Marsh & Mclennan Companies (MMC) Risk Factors

We conduct business globally. In 2023, approximately 53% of the Company's total revenue was generated from operations outside the U.S., and over one-half of our employees were located outside the U.S. In addition, we conduct our operations through four separate businesses. Potential conflicts of interest may arise across our businesses given the significant volume of our engagements. The geographic breadth of our activities also subjects us to significant legal, economic, operational, market, compliance and reputational risks. These include, among others, risks relating to: - economic and political conditions in the countries in which we operate;- client concentration in certain high-growth countries in which we operate;- the length of payment cycles and potential difficulties in collecting accounts receivable;- unexpected increases in taxes or changes in U.S. or foreign tax laws, rulings, policies or related legal and regulatory interpretations, including recent changes to the U.K. statutory rate;- the implementation of the Organization for Economic Cooperation and Development (OECD) international tax framework, including the implementation of the Pillar 2 minimum tax regime by key jurisdictions in 2024 and the Pillar 1 profit reallocation regime, which could have an adverse effect on our effective tax rate, tax payments and results of operations;- international initiatives to require multinational enterprises, like ours, to calculate and report profitability on a country-by-country basis, which could increase scrutiny by, or cause disagreements with, foreign tax authorities;- potential transfer pricing-related tax exposures that may result from the flow of funds among our subsidiaries and affiliates in the various jurisdictions in which we operate;- unexpected reassessment by tax authorities of interpretations of existing rules which may require companies to defend previously accepted positions and may create both new and prior-year exposures;- litigation arising from ongoing and future controversies with tax authorities;- permanent establishments created due to colleagues traveling to and doing work in countries where the Company has no presence, or living in such countries and working remotely post-pandemic, which are not properly compensated through transfer pricing;- our ability to obtain dividends or repatriate funds from our non-U.S. subsidiaries, including as a result of the imposition of currency controls and other government restrictions on repatriation in the jurisdictions in which our subsidiaries operate, fluctuations in foreign exchange rates and the imposition of withholding and other taxes on such payments;- geopolitical tensions, such as the war in Ukraine and the escalating conflict throughout the Middle East, in countries where we operate, international hostilities, international trade disputes, terrorist activities, natural disasters, pandemics, and infrastructure disruptions;- local investment or other financial restrictions that foreign governments may impose;- potential lawsuits, investigations, market studies, reviews or other activity by foreign regulatory or law enforcement authorities or legislatively appointed commissions, which may result in potential modifications to our businesses, related private litigation or increased scrutiny from U.S. or other regulators;- potential costs and difficulties in complying with a wide variety of foreign laws and regulations (including tax systems) administered by foreign government agencies, some of which may conflict with U.S. or other sources of law;- potential costs and difficulties in complying, or monitoring compliance, with foreign and U.S. laws and regulations that are applicable to our operations abroad, including trade sanctions laws relating to countries such as Afghanistan, Belarus, Cuba, Iran, North Korea, Russia, Syria, Ukraine (Russia-controlled territories) and Venezuela, anti-corruption laws such as the U.S. Foreign Corrupt Practices Act and the U.K. Bribery Act 2010;- limitations or restrictions that foreign or U.S. governments and regulators may impose on the products or services we sell, the methods by which we sell our products and services and the manner in which and the amounts we are compensated;- potential limitations or difficulties in protecting our intellectual property in various foreign jurisdictions;- limitations that foreign governments may impose on the conversion of currency or the payment of dividends or other remittances to us from our non-U.S. subsidiaries;- engaging and relying on third parties to perform services on behalf of the Company; and - potential difficulties in monitoring employees in geographically dispersed locations.

