CBRE Group (CBRE) Risk Analysis

Periods of economic weakness or recession, fiscal or political uncertainty, market volatility, declining employment levels, declining demand for commercial real estate, falling real estate values, disruption to the global capital or credit markets, disputes with U.S. trading partners, unpredictable changes in U.S. trading policy, increased tariffs, inflationary pressures, significant rises in interest rates or the public perception that any of these events may occur, may materially and negatively affect the performance of some or all of our business lines. Our business is significantly affected by generally prevailing economic conditions in the markets where we operate. Adverse economic conditions, political or regulatory uncertainty and significant public health events may result in declines in real estate sale and leasing volumes and the value of commercial real estate. It may also lead to a decrease in funds invested in commercial real estate assets and development projects. Such developments in turn may reduce our revenue from property management fees and commissions derived from property sales, leasing, valuation and financing, as well as revenues associated with development or investment management activities. For example, in 2023 and early 2024, commercial real estate capital markets were under significant pressure. As a result, we experienced a sustained slowdown in property sales and debt financing activity. Our businesses could also suffer from geopolitical or economic disruptions (or the perception that such disruptions may occur) or interest rate or currency fluctuations, capital availability and changes in cost of capital, or heightened financial, market or regulatory uncertainty. We also make co-investments alongside our investor clients in our development and investment management businesses. During an economic downturn, capital for our investment activities could be constrained and it may take longer for us to dispose of real estate investments or sale prices we achieve may be lower than originally anticipated. As a result, the value of our commercial real estate investments may be reduced, and we could realize losses or diminished profitability. In addition, economic downturns may reduce the volume of loans our capital markets business originates and/or services. Fees within our property management business are generally based on a percentage of rent collections, making them sensitive to macroeconomic conditions that negatively impact rent collections and the performance of the properties we manage. Economic, political and regulatory uncertainty as well as significant changes and volatility in the financial markets and business environment, and in the global landscape, make it difficult for us to predict our financial performance into the future. As a result, any guidance or outlook that we provide on our performance is based on then-current conditions, and there is a risk that such guidance may turn out to be inaccurate.

International economic trends and governmental policy actions and the following factors may have a material adverse effect on the performance of our business: - difficulties and costs of staffing and managing international operations among diverse geographies, languages and cultures;- currency restrictions, transfer-pricing regulations and adverse tax consequences, which may affect our ability to transfer capital and profits;- adverse changes in regulatory, tax or trade policies (including tariffs) or uncertainty about potential changes in such regulatory, tax or trade policies;- responsibility for complying with numerous, potentially conflicting and frequently complex and changing laws in multiple jurisdictions (e.g., with respect to data privacy and protection, sustainability, corrupt practices, embargoes, trade sanctions, employment and licensing);- the impact of regional or country-specific business cycles and economic instability, including those related to geopolitical, weather, public health or safety events;- greater difficulty in collecting accounts receivable or delays in client payments in some geographic regions;- potential interest rate and /or inflation rate increases and less available and more expensive debt capital;- foreign ownership restrictions in certain countries, particularly in Asia Pacific and the Middle East, or the risk that such restrictions will be adopted in the future; and - changes in laws or policies governing foreign trade or investment and use of foreign operations or workers, and any negative sentiments towards multinational companies as a result of any such changes to laws or policies as well as other geopolitical risks. We have invested in enhancing our service and product offerings globally. If we do not successfully execute these initiatives or effectively manage the risks inherent in operating on a global scale, our business, financial condition, or results of operations could be materially adversely affected. Additionally, political, regulatory, and cultural conditions in certain countries may limit our ability to operate effectively or implement our strategic priorities, which could negatively impact our performance in those regions.

Our businesses are exposed to various litigation and regulatory risks, especially within our valuations business. Although we maintain insurance coverage for most of this risk, insurance coverage is unavailable at commercially reasonable pricing for certain types of exposures. Additionally, our insurance policies and/or self-insurance reserves may not cover us in the event of grossly negligent or intentionally wrongful conduct or may not be sufficient to pay the full damages. Accordingly, an adverse result in a litigation against us, or a lawsuit that results in a substantial legal liability for us (and particularly a lawsuit that is not insured), could have a disproportionate and material adverse effect on our business, financial condition and results of operations. Furthermore, an adverse result in regulatory proceedings, if applicable, could result in fines or other liabilities or adversely impact our operations. Prolonged or complex investigations, even if they do not result in regulatory or other proceedings or adverse findings, may result in significant costs that may not be covered by insurance and in diversion of employee resources. In addition, we depend on our business relationships and our reputation for high-caliber professional services to attract and retain clients. As a result, allegations against us, or the announcement of a regulatory investigation involving us, irrespective of the ultimate outcome of that allegation or investigation, may harm our professional reputation and as such materially damage our business and its prospects.

