience negative reactions from financial markets if we do not complete the separation in a reasonable time period. Following the proposed separation, the combined value of the shares of the two publicly-traded companies may not be equal to or greater than what the value of our shares would have been had the separation not occurred. The above factors could have a material adverse effect on our business, financial condition, results of operations or the price of our shares.

Our acquisitions, divestitures and other strategic transactions may not produce anticipated results, which could have a material adverse effect on our business, financial condition or results of operations.

•We have made and expect to continue to make acquisitions, divestitures and other strategic transactions to strengthen our business and grow our Company.

•If we are unsuccessful in completing such transactions or if such opportunities for expansion do not arise, our business, financial condition or results of operations could be materially adversely affected.

•If such transactions are completed, the anticipated growth and other strategic objectives of such transactions may not be fully realized or may take longer to realize than expected, and a variety of factors may adversely affect any anticipated benefits from such transactions. Our acquisitions, divestitures and other strategic transactions face difficulties, including, but not limited to, the following:

◦the process of integration being more expensive or requiring more resources than anticipated;

◦an acquisition changing the composition of our markets and product mix, and difficulty gaining the skills necessary for such markets or products;

◦delays or difficulties consolidating corporate and administrative infrastructures and eliminating duplicative operations, including issues in integrating financial reporting, information technology infrastructure, data and content management systems and product platforms, communications and other systems;

Table of Contents

◦delays or difficulties harmonizing corporate cultures, operating practices, management philosophies, employee development and compensation programs, internal controls, compliance programs and other policies, procedures and processes;

◦assuming unintended liabilities;

◦unexpected regulatory and operating difficulties and expenditures, including regulatory challenges that impact our ability to conduct due diligence;

◦failure to maintain employee morale or retain key personnel of the current or acquired business;

◦failure to retain existing business and operational relationships;

◦continuing operational or financial obligations that arise under transition services agreements requiring significant management and operational resources that limit our ability to fully implement cost reduction and efficiency initiatives or other aspects of our transition plans, or divert the management’s focus from other business operations;

◦difficulty coordinating geographically separate organizations, including consolidating offices;

◦the impact of divestitures on our revenue growth being larger than projected due to greater dis-synergies or adverse effects on our overall product offerings than expected;

◦divestitures requiring continued financial involvement in the divested business through continuing equity ownership, guarantees, indemnities, other financial or operational obligations, or transition services obligations;

◦incurring impairment charges or other losses related to divestitures; and

◦diversion of management’s focus from other business operations.

•The failure of acquisitions, divestitures and other strategic transactions to perform as expected could have a material adverse effect on our business, financial condition or results of operations.

The markets in which we operate are intensely competitive, and our inability to successfully compete could materially adversely affect our business, financial condition or results of operations.

•The markets for credit ratings, financial research, market data and solutions, index-based products, automotive data, energy and commodities analytics and price assessments, and related news and information about these markets are intensely competitive. Our businesses compete domestically and internationally on the basis of a number of factors, including the quality of their offerings, client service, reputation, price, geographic scope, range of products and technological innovation.

•While our businesses face competition from traditional content and analytics providers (including exchanges), we also face competition from non-traditional providers, many of whom are our clients, such as asset managers, investment banks, private equity and technology-led companies that are adding content and analytics capabilities to their core businesses.

•The competitive landscape also experiences consolidation in the form of mergers and acquisitions, joint ventures or strategic partnerships, which results in competitors that are better capitalized or that are able to gain a competitive advantage through synergies.

•In some of the countries in which our businesses operate, governments have, and may in the future, provide financial or other support to locally-based competitors (particularly credit rating agencies) and have, and may from time to time in the future, establish official credit rating agencies, credit ratings criteria, benchmarks or benchmark providers, or procedures for evaluating local issuers.

•Changes in the markets in which we compete from time to time drive us to lower the fees we charge for our products and services in order to remain competitive. Moreover, certain of our fees are based on the performance of our customers, and such fees are negatively impacted when our customers’ performance is down, including due to changes in their markets.

•If we are not able to successfully compete with our competitors, we may be required to significantly reduce the costs for our products or services, or we may lose significant market share, revenue or customers, which could materially adversely affect our business, financial condition or results of operations.