If we experience a local or regional disaster or other business continuity event, such as an earthquake, hurricane, flood, terrorist attack, pandemic, war or other geopolitical tensions, protests or riots, security breach, cyberattack (including manipulating the control systems of critical infrastructure), power loss or telecommunications failure, our ability to operate will depend, in part, on the continued availability of our personnel, our office facilities and the proper functioning of our computer, telecommunication and other related systems and operations. In such an event, we could experience operational challenges that could have a material adverse effect on our business. The risk of business disruption is more pronounced in certain geographic areas, including major metropolitan centers, like New York or London, where we have significant operations and approximately 3,700 and 5,700 colleagues in those respective locations, and in certain countries and regions in which we operate that are subject to higher potential threat of terrorist attacks or military conflicts. Our operations depend in particular upon our ability to protect our technology infrastructure against damage. If a business continuity event occurs, we could lose client or Company data or experience interruptions to our operations or delivery of services to our clients, which could have a material adverse effect. Such risks have increased significantly due to hybrid and remote work environments. A cyberattack or other business continuity event affecting us or a key vendor or other third party could result in a significant and extended disruption in the functioning of our information technology systems or operations or our ability to recover data, requiring us to incur significant expense to address and remediate or otherwise resolve such issues. For example, hackers have increasingly targeted companies by attacking internet-connected industrial control and safety control systems. An extended outage could result in the loss of clients and a decline in our revenues. In the worst case, any manipulation of the control systems of critical infrastructure may even result in the loss of life. We regularly assess and take steps to improve our existing business continuity, disaster recovery and data recovery plans and key management succession. However, a disaster or other continuity event on a significant scale or affecting certain of our key operating areas within or across regions, or our inability to successfully recover from such an event, could materially interrupt our business operations and result in material financial loss, loss of human capital, regulatory actions, reputational harm, damaged client relationships and legal liability. Our business disruption insurance may also not fully cover, in type or amount, the cost of a successful recovery in the event of such a disruption. Acquisitions and Dispositions Risks

There is increased focus, including from governmental organizations, regulators (including the SEC in the U.S.), investors, colleagues and clients, on ESG issues such as environmental stewardship, climate change, greenhouse gas emissions, inclusion and diversity, human rights, racial justice, pay equity, workplace conduct, cybersecurity and data privacy. Negative public perception, adverse publicity or negative comments in social media could damage our reputation if we do not, or are not perceived to, adequately address these issues. Any harm to our reputation could impact colleague engagement and retention and the willingness of clients and our partners to do business with us. Additionally, there has been increased regulatory focus on ESG and sustainability. For example, laws and regulations related to ESG issues continue to evolve, including in the U.S., the U.K., the EU and Australia, and these regulations may impose additional compliance or disclosure obligations on us. In particular, heightened demand for, and scrutiny of, ESG and sustainable-related products, funds, investment strategies and advice has increased the risk that we could be perceived as, or accused of, making inaccurate or misleading statements, commonly referred to as "greenwashing" or that we have otherwise run afoul of regulation. Such perceptions or accusations could damage our reputation, result in litigation or regulatory enforcement actions, and adversely affect our business. Furthermore, perceptions of our efforts to achieve ESG goals or advance ESG and sustainable-related products, funds, investment strategies or advice may differ widely among stakeholders and could present risks to our reputation and business, including litigation risk. For example, in the U.S. there has been increased legal scrutiny on inclusion and diversity-related programs and initiatives. Moreover, as ESG reporting standards continue to evolve, including with guidance from the International Sustainability Standards Board (ISSB) and the European Sustainability Reporting Standards (ESRS) under the Corporate Sustainability Reporting Directive (CSRD), we continue to evaluate and update our public disclosures in these areas, including refining our disclosure of metrics and goals in accordance with the guidance and our own ESG assessments and priorities. These disclosures, metrics and goals and any failure to accurately report or comply with federal, state or international ESG laws and regulations, or to achieve progress on our metrics and goals on a timely basis, or at all, may result in legal and regulatory proceedings against us and negatively impact our reputation. Implementation of our ESG initiatives also depends in part on third-party performance or data that is outside the Company's control. In addition, organizations that provide information to investors on corporate governance and related matters have developed ratings processes for evaluating companies on their approach to ESG matters, and unfavorable ratings of our company or our industries may lead to negative investor sentiment and the diversion of investment to other companies or industries, exclusion of our stock from ESG-oriented indices or investment funds or harm our relationships with regulators and the communities in which we operate.