We operate in many jurisdictions with complex and varied tax regimes and are subject to different forms of taxation resulting in a variable effective tax rate. Due to the different tax laws in the many jurisdictions where we operate, we are often required to make subjective determinations. The tax authorities in the various jurisdictions where we carry on business may not agree with the determinations that are made by us with respect to the application of tax law. Such disagreements could result in disputes and, ultimately, in the payment of additional funds to the government authorities in the jurisdictions where we carry on business, which could have an adverse effect on our results of operations. In addition, changes in tax rules or the outcome of tax assessments and audits could have an adverse effect on our results in any particular quarter. In addition, changes in tax laws or regulations and multi-jurisdictional changes enacted in response to the action items provided by the Organization for Economic Co-operation and Development (OECD), including the OECD's accord to set a minimum global corporate tax rate of 15%, increase tax uncertainty and could impact the company's effective tax rate and provision for income taxes. Given the unpredictability of possible further changes to and the potential interdependency of the United States or foreign tax laws and regulations, it is difficult to predict the cumulative effect of such tax laws and regulations on the company's results of operations.

We are subject to numerous United States federal, state, local, and international laws and regulations regarding privacy, data protection and cybersecurity that govern the processing of certain data (including personal information, sensitive information, health information, and other regulated data). These laws and regulations are increasing in severity, complexity and number, change frequently, and increasingly conflict among the various jurisdictions in which we operate, which has resulted in greater compliance risk and cost for us. As of December 31, 2025, we are required to comply with the European Union General Data Protection Regulation (GDPR) as well as the United Kingdom (U.K.) equivalent and other global data protection laws (including in Switzerland, Japan, Singapore, China, India, United Arab Emirates, Australia, and Brazil), the implementation of which exposes us to parallel data protection regimes, each of which potentially authorizes similar fines and other enforcement actions for certain violations. Several jurisdictions in which we operate are considering or have proposed or enacted legislation and policies regulating AI and non-personal data, such as the European Union's AI Act. These new regulations may diverge from one another, which could require us to navigate different obligations and enforcement actions in different geographies. Any violations of these laws may lead to reputational damage, financial penalties and increased regulatory scrutiny and oversight. In the U.S., the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) broadly defines personal information, gives California residents expanded privacy rights and protections, and provides for civil penalties for certain violations, and established a regulatory agency dedicated to enforcing those requirements. At least nineteen U.S. states have also passed consumer privacy laws, and several states, most notably Illinois and Texas, have passed laws regulating the processing of biometric information. Without any overarching federal privacy law, the patchwork of privacy legislation formed by individual state laws heightens the costs of compliance, the risks of noncompliance, and the potential for enforcement actions by individual state attorneys general. We are also subject to an increasing number of reporting obligations in respect of material cybersecurity incidents. These reporting requirements have been proposed or implemented by a number of regulators in different jurisdictions, may vary in their scope and application, and could contain conflicting requirements. Certain of these rules and regulations may require us to report a cybersecurity incident before we have been able to fully assess its impact or remediate the underlying issue. Efforts to comply with such reporting requirements could divert management's attention from our cybersecurity incident response and could potentially reveal system vulnerabilities to threat actors. Failure to timely report cybersecurity incidents under these rules could also result in regulatory investigations, litigation, monetary fines, sanctions, or subject us to other forms of liability. A significant actual or potential theft, loss, corruption, exposure, fraudulent use or misuse of client, employee or other personal information or proprietary business data, whether by third parties or as a result of employee malfeasance or otherwise, perceived or actual non-compliance with our contractual or other legal obligations regarding such data or intellectual property or a violation of our privacy and security policies with respect to such data could result in significant remediation and other costs, fines, litigation or regulatory actions against us. Such an event could additionally disrupt our operations and the services we provide to clients, harm our relationships with contractors and vendors, damage our reputation, result in the loss of a competitive advantage, impact our ability to provide timely and accurate financial data and cause a loss of confidence in our services and financial reporting, which could adversely affect our business, revenues, competitive position and investor confidence. Additionally, we rely on third parties to support our information and technology networks, including cloud storage solution providers, and as a result have less direct control over our data and information technology systems. Such third parties are also vulnerable to security breaches and compromised security systems, for which we may not be indemnified and which could materially adversely affect us and our reputation.