A significant increase in operating costs and expenses could have a material adverse effect on our profitability.

•Our major expenditures include employee compensation and capital investments.

•We offer competitive salary and benefit packages to attract and retain the quality employees required to grow and expand our businesses.

•We make significant investments in information technology data centers and other technology initiatives and such investments may not result in increased revenues.

•We rely on data provided by third-party data suppliers for a variety of our products and we rely significantly on AWS to provide, develop and maintain our cloud infrastructure. We are facing increasing costs from our third-party service providers due to a number of reasons, including inflationary pressures and costs associated with the increasing complexity of the data we require.

Table of Contents

•Although we believe we are prudent in our investment strategies and execution of our implementation plans, the ultimate recoverability or effectiveness of these investments is not yet known.

•A significant increase in any of the operating costs and expenses mentioned above could have a material adverse effect on our profitability.

Consolidation of customers, reduced staffing levels of customers or reduced spending by customers could have a material adverse effect on our business, financial condition or results of operations.

•Our businesses have a customer base which is largely comprised of members from the corporate, financial services, energy and commodities, and automotive industries. The consolidation of customers resulting from mergers and acquisitions across these industries can result in reductions in the number of firms and workforce which can impact the size of our customer base.

•Our customers that strive to reduce their operating costs may seek to reduce their spending on our products and services. If a large number of smaller customers or a critical number of larger customers reduce their spending with us, our business, financial condition or results of operations could be materially and adversely affected.

•Alternatively, customers may use other strategies to reduce their overall spending on financial, energy and commodity market and automotive products and services by consolidating their spending with fewer vendors, including by selecting other vendors with lower-cost offerings, or by self-sourcing their need for financial, energy and commodity market and automotive products and services.

We rely on the products and services of other suppliers, including certain data, software and service suppliers, for many aspects of our business.

•Our ability to produce our products and services and develop new products and services is dependent upon the products and services of other suppliers, including certain data, software and service suppliers. We obtain data from many third-party data sources. Our business relies on our ability to obtain data for our own internal operational purposes and for the benefit of customers using our products and services. Certain of our third-party data sources supply us with critical datasets that support our products and services for which suitable alternative sources may not be readily available.

•Some of our products and services and their related value are dependent upon updates from our third-party data suppliers and most of our information and data products and services are dependent upon continuing access to historical and current data.

•We could experience interruptions in our data access for a number of reasons, including difficulties in renewing our agreements with third-party data providers, changes to the software used by third-party data providers, efforts by industry participants to restrict access to data, increased fees we may be charged by third-party data providers and legal or regulatory changes. Our competitive position could be negatively affected if any of our key data providers terminates its relationship with us or if data flow from any key data provider is interrupted. If these third-party data providers experience difficulty meeting our requirements or standards, have adverse audit results, violate the terms of our agreements or applicable law, fail to obtain or maintain applicable licenses, cease operations temporarily or permanently, face financial distress or other business disruptions, increase their fees, or if the relationships we have established with such third-party data providers deteriorate, expire or otherwise terminate, whether as a result of macroeconomic conditions or otherwise, we could suffer increased costs and we may be unable to provide similar services or operate certain aspects of our business until we are able to find an equivalent provider or develop replacement technology or operations, which could damage our financial condition and reputation. Furthermore, if we are unsuccessful in identifying or finding high-quality third-party data providers, if we fail to negotiate cost-effective relationships with them, or if we ineffectively manage these relationships, it could have a material adverse effect on our business, financial condition or results of operations.

•Many of our suppliers are also our competitors, and from time to time they negotiate to change the terms of the data and products that they supply to us in order to gain an advantage in the marketplace, which could materially harm our business.

•We utilize certain information and data provided by third-party sources in a variety of ways, including information gathered by market participants and large volumes of data from certain stock exchanges around the world.

•From time to time, the data from our suppliers has errors, is delayed, has design defects, is unavailable on acceptable terms or is not available at all.

Table of Contents

•The consolidation of our suppliers has reduced the number of firms we partner with, which has impacted the size of our supplier base for certain products and services and resulted in an increase in fees charged by certain of our supplier partners.

•Some of our agreements with data suppliers allow them to cancel on short notice.

