Morningstar (MORN) Risk Analysis

We believe rapid innovation and technological advances in financial information services and investable products are changing how investors and intermediaries' access and use data. These changes may result in our existing products becoming less competitive or obsolete. Our future success will continue to depend on our ability to develop new products and enhancements that address and support the evolving needs of our current and target markets, as well as on our ability to keep pace with competitors. If we fail to continuously innovate and effectively incorporate or deploy new datasets, research, AI technologies, content, or software to meet evolving customer needs, our competitive position may suffer. Our reputation would be harmed if we are seen as slow to adapt to meet the changing needs of investors or their financial advisors, especially as customers expect more personalized advice and greater data security. Increased interest in alternative assets, such as private market offerings, require new expertise and data. Competitors who innovate faster or offer broader solutions may outpace us. Our investments in new products, especially those involving AI technologies, carry execution risks and challenges and may not deliver expected benefits, such as generating revenue or cost savings, or creating efficiencies in our processes. Additionally, we cannot guarantee we will successfully adapt or seamlessly transition to new product offerings. Failure to successfully manage these transitions and investments would materially and adversely affect our reputation, operating results and financial condition. As financial intermediary customers further automate their processes, demand for our products may shift, making technological flexibility and system interoperability increasingly important. Clients increasingly expect technology solutions that address specific needs, such as integrated wealth management capabilities. Our technology heavily relies on the quality and comprehensiveness of our data and our ability to build valuable analytics, research, and intellectual property around it. Delivering personalized advice that clients value requires collecting, organizing, and analyzing large, diverse datasets. If we fail to adequately allocate resources to meet client demands, we may lose our competitive advantage, which could adversely impact our business, operating results, and financial condition.

We rely primarily on trademarks, copyright, patents and trade secret rights, as well as contractual protections and technical safeguards, to protect our intellectual property and proprietary information. These measures may not be adequate to safeguard our brand or competitive advantage, and third parties could challenge, circumvent, or improperly access our intellectual property and proprietary information. Additionally, jurisdictions in which we operate may lack strong intellectual property protections, which increases our vulnerability to unauthorized use or disclosure and may undermine our competitive position, particularly in non-US markets. Even where legal protections exist, defending these rights can require significant cost, time, and resources with no guarantee of success. We believe our trademark rights in the "Morningstar" name and logo, and those of our subsidiaries represent materially valuable intangible assets. We have encountered and may continue to encounter jurisdictions in which third parties hold pre-existing trademark registrations or use the "Morningstar" name, either as part of a registered corporate name or domain name, or otherwise. This may prevent us from registering or using our marks and could limit our ability to market products or secure trademark protection in those locations. We have been and may continue to be subject to claims by third parties alleging infringement of their intellectual property rights. Such claims can also be alleged against clients, customers, or distributors of our products and services with whom we have agreed to provide indemnification protection. The defense of such claims can be costly, time consuming, and disruptive and lead to unfavorable outcomes requiring us to pay damages, enter disadvantageous licensing or royalty agreements, incur litigation and settlement costs, or suspend affected products or services, any of which could materially adversely affect our business, operating results, or financial condition. Our reputation, financial condition, and operating results may be adversely impacted by any failure by us to successfully assert or enforce our intellectual property rights or by any alleged intellectual property infringement claims by a third party. In addition, unauthorized third parties may attempt to imitate or fraudulently use our brand, websites, or other digital assets, such as through website spoofing or phishing attacks, which could result in reputational harm, financial loss for individuals, or impede our ability to attract and retain customers.

Our business requires that we securely collect, process, store, and transmit confidential information including sensitive personal information relating to our operations, customers, employees and other third parties. We continuously invest in measures designed to protect this information, but we cannot guarantee absolute security. Improper access or release of data may still occur due to employee or vendor error, system issues, failure to consistently apply security practices across our business, or cyberattacks. We may also be subject to specific legal or contractual obligations relating to personal information and personal financial information, as in certain cases our products and services handle, store, and transmit personal information. Due to the global nature of our business, personal information is routinely moved from one jurisdiction to another, subjecting us and our customers to complex and evolving federal, state and foreign privacy, cybersecurity, and data protection laws, which may vary across geographies. Restrictions on cross-border data transfers and conflicting regulations may enhance compliance obligations and associated costs. As a global business, we regularly seek to optimize our data storage to enhance information accuracy and streamline our technology, which supports our operations. However, data privacy laws such as the General Data Protection Regulation (GDPR) impose obligations on the storage, transfer, and use of personal information, potentially restricting the processing of data about individuals outside of their home jurisdictions. Legislation aimed at protecting material nonpublic information or mitigating potential conflicts of interest further defines how we access and retain certain data, potentially resulting in less efficient or more costly technological processes and infrastructure. One of our core strengths is our ability to collect data and enrich it with data from another part of our business to provide valuable information and insights to investors. As data is accessible across our products, consistent data privacy practices and disclosure become more important and challenging. Failure to comply with our public statements or to adequately disclose our privacy or data protection practices could result in costly investigations by government authorities, litigation, and fines, as well as reputational damage and customer loss. We may be subject to increasingly frequent and sophisticated cyberattacks by actors with substantial resources and advanced capabilities that could overcome the defensive measures of our security program. These actors have targeted, and may target, our products, people, services, and network infrastructure to access intellectual property, confidential or personal information, or disrupt operations (e.g., distributed denial of service attacks or ransomware). Though we have dedicated resources and protective measures designed to identify and mitigate cyberattacks, such attacks continue to evolve, can be difficult to detect, and may go unnoticed for extended periods. Our measures may not be adequate or designed to prevent all eventualities or all types of attacks. We may be vulnerable to circumvention of security systems, denial of service attacks or other cyberattacks, hacking including "hacktivism," "phishing," or other social engineering attacks, malware, ransomware, employee or insider errors, employee or vendor malfeasance, physical breaches, or other malicious actions. Additionally, remote work and the use of personal devices introduce additional risk management challenges. We may also be impacted by a cyberattack targeting one of our vendors or other supplier/service provider within our technology supply chain or infrastructure, including cloud providers. As we expand our product and service offerings, we increasingly share confidential and proprietary data with third-party vendors, service providers, and software as a service (SaaS) platforms. This growing exposure to third parties introduces the risk that inadequacies in their security technologies, practices, or monitoring could result in unauthorized access, data breaches, or other cybersecurity incidents, that could impact us and our customers. From time to time, we have acquired, and may in the future acquire, other businesses or assets. While we conduct due diligence on the products, technology systems, and practices of these companies, we may inherit existing or undiscovered security vulnerabilities, data breaches, or system intrusions for which we could be liable. Acquired products and technologies may expose us to additional security risks, integration delays, increased costs to meet our security standards, and challenges in augmenting the acquired technologies to levels consistent with our brand and reputation. These businesses may also have less advanced security or data privacy controls, introducing further risks as their systems are integrated with ours. While we maintain recovery capabilities intended to restore operations and data integrity following a cybersecurity incident, these capabilities are not absolute and are subject to similar limitations and uncertainties as our preventive measures. Accordingly, we cannot guarantee that all attack vectors can be fully mitigated or that recovery will be complete or timely in all circumstances. Any failure to protect confidential information or any material significant cybersecurity incident, whether in our systems or those of third parties handling our data, could lead to reputational damage, operational challenges, loss of customers, regulatory actions, sanctions, or other penalties, litigation, financial losses, and increased mitigation costs, which could have a material adverse effect on our business, operating results, and financial condition.