As a global professional services firm, the Company faces competition in each of its businesses, and the competitive landscape continues to change and evolve. Our ability to compete successfully depends on a variety of factors, including the quality and expertise of our colleagues, our geographic reach, the sophistication and quality of our services, our pricing relative to competitors, our clients' ability to self-insure or use internal resources instead of consultants, and our ability to respond to changes in client demand and industry conditions. Any failure by us to design and execute operating model changes that capture opportunities and efficiencies at the intersections of our businesses and maximize the value we deliver to clients and stakeholders could have an adverse impact on our business. Additionally, some of our competitors may have greater financial resources, or may be better positioned to respond to technological and other changes in the industries we serve, and they may be able to compete more effectively. Furthermore, the competition for talent continues to accelerate. Across our Risk and Insurance Services segment, we operate in a variety of markets and face different competitive landscapes. In addition to the challenges posed by capital market alternatives to traditional insurance and reinsurance, we compete against a wide range of other insurance and reinsurance brokerage and risk advisory firms that operate on a global, regional, national or local scale for both client business and employee talent. In recent years, private equity sponsors have invested tens of billions of dollars into the insurance brokerage sector, transforming existing players and creating new ones to compete with large brokers. We also compete with insurance companies that market and service their insurance products directly to consumers and reinsurance companies that market and service their products directly to insurance companies, in each case without the assistance of brokers or other market intermediaries, and with various other companies that provide risk-related services or alternatives to traditional brokerage services, including those that rely almost exclusively on technological solutions or platforms. This competition is intensified by an often "syndicated" or "distributed" approach to the purchase of insurance and reinsurance brokerage services, where a client engages multiple brokers to service different portions of the client's account. In addition, third party capital providers have entered the insurance and reinsurance risk transfer market offering products and capital directly to our clients that serve as substitutes for traditional insurance. In our Consulting segment, we compete for business with numerous consulting firms and similar organizations, many of which also provide, or are affiliated with firms that provide, accounting, information systems, technology and financial services. Such competitors may be able to offer more comprehensive products and services to potential clients, which may give them a competitive advantage. Some of our competitors also may be able to invest more significant capital in technology and digital solutions. In certain sub-segments, we compete in highly fragmented markets or with start-ups that may be able to offer solutions at a lower price or on more favorable conditions. In addition, companies in the industries that we serve may seek to achieve economies of scale and other synergies by combining with or acquiring other companies. If two or more of our current clients merge, or consolidate or combine their operations, it may decrease the amount of work that we perform for these clients.

We depend in large part on our technology systems for conducting business, as well as for providing the data and analytics we use to manage our business. As a result, our business success is dependent on maintaining the effectiveness of existing technology systems and on continuing to develop and enhance technology systems that support our business processes and strategic initiatives in a cost and resource efficient manner, particularly as our business processes become more digital. We have a number of strategic initiatives involving investments in or partnerships with technology companies as part of our growth strategy, as well as investments in technology, including generative AI, and infrastructure to support our own systems. These investments may be costly and require significant capital expenditures, may not be profitable or may be less profitable than what we have experienced historically. In addition, investments in technology systems may not deliver the benefits or perform as expected, or may be replaced or become obsolete more quickly than expected, which could result in operational difficulties or additional costs. In some cases, we also depend on key vendors and partners to provide technology and other support for our strategic initiatives. If these vendors or partners fail to perform their obligations or otherwise cease to work with us, our ability to execute on our strategic initiatives could be adversely affected. If we do not keep up with technological changes or execute effectively on our strategic initiatives, our business and results of operations could be adversely impacted. In addition, to remain competitive in many of our business areas, we must anticipate and respond effectively to the threat of digital disruption and other technological change such as generative AI. The threat comes from traditional players, such as insurers, through disintermediation as well as from new entrants, such as technology companies, "Insurtech" start-up companies and others. In the past few years, there has been a substantial increase in private equity investments into these Insurtech companies. These players are focused on using technology and innovation, including AI, digital platforms, data analytics, robotics and blockchain, to simplify and improve the client experience, increase efficiencies, alter business models and effect other potentially disruptive changes in the industries in which we operate. We are actively investing in generative AI tools. While our internal generative AI tool, LenAI, was designed to meet our standards for data security and to address and mitigate the risks associated with this new technology, our use of generative AI in certain products and services may present risks and challenges that remain uncertain due to the relative novelty of this technology. These risks may include enhanced governmental or regulatory scrutiny, litigation or ethical concerns. While we are implementing certain mitigation measures and governance to the proliferation of AI tools, these measures may be inadequate or may not meet a growing number of legal and regulatory requirements related to AI. Competitive Risks