Our inability to successfully recover should we, our third-party service providers or our clients experience a disaster or other business continuity problem could cause material financial loss, loss of human capital, regulatory actions, reputational harm, damaged client relationships or legal liability.

•Should we or our third-party service providers experience a local or regional disaster or other business continuity problem, such as an earthquake, hurricane, flood, civil unrest, protests, military conflict, terrorist attack, public health crisis (e.g., pandemic), security breach, cyber attack, data breach, power loss, telecommunications failure or other natural or man-made disaster, our ability to continue to operate will depend, in part, on the availability of our or our third-party service provider’s personnel, our or our third-party service provider’s office facilities and the proper functioning of our or our third-party service provider’s computer, telecommunication and other related systems and operations. In the event of any such disaster or other business continuity problem, we could experience operational challenges with regard to particular areas of our operations, such as key executive officers or personnel, or we could be exposed to the operational challenges of our third-party service providers, over which we have no control, which could have a material adverse effect on our business, financial condition or results of operations.

•The steps governments take to prevent or contain a disaster or other business continuity problem (such as travel restrictions, shelter in place orders, business shutdowns, or quarantines) may negatively impact our operations, or the operations of our third-party service providers or clients, or may limit our ability to interact with clients and effectively maintain and grow our operations, including through securing new subscriptions and renewals.

•The negative impact of a disaster or other business continuity problem on our clients could result in our products and services facing pricing pressure or delayed renewals, and challenges to new sales, which would in turn reduce revenue, ultimately impacting our results of operations.

•We regularly assess and take steps to improve our existing business continuity plans and key management succession. However, a disaster on a significant scale or affecting certain of our key operating areas within or across regions, or our inability to successfully recover should we, our third-party service providers or our clients experience a disaster or other business continuity problem, could materially interrupt our business operations and result in material financial loss, loss of human capital, regulatory actions, reputational harm, damaged client relationships or legal liability.

•Our reputation, credibility, and the strength of our brand are key competitive strengths.

•Given our role in the financial, energy and commodity, and automotive markets, our ability to attract and retain customers is uniquely affected by external perceptions of our reputation, credibility, and brand.

•We provide credit ratings, pricing and valuation services, benchmark products, indices, and ESG scores and data, many of which depend on contributions or inputs from third parties or market participants. Our customers and other market participants expect us to be able to demonstrate that our products and services are produced independently and are not readily subject to manipulation. We believe our products and services are designed with appropriate methodologies, processes, and procedures to maintain independence and integrity; however, we may not be able to prevent third parties or market participants from working together or colluding to try to manipulate their inputs and thus the resulting outputs of our products and services. From time to time, we are involved in third-party investigations or litigation related to the markets and stakeholders our products and services serve. Any failures, negative publicity, investigations, or lawsuits that implicate the independence and integrity of our credit ratings, pricing and valuation services, benchmarks, indices, and ESG scores and data could result in a loss of confidence in the administration of these products and services and could harm our reputation and our business.

•Negative perceptions or publicity could damage our reputation with customers, prospects, regulators, and the public generally, which in turn could negatively impact, among other things, our ability to attract and retain customers, employees and suppliers, as well as suitable candidates for acquisitions or other combinations. In addition, sustainability and corporate responsibility state, federal and international laws, regulations, standards and regulatory expectations are evolving, varied and at times conflicting, and our failure or perceived failure to comply

Table of Contents

with such laws, regulations, standards or expectations could result in adverse reactions by certain stakeholders, including governmental authorities, regulators, shareholders and customers, including the commencement of private litigation or government and regulatory proceedings, investigations, inquiries and litigation.

•Our divisions are all actively engaged in analyzing and providing views on economic conditions, including assessing the impact of events that create volatility and economic uncertainty, such as the ongoing military conflicts between Russia and Ukraine and in the Middle East, tensions across the Taiwan Strait and U.S. intervention in Venezuela. Notwithstanding the care we take in carrying out our work, the views and assumptions we express, the conclusions we draw, the actions we take (including, but not limited to, rating actions, revising the composition of our indices, etc.), and the work our divisions produce are likely to be heavily scrutinized with the benefit of hindsight. We have faced significant regulatory and media scrutiny following prior periods of volatility and economic uncertainty.

