Morningstar (MORN) Risk Factors

We believe innovation in financial information services and investable products available to investors and the various advisers and other intermediaries who serve them continues to accelerate. Developments in technology are fundamentally changing the ways investors, financial intermediaries, and other market participants access data and content, allowing for greater personalization of products customized to individual investor profiles and interests, such as direct indexing and sustainability goals-based investing. These developments can render our existing products less competitive, obsolete or unmarketable. As a result, our future success will continue to depend upon our ability to identify and develop new products and enhancements that address the future needs of our current and target markets and to deliver them in ways that support our customers' investing needs and business models and on our ability to keep pace with the competitive landscape for our products. Our core competencies are around data and research, technology, and design. Morningstar deploys each of these to create unique intellectual property, products, and solutions that clearly convey complex investment information to various investors, including individuals, financial advisors, asset managers, retirement plan providers and sponsors, institutional investors in the private capital markets, and participants in the fixed income markets. Our customers have access to a wide selection of investment data, fundamental equity research, manager research, credit ratings, private capital markets research, and ESG data and research, directly on Morningstar's proprietary desktop or web-based software platforms, or through subscriptions, data feeds, and third-party distributors. Our financial technology solutions also allow advisors to serve investors at all stages of the investing process. Morningstar's managed portfolio offerings help advisors outsource investment selection and asset allocation through proprietary portfolio strategies based on Morningstar's valuation-driven, fundamentals-based approach to investing. Applying its expertise in asset allocation, investment selection, and portfolio construction, our global investment team creates long-term investment strategies built on Morningstar's data and ratings. We also help retirement plan sponsors build high-quality savings programs for employees and advise participants in retirement plans on saving for retirement and choosing plan investments. We believe the breadth and depth of our current service offerings set us apart from our competitors, which we believe is a significant competitive advantage. If we fail to continuously innovate and develop new datasets, research, methodologies, content or software to meet the needs of our customers, or fail to successfully communicate such innovations and developments in our offerings to our customers, our competitive position and business results may suffer. In addition, our reputation could be harmed if we are perceived as not moving quickly enough to meet the changing needs of investors or their financial advisors and may sacrifice new business opportunities or renewals from existing customers. These changing needs include a greater expectation that advice be delivered with a high degree of personalization. Investors are also increasingly focused on the security of data we collect from them, as well as the sharing of their data with third parties. Increased interest in alternative asset classes has also created a need for applicable datasets and analytical expertise. Our competitive position and business results may suffer if other companies have greater breadth of product offerings or are able to successfully and more quickly introduce innovative, proprietary research tools and software, including through the application of AI, that gain attention from our clients. In addition, the value of our products and services may be negatively affected by the increasing amount of information and tools that are available for free, or at low cost, through Internet sources or other low-cost delivery systems, and by the ability of machine learning and other AI systems to process and organize large data sets. The impact of costs-cutting pressures across the industries we serve could lower demand for our products. Also, clients within the financial services industry that strive to reduce their operating costs may seek to reduce their spending on our products and services or may build in-house capability to provide the technology or investment advisory services they would otherwise purchase from us. Although we believe our products and services contain value-added features and functionality that deeply embed them in our customers' workflows, these developments may over time reduce the demand for, or customers' willingness to pay for, certain of our products and services. We must make long-term investments and commit significant resources often before knowing whether those investments will result in products or services that satisfy our clients' needs or generate revenues sufficient to justify the investments. Our software development process is based on frequently rolling out new features so that we can quickly incorporate user feedback. However, at times adoption of new features or enhanced versions is slowed by the significant client investment required for more advanced use cases. In addition, from time to time, we also incur costs to transition clients to new or enhanced products, systems, or services, as well as additional operating expenses supporting multiple platforms for extended periods of time if clients decline to migrate to the new or enhanced products, systems or services. Such transitions can involve material execution risks and challenges and we cannot guarantee that we will successfully adapt our product offerings to meet evolving customer needs or that the transition to such new offerings will be seamless. If we are unable to manage these investments and transitions successfully, our business, financial condition, and results of operations could be materially and adversely affected. As our financial intermediary customers further automate their business processes, their need for our products may change and the technological flexibility and interoperability of our systems may become more important. For example, the COVID-19 pandemic and the increase in remote and hybrid work environments has accelerated advisor and client demand for digital, friction-free technology and experiences with our turnkey asset management platform, shining a light on dated, legacy operational workflows. In addition, there has been an increasing focus on technology not merely supplying additional tools for users, but also offering solutions to specific client problems, such as those we are seeking to address for wealth advisors through bringing together our multiple wealth management capacities around asset management, data aggregation and client portfolio management software. We have a myriad of potential technology investments across our product lines and need to prioritize scarce technology development resources to focus on products that best anticipate the needs and priorities of our customers. In addition, only a limited number of employees have expertise in the software used for certain of our products. The loss of any such employees could negatively impact our development process. Our technology is also heavily dependent on the quality and comprehensiveness of our data and our ability to successfully build analytics, research, and other intellectual property around that data. For example, in order to provide the personalized holistic advice that clients value, we need to collect, organize, and protect large, non-homogenous datasets and synthesize and effectively analyze the insights offered by this data. We are investing significant resources in consolidating our various data assets and improving their usability and deliverability across our platform of products. Our competitive position and business results may suffer if we fail to realize the value and potential of our data assets. Additionally, our ability to continue to innovate and develop new products is reliant on the products of other vendors, including data, software and services vendors. Some of our products and offerings are dependent upon obtaining updates from data vendors as well as dependent on continuing access to current and historical data. Furthermore, many of our vendors are also competitors, and our ability to continue to provide our products and develop new products could be impacted if the vendors terminate our agreements with them or decide to change the terms or restrict use of the data and products, which could materially harm our business.

The steps we have taken to protect our intellectual property may not be adequate to safeguard our brand, proprietary information and competitive advantage. We rely primarily on patent, trademark, copyright, and trade secret rights, as well as contractual protections and technical safeguards, to protect our intellectual property rights and proprietary information. Despite these efforts, third parties may still be able to challenge, invalidate, or circumvent our rights or improperly obtain our proprietary information. Further, we may not be able to effectively utilize trademark, copyright, and trade secret protection in every country in which we offer our services or utilize our intellectual property. We believe our trademark rights with respect to the Morningstar name and logo, along with our subsidiaries' names and logos represent materially valuable intangible assets. From time to time, we encounter jurisdictions in which one or more third parties have a pre-existing trademark registration in certain relevant international classes that may prevent us from registering these or other marks in those jurisdictions. Our continued ability to use the "Morningstar" name or logo, either on a stand-alone basis or in association with certain products or services, could be compromised in those jurisdictions because of these pre-existing registrations. Similarly, from time to time, we encounter situations in certain jurisdictions where one or more third parties are already using the Morningstar name, either as part of a registered corporate name, a registered domain name, or otherwise. Our ability to effectively market certain products and/or services or obtain adequate trademark protection in those locations could be adversely affected by these pre-existing usages. We have from time to time been subject to claims by third parties alleging infringement of their intellectual property rights. Such claims can also be alleged against clients, customers, or distributors of our products or services whom we have agreed to indemnify against third party claims of infringement. The defense of such claims can be costly and consume valuable management time and attention. We may be forced to settle such claims on unfavorable terms, which can include the payment of damages, the entry into royalty or licensing arrangements on commercially unfavorable terms, or the suspension of our ability to offer affected products or services. If litigation were to arise from any such claim, there can be no certainty we would prevail in it. If any of these risks were to materialize, it could have a material adverse effect on our business, financial condition, operating results or reputation. In addition, we are and continue to be susceptible to website spoofing attacks, where fraudulent websites are created to closely resemble our brand, products and offerings and are designed to lure potential clients to share personal sensitive information, such as login credentials, social security numbers, credit card information, bank account numbers, and in some instances send money to individuals portraying to be associated with our entities and brands. In addition to individual losses triggered by these attacks, these spoofing attacks could harm our brand, our reputation and negatively impact our ability to attract new clients and customers.

