Stifel Financial (SF) Risk Analysis

The financial services industry faces significant litigation and regulatory risks. Additionally, our litigation and regulatory risks continue to increase as our business expands internationally. Many aspects of our business involve substantial risk of liability. We have been named as a defendant or co-defendant in lawsuits and arbitrations primarily involving claims for damages. The risks associated with potential litigation often may be difficult to assess or quantify, and the existence and magnitude of potential claims often remain unknown for substantial periods of time. Unauthorized or illegal acts or noncompliance with firm policies by our associates could also result in substantial liability. We are also the subject of inquiries, investigations, and proceedings by regulatory and other governmental agencies. In our role as underwriter and selling agent, we may be liable if there are material misstatements or omissions of material information in prospectuses and other communications regarding underwritten offerings of securities. At any point in time, the aggregate amount of existing claims against us could be material. While we do not expect the outcome of any existing claims against us to have a material adverse impact on our business, financial condition, or results of operations, we cannot assure you that these types of proceedings will not materially and adversely affect our company. We do not carry insurance that would cover payments regarding these liabilities, except for insurance against certain fraudulent acts of our associates. Acts of fraud are difficult to detect and deter, and while we believe our supervisory procedures are reasonably designed to detect and prevent violations of applicable laws, rules, and regulations, we cannot assure investors that our risk management procedures and controls will prevent losses from fraudulent activity. In addition, our bylaws provide for the indemnification of our officers, directors, and associates to the maximum extent permitted under Delaware law. In the future, we may be the subject of indemnification assertions under these documents by our officers, directors, or associates who have or may become defendants in litigation. These claims for indemnification may subject us to substantial risks of potential liability. In challenging market conditions, the volume of claims and amount of damages sought in litigation and regulatory proceedings against financial institutions have historically increased. Litigation risks include potential liability under securities laws or other laws for alleged materially false or misleading statements made in connection with securities offerings and other transactions, issues related to our investment recommendations, including the suitability of such recommendations or potential concentration of investments, the inability to sell or redeem securities in a timely manner during adverse market conditions, contractual issues, employment claims, and potential liability for other advice we provide to participants in strategic transactions. Substantial legal liability could have a material adverse financial impact or cause us significant reputational harm, which, in turn, could seriously harm our business and future business prospects. In addition to the foregoing financial costs and risks associated with potential liability, the costs of defending individual litigation and claims and/or regulatory matters continue to increase over time. The amount of attorneys' fees incurred in connection with the defense of litigation and claims and/or regulatory matters could be substantial and might materially and adversely affect our results of operations. See "Item 3 – Legal Proceedings," and Note 18 of the Notes to Consolidated Financial Statements of this Form 10-K for additional information about legal matters.

We have multiple stakeholders, including our shareholders, clients, associates, federal, state, and foreign regulatory authorities, and the communities in which we operate, and these stakeholders will often have differing priorities and expectations regarding environmental, social, and governance matters. For example, individual U.S. states are increasingly developing differing, and sometimes conflicting, rules related to environmental, social, and governance matters, while at the federal level, the SEC has recently stopped pursuing rulemaking efforts focused on certain of these matters. In addition, proxy advisory firms and certain institutional investors who manage investments in public companies may integrate environmental, social, and governance factors into their investment analysis. Frameworks for evaluating such matters remain underdeveloped and vary widely, which may lead to misperceptions of our policies and practices. Organizations that provide ratings information to investors on such matters may also assign unfavorable ratings to Stifel. Stakeholders continue to focus on environmental, social, and governance issues in corporate actions, such as the election of directors and approval of executive compensation. Certain of our clients might also require that we implement additional procedures or standards in these areas in order to continue to do business with them. If we take action in conflict with one or another of those stakeholders' expectations, we could experience an increase in client complaints, a loss of business, or reputational harm. We could also face negative publicity or reputational harm based on the identity of those with whom we choose to do business. Any adverse publicity in connection with environmental, social, and governance issues could damage our reputation, ability to attract and retain clients, associates, and independent advisors, compete effectively, and grow our business. Regulatory scrutiny of disclosure practices for sustainable and values-based investment strategies has been a focus in recent years, though that focus appears to be moderating following the SEC's decision to withdraw proposed rulemaking in this area. Nonetheless, we could still face reputational risk if our investment managers are perceived as making inaccurate or misleading statements regarding the investment strategies of our funds and ETFs, commonly referred to as "greenwashing." Such perceptions or accusations could damage our reputation, result in litigation or regulatory enforcement actions, and adversely affect our business.