•Given our businesses are often privy to material non-public information concerning our customers, our data could be improperly used, including for insider trading by our employees and third-party vendors with access to key systems. We have experienced insider trading incidents involving employees in the past, and it is not always possible to deter misconduct by employees or third-party vendors. We take precautions to detect and prevent such activity, including training on insider trading policies for our employees, contractual obligations for our third-party vendors, and policies that require access restrictions for material non-public information, but such precautions are not guaranteed to deter misconduct. Any breach of our clients’ confidences as a result of employee or third-party vendor misconduct could harm our reputation.

•Damage to our reputation, credibility, and brand could have a material adverse effect on our business, financial condition or results of operations.

We are exposed to multiple risks associated with the global nature of our operations, which could have a material adverse effect on our reputation, business, financial condition or results of operations.

•The geographic breadth of our activities subjects us to significant legal, economic, operational, market, compliance and reputational risks. These include, among others, risks relating to:

◦economic and political conditions around the world,

◦inflation,

◦high interest rates or fluctuation in interest rates, currency exchange rates or energy and commodity markets,

◦limitations that foreign governments may impose on the conversion of currency or the payment of dividends or other remittances to us from our non-U.S. subsidiaries,

◦differing accounting principles and standards,

◦increases in taxes or changes in U.S. or foreign tax laws,

◦potential costs and difficulties in complying with a wide variety of foreign laws and regulations (including tax systems) administered by foreign government agencies, some of which may conflict with U.S. or other sources of law,

◦changes in applicable laws and regulatory requirements, including data localization and operational resilience requirements,

◦restrictive actions of governmental authorities in the jurisdictions in which we operate affecting trade, cross-border data transfer and foreign investment, especially during periods of heightened tension between governmental authorities in such jurisdictions, including protective measures such as export restrictions and customs duties and tariffs, government intervention favoring local competitors, data localization efforts, and restrictions on the level of foreign ownership,

◦nationalization, expropriation, price controls, withdrawal of licenses to operate, and unilateral termination of contracts by government entities,

◦competition with local rating agencies that have greater familiarity, longer operating histories and/or support from local governments or other institutions, and

◦civil unrest, protests, terrorism, unstable governments, geopolitical uncertainties and legal systems, and other factors.

Adverse developments in any of these areas could have a material adverse effect on our business, financial condition or results of operations.

•Additionally, we are subject to complex U.S., European and other local laws and regulations that are applicable to our operations abroad, including trade sanctions laws, anti-corruption and anti-bribery laws such as the U.S. Foreign Corrupt Practices Act and the U.K. Our internal controls, policies and procedures and employee training and compliance programs related to these topics are not always effective in preventing employees, contractors or agents from violating or circumventing such internal policies and violating applicable laws and regulations. Violations of such laws could result in a material adverse effect on our reputation, business, financial condition or results of operations.

•Compliance with international and U.S. laws and regulations that apply to our international operations increases the cost of doing business in foreign jurisdictions. Violations of such laws and regulations may result in fines and

Table of Contents

penalties, criminal sanctions, administrative remedies, or restrictions on business conduct that have a material adverse effect on our reputation, business, financial condition or results of operations.

Outsourcing certain aspects of our business could result in material financial loss, increased costs, regulatory actions and penalties, reputational harm, unauthorized access to our systems, system or network disruption, or improper disclosure of confidential information.

•We have outsourced certain functions to third-party service providers to leverage leading specialized capabilities and achieve cost efficiencies, and such functions may be further outsourced. From time to time, our third-party service providers do not perform to our standards, produce reliable results, perform in a timely manner, or perform at all. We also face the risk that our third-party service providers may fail to comply with legal requirements or maintain the confidentiality of our proprietary information. Failure of these third parties to meet their contractual, regulatory, confidentiality, or other obligations to us could result in material financial loss, higher costs, regulatory actions and reputational harm.

•Outsourcing these functions also involves the risk that the third-party service providers may not maintain adequate physical, technical and administrative safeguards to protect the security of our confidential information and data.

•AWS provides a distributed computing infrastructure platform for business operations, or what is commonly referred to as a “cloud” computing service. Currently, we run a significant amount of our computing on AWS. Given this, any disruption of or interference with our use of AWS would impact our operations and our business would be adversely impacted.