In operating our business and providing services and solutions to clients, we collect, use, store, transmit and otherwise process certain electronic information, including personal, confidential, proprietary and sensitive data such as financial records, health care, mergers and acquisitions and personal data of our clients, colleagues and vendors. We rely on the efficient, uninterrupted and secure operation of complex information technology systems and networks to operate our business and securely process, transmit and store electronic information. In the normal course of business, we also share electronic information with our vendors and other third parties. This electronic information comprises sensitive and confidential data, including information related to financial records, health care, mergers and acquisitions and clients' personal data. Our information technology systems and information security control systems, and those of our numerous third-party providers, as well as the control systems of critical infrastructure they rely on, such as power grids, and undersea cables, are potentially vulnerable to unauthorized access, damage or interruption from a variety of external threats, including software bugs, physical attack, cyberattacks, computer viruses and other malware, malicious or destructive code, ransomware, social engineering attacks (including phising and digital or telephonic impersonation), hacking, denial-of-service attacks and other types of data and systems-related modes of attack. The techniques used to achieve such unauthorized access, damage or interruption change frequently and new techniques may not be identified until they are launched against a target, and we may be unable to anticipate these techniques or implement adequate preventative or remedial measures, resulting in potential data loss, data unavailability, data corruption or other damage to information technology systems. In addition, remote and hybrid work arrangements have increased the risk of phishing and other cybersecurity attacks, unauthorized dissemination of personal, confidential, proprietary or sensitive data, and unauthorized access to company computing assets. Further, a disruption of physical infrastructure could impact our ability to conduct business and service clients. This may include deliberate or unintentional disruption of service to electrical systems, satellite communications, undersea or terrestrial cable systems, Internet services, or other systems our colleagues or third parties rely on us to conduct business in a multitude of jurisdictions across the globe. Disruptions may be the result of weather, natural disaster, war, terrorism, pandemic, or other natural or geopolitical events. Our systems are also subject to compromise from internal threats such as fraud, mistake, misconduct or other improper action by employees, vendors and other third parties with otherwise legitimate access to our systems. Moreover, we face the ongoing challenge of managing access controls in a complex environment. The latency of a compromise is often measured in months but could be years, and we may not be able to detect a compromise in a timely manner, and even if detected, there can be no assurance that we can mitigate or remediate such compromise in an adequate or timely manner. We could experience significant financial and reputational harm if our information systems are breached, sensitive client or Company data are compromised, surreptitiously modified, rendered inaccessible for any period of time or maliciously made public, or if we fail to make adequate or timely disclosures to the public, law enforcement agencies or regulators following any such event, whether due to delayed discovery or a failure to follow existing protocols. Cyberattacks are increasing in frequency and evolving in nature. We are at risk of attack by a variety of adversaries, including nation states, state-sponsored organizations, organized crime and hackers, through use of increasingly sophisticated methods of attack, including the deployment of AI to find and exploit vulnerabilities, "deep fakes", long-term, persistent attacks (referred to as advanced persistent threats) and the use of the IT supply chain to introduce malware through software updates or compromised suppliers accounts or hardware. In particular, the advance of AI and large language models has given rise to additional vulnerabilities and potential entry points for cyber threats. With generative AI tools, threat actors may have additional tools to automate breaches or persistent attacks, evade detection, or generate sophisticated phishing emails or other forms of digital impersonation. In addition, increasing use of generative AI models in our internal systems may create new attack methods for adversaries. Because generative AI is a new field, understanding of cybersecurity risks and protection methods continues to develop, and features that rely on generative AI, including in services provided to us by third parties, may be susceptible to unanticipated cybersecurity threats from sophisticated adversaries and other cybersecurity incidents. Further, we are at increased risk of a cyberattack during periods of heightened geopolitical conflict, such as the war in Ukraine and the escalating conflict throughout the Middle East, as diplomatic events and economic policies may trigger espionage or retaliatory cyber incidents. Despite our efforts to comply with applicable cybersecurity requirements and mitigate risks of cybersecurity threats, we cannot be certain that our security measures will definitively prevent, contain, detect, or remediate all cybersecurity threats or incidents or other instructions from malware currently in existence or developed in the future. As the breadth and complexity of the technologies we use and the software and platforms we develop continue to grow, including as a result of the use of mobile devices, cloud services, "open source" software, social media tools and the increased reliance on devices connected to the Internet (known as the "Internet of Things"), the potential risk of security breaches and cyber-attacks also increases. Despite ongoing efforts to improve our ability to protect data from compromise, we may not be able to protect all of our data across our diverse systems. Our efforts to improve and protect data from compromise may also identify previously undiscovered instances of security breaches or other cyber incidents. Our policies, employee training (including phishing prevention training), procedures and technical safeguards may also be insufficient to prevent, detect or remediate improper access to confidential, personal or proprietary information. In addition, the