Crawford & Company B (CRD.B) Risk Analysis

As of December 31, 2025, Jesse C. Crawford, a member of our Board of Directors, and the father of Jesse C. Crawford, Jr., who is also a member and Chair of the Board of Directors, beneficially owned approximately 68% of our outstanding voting Class B Common Stock. As a result, he has the ability to control substantially all matters submitted to our shareholders for approval, including the election and removal of directors. He also has the ability to control our management and affairs. As of December 31, 2025, Mr. Crawford also beneficially owned approximately 36% of our outstanding non-voting Class A Common Stock. This concentration of ownership of our stock may delay or prevent a change in control; impede a merger, consolidation, takeover, or other business combination involving us; discourage a potential acquirer from making a tender offer or otherwise attempting to obtain control of us; reduce the liquidity, and thus the trading price, of our stock; or result in other actions that may be opposed by, or not be in the best interests of, the Company and our other shareholders.

We are party to a credit facility, effective as of December 2, 2025, with Bank of America, N.A., Wells Fargo Bank, N.A., Truist Bank, and the other lenders a party thereto, (the "Credit Facility"). The Credit Facility consists of a $500 million revolving credit facility, with a letter of credit sub-commitment of $125 million. The available borrowing capacity under the Credit Facility totaled $290.7 million on December 31, 2025. The Credit Facility contains various representations, warranties and covenants, including covenants limiting liens, indebtedness, guarantees, mergers and consolidations, substantial asset sales, investments and loans, sale and leasebacks, restrictions on dividends and distributions, and other fundamental changes in our business. Additionally, the Credit Facility contains covenants requiring us to remain in compliance with maximum leverage ratio and a minimum interest coverage ratio. If we do not maintain compliance with the covenant requirements, we may be in default under the Credit Facility. In such an event, the lenders under the Credit Facility would generally have the right to declare all then-outstanding amounts thereunder immediately due and payable. If we could not obtain a required waiver on satisfactory terms, we could be required to renegotiate the terms of the Credit Facility or immediately repay this indebtedness. Any such renegotiation could result in less favorable terms, including additional fees, higher interest rates and accelerated payments, and would necessitate significant time and attention of management, which could divert their focus from business operations. Any required payment may necessitate the sale of assets or other uses of resources that we do not believe would be in our best interests. While we do not presently expect to be in violation of any of these requirements, no assurances can be given that we will be able to continue to comply with them in the future. Any failure to continue to comply with such requirements could materially adversely affect our borrowing ability and access to liquidity, and thus our overall financial condition, as well as our ability to operate our business.

We have made substantial investments in software and related technologies that are critical to the core operations of our business. These IT resources will require future maintenance and enhancements, potentially at substantial costs. Additionally, these IT resources may become obsolete in the future and require replacement, potentially at substantial costs. We may not be able to develop or acquire replacement resources or identify new technology resources necessary to support and grow our business. In addition, we could face changes in our markets due to disruptive technologies that could impact the volume and pricing of our products or introduce changes to the insurance claims management processes which could negatively impact our volume of case referrals. Our failure to address these risks, or to do so in a timely manner or at a cost considered reasonable by us, could materially adversely affect our business, results of operations, and financial condition.

We rely on a combination of trademark, trade name, copyright and trade secret laws to protect our proprietary information, intellectual property, and technology. However, all of these measures afford only limited protection and may be challenged, invalidated or circumvented by third parties. Third parties may copy aspects of our processes, products or materials, or otherwise obtain and use our proprietary information without authorization. Unauthorized copying or use of our intellectual property or proprietary information could materially adversely affect our financial condition and results of operations. Third parties may also develop similar or superior technology independently, including by designing around any of our proprietary technology. Furthermore, the laws of some foreign countries do not offer the same level of protection of our proprietary rights as the laws of the U.S., and we may be subject to unauthorized use of our intellectual property in those countries. Any legal action that we may bring to protect intellectual property and proprietary information could be unsuccessful, expensive and may distract management from day-to-day operations.