We, or our third-party service providers, may develop or incorporate artificial intelligence (AI) technology in certain business processes, products, or services. The development and use of AI presents a number of risks and challenges. The legal and regulatory environment relating to AI is uncertain and rapidly evolving, which could require changes in our potential use and implementation of AI technology, limit our ability to integrate AI, and increase our compliance costs and the risk of non-compliance. Additionally, we may integrate AI into our operations, technology, products, and services in the future. AI models may produce output or take action that is incorrect, infringe on the intellectual property rights of others, or is otherwise harmful. In addition, the complexity of AI models may make it challenging to understand why they generate particular outputs. There can be no assurance that any products or services that utilize AI will be successful or that we will keep pace with the rapid evolution of AI. Further, while we have policies governing the use of AI by our associates and third-party service providers, we cannot guarantee that they will follow such policies when using AI or that such policies will protect us from potential liability relating to our adoption or use of AI technologies. Additionally, others may use AI to increase the frequency and severity of cybersecurity attacks against us or our third-party service providers, which could adversely impact our business and results of operations.

Our operations rely heavily on the secure processing, storage, and transmission of sensitive and confidential financial, personal, and other information in our computer systems and networks. There have been numerous highly publicized cases involving financial services companies reporting the unauthorized disclosure of client or other confidential information in recent years, as well as cyber attacks involving the theft, dissemination, and destruction of corporate information or other assets, in some cases as a result of failure to follow procedures by employees or contractors or as a result of actions by third parties. There have also been numerous highly publicized cases where hackers have requested "ransom" payments in exchange for not disclosing customer information or for restoring access to information or systems. Like other financial services firms, we experience malicious cyber activity directed at our computer systems, software, networks, and its users on a daily basis. This malicious activity includes attempts at unauthorized access, implantation of computer viruses or malware, and denial-of-service attacks. We also experience large volumes of phishing and other forms of social engineering attempted for the purpose of perpetrating fraud against our company, our associates, our advisors, or our clients. Additionally, like many large enterprises, we provide secure remote work capabilities, which can introduce potential cyber vulnerabilities as well. We also face increased cybersecurity risk for a period of time after acquisitions as we transition the acquired entity's historical systems and networks to our standards. We also face additional cybersecurity risk related to an increased focus on mobile and cloud technologies and reliance on external service providers. Our reliance on public cloud services introduces cybersecurity risks, including potential data breaches, unauthorized access, and compromised application programming interfaces (APIs) which could impact the confidentiality, integrity, or availability of our systems and data. Cloud-related risks may also arise from misconfiguration, weaknesses in identity and access controls, vulnerabilities in cloud workloads, and failures or outages at cloud service providers. Likewise, our mobile and web-facing technologies expose us to risks such as data leakage, malicious applications, phishing attacks, and network level threats which pose similar risks. We seek to continuously monitor for and nimbly react to malicious cyber activity, and we develop our systems to protect the confidentiality, integrity, and availability of our data and technology infrastructure from misuse, misappropriation, or corruption. We also rely on numerous third-party service providers to conduct aspects of our business operations and face similar risks relating to those third parties, including operational disruptions, security weaknesses, delayed incident notification, and supply chain risks. Cyber attacks can originate from a variety of sources, including threat actors affiliated with foreign governments, organized crime, or terrorist organizations. Threat actors may also attempt to place individuals within our company or induce associates, clients, or other users of our systems to disclose sensitive information or provide access to our data, and these types of risks may be difficult to detect or prevent. Cybersecurity incidents among financial services firms are on the rise, and the techniques used in these attacks are increasingly sophisticated, change frequently, and are often not recognized until launched. To date, we have not experienced any cybersecurity incidents that we have determined to be material to our business, financial condition, or results of operations. We maintain a suite of layered information security controls, including cyber threat analytics, data encryption and monitoring technologies, anti-malware defenses, and vulnerability management programs. However, any one or combination of these controls could fail to detect, mitigate, or remediate these risks in a timely manner. Despite our implementation of protective measures and our efforts to modify them as circumstances warrant, our computer systems, software, and networks may remain vulnerable to human error, equipment failure, natural disasters, power loss, unauthorized access, supply-chain attacks, distributed denial-of-service (DDoS) attacks, zero-day vulnerabilities, computer viruses and other malicious code, and other events that could result in significant liability, reputational harm, and ongoing disruption to our operations. In addition, although we maintain cybersecurity insurance as one component of our broader risk-mitigation strategy, coverage is subject to policy terms, exclusions, and limits and may be insufficient to cover all losses, including litigation costs or losses that exceed policy limits or are otherwise excluded. Notwithstanding the precautions we take, a cyber attack or other information security breach could jeopardize confidential information we maintain and could cause interruptions in our operations or those of our clients and counterparties, exposing us to liability. As attempted attacks continue to evolve in scope and sophistication, we may be