competition for talent in the data privacy and cybersecurity space is intense, and we may also be unable to hire, develop or retain suitable talent capable of adequately detecting, mitigating or remediating these risks. Should an attacker gain access to our network using compromised credentials of an authorized user, we are at risk that the attacker might successfully leverage that access to compromise additional systems and data. Certain measures that could increase the security of our systems, such as data encryption (including encryption of data at rest), heightened monitoring and logging, scanning for source code errors or deployment of multi-factor authentication, take significant time and resources to deploy broadly, and such measures may not be deployed in a timely manner or be effective against an attack. The inability to implement, maintain and upgrade adequate safeguards could have a material adverse effect on our business. Our information systems must be continually updated, patched, and upgraded to protect against known vulnerabilities. The volume of new software vulnerabilities has increased markedly, as has the criticality of patches and other mitigation and remedial measures. In addition to mitigating and remediating newly identified vulnerabilities, previously identified vulnerabilities must also be continuously addressed. Accordingly, we are at risk that cyberattackers exploit these known vulnerabilities before they have been communicated by vendors or addressed. Due to the large number and age of the systems and platforms that we operate, the increased frequency at which vendors are issuing security patches to their products, the need to test patches and, in some cases coordinate with clients and vendors, before they can be deployed, we perpetually face the substantial risk that we cannot deploy patches in a timely manner. We are also dependent on third party vendors to keep their systems patched and secure in order to protect our data. Any failure related to these activities could have a material adverse effect on our business. We have numerous vendors and other third parties who receive personal information from us in connection with the services we offer our clients and our employees. We also use hundreds of IT vendors and software providers to maintain and secure our global information systems infrastructure. In addition, we have migrated certain data, and may increasingly migrate data, to the cloud where it is hosted by third-party providers. Some of these vendors and third parties also have direct access to our systems or data. We are at risk of a cyberattack involving a vendor or other third party, which could result in a breakdown of such third party's data protection processes or the cyberattackers gaining access to our infrastructure or data through a supply chain attack. Highly publicized data security breaches, such as the October 2023 attack on Okta may embolden malicious actors to target the IT supply chain and providers of business software. Our control over and ability to monitor the cybersecurity practices of our third-party vendors and service providers, and other third parties with whom we do business, remains limited, and there can be no assurance that we can prevent, mitigate, or remediate the risk of any compromise or failure in the cybersecurity infrastructure owned or controlled by such third parties. Additionally, any contractual protections with such third parties, including our right to indemnification, if any, may be limited or insufficient to prevent a negative impact on our business from such compromise or failure. We have a history of making acquisitions and investments. The process of integrating the information systems of any businesses we acquire is complex and exposes us to additional risk. For instance, we may not adequately identify weaknesses and vulnerabilities in an acquired entity's information systems, either before or after the acquisition, which could affect the value we are able to derive from the acquisition, expose us to unexpected liabilities or make our own systems more vulnerable to a cyberattack. In addition, if we discover a historical compromise, security breach or other cyber incident related to the target's information systems following the close of the acquisition, we may be liable and exposed to significant costs and other unforeseen liabilities. We may also be unable to integrate the systems of the businesses we acquire into our environment in a timely manner, which could further increase these risks until such integration takes place. We have experienced data incidents and cybersecurity breaches, such as malware incursions (including computer viruses and ransomware), vulnerabilities in the software on which we rely, users exceeding their data access authorization, employee misconduct and incidents resulting from human error, such as emails sent to the wrong recipient, loss of portable and other data storage devices or misconfiguration of software or hardware resulting in inadvertent exposure of personal, sensitive, confidential or proprietary information. In April 2021, an unauthorized actor leveraged a vulnerability in a third party's software and gained access to a limited set of data in our environment. Like many companies, we are also subject to social engineering attacks such as WhatsApp scams and regular phishing email campaigns directed at our employees that can result in malware infections, fraud and data loss. Although these incidents have resulted in data loss and other damages, to date, they have not had a material adverse effect on our business or operations. In the future, these types of incidents could result in personal, sensitive, confidential or proprietary information, including client, employee or Company data, being lost or stolen, surreptitiously modified, rendered inaccessible for any period of time, or maliciously made public, which could have a material adverse effect on our business. In the event of a cyberattack, we might have to take our systems offline, which could interfere with services to our clients or damage our reputation. A cyberattack may also result in systems or data being encrypted or otherwise unavailable due to ransomware or other malware. We also may be unable to detect an incident, assess its severity or impact, or appropriately respond in a timely or adequate manner. In addition, our liability insurance, which includes cyber insurance, may not be sufficient in type or amount to cover us against claims related to security breaches, cyberattacks and other related data and system incidents. Further, we cannot be sure that our existing coverage will continue to be available on acceptable terms or at all or that our insurers will not deny coverage as to any future claim.