Malicious technology-related events, such as cyberattacks, computer hacking, computer viruses, ransomware, worms and other destructive or disruptive software and other attempts to gain access to confidential or personal data, denial of service attacks and other malicious activities are becoming increasingly diverse and sophisticated and the incidence of these events is on the rise worldwide and highlights the need for continual and effective cybersecurity awareness and education. Our business, which involves the collection, use, transmission and other processing of data, makes us and our clients and business partners attractive targets for threat actors such as hackers, denial-of-service attacks, malicious code distributors, perpetrators of phishing and ransomware attacks, and malicious insiders (including current and former employees), which may result in security incidents. Types of cybersecurity incidents may include unauthorized access, misuse, loss, corruption, inaccessibility, or destruction of data (including personal, confidential and sensitive data), unavailability of services, or other adverse events. Separately, in the event of a cyberattack we may not be able to consistently maintain active communications between our various global operations and with our clients due to disruptions in telecommunication networks and power supplies. Any significant failure in our ability to communicate could result in a disruption in business, which could hinder our performance and our ability to complete projects on time. Significant failure of our equipment or systems, or any major disruption to basic infrastructure like power and telecommunications in the locations in which we operate, resulting from a cybersecurity incident, could impede our ability to provide services to our clients, have a negative impact on our reputation, cause us to lose clients, and adversely affect our results of operations. In the past three years, we have faced cyberattacks, and we expect to continue to face cyberattacks in the future. Some of these attacks have been successful, though none have been material. We have made investments in our information security policies, procedures and technical controls and routinely engage a third party to assess the maturity of our information security program against the National Institute of Standards and Technology ("NIST") Cybersecurity Framework. However, we do not believe it is possible to protect our systems or third-party systems against every attempt at a malicious breach due to the increasing sophistication and frequency of such attacks. All employees receive security awareness training including communication of processes for reporting a potential security incident. We have a robust Cybersecurity and Privacy Incident Response Policy in place which provides a documented framework for handling high severity security and privacy incidents and facilitates coordination across multiple parts of the Company and with external expertise when necessary. Additionally, we have existing procedures to determine the potential materiality of a cybersecurity incident. These procedures include reporting protocols to and oversight from our Board of Directors. We also have disclosure controls and insider trading restrictions that would apply in the event of a material cybersecurity incident, and we routinely perform simulations and drills at both a technical and management level. Notwithstanding these measures, we cannot provide any assurance that we will always be able to prevent or mitigate a cybersecurity attack. These types of cybersecurity attacks and incidents can give rise to a variety of losses and costs, including legal exposure and regulatory fines, damages to reputation, and others.

In the normal course of the claims administration services business, we are from time to time named as a defendant in suits by insureds or claimants contesting decisions by us or our clients with respect to the settlement of claims. Additionally, our clients have in the past brought, and may, in the future bring, claims for indemnification on the basis of alleged actions on our part or on the part of our agents or our employees in rendering services to clients. There can be no assurance that additional lawsuits will not be filed against us. There also can be no assurance that any such lawsuits will not have a disruptive impact upon the operation of our business, that the defense of the lawsuits will not consume the time and attention of our senior management and financial resources or that the resolution of any such litigation will not have a material adverse effect on our business, financial condition and results of operations. We are also subject to numerous federal, state, and foreign labor, employment, worker health and safety, antitrust and competition, environmental and consumer protection, import/export, anti-corruption, and other laws. From time to time, we face claims and investigations by employees, former employees, and governmental entities under such laws or employment contracts with such employees or former employees. Such claims, investigations, and any litigation involving the Company could divert management's time and attention from business operations and could potentially result in substantial costs of defense, settlement or other disposition, which could have a material adverse effect on our results of operations and financial condition.

We are impacted by inflationary increases in wages, benefits and other costs. In all countries in which we operate, wage and benefit inflation, whether driven by competition for talent, or ordinary course pay increases and other inflationary pressure, may increase our cost of providing services and reduce our profitability. Furthermore, as a result of our global operations, wage increases in emerging markets may increase at a faster rate than wages in the U.S. and other developed markets, which increases our exposure to inflation risks. If we are not able to pass increased wage and other costs resulting from inflation onto our clients or charge premium prices when justified by market demand, our profitability may decline. The risks described above are not the only ones we face, but are the ones currently deemed the most material by us based on available information. New risks may emerge from time to time, and it is not possible for management to predict all such risks, nor can we assess the impact of known risks on our business or the extent to which any factor or combination of factors may cause actual results to differ materially from those contained in any forward-looking statement.