•We rely on the business infrastructure and systems of third parties with whom we do business and to whom we outsource the maintenance and development of operational and technological functionality, including our AWS “cloud” computing services. Our service providers from time to time experience system breakdowns or failures, outages, downtime, cyber attacks, adverse changes to financial condition, bankruptcy or other adverse conditions. Thus, our plans to increase the amount of our infrastructure that we outsource to “the cloud” or to other third parties may increase our risk exposure.

Sustainability and energy expansion matters pose operational, commercial and regulatory risks.

Consumer and institutional preferences around sustainability and energy expansion matters continue to change, and the possible failure of our products or services to facilitate the needs of customers facing these issues could adversely impact our business and revenues. Changing preferences, including as a result of shifting market or political sentiment, could also have an adverse impact on the operations or financial condition of our customers, which could result in reduced revenues from those customers. We are also subject to risks relating to state, federal and international sustainability regulations, legislation and regulatory expectations, which are evolving, varied and at times conflicting, and which could impact us and our customers and result in increased regulatory, compliance or operational costs. These risks associated with sustainability and energy expansion matters are continuing to evolve rapidly, and we expect that such risks may continue to increase over time.

These markets may not develop as anticipated or we may not have success in these markets, in which case we may be unable to recover our investment spent to expand our business into these markets or may forgo opportunities in more lucrative markets, which could adversely impact our business, financial condition and results of operations.

Our indebtedness, or a downgrade to our credit ratings, could adversely affect our business, financial condition, and results of operations.

•We may incur substantial additional indebtedness (including secured indebtedness) for many reasons, including to fund acquisitions, which could have significant consequences on our future operations, including: making it more

Table of Contents

difficult for us to satisfy our indebtedness obligations and our other ongoing business obligations, which may result in defaults; events of default if we fail to comply with the financial and other covenants contained in the agreements governing our debt instruments, which could result in all of our debt becoming immediately due and payable or require us to negotiate an amendment to financial or other covenants that could cause us to incur additional fees and expenses; limiting our flexibility in planning for, or reacting to, and increasing our vulnerability to, changes in our business, the industries in which we operate, and the overall economy; placing us at a competitive disadvantage compared to any of our competitors that have less debt or are less leveraged; and increasing our vulnerability to the impact of adverse economic and industry conditions.

•Our ability to meet our payment and other obligations under our debt instruments depends on our ability to generate significant cash flow in the future. This, to some extent, is subject to general economic, financial, competitive, legislative, and regulatory factors as well as other factors that are beyond our control. We cannot be certain that our business will generate cash flow from operations, or that future borrowings will be available to us under our existing or any future credit facilities or otherwise, in an amount sufficient to enable us to meet our indebtedness obligations and to fund other liquidity needs.

Table of Contents

Item 1B. Unresolved Staff Comments

None.

Item 1C. Cybersecurity

Risk Management and strategy.

Integrated Risk Management

Management is responsible for the day-to-day management of the Company’s risk exposures in a manner consistent with the strategic direction and objectives established by the Board. As a critical component of the Company’s risk management process, management has adopted an integrated risk management framework to continuously identify, assess, measure, manage, monitor and report current and emerging non-financial risks. As part of this framework, the Company has an Enterprise Risk Management (“ERM”) Committee which is chaired by the Company’s Chief Risk Officer. Our Chief Information Security Officer (“CISO”) is also a member of the ERM Committee. The ERM Committee oversees the Company’s risk management framework, including the implementation of the framework components across the Company and promotes a strong Company-wide culture of risk management, compliance and control.

Engagement of Third-party Support

We engage third-party services to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls. We also share and receive threat intelligence with our defense industrial base peers, government agencies, information sharing and analysis centers and cybersecurity associations.

Third-party Risk Management

Our risk management program also assesses third-party risks, and we perform third-party risk management to identify and mitigate risks from third parties such as vendors, suppliers, and other business partners associated with our use of third-party service providers. Cybersecurity risks are evaluated when determining the selection and oversight of applicable third-party service providers.