We rely on third parties, and in some cases subcontractors, to perform activities on behalf of our organization to improve quality, increase efficiencies, cut costs and lower operational risks across our business and support functions. We have instituted a Supplier Code of Conduct, which is intended to communicate to our vendors the standards of conduct we expect them to uphold. Our contracts with vendors typically impose a contractual obligation to comply with our Supplier Code of Conduct. In addition, we leverage technology to help us better screen vendors, with the aim of gaining a deeper understanding of the compliance, data privacy, health and safety, environmental, sustainability and other risks posed to our business by potential and existing vendors. If our third parties do not have the proper safeguards and controls in place, or appropriate oversight cannot be provided, we could be exposed to increased operational, regulatory, financial or reputational risks. A failure by third parties to comply with service level agreements or regulatory or legal requirements in a high quality and timely manner could result in economic and reputational harm to us. In addition, these third parties face their own technology, operating, business and economic risks, and any significant failures by them, including the improper use or disclosure of our confidential client, employee or company information, could cause damage to our reputation and harm to our business.

We compete across a variety of business disciplines within the commercial real estate services and investment industry, including property management, facilities management, project and transaction management, tenant and landlord leasing, capital markets solutions (property sales and commercial mortgage origination), real estate investment management, valuation, loan servicing, development services and proprietary research. Although we are the largest commercial real estate services firm in the world in terms of 2025 revenue, our relative competitive position varies across geographies, property types and services and business lines. Depending on the geography, property type or service or business line, we face competition from other commercial real estate services providers and investment firms, including outsourcing companies that traditionally competed in limited portions of our facilities management business and have expanded their offerings from time to time, in-house corporate real estate departments, developers, flexible space providers, institutional lenders, insurance companies, investment banking firms, investment managers and accounting and consulting firms. Some of these firms may have greater financial resources allocated to a particular geography, property type or service or business line than we have allocated to that geography, property type, service or business line. In addition, future changes in laws could lead to the entry of other new competitors. Some of our competitors are larger than us on a local or regional basis despite having a smaller global footprint. We also compete with large national and multi-national firms that have similar service and investment competencies to ours, and it is possible that further industry consolidation could lead to much larger and more formidable competitors globally or in the particular geographies, property types, service or business lines that we serve. In addition, disruptive innovation by existing or new competitors could alter the competitive landscape in the future and require us to accurately identify and assess such changes and make timely and effective changes to our strategies and business model to compete effectively. Furthermore, we are substantially dependent on long-term client relationships and on revenue received for services under various service agreements. Many of these agreements may be canceled by the client for any reason with as little as 30 to 60 days' notice, as is typical in the industry. In this competitive market, if we are unable to effectively execute on our strategy and differentiate ourselves from our competitors, maintain long-term client relationships or are otherwise unable to retain existing clients and develop new clients, our business, results of operations and/or financial condition may be materially adversely affected. There is no assurance that we will be able to compete effectively, to maintain current fee levels or margins, or maintain or increase our market share.

Having large and concentrated clients may lead to greater or more concentrated risks of loss if, among other possibilities, such a client (i) experiences its own financial problems, which may lead to larger individual credit risks; (ii) becomes bankrupt or insolvent, which may lead to our failure to be paid for services we have previously provided or funds we have previously advanced; (iii) decides to reduce its real estate operations; (iv) makes a change in its real estate strategy, such as no longer outsourcing its real estate operations; (v) decides to change its providers of real estate services; or (vi) merges with another corporation or otherwise undergoes a change of control, which may result in new management taking over with a different real estate philosophy or in different relationships with other real estate providers. In addition, competitive conditions, particularly in connection with increasingly large clients, may require us to compromise on certain contract terms with respect to the payment of fees, the extent of risk transfer, or acting as principal rather than agent in connection with supplier relationships, liability limitations, credit terms and other contractual terms, or in connection with disputes or potential litigation. Where competitive pressures result in higher levels of potential liability under our contracts, the cost of operational errors and other activities for which we have indemnified our clients will be greater and may not be fully insured.