required to expend substantial additional resources to enhance protective measures, investigate and remediate vulnerabilities or other exposures, or communicate about cyber attacks to our customers and regulators. A technological breakdown could interfere with our ability to comply with financial reporting and other regulatory requirements, potentially resulting in disciplinary action by regulators. In addition, successful cyber attacks at other large financial institutions or market participants, whether or not we are directly affected, could erode confidence in financial institutions generally and in our firm specifically, including perceptions of the effectiveness of our security measures, which could reduce demand for our financial products and services. We maintain incident response, business continuity, and remediation programs designed to mitigate these impacts and to support timely regulatory reporting and recovery. Given our high transaction volumes, remote-work environment, and the large number of clients, partners, and counterparties we serve, a cyber attack could occur. Such an attack may persist for an extended period without detection. Investigations can require substantial time and resources, and there may be significant delays before we obtain complete and reliable information. During an extended investigation, we may not know the full extent of the harm or the optimal remediation path, and certain errors or malicious actions could be repeated or compounded before they are identified and remediated, which could significantly increase the costs and consequences of such an attack. Our Security Operations Center is designed to contain attacks and to support incident investigation and remediation, but notwithstanding these capabilities, detection or remediation may be delayed in some circumstances. We may be subject to liability under various data protection and privacy laws. In providing services to clients, we collect, use, store, and transmit sensitive client and associate information, including personal data, and are subject to an evolving matrix of U.S. federal, state, and international privacy and data-protection laws and regulations, including, where applicable, the Gramm-Leach-Bliley Act (GLBA), the EU General Data Protection Regulation (GDPR), and state consumer privacy laws such as the CCPA/CPRA. These laws and regulations are increasing in complexity and may impose obligations related to data security, breach notification, cross-border data transfers, data subject rights, and recordkeeping. If any person, including an associate or a third-party service provider, negligently disregards or intentionally breaches our controls or otherwise mismanages or misappropriates such data, we could incur significant monetary damages, regulatory enforcement actions, fines, and criminal penalties. Unauthorized disclosure of sensitive or confidential client or associate data, whether through system failure, human error, fraud, or third-party compromise, could damage our reputation, cause loss of clients and related revenue, and expose us to substantial liability. Depending on the circumstances giving rise to a breach, this liability may not be subject to contractual limits or exclusions for consequential or indirect damages. Lapses in our cybersecurity or privacy controls, or regulatory findings that our controls are inadequate, could lead to fines, penalties, or other remediation obligations that would compound monetary losses. We maintain a privacy governance framework that includes a designated privacy lead, a documented data inventory and mapping process, privacy impact assessments for high-risk processing, technical controls, such as encryption and data-loss prevention, and contractual requirements for processors and other third parties to meet our security and privacy obligations. Our incident response and escalation procedures incorporate regulatory notification requirements and roles to support timely reporting and cooperation with regulators. The development and use of AI present risks and challenges that could adversely impact our business, financial condition, and results of operations. We, and our third-party service providers, may develop or incorporate AI technology in certain business processes, products, or services. AI-based technology may produce output that is incorrect, biased, infringes on the intellectual property rights of others, or is otherwise harmful; the complexity of AI can make it challenging to explain why particular outputs occur. In addition, others may use AI to increase the frequency or severity of cybersecurity attacks against us or our service providers, which could adversely affect our business and results of operations. We seek to maintain an AI risk management framework that provides a centralized inventory of AI technologies, risk-based classification, security guardrails, and operational requirements prior to deployment. These frameworks seek to include documented requirements for ongoing monitoring, technical and security controls for AI-enabled capabilities, access and privilege controls, and controls to protect the confidentiality, integrity, and availability of systems and data used to develop, deploy, and operate AI. The Written Information Security Program ("WISP") incorporates AI governance and risk management and is subject to periodic independent assessment. For third-party AI technologies, we seek to require appropriate contractual and assurance measures, including data-handling obligations, intellectual property protections, explainability and validation rights, and incident-notification obligations. AI-related risks are evaluated within our broader cybersecurity, operational resilience, and vendor risk programs. The legal and regulatory environment for AI is evolving and could require changes to our use of AI, limiting our ability to integrate AI or increasing compliance costs. While we maintain policies and governance processes for AI, we cannot guarantee that they will be followed in all cases or that they will prevent all liability or harm arising from AI use. We also rely on numerous third parties, including service providers that utilize cloud technologies to conduct other aspects of our business operations, and we face similar risks relating to them. While we conduct security assessments on these third-party service providers, we cannot be certain that their information security protocols are sufficient to withstand a cyber attack or other security breach. We also cannot be certain that we will receive timely notification of such cyber attacks or other security breaches. In addition, in order to access our products and services, our customers may use computers and other devices that are beyond our security control systems.

Our businesses rely extensively on data processing and communications systems, including both third-party and internally developed technology solutions. In addition to better serving clients, the effective use of technology increases efficiency and enables us to reduce costs. Adapting or developing our technology systems to meet new regulatory requirements, client needs, and competitive demands is critical for our business. Introduction of new technology presents challenges on a regular basis. There are significant technical and financial costs and risks in the development of new or enhanced applications, including the risk that we might be unable to effectively use new technologies, adapt our applications to emerging industry standards, or keep applications current as it relates to vulnerabilities and security controls. Our continued success depends, in part, upon our ability to: (i) successfully maintain and upgrade the capability of our technology systems on a regular basis; (ii) maintain the quality of the information contained in our data processing and communications systems; (iii) address the needs of our clients by using technology to provide products and services that satisfy their demands; (iv) retain skilled information technology associates; and (v) ensure that our existing and new technology systems conform to regulatory requirements. Failure of our technology systems to operate appropriately, which could result from events beyond our control, including a systems malfunction or cyber attack, failure by a third-party service provider, or an inability to effectively upgrade those systems or implement new technology-driven products or services, could result in financial losses, liability to clients for non-compliant data processing, and violations of privacy and other laws and regulations, as well as regulatory sanctions.

The SEC's Regulation Best Interest requires, among other things, a broker-dealer to act in the best interest of a retail client when making a recommendation to that client of any securities transaction or investment strategy involving securities. The regulation imposes heightened standards on broker-dealers, and we have incurred substantial costs in order to review and modify our policies and procedures, including associated supervisory and compliance controls. We anticipate that we will continue to incur incremental costs in the future to comply with the standard. In addition to the SEC, various states might consider adopting laws and regulations that would impose new standards of conduct on broker-dealers that differ from the SEC's regulations and could lead to additional implementation costs. Implementation of the SEC regulations, as well as any new state rules that are adopted addressing similar matters, has resulted in (and may continue to result in) increased costs related to compliance, legal, operations, and information technology. Furthermore, certain non-U.S. jurisdictions have imposed heightened standards of conduct, which may have similar impacts on our business in those jurisdictions.

We are engaged in intensely competitive businesses. We compete on the basis of a number of factors, including the quality of our associates and financial advisors, our products and services, pricing (such as execution pricing and fee levels), technology solutions, and location and reputation in relevant markets. Over time, there has been substantial consolidation and convergence among companies in the financial services industry, which has significantly increased the capital base and geographic reach of our competitors. See "Item 1 – Business - Competition" of this Form 10-K for additional information about our competitors. We compete directly with other national full-service broker-dealers, investment banking firms, commercial banks, and investment managers, and to a lesser extent, with discount brokers and dealers and investment advisers. We face competition from more recent entrants into the market, including fintechs, and increased use of alternative sales channels by other firms. Technology has lowered barriers to entry and made it possible for fintechs to compete with larger financial institutions in providing electronic, internet-based, and mobile phone-based financial solutions. This competition has grown significantly over recent years and is expected to intensify. In addition, commercial firms and other non-traditional competitors have applied for banking licenses or have entered into partnerships with banks to provide banking services. We also compete indirectly for investment assets with insurance companies, real estate firms, and hedge funds, among others. Competition from other financial services firms to attract clients or trading volume, through direct-to-investor online financial services, or higher deposit rates to attract client cash balances, could result in pricing pressure or otherwise adversely impact our business and cause our business to suffer. We must monitor the pricing of our services and financial products in relation to competitors and periodically may need to adjust our fees, commissions, margins, or interest rates on deposits to remain competitive. In fixed income markets, regulatory requirements have resulted in greater price transparency, leading to price competition and decreased trading margins. Our trading margins have been further compressed by the shift from high- to low-touch services over time, which has created additional competitive pressure. We believe that price competition and pricing pressures in these and other areas will continue as institutional investors continue to reduce the amounts they are willing to pay, including by reducing the number of brokerage firms they use, and some of our competitors seek to obtain market share by reducing fees, commissions, or margins. Our future success also depends in part on our ability to develop, maintain, and enhance our products and services, including factors such as customer experience, and the pricing and range of our offerings. The financial services industry is continually undergoing rapid technological change with frequent introductions of new technology-driven products and services. If we are not able to develop new products and services, enhance existing offerings, effectively implement new technology-driven products and services, or successfully market these products and services to our customers, our business, financial condition, or results of operations may be adversely affected. Furthermore, both financial institutions and their non-banking competitors face the risk that payments processing and other services could be significantly disrupted by technologies (e.g., AI, online trading platforms, digital payment technologies) that require no intermediation. New technologies have required, and could require us in the future, to spend more to modify or adapt our products to attract and retain clients or to match products and services offered by our competitors, including technology companies. We use, develop, and incorporate within our technology platform and services, systems and tools that incorporate AI and machine learning, including generative AI. Although we strive to establish and maintain appropriate governance and risk management processes, ineffective or inadequate AI development or deployment practices by us or third-party vendors could result in unintended consequences, such as AI algorithms that produce inaccurate output or that are based on biased, incomplete, and/or inaccurate datasets. Despite implementing polices and safeguards to prevent unauthorized disclosures, our use of AI may still pose heightened security and privacy risks, which we seek to mitigate by relying on proprietary or "walled-garden" environments to enhance data protection and operational controls and maintain confidentiality. Any of the foregoing may result in harm to our business, results of operations, or reputation. Compliance with new or changing laws, regulations, or industry standards relating to AI may impose significant operational costs and limit our ability to develop, deploy, or use AI and machine learning technologies.