Impact of Risks from Cybersecurity Threats

We are regularly subject to cybersecurity attacks. None of the risks from cybersecurity threats we’ve faced to date have materially affected, and we do not believe are reasonably likely to materially affect the Company, our business strategy, results of operations or financial condition. For further information about risks we face from cybersecurity threats, see the risk factor entitled "Our size, scale and role in the global markets increases our risk for cyber attacks and other cyber-security risks. Our information systems and networks and those of our third-party service providers are exposed to risks related to cybersecurity and protection of confidential information, including material non-public information, which could have a material adverse effect on our business, financial condition or results of operations" in Item 1A, Risk Factors in this Annual Report on Form 10-K.

Governance.

Board Oversight of Cybersecurity Threats

The board of directors of the Company (the “Board”) has oversight responsibility for the Company’s risk management framework, including technology and cybersecurity risks facing the Company.

The full Board receives briefings from management on enterprise-wide technology, cybersecurity risk management and the overall technology and cybersecurity environment by management. Specifically, the full Board receives biannual reports from the Chief Digital Solutions Officer and the CISO.

Table of Contents

The Board coordinates with the Audit Committee to ensure active Board- and Committee-level oversight of the Company’s technology and cyber risk profile, enterprise technology and cyber strategies, and information security initiatives. In addition, the Board has delegated primary responsibility for oversight of the Company’s key risks, including cybersecurity, to the Audit Committee. The Audit Committee reviews technology and cybersecurity risks, as well as the Company’s risk mitigation processes and internal control procedures to protect sensitive business information. The Audit Committee also receives regular updates from the Chief Digital Solutions Officer and the CISO on the Company’s technology and cybersecurity programs. In addition, the Finance Committee oversees management’s strategy with regard to technology and associated risks, including cybersecurity risks, when considering major capital expenditures and acquisitions.

Role of Management

In addition to the risk management activities undertaken by the ERM Committee, our corporate information security organization, led by our CISO, is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response. The current CISO has more than 32 years of technology industry leadership, cybersecurity expertise and engineering and operations experience. The corporate information security organization manages and continually enhances the Company’s enterprise security structure with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience to minimize the business impact should an incident occur. Central to this organization is our cyber incident response team, which is responsible for the Company’s protection, detection and response capabilities. In the event of a cybersecurity incident, the Company is equipped with an incident response plan that includes: (i) detection and analysis, (ii) containment and eradication, and (iii) remediation and (iv) preparation for future incidents. Incident responses are led by our Information Security team and supported by Legal, Compliance and other functions as appropriate. The CISO and the Chief Digital Solutions Officer provide regular updates to the Board and the Audit Committee concerning the Company’s technology and cybersecurity programs, associated risks and the Company’s efforts to help mitigate those risks.

Recently Filed

Click on a ticker to see risk factors

Ticker *	File Date
AVTR	18 minutes ago
LEU	26 minutes ago
FNMA	40 minutes ago
SHOP	49 minutes ago
U	49 minutes ago
UE	50 minutes ago
BXMT	an hour ago
NI	an hour ago
PSN	an hour ago
ZG	an hour ago
REXR	9 hours ago
KRC	12 hours ago
F	12 hours ago
ENTG	13 hours ago
NSP	13 hours ago
LYFT	14 hours ago
DAL	14 hours ago
ARW	14 hours ago
SPGI	14 hours ago
DIOD	14 hours ago
LEGT	14 hours ago
NTST	15 hours ago
AOS	15 hours ago
EXEL	15 hours ago
HCA	15 hours ago
PEGA	15 hours ago
MOH	15 hours ago
GPRE	15 hours ago
PTEN	15 hours ago
PECO	15 hours ago
ARI	15 hours ago
HIW	15 hours ago
SLAB	15 hours ago
KVYO	15 hours ago
UPST	15 hours ago
TCBI	15 hours ago
ADC	15 hours ago
MEDP	15 hours ago
INCY	15 hours ago
CMI	16 hours ago
CNX	17 hours ago
MAR	18 hours ago
GT	20 hours ago
CMS	20 hours ago
L	23 hours ago
CNA	23 hours ago
MAS	1 day ago
CURB	1 day ago
CVS	1 day, 1 hour ago
ACRE	1 day, 10 hours ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - SPGI

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - SPGI

-New additions in green-Changes in blue-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing