Cannae Holdings (CNNE) Risk Analysis

Improper access to, misappropriation, destruction or disclosure of confidential, personal or proprietary data could result in significant harm to our reputation or the reputation of any of the businesses we own. For example, D&B collects, stores and transmits a large amount of confidential company information on hundreds of millions of businesses, including financial information and personal information, as well as certain consumer information and credit information. D&B operates in an environment of significant risk of cybersecurity incidents resulting from unintentional events or deliberate attacks by third parties or insiders, which may involve exploiting highly obscure security vulnerabilities or sophisticated attack methods. With respect to Alight, one of its significant responsibilities is to maintain the security and privacy of its employees' and clients' confidential and proprietary information and the confidential information about clients' employees' compensation, health and benefits information and other personally identifiable information. With respect to our Restaurant Group companies, they rely heavily on information technology systems across their operations and corporate functions, including for order and delivery from suppliers and distributors, point-of-sale processing in their restaurants, management of their supply chains, payment of obligations, collection of cash, data warehousing or support analytics, finance or accounting systems, labor optimization tools, gift cards, online business and various other processes and transactions, including the storage of employee and customer information. The businesses we own and manage have experienced and we expect will continue to experience numerous attempts to access their computer systems, software, networks, data and other technology assets on a daily basis. The security and protection of their data is a top priority for them. Such businesses devote significant resources to maintain and regularly upgrade the wide array of physical, technical and contractual safeguards that they employ to provide security around the collection, storage, use, access and delivery of information they possess. These businesses have implemented various measures to manage their risks related to system and network security and disruptions, but an actual or perceived security breach, a failure to make adequate disclosures to the public or law enforcement agencies following any such event or a significant and extended disruption in the functioning of its information technology systems could damage a subsidiary company's reputation and cause it to lose clients, adversely impact its operations, sales and operating results and require it to incur significant expense to address and remediate or otherwise resolve such issues. Although our businesses have not incurred material losses or liabilities to date as a result of any breaches, unauthorized disclosure, loss or corruption of their data or inability of their clients to access their systems, such events could result in intellectual property or other confidential information being lost or stolen, including client, employee or business data, disrupt their operations, subject them to substantial regulatory and legal proceedings and potential liability and fines, result in a material loss of business and/or significantly harm their reputation. If they are unable to efficiently manage the vulnerability of their systems and effectively maintain and upgrade their system safeguards, they may incur unexpected costs and certain of their systems may become more vulnerable to unauthorized access. Furthermore, if we are unable to similarly and effectively maintain and upgrade our corporate system safeguards, data and confidential information we may have access to from time to time about the businesses we own and manage may also become more vulnerable to unauthorized access. We utilize a third party to manage the Company's corporate IT network and related resources and we actively collaborate with the third party to monitor risks and recent threats to our IT environment, develop protocols for responding to cybersecurity incidents, and train employees on common techniques used in cyber attacks. Our failure to adequately monitor our key third-party IT service provider could result in the failure of all or a portion of our IT resources and impact the operations of our business. Furthermore, loss of our third-party IT service provider could result in increased cost associated with acquiring new internal IT resources and developing internal IT processes. Due to concerns about data security and integrity, a growing number of legislative and regulatory bodies have adopted breach notification and other requirements in the event that information subject to such laws is accessed by unauthorized persons and additional regulations regarding the use, access, accuracy and security of such data are possible. For example, in the United States, D&B is subject to laws that provide for at least 50 disparate notification regimes. D&B is also subject to various laws in regulations in the other global markets it operates including Europe and Asia. Complying with such numerous and complex regulations in the event of unauthorized access would be expensive and difficult, and failure to comply with these regulations could subject D&B to regulatory scrutiny and additional liability. In many jurisdictions, including North America and the European Union, Alight is subject to laws and regulations relating to the collection, use, retention, security and transfer of this information including the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA") and the HIPAA regulations governing, among other things, the privacy, security and electronic transmission of individually identifiable protected health information, the Personal Information Protection and Electronic Documents Act and the European Union General Data Protection Regulation ("GDPR"). California also enacted legislation, the California Consumer Privacy Act of 2018 ("CCPA") and the related California Privacy Rights Act ("CPRA"), that afford California residents expanded privacy protections and a private right of action for security breaches affecting their personal information. Virginia and Colorado have similarly enacted comprehensive privacy laws, the Consumer Data Protection Act and Colorado Privacy Act, respectively, both laws of which emulate the CCPA and CPRA in many respects. The Virginia Consumer Data Protection Act took effect on January 1, 2023, and the Colorado Privacy Act took effect on July 1, 2023. We anticipate federal and state regulators to continue to consider and enact regulatory oversight initiatives and legislation related to privacy and cybersecurity. These and other similar laws and regulations are frequently changing and are becoming increasingly complex and sometimes conflict among the various jurisdictions and countries in which Alight provides services both in terms of substance and in terms of enforceability. This makes compliance challenging and expensive. Alight's failure to adhere to or successfully implement processes in response to changing regulatory requirements in this area could result in legal liability or impairment to our reputation in the marketplace. Further, regulatory initiatives in the area of data protection are more frequently including provisions allowing authorities to impose substantial fines and penalties, and therefore, failure to comply could also have a significant financial impact. If Cannae or its businesses are unable to protect their computer systems, software, networks, data and other technology assets it could have a material adverse effect on the value of our businesses, and ultimately, our financial condition and results of operations.

D&B's solutions depend extensively upon continued access to and receipt of data from external sources, including data received from clients, strategic partners and various government and public records repositories. In some cases, D&B competes with its data providers. D&B's data providers could stop providing data, restrict the scope of data to which they have access, provide untimely data or increase the costs for their data for a variety of reasons, including changing regulatory requirements, judicial decisions, a perception that its systems are unsecure as a result of data security incidents, budgetary constraints, a desire to generate additional revenue or for regulatory or competitive reasons. European regulators and the European Commission have adopted prescriptive measures for assessing and demonstrating that all cross-border data transfers comply with the Court of Justice of the European Union ruling in Case 311/18 Data Protection Commission v Facebook Ireland and Maximillian Schrems (Schrems II), and China adopted its own restrictions on cross-border data transfers under its new DSL and PIPL data compliance laws. Additional supplemental measures in China requiring prior authorization for certain data transfers as well as regulatory enforcement decisions and opinions were adopted in 2022. As a result of these developments and related regulatory decisions, D&B has become and may become subject to further increased restrictions or mandates on the collection, disclosure or use or transfer of such data, in particular if such data is not collected by D&B's providers in a way that allows it to legally use the data or cannot be transferred out of the country where it has been collected. D&B may not be successful in maintaining its relationships with these external data source providers or be able to continue to obtain data from them on acceptable terms or at all. Furthermore, D&B may not be able to obtain data from alternative sources if its current sources become unavailable. If D&B were to lose access to this external data or if its access or use were restricted or were to become less economical or desirable, D&B's ability to provide solutions could be negatively impacted, which could have a material adverse effect on its business, financial condition and results of operations. Additionally, due to data transfer restrictions, existing and prospective D&B clients may be reluctant to acquire or use data that is subject to these restrictions, which may impede D&B's growth.

While the members of our management team intend to devote a substantial majority of their time to the affairs of the Company, and while our Manager currently does not manage any other businesses that are in lines of business similar to our businesses, neither our management team nor our Manager is expressly prohibited from investing in or managing other entities, including those that are in the same or similar line of business as our businesses, or required to present any particular acquisition or business opportunity to the Company. In this regard, the Management Services Agreement and the obligation thereunder to provide management services to us will not create a mutually exclusive relationship between our Manager, on the one hand, and the Company, on the other.

Alight's competitors may have greater resources, larger customer bases, greater name recognition, stronger presence in certain geographies and more established relationships with their customers and suppliers than it has. In addition, new competitors, alliances among competitors or mergers of competitors could result in Alight's competitors gaining significant market share and some of Alight's competitors may have or may develop a lower cost structure, adopt more aggressive pricing policies or provide services that gain greater market acceptance than the services that Alight offers or develops. Large and well-capitalized competitors may be able to respond to the need for technological changes (including the implementation of AI and Machine Learning ("ML")) and innovate faster, or price their services more aggressively. They may also compete for skilled professionals, finance acquisitions, fund internal growth and compete for market share more effectively than Alight does. If Alight is unable to compete successfully, it could lose market share and clients to competitors, which could materially adversely affect its results of operations. To respond to increased competition and pricing pressure, Alight may have to lower the cost of its solutions or decrease the level of service provided to clients, which could have an adverse effect on its financial condition or results of operations.

D&B is subject to various government regulations affecting the collection, processing, and sale of its data-driven solutions, such as the FTC Act and the California Consumer Privacy Act of 2018 ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), existing and expected rules and regulations in various U.S. states governing the collection, processing and protection of data, privacy rights, data security breach notification and related matters, the General Data Protection Regulation ("GDPR") and certain credit information laws and permits as well as constitutional requirements in the European Union, the Cyber Security Law, DSL, and PIPL, and new AI regulations in China and various other international, federal, state and local laws and regulations. See "Business-Regulatory Matters" for a description of select regulatory regimes to which D&B is subject. These laws and regulations, which generally are designed to protect information relating to individuals and small businesses, the data rights of individuals, and to prevent the unauthorized collection, access to and use of personal or confidential information available in the marketplace and prohibit certain deceptive and unfair acts, are complex and have tended to become more stringent over time. Further, new laws and regulations are likely to be enacted and existing laws and regulations may change or be interpreted and applied differently over time and from jurisdiction to jurisdiction, and it is possible they will be interpreted and applied in ways that will materially and adversely affect D&B's business. New and amended data protection, privacy, credit, data security, artificial intelligence and ESG legislation that may impact Dun & Bradstreet has also been proposed both in the U.S. and internationally. D&B already incurs significant expenses in their effort to ensure compliance with these laws and those expenses may increase as new laws or regulations are enacted or the interpretation and application of existing laws and regulations change. D&B responded to a second civil investigative demand from the U.S. Federal Trade Commission ("FTC") that they received in September 2019 in relation to an investigation by the FTC into potential violations of Section 5 of the FTC Act,primarily concerning our credit managing and monitoring products, such as CreditBuilder. Following consent negotiations, on September 21, 2021, D&B agreed to enter into an Agreement Containing Consent Order (the "FTC Consent Order") subject to acceptance by the FTC, the approval of which was finalized on April 6, 2023. The FTC Consent Order requires that D&B undertake specific compliance practices, recordkeeping, monitoring and reporting during its term, which ends on April 6, 2042. D&B's compliance with the FTC Consent Order may cause them to incur significant expenses or to reduce the availability or effectiveness of their solutions. Failure to comply with the FTC Consent Order could subject D&B to civil or criminal penalties or other liabilities. On March 17, 2023, D&B was served by the FTC with an Order under Section 6(b) of the FTC Act (the "6(b) Order"), which authorizes the FTC to conduct wide-ranging studies that do not have a specific law enforcement purpose, in connection with the FTC's inquiry into the small business credit reporting industry. Similar Orders were served on other companies in the credit reporting industry. Certain requirements of the 6(b) Order relate to subject matter similar to the scope of the FTC Consent Order. The FTC's 6(b) inquiry is expected to examine various aspects of the collection, processing, and quality of information concerning small businesses for purposes of business credit reports and other business risk solutions, as well as the marketing and commercial practices related to such solutions, and various related matters. It is too early to determine what action, if any, the FTC may take with respect to its findings from its inquiry. It is possible that the FTC's findings could result in FTC rule making or other action that may impact D&B's business. Some new U.S. state laws are intended to provide consumers (including sole proprietors) with greater transparency and control over their personal data as well as to provide additional obligations and duties for businesses. These laws place requirements on a broad scope of data sales and processing, which are likely to affect D&B's business. Additionally, the duties and obligations for data handling, time sensitive privacy rights management, assessments, contracts, and similar requirements are expected to create more operational burdens on D&B's business. D&B anticipates that additional state and/or federal legislation in the U.S. relating to these matters will be enacted in the future and that our operations will need to continue to evolve to accommodate unique considerations across jurisdictions. The following legal and regulatory developments also could have a material adverse effect on D&B's business, financial condition or results of operations: - changes in cultural and consumer attitudes in favor of further restrictions on information collection use and transfer, which may lead to regulations that prevent full utilization of our solutions and impair D&B's ability to transfer data across borders;- failure of data suppliers, third-party processors, or clients to comply with laws or regulations, where mutual compliance is required or where D&B's ability to comply is dependent on the compliance of those parties;- failure of D&B's solutions to comply with current laws and regulations or the requirements of the FTC Consent Order; and - failure to adapt D&B's solutions to changes in the regulatory environment in an efficient, cost-effective manner. This would include the failure to modify existing solutions, or new solutions created internally or acquired through mergers, to comply with existing or evolving legal requirements. Changes in applicable legislation or regulations that restrict or dictate how D&B collects, maintains, combines and disseminates information could have a material adverse effect on D&B's business, financial condition or results of operations. In the future, D&B may be subject to significant additional expense to ensure continued compliance with applicable laws and regulations and to investigate, defend or remedy actual or alleged violations. Moreover, D&B's compliance with privacy and other data laws and regulations and D&B's reputation depend in part on its clients' and business partners' adherence to such laws and regulations and their use of D&B's solutions in ways consistent with client expectations and regulatory requirements. Businesses today are under intense scrutiny to comply with an ever-expanding and evolving set of data regulatory requirements, which can vary by geography and industry served. As such, performing adequate diligence on clients and suppliers can be cumbersome and dampen the pace of their business expansion or leave a business exposed to fines and penalties. Further, certain of the laws and regulations governing D&B's business are subject to interpretation by judges, juries and administrative entities, creating substantial uncertainty for its business. D&B cannot predict what effect the interpretation of existing or new laws or regulations may have on its business.