Our business requires that we securely collect, process, store, and transmit confidential information, including personal information, relating to our operations, customers, employees, and other third parties. We continuously invest in systems, processes, controls, and other security measures designed to guard against the risk of improper access to or release of such information. However, these measures do not guarantee absolute security, and improper access to or release of confidential information may still occur through employee error or malfeasance, system error, other inadvertent release, failure to properly purge and protect data, failure to apply consistent security measures throughout our business or cyberattack. We may be targeted by malicious individuals or groups (including those sponsored by nation-states or terrorist organizations) seeking to attack our products and services or penetrate our network infrastructure to gain access to intellectual property, confidential or personal information, or to facilitate distributed denial of service attacks. While we have dedicated resources responsible for cybersecurity and have implemented systems and processes intended to help identify cyberattacks and protect and remediate security issues in our software and network infrastructure, these attacks have become increasingly frequent, sophisticated, and difficult to detect. Even in cases where an attack is ultimately detected, based on industry data, incidents may go undetected for several months. Our measures may not be adequate or designed to prevent all eventualities or all types or sources of attacks, and we may be vulnerable to circumvention of security systems, denial of service attacks or other cyberattacks, hacking including "hacktivism", "phishing" or other social engineering attacks, computer viruses, ransomware or malware, employee or insider error, employee or vendor malfeasance, physical breaches or other malicious actions. We offer a hybrid work environment, which provides employees with the flexibility to work remotely (and use personal devices) which introduces unique risk management challenges. We may also be impacted by a cyberattack targeting one of our vendors or within our technology supply chain or infrastructure, including cloud providers. Our information technology systems interact with those of customers, vendors, and service providers and collect an increasing amount of confidential data as we expand our product and service offerings. As a result, inadequacies of third party security technologies and practices introduce additional monitoring risk and cost and may only be detected after a security breach has occurred. Additionally, as we continue to offer a hybrid work environment which provides employees with the flexibility to work from remote locations we continue to rely on video conferencing, web conferencing and cloud services in order to operate magnifying the importance of the integrity of our remote access security measures and which may expose us to additional cyber risks. We are subject to regulatory expectations for the oversight of users, vendors and service providers, which further increase our compliance obligations. In addition, the proliferation of personal information privacy regimes across the globe have made scalable and comprehensive compliance practices ever more complex and costly to implement. Any failure to safeguard confidential information or any material cybersecurity failures or incidents in our systems (or the systems of a customer, vendor, or service provider which stores or processes confidential information for which we are responsible, including cloud providers) could cause us to experience reputational harm, loss of customers, regulatory actions, sanctions or other statutory penalties, litigation, or financial losses and increased expenses related to addressing or mitigating the risks associated with any such material failures or incidents. In addition to the risks above, we may also be subject to specific obligations relating to personal information and personal financial information. Our products and websites in certain cases collect, store, process, and transmit personal information about an individual, including financial information such as portfolio holdings, account numbers, and credit card information. Our business also operates across national borders and routinely moves personal information from one jurisdiction to another. Regulators and political leaders in various countries are increasingly interested in restricting cross-border data transfers that they perceive as problematic. We and our customers are often subject to federal, state, and foreign laws relating to privacy, cybersecurity, and data protection. The scope of applicable laws may be uncertain and required practices may be inconsistent with laws of other jurisdictions. Consequently, our business is subject to a variety of continuously evolving and possibly conflicting regulations and customer requirements. Our compliance with these changing and increasingly burdensome regulations and requirements may cause us to incur substantial costs or require us to change our business practices which may impact financial results. If we fail to comply with these regulations or requirements, we may be exposed to litigation expenses and possible significant liability, fees, or fines. For example, in the EU, noncompliance with the General Data Protection Regulation (GDPR) requirements could result in penalties of up to the greater of €20 million or 4% of worldwide revenues. One of Morningstar's core strengths is the ability to collect data and enrich it with data from another part of the business to provide valuable information and insights to investors. As data is accessible across our products, consistent data privacy practices and disclosure becomes more important and challenging. Failure to comply with our public statements or to adequately disclose our privacy or data protection practices could result in costly investigations by governmental authorities, litigation, and fines as well as reputational damage and customer loss. We also from time to time acquire other companies that collect and process personal information. While we perform extensive due diligence on the technology systems and practices of these companies, there can be no assurance that such companies have not suffered data breaches or system intrusions prior to or continuing after our acquisition for which we may be liable. Acquired businesses may not have invested as heavily in such security measures or data privacy controls, and they introduce additional cybersecurity and data privacy risk as their systems are integrated with ours. Even after an acquisition is completed, time is required to integrate the acquired business' technology and processes, which may result in an increased risk of security incidents until the integration for the new business is completed. While we maintain insurance coverage that is intended to address certain aspects of cybersecurity and data protection risks, such coverage may not be sufficient to cover all or the majority of the costs, losses, or types of claims. Our insurance coverage would not extend to any reputational damage, loss of customers, or required improvements to our systems.

Our effective tax rate is based on the mix of income and losses in our U.S. and non-U.S. operations, statutory tax rates, and tax-planning opportunities available in the various jurisdictions in which we operate. We could be subject to changes in our tax rates, the adoption of new U.S. or non-U.S. tax legislation or exposure to additional tax liabilities. Due to economic and political conditions, tax rates in various jurisdictions may be subject to significant change. Our future effective tax rates could be affected by changes in the mix of earnings in countries with differing statutory tax rates including, impacts related to transfer pricing, changes in the valuation of deferred tax assets and liabilities, or changes in tax laws or their interpretation by relevant authorities. Significant judgment is required to evaluate our tax positions. Corporate tax reform, base-erosion efforts, and tax transparency continue to be high priorities in many jurisdictions in which we operate. In October 2021, the Organization for Economic Co-operation and Development (OECD) agreed to a two-pillar approach to global taxation focusing on global profit allocation (Pillar One) and a global minimum tax rate (Pillar Two). In December 2022, the EU member states agreed to implement the OECD's global corporate minimum tax rate of 15% under Pillar Two to be effective in January 2024. Other countries are also considering changes to their tax laws to adopt certain parts of the OECD's proposals. This legislation represents a significant change in the international tax regime and could result in increases to our effective tax rate as a result of the imposition of minimum taxes. We are continuing to monitor developments and administrative guidance in addition to evaluating the potential impact on our consolidated financial statements for future periods.

Morningstar's business plan involves, in part, expansion into new and adjacent product lines to anticipate and meet our customers' needs. Our ability to realize those opportunities in one of our businesses, however, may be hindered by regulatory requirements governing a different business within the Morningstar group. In certain cases, regulatory sanctions against one of our businesses could affect our ability to continue to operate in unrelated regulated areas. In addition, the day-to-day sharing and optimization of the value of our intellectual property across our product lines can be affected by regulatory concerns. Similarly, differences in data privacy regimes and governmental surveillance rights applicable in specific countries significantly affect our workforce location strategy and technology infrastructure in relation to cross-border processing of personally identifiable information of customers, employees and other third parties. Such limitations, which seem likely to proliferate as global consensus regarding regulatory principles wanes, may impact our ability to execute on our strategy. The dynamics of today's geopolitical discourse may also impact business opportunities across different markets. It has been our experience that adoption of many ESG-focused products has been more rapid in European countries than in other parts of the world, and there is more agreement on ESG taxonomies, methodologies, and acceptable sources of data in that market. Customer opinions about such products, or preferences regarding their methodology or approach, are at times impacted by regional or national political trends which may differ significantly. Preferred terminology and information sources may similarly differ from place to place. In such an environment, Morningstar may struggle to maintain its reputation for methodological transparency and consistency which underpins the value and reputation of our research.

Our business and several of our major products are dependent on our ability to provide data, software applications, and other products and services on a current and time-sensitive basis. We rely extensively on our computer systems, database storage facilities, and other network infrastructure, which are located across multiple facilities in the U.S. and globally. Our computer systems, database and network facilities may be vulnerable to external attacks that misappropriate our data, corrupt our databases, or limit access to our information systems. Further, our operations and those of our vendors and customers are at risk of disruptions from numerous factors, including pandemic, violent incident, natural disaster, power loss, terrorist attack, telecommunications and Internet failures, civil unrest, cybersecurity attacks and breaches, and other events beyond our reasonable control. Our exposure to these types of disruptions may be more acute in circumstances where our business activities expose us to potential controversy and opposition, including various ESG-related matters. We are also subject to potential shortcomings in our own business resilience practices, such as failures to fully understand dependencies between different business processes across the locations in which they are performed, inadequate vendor risk assessment and management processes and critical vendor dependencies, concentration of certain critical activities in areas of geopolitical risk, concentration of certain skills and know-how with small groups of key employees, and possibly ineffective recovery strategies in the event of a disruption. As we have grown in recent years through acquisitions and continue to do so in the future, the newly acquired businesses may not have invested in technological infrastructure and disaster recovery to the same extent as we have. As their systems are integrated into ours, a vulnerability could be introduced, which could impact our platforms across the company. We engage third party vendors in several locations, including Colombia, India, and Ukraine, which provide contract labor in support of our operations. If a pandemic, war, natural disaster, violent incident, or another dangerous emergency significantly impacted the safety or communication connectivity of people living in and around these locations and/or at our significant office locations including but not limited to our corporate headquarters in Chicago, Illinois and our data collection, technology, and operational center in Mumbai, India, we might not be able to continue business operations at an acceptable level that would meet all our legal and contractual commitments. Each of these locations has experienced or may in the future experience various types of geopolitical risks and changes in laws and regulations relating to data privacy, security, protection of intellectual property rights, and acceptable telecommunication infrastructure which create uncertainty regarding our long-term operations there. Any extended disruptions to our operations in these locations would make it difficult for us to meet our operating goals. We do have a long-standing relationship with a third-party vendor in Ukraine which provides contract labor in support of development efforts at PitchBook. Our team has provided financial help and other assistance to these individuals and to date, we have been able to maintain the operations conducted by our contractors in Ukraine at an acceptable level. Through advanced preparation and business continuity planning, there has been limited disruption to the operations of PitchBook or our clients' access to the platform. However, the situation remains volatile and our team continues to monitor new developments to guard against negative impacts to our operations. We have shifted the storage of a majority of our data and delivery of several of our products and services to cloud-based delivery systems. We rely on cloud providers and other vendors to maintain, service, and improve our technological infrastructure, which underpins and protects our data, research, and other products and services. Some of these providers have recently experienced widely reported service disruptions that affected numerous customers including ourselves. To defend against these threats, we have implemented a series of controls focusing on both prevention and detection, including firewalls, intrusion detection systems, automated scanning and testing, server hardening, antivirus software, training, and patch management. We make significant investments in servers, storage, and other network infrastructure to prevent incidents of network failure and downtime, but we cannot guarantee that these efforts will work as planned. If disruptions, failures, or slowdowns of these electronic delivery systems or the Internet occur, our ability to distribute our products and services effectively and to serve our customers could be negatively impacted. In addition, the daily activities and productivity of our work force is now closely tied to key vendors, such as video conferencing services, to consistently deliver their services without material disruption. Our ability to deliver information using the Internet and to operate in a hybrid working environment may be impaired because of infrastructure failures, service outages at third-party Internet providers, malicious attacks, or other factors. If disruptions, failures, or slowdowns of these electronic delivery systems or the Internet occur, our ability to distribute our products and services effectively and to serve our customers may be impaired. We primarily rely on a third party to provide backup facilities for our data. We cannot guarantee that these facilities will not be impacted by interruptions in the future. We may not be able to fully recover data or information lost during a database or network facility outage impacting the provider of our backup facilities. Any losses, service disruption, or damages incurred by us could have a material adverse effect on our business, operating results, or financial condition. Although we maintain insurance, at levels we believe to be appropriate, this insurance may not provide adequate protection in the event of a loss. Additionally, the existence, magnitude and impact of the risks we face often remain unknown for substantial periods of time. These risks could damage our brand and reputation, result in litigation, regulatory actions, sanctions or other statutory penalties, lead to loss of customer confidence in our business operations, including the security and reliability of our products, services and system, any of which could harm our ability to retain customers and gain new ones, result in financial losses for which we are not insured or adequately insured, and could lead to increased expenses to address or mitigate any damages or disruptions.

Execution of our business plan requires identifying, attracting, hiring, and on-boarding new qualified employees. Engineering, research, quantitative, fixed income data and credit analysis skill sets are particularly needed to support and strengthen our key product offerings. We experience competition for analysts, technology experts, data and software engineers, and other employees from other companies and organizations. While we have a geographically diversified workforce location strategy, building valued teams in a variety of locations around the globe, we experience recruiting challenges in nearly all our global locations. There are also challenges inherent in effectively managing an increased number of employees over large geographic distances, including the need to implement appropriate systems, policies, benefits and compliance programs. Our talent acquisition activities may place a strain on our human resource management team. We must continue to refine and expand our recruiting capabilities, systems and processes in order to meet our talent acquisition needs in a highly competitive employment market. The development, maintenance, and support of our products and services are also dependent upon the knowledge, skills, experience, and abilities of our existing employees. We invest in our employees' continued development and growth through learning tools, educational stipends, speaker series, mentoring, and other resources to help them chart a fulfilling career at Morningstar. We are also thoughtful about employee engagement and communications to keep our staff focused and motivated by our mission and our company's success. However, changes in labor markets, such as the willingness of some employers to offer fully remote work brought on, in part, by the COVID-19 pandemic, may make it more difficult for us to retain existing employees or maintain traditional workplace arrangements. We require most employees in our business locations to make a commitment to a minimum amount of in-office work, but we remain uncertain as to the long-term effect of such requirements on employee attrition and engagement. We believe the success of our business depends to a significant extent upon the continued service of our senior business and functional leaders and other key employees. However, the talents and experience of these individuals make them attractive candidates to many of our competitors, as well as to early-stage companies that can offer the potential for outsize financial rewards if they are successful. Thus, competition for these employees is intense and the loss of such business leaders could pose substantial challenges to our business. We may not be able to retain these leaders and employees or to develop and retain similar highly qualified personnel in the future, which may cause us to lose potential clients and suffer a decline in revenues. In addition, we are currently exposed to rising wage scales in most of the employment markets in which our facilities are located, which negatively affect our compensation costs. Inflationary pressures, strong stock performance in our sector, and shortages of applicants with certain skills put upward pressure on wages. Shifting preferences regarding remote work flexibility and a backlog of immigration applications may further complicate our talent acquisition efforts. Our future success also depends on the continued service of our executive officers, including Joe Mansueto, our executive chairman and largest shareholder, and Kunal Kapoor, our chief executive officer. The loss of Mansueto, Kapoor, or other executive officers could hurt our business, operating results, or financial condition. We do not have employment agreements or noncompete agreements in place with any of our executive officers. They may leave us and work for our competitors or start their own competing businesses.

We utilize numerous third-party service providers in our operations, including for the provision of contract labor in several locations and backup facilities for our data. A failure by a third-party service provider could expose us to an inability to provide contractual services to our clients in a timely manner. Additionally, if a third-party service provider is unable to provide these services, we may incur significant costs to either internalize some of these services or find a suitable alternative. A failure in the performance of our due diligence processes and controls related to the supervision and oversight of these firms in detecting and addressing conflicts of interest, fraudulent activity, data breaches and cyber-attacks or noncompliance with relevant securities and other laws could cause us to suffer financial loss, regulatory sanctions or damage to our reputation.

We believe that the reputation of our company and our brand generally, as well as the perception of our research and ratings products and services, is based on the trust that users of our products and services have in our commitment to our mission of empowering investor success, our independence of editorial judgment, our insistence on methodological rigor, and our transparency concerning our processes. Any failure to uphold these commitments and standards and real or perceived failure of our customers to have consistently positive experience with us could damage our reputation. Our reputation may also be harmed if any errors are found in our products or services. Our ESG offerings has, and may in the future, put Morningstar in the public debate over a variety of issues surrounding climate, environment, social concerns, and corporate governance. Our position as an independent provider of investor choice may cause proponents of certain causes to question the adequacy, completeness and objectivity of our methodologies and models and of the data underlying them; the timing and nature of changes in our ratings or assessments and in other products, such as indexes, built on these ratings and assessments; the independence of our ratings determinations and editorial decisions and the influence of third parties, including governments and large institutional investors or asset owners, on such determinations or decisions; and our role in and influence upon various investment processes. Our position as a leading source of ESG research and opinions may also cause proponents of various causes to demand that we publicly take stands on a variety of controversial topics perceived by them as relevant to investor success or the evolving expectations of businesses; however, we may believe we are unsuited or unprepared to address some or all of these topics. New research and ratings offerings face a challenge to create objective, understandable methodologies in a rapidly developing field currently without widely accepted standards and for which regulatory oversight is emerging. Our methodologies generally are susceptible to potential claims of imprecision, empirical or methodological error, bias and puffery. We evaluate the potential impact of ESG factors on other companies and risk a claim of hypocrisy if we take or fail to take actions at the company level that are or seem inconsistent with our own sustainability and corporate responsibility policies and practices, including publicly disclosed ESG and climate-related targets and goals. Our failure to successfully navigate these issues as they arise from time to time may have an adverse effect on our reputation and our business. As our business has evolved, we have entered lines of business and business arrangements that may give rise to allegations of conflicts of interest or perceived failures of our independence. We provide ratings, analyst research, and investment recommendations on mutual funds, ETFs and other investment products offered by our institutional clients. While we don't charge asset management firms for their products to be rated, we do charge licensing fees for the use of our ratings. We also provide investment advisory and investment management services, including through our own series of mutual funds, which expose us to the claim that we are acting as both a referee and a player in the investment management industry. In our credit ratings business and Morningstar Sustainalytics' Sustainable Finance Solutions products we are participants in an issuer-pay business model under which we receive payments from issuers for our ratings rather than from the investors who consume such ratings. These payments may create the perception that our ratings and research in these areas are not independently determined. The expansion of our business over time, including through acquisitions, has resulted in greater exposure to governmental regulation across our product lines and risks that acquired businesses may harbor business practices that could harm our brand. In some cases, such as with respect to our credit ratings business, interactions with regulators are extensive and continuous, raising the risk of enforcement investigations and proceedings. To the extent any of those investigations or proceedings result in a finding of misconduct or noncompliance, they could pose a significant reputational risk to us and negatively impact our business. Regardless of source, allegations of improper conduct, whether the ultimate outcome is favorable or unfavorable to us, as well as negative publicity or media reports about Morningstar and its relationships with third parties, whether valid or not, may harm our reputation and damage our business. Our reputation may also be harmed by factors outside of our control, such as news reports about our clients, consultants, or suppliers, adverse publicity about certain types of investment and ratings products generally. We may also suffer brand dilution as our brand becomes associated with an ever more diverse variety of products and services that may align less well with our corporate mission. In addition, any failures by us to continue to instill effectively in our employees the non-negotiable expectation of independence and integrity may devalue our reputation over time and negatively affect both hiring and retention efforts.