Our brand and reputation are key assets, and we believe our continued success depends on our ability to preserve, grow and leverage the value of our brand. Our ability to attract and retain clients is highly dependent upon the external perceptions of our level of service, trustworthiness, business practices, management, workplace culture, financial condition, our response to unexpected events and other subjective qualities. Negative perceptions or publicity regarding these matters, even if related to seemingly isolated incidents and whether or not factually correct, could erode trust and confidence and damage our reputation among existing and potential clients, which could make it difficult for us to attract new clients and maintain existing ones. Negative public opinion could result from actual or alleged conduct in any number of activities or circumstances, including handling of complaints, regulatory compliance, such as compliance with government sanctions, the Foreign Corrupt Practices Act (FCPA), the U.K. Bribery Act and other anti-bribery, anti-money laundering and corruption laws, the use and protection of client and other sensitive information and from actions taken by regulators or others in response to such conduct. Furthermore, as a company with headquarters and operations located in the U.S., a negative perception of the U.S. arising from its political or other positions could harm the perception of our company and our brand abroad. Although we monitor developments for areas of potential risk to our reputation and brand, negative perceptions or publicity would materially and adversely affect our revenues and profitability. Social media channels may also cause rapid, widespread reputational harm to our brand. Our brand and reputation may also be harmed by the actions of third parties that are outside of our control, including vendors and joint venture partners. The protection of our brand, including related trademarks, may require the expenditure of significant financial and operational resources.

Security breaches and other disruptions of our information and technology networks, as well as that of third-party vendors, could compromise our information and intellectual property and expose us to liability, reputational harm and significant remediation costs, which could cause material harm to our business and financial results. In the ordinary course of our business, we collect and store confidential data, including our proprietary business information and intellectual property, and that of our clients and personal information (also referred to as "personal data" or "personally identifiable information") of our employees, contractors and vendors, in our data centers, networks and third-party cloud hosting providers. The secure collection, use, storage, retention, maintenance, sharing, processing, transfer, transmission, disclosure, and protection (collectively, "Processing") of this information is critical to our operations. Although we and our vendors continue to implement new security measures and regularly conduct employee training, our information technology and infrastructure may nevertheless be vulnerable to cyberattacks by third parties or breached due to employee error, malfeasance or other disruptions. These risks have been heightened in connection with the ongoing conflict between Russia and Ukraine, instability in the Middle East, and rising tensions in East Asia, including China. When geopolitical conflicts develop, critical infrastructures may be targeted by state-sponsored cyberattacks even if they are not directly involved in the conflict. An increasing number of companies that rely on information and technology networks have disclosed breaches of their security, some of which have involved sophisticated and highly targeted attacks on portions of their websites or infrastructure. The techniques used to obtain unauthorized access, disable, or degrade service, or sabotage systems, change frequently, may be difficult to detect, and often are not recognized until launched against a target. The rapid evolution and increased adoption of AI technologies may intensify these security risks, and the emergence and maturation of AI capabilities may also lead to new and/or more sophisticated methods of attack. This includes fraud that relies upon "deep fake" impersonation technology or other forms of generative automation that enhance the effectiveness of cyber threats. To date, we have not experienced any cybersecurity breaches that have been material, either individually or in the aggregate. However, there can be no assurance that we will be able to prevent any material events from occurring in the future.

Our business requires the continued operation of information technology and communication systems and network infrastructure. Our ability to conduct our global business may be materially adversely affected by disruptions to these systems or our infrastructure. Our information technology and communications systems are vulnerable to damage or disruption from fire, power loss, telecommunications failure, system malfunctions, computer viruses, cyberattacks, natural disasters such as hurricanes, earthquakes and floods, acts of war or terrorism, employee errors or malfeasance, or other events which are beyond our control. Cyberattacks and malware pose growing threats to many companies, and we, as well as our third-party service providers, have been a target and may continue to be a target of such threats, which could expose us to liability, reputational harm and significant remediation costs and cause material harm to our business and financial results. In addition, the timely operation and maintenance of these systems and networks is in some cases dependent on third-party technologies, systems and service providers for which there is no certainty of uninterrupted availability. Any of these events could cause system interruption, delays and loss, corruption or exposure of data or intellectual property and may also disrupt our ability to provide services to or interact with our clients, contractors and vendors, and we may not be able to successfully implement contingency plans. Furthermore, while we have certain business interruption and cyber insurance coverage and various contractual arrangements that can serve to mitigate costs, damages and liabilities, any such event could result in substantial recovery and remediation costs and liability to customers, business partners and other third parties. We have crisis management, business continuity and disaster recovery plans and backup systems to reduce the potentially adverse effect of such events, but our crisis management, business continuity and disaster recovery planning may not be sufficient and cannot account for all eventualities, and a catastrophic event that results in the destruction or disruption of any of our data centers and third-party cloud hosting providers or our critical business or information technology systems could severely affect our ability to conduct normal business operations, and as a result, our future operating results could be materially adversely affected. Our business relies heavily on the use of commercial real estate data. A portion of this data is purchased or licensed from third-party providers for which there is no certainty of uninterrupted availability or accuracy. A disruption of our ability to provide data to our professionals and/or our clients or an inadvertent exposure of proprietary data could damage our reputation and competitive position, and our operating results could be adversely affected.