We may face claims related to securities law violations, defamation, negligence, or other issues arising from the information we publish, including our research and ratings. For example, investors could take legal action against us if they rely on published information that contains an error, or companies may claim we have made a defamatory statement about them or their employees. In our credit ratings business, we have access to significant amounts of material non-public information on issuers of securities, and any inadvertent disclosure or real or perceived misuse of such information could expose us to legal liability. Even minor errors may require us to temporarily remove ratings or research, potentially reducing the perceived value of our products or causing us to fall short of service-level commitments to customers. Some of our products are used by clients to support investment processes, account reporting, and other activities involving significant third-party assets. This creates the risk that clients, or the parties whose assets they manage, may bring claims against us for losses linked to our products. We may also face regulatory investigations related to our products and their use by clients. While the contracts for our software products generally contain limitations on our liability, we may still need to compensate clients or their customers to preserve business relationships. Additionally, we could face claims related to content that is accessible through links on our website. Products and enhancements that we develop or license have contained, and may in the future contain, undetected errors or defects despite testing or other quality-assurance practices. Use of our products or services as part of the investment processes and other activities, by our customers, investors, companies that we rate or assess, or their shareholders could subject us to claims for errors in our data, calculations, methodologies, inputs, analysis, or system failures. We may also face claims from providers of data and information we compile from websites and other sources, alleging we have obtained the data in violation of the source's terms of use or copyrights. We may face claims from third parties, such as securities exchanges from which we license and redistribute data and information, alleging improper use or redistribution of licensed data, or that we have inadequately permissioned our clients to use such data. These agreements often grant extensive audit rights, which have in the past and in the future may be triggered, and can be costly, time-consuming, and may result in substantial fees. Regulators may also claim we have mishandled private ratings or nonpublic data, particularly in our credit ratings business. These regulators have audit rights regarding our data use which could have similar adverse consequences in terms of time, expenses, or fines. Defending claims based on the information we publish could be expensive and time-consuming and could adversely affect our business, operating results, and financial condition. Additionally, we use and incorporate open-source code in our software development and products, which could expose us to additional security risks, increase costs, and complicate the commercialization of our products and services. Security vulnerabilities due to the use of open-source software could require additional testing, change control, or re-engineering, potentially increasing costs and impacting our development processes and products. Open-source licenses typically lack warranties for infringement claims or covering the quality or security of the code, and some may require public release of our proprietary source code if combined in certain ways, potentially putting us at a competitive disadvantage. Many open-source licenses are ambiguous and have not been widely interpreted by US or other courts, and any unexpected restrictions or claims could require us to seek alternative licenses at increased costs or reduced scope, re-engineer products or systems, or discontinue the licensing of certain products.

Our effective tax rate is based on the mix of income and losses in our US and non-US operations, statutory tax rates, and tax-planning opportunities available in the various jurisdictions in which we operate. We have been, and could in the future be, subject to changes in our tax rates, the adoption of new or evolving US or non-US tax legislation or exposure to additional tax liabilities. Due to economic and political conditions, tax rates in various jurisdictions may be subject to significant change. Our future effective tax rates could be affected by changes in the mix of earnings in countries with differing statutory tax rates including impacts related to transfer pricing, changes in the valuation of deferred tax assets and liabilities, or changes in tax laws or their interpretation by relevant authorities. Corporate tax reform, base-erosion efforts, and tax transparency continue to be high priorities in many jurisdictions in which we operate. Changes in tax laws or regulation around the world, including efforts led by the Organization for Economic Co-operation and Development (OECD), could result in increases to our effective tax rate. We continue to monitor developments and administrative guidance in the countries where we operate in addition to evaluating the potential impact on our consolidated financial statements for future periods.

In response to market demand, we offer products, including those from Morningstar Sustainalytics, that may expose us to liability and higher regulatory costs. New and evolving environmental, social, and governance regulations are being introduced, amended, or revoked in the EU, the US, and other jurisdictions, requiring compliance with specific frameworks and disclosure obligations. For example, the EU Corporate Sustainability Reporting Directive (CSRD) applies to both EU and non-EU entities in scope and mandates extensive disclosures on sustainability topics such as climate change, biodiversity, workforce, supply chain, and business ethics, and may apply to our operations based on recent legal developments. In contrast, the future of any US regulation of sustainability matters is uncertain, and if adopted may not align with the disclosures required by the CSRD or other legal and regulatory requirements. Similarly, a number of US states have passed, or are in the process of adopting, broad climate change disclosure requirements, such as the Climate Corporate Data Accountability Act and Climate-Related Financial Risk Act in California, the future scope and implementation of which also remains uncertain. We have announced decarbonization goals and other initiatives, guided by standards such as the Task Force on Climate-Related Financial Disclosure (TCFD), the Sustainability Accounting Standards Board (SASB), and Global Reporting Initiative (GRI). Morningstar has committed to decarbonizing 50% of our scope 1 and scope 2 greenhouse gas emissions by 2030 and to publicly disclosing our emissions annually. Implementing these initiatives and complying with new or amended regulations may require significant resources and management attention. Any failure, or perceived failure, to fully comply with mandatory ESG requirements or voluntary ESG standards could adversely affect our business, operating results, and financial condition. At the same time, we may face evolving and sometimes conflicting expectations from various stakeholders regarding our business practices and company activities, including environmental, social and governance matters. These expectations may increase operational complexity and place additional demands on our employees, systems, and resources. Different stakeholders may hold differing views on such matters, increasing the risk that actions we take, or fail to take, are perceived negatively by certain groups. Public sentiment and the broader sociopolitical environment may shift rapidly and unpredictably, and we may not be able to anticipate or respond to such changes within expected timeframes or without incurring significant costs. If we do not effectively manage such evolving expectations, we could experience reputational harm, stakeholder disengagement, litigation, or other adverse consequences, which may adversely impact our business, operating results, and financial condition.