Our international operations subject us to political, legal, operational, financial, exchange rate and other risks that we do not face in our domestic operations. Many of these operations are substantially smaller than our U.S. operations and as such are at risk of generating operating losses due to lack of scale. We face, among other risks, the risk of discriminatory regulation; nationalization or expropriation of assets; changes in both domestic and foreign laws regarding taxation, trade and investment abroad; pandemics; potential loss of proprietary information due to piracy, misappropriation or laws that may be less protective of our intellectual property rights; or price controls and exchange controls or other restrictions that could prevent us from transferring funds from these operations out of the countries in which they were earned or converting local currencies we hold into U.S. dollars or other currencies. Although we do not have direct exposure from the ongoing and potential global conflicts including Russia and the Ukraine, the Middle East, and growing tensions in the Asia Pacific region, we are aware of their potential negative impact to adjacent economies which could lower claim activity across our network of offices and increase our exposure to cyberattacks. International operations also subject us to numerous additional laws and regulations that are in addition to, or may be different from, those affecting U.S. businesses, such as those related to labor, employment, worker health and safety, antitrust and competition, trade restriction, environmental protection, consumer protection, import/export and anti-corruption, including but not limited to the Foreign Corrupt Practices Act ("FCPA"). Although we have put into place policies and procedures aimed at ensuring legal and regulatory compliance, our employees, subcontractors, and agents could inadvertently or intentionally take actions that violate any of these requirements. Violations of these regulations could impact our ability to conduct business, or subject us to criminal or civil enforcement actions, any of which could have a material adverse effect on our business, financial condition or results of operations.

Our business may be negatively affected by instability, disruption or destruction in the many geographic regions where we operate. Natural or man-made disasters, including storm, flood, fire, earthquake, pandemics and other regional or global health crises, as well as war, terrorism, riot, civil insurrection or social unrest, may cause damage to our facilities or disrupt our services. This includes our shared services centers which exist in international geographies. Specifically, we continue to increase employees and processes performed by our Global Business Service Centers located in the Philippines. Our crisis management procedures, business continuity plans and disaster recovery capabilities may not be effective at preventing or mitigating the effects of such disasters, particularly in the case of a catastrophic event. These events may pose significant security risks to our employees, the facilities where they work, our operations, electricity and other utilities, communications, travel and network services and the disruption of any or all of them could materially adversely affect our financial results.

Our ability to retain clients and maintain and increase case referrals is also dependent in part on our ability to continue to provide high-quality, competitively priced services and effective sales efforts. The global claims management services market is highly competitive and comprised of a large number of companies that vary in size and that offer a varied scope of services. The demand from insurance companies and self-insured entities for services provided by independent claims service firms like us is largely dependent on industry-wide claims volumes, which are affected by, among other things, the insurance underwriting cycle, weather-related events, general economic activity, overall employment levels, and workplace injury rates. We are also impacted by decisions insurance companies and self-insured entities make with respect to the level of claims outsourced to independent claim service firms as opposed to those handled by their own in-house claims adjusters. We also face competition from potential new entrants into the global claims management services market, in addition to traditional competitors. Potential consolidation in our industry can also create stronger competition. Our inability to react to such competition could negatively impact our volume of case referrals and results of operations.

From time to time, we derive a material portion of our revenues from a limited number of clients. No single customer accounts for 10% or more of our consolidated revenues for the years ended December 31, 2025, 2024, or 2023. However, for the year ended December 31, 2025, two customers in our Platform Solutions segment represented in excess of 10% of its revenues, and for each of the years ended December 31, 2024 and 2023, three customers in our Platform Solutions segment each represented in excess of 10% of its revenues. For the year ended December 31, 2023, our International Operations segment derived in excess of 10% of its revenues from one customer. In the event we are not able to retain these significant relationships, or replace any lost revenues from such relationships, revenues and operating earnings within these segments could be materially adversely affected.