Our continued success depends on attracting, hiring, and onboarding qualified employees. Many of our key offerings require specialized skills in areas such as engineering, research, quantitative analysis, fixed income data, and credit analysis, as well as emerging strategic disciplines. These skills are highly sought after, creating strong competition for talent. The development, maintenance, and support of our products also rely on the expertise and experience of our existing employees. As a global business with a distributed workforce, we face recruiting challenges across many locations. Managing employees across geographies introduces complexities, including implementing systems, policies, benefits, and compliance programs, and addressing external factors such as geopolitical unrest. Rising wage scales in key markets, inflationary pressures, strong sector stock performance in the sectors where we focus hiring efforts, immigration policies, regulatory changes, and skill shortages increase compensation costs and can make it harder to attract and retain qualified employees. We invest in employee development through programs such as learning tools and educational stipends and encourage engagement. Shifts in labor markets, such as moves toward or away from remote or hybrid work, may affect retention. Integration of acquired businesses or sunsetting brands can also impact culture and morale, potentially leading to unforeseen attrition. We believe our success depends on the continued service of our executive officers, including Joe Mansueto, our executive chairman, and Kunal Kapoor, our chief executive officer, as well as senior leaders and other key employees. Their experience and expertise make them attractive to competitors and early-stage companies that can offer significant financial incentives. Loss of these leaders, or inadequate succession planning, or loss of key employees could pose substantial challenges, including loss of potential or existing clients, and adversely affect our operating results and financial condition.

We rely on certain external sources for data and research, including securities exchanges, fund companies, issuers, and other providers, as well as third-party data for many of our products. Certain data feeds create sole-source dependency, and any service degradation could harm our products and expose us to downstream risk. External data may contain errors, affecting product accuracy and customer confidence. Our innovation depends on vendor products, including data, software, and services. Some offerings require ongoing updates and access to historical data. Many vendors are also competitors, and termination of agreements, changes in terms, or restrictions on data use relating to such vendors could materially harm our business. We use AI technologies from third parties, including AI product engines and open-source software. If we are unable to maintain rights to use these AI technologies on commercially reasonable terms, or if third-party suppliers discontinue or materially change their offerings, we may be forced to acquire or develop alternate AI technologies. Such changes could be difficult and costly to implement, may limit or delay our ability to provide competitive offerings, and could significantly increase our costs. Additionally, reliance on third-party AI suppliers may create switching challenges due to integration complexity, proprietary dependencies, and retraining requirements. Moreover, the risks described above with respect to our own AI systems-including the possibility that such systems generate inaccurate, misleading, biased, or discriminatory content that could harm our reputation and expose us to liability-would similarly apply to AI technologies supplied by third-party vendors and could materially harm us if they occur. We rely on numerous third-party service providers, including for contract labor, SaaS, and data backup facilities. Failure by a provider could disrupt our ability to deliver products and services and require significant costs to internalize functions or find adequate alternatives. For limited products and regions, we are subject to vendor oversight regulations, such as the EU's Digital Operational Resilience Act, which increases compliance obligations and costs. Inadequate due diligence relating to or oversight of third parties, such as failing to detect conflicts of interest, fraud, data breaches, cyberattacks, or legal noncompliance, could result in financial loss, regulatory sanctions, or reputational harm.

Our business performance is influenced by external factors such as economic and financial market trends, credit availability, changing laws or trade policy, currency fluctuations, and geopolitical uncertainties. Extended economic or market downturns, or volatility, interest and inflation rate shifts, and stagflation, among other factors, may dampen investment activity, thereby reducing demand for our products and services. In recent years, uncertain economic conditions, including those caused by tariffs and retaliatory trade measures, have decreased asset values under management and may do so again in the future. Further, market sentiment regarding the impact of AI on software an data company growth prospects has driven meaningful recent sector-wide stock price declines, including Morningstar's. We cannot predict the timing or duration of economic cycles, sector-focused market downturns or the direct and indirect effects or duration of trade or other economic policy impacts on our business, assets, operating results, and financial condition. Our asset-based revenue depends on the value of assets under our advisory services, which fluctuates with market performance. Economic or market declines, reduced inflows, or increased redemptions, driven by market conditions or poor investment performance, can lower asset levels and, consequently, our fee-based revenue. Industry trends toward lower asset-based fees may further impact revenue. Additionally, if investors shift to non-traditional asset classes such as cryptocurrencies, private debt, real estate, structured products, or collectibles, and we cannot effectively incorporate or anticipate their performance, our assets under management may be negatively affected. Many of our license-based customers are asset management and financial advisory firms, whose businesses may be impacted by global market trends. The rise of passive investment strategies may diminish the perceived value of our research on active strategies. Prolonged recessions, financial crises, and other economic uncertainties have in the past and could in the future prompt significant spending cuts and lengthen sales cycles among clients. Industry consolidation has the potential to reduce our client base, and clients may discontinue using our products and services if they fail, merge, or are acquired by non-clients or firms using fewer of our services. These factors may decrease demand for our offerings. Fluctuations in interest rates and central bank decisions have reduced credit issuance in the past and may do so in the future, negatively impacting our credit ratings business. For example, our credit ratings business depends on the volume and value of debt securities issued, making it vulnerable to market volatility, rising interest rates, widening credit spreads, and economic slowdowns. Demand for credit ratings may also decline due to negative publicity, regulatory or political changes, increased use of alternative credit sources, or defaults by major issuers. Our ability to reduce costs in adverse conditions may be limited by our obligations to monitor and maintain outstanding ratings. Our PitchBook business is also subject to cyclical trends specific to the private capital markets. Many of PitchBook's clients are investment banks and other participants in the capital and M&A markets, which are subject to periodic business downturns driven by changes in such markets. During these downturns, they often seek to reduce spending on third-party services, as well as the number of employees, which would directly and adversely affect the length of sales cycles and the number of prospective users for the PitchBook platform. Changing economic conditions or market trends could affect demand for products and services or asset values, which may have a material and adverse effect on our business, operating results, and financial condition.

As a business with international business activities, we are subject to risks related to fluctuations in foreign currency exchange rates. Movements in the exchange rates can impact the US dollar reported value of our revenues, expenses, assets, and liabilities denominated in non-US dollar currencies or where the currency of such items is different than the functional currency of the entity where these items were recorded. In addition, the value of assets in indexed investment products can fluctuate significantly over short periods of time and such volatility may be further impacted by fluctuations in foreign currency exchange rates. We incur expenses for employee compensation and other operating expenses at our non-US locations in the local currency. In the future, if there is an increase or decrease in our international business activities that are recorded in local currencies, our exposure to fluctuations in foreign currency exchange rates may correspondingly increase or decrease, which could materially adversely affect our business, financial condition, or operating results. Although we may in the future decide to undertake foreign exchange hedging transactions, to date, we have not engaged in currency hedging, and we do not currently have any positions in derivative instruments to hedge our currency risk.

We believe our reputation, brand, and the value of our products and services are built on the trust that our users have in our commitment to empowering investor success through independence, transparency, and a long-term focus. Any real or perceived failure to uphold these principles, including lapses in employee integrity or independence, may harm our reputation. Additionally, real or perceived errors in our products or negative customer or employee experiences could further damage our reputation. Our reputation and brand could also be impacted by factors beyond our control, such as negative news about our clients, suppliers, employees, consultants, or competitors, regulatory scrutiny, and adverse publicity about our products or industries that we operate in. Expanding our brand to less mission-aligned products may also harm our reputation or dilute our brand. As our business continues to evolve and expand, we have entered and may in the future enter into business lines and/or arrangements that may raise concerns about potential conflicts of interest or perceived independence failures. We provide ratings and research on our clients' investment products, such as ETFs and mutual funds, and we typically charge a licensing fee to use our ratings. We also provide investment advisory and management services, including through our own series of mutual funds, which expose us to claims that we are both the referee and the player in the same industry. Our issuer-pay model in our credit ratings business and for certain of our other ratings products, for which we receive payments from issuers for our ratings versus from the investor consuming such ratings, may also lead to perceptions that our research and ratings in these areas are not independently determined. Certain of our products and methodologies, including those of Morningstar Sustainalytics, have placed, and may in the future, place us at the center of public debate on sustainability, social, and corporate governance issues, or result in scrutiny of our clients. This scrutiny may affect product demand and may result in negative media coverage, reputational harm, or increased regulatory attention. Failure to effectively and successfully navigate these independence and reputational challenges could adversely affect our business, operating results, and financial condition.