We have grown our asset management business in recent years, which has increased the risks associated with this business relative to our overall operations. The asset management fees we are paid are dependent upon the value of client assets in fee-based accounts in our Private Client Group segment, as well as assets under management ("AUM") in our asset management business. The value of our fee-based assets and AUM is impacted by market fluctuations and net inflows or outflows of assets. As our Private Client Group clients increasingly show a preference for fee-based accounts over transaction-based accounts, a larger portion of our client assets are more directly impacted by market movements. Therefore, in periods of declining market values, the values of fee-based accounts and AUM may resultantly decline, which would negatively impact our revenues. In addition, below-market investment performance by our funds, portfolio managers, or financial advisors could result in reputational damage that might cause outflows or make it more difficult to attract new investors into our asset management products and thus further impact our business and financial condition. Our asset management fees may also decline over time due to factors such as increased competition and the renegotiation of contracts. In addition, the market environment in recent years has resulted in a shift to passive investment products, which generate lower fees than actively managed products. A continued trend toward passive investments or changes in market values or in the fee structure of asset management accounts would negatively affect our revenues, business, and financial condition.

Maintaining our reputation is critical to attracting and maintaining clients, investors, financial advisors, and other associates. If we fail to address, or appear to fail to address, issues that may give rise to reputational risk, we could significantly harm our business prospects. These issues may include, but are not limited to, any of the risks discussed in this Item 1A, including appropriately dealing with potential conflicts of interest, legal and regulatory requirements, fraud perpetrated against our clients, ethical issues, money laundering, cybersecurity and privacy, record keeping, sales and trading practices, and associate misconduct. In addition, the failure to either sell securities we have underwritten at anticipated price levels or to properly identify and communicate the risks inherent in the products and services we offer could also give rise to reputational risk. A failure or perceived failure to maintain appropriate service and quality standards or to treat clients fairly can result in client dissatisfaction, litigation, and heightened regulatory scrutiny, all of which can lead to lost revenue, higher operating costs, and reputational harm. Negative publicity about us, including information posted on social media and internet forums or published by news organizations, whether or not true, may also harm our reputation. The speed and pervasiveness with which information can be disseminated through these channels, in particular social media, may magnify risk relating to negative publicity. Further, failures at other large financial institutions or other market participants, regardless of whether they relate to our activities, could lead to a general loss of customer confidence in financial institutions that could negatively affect us, including harming the market perception of the financial system in general.

We are engaged in various financial services businesses. As such, we are affected by domestic and international macroeconomic and political conditions, as well as economic output levels, interest and inflation rates, employment levels, prices of commodities, consumer confidence levels, changes in consumer spending, international trade policy, and fiscal and monetary policy. For example, Fed policies determine, in large part, interest rates and the cost of funds which directly affect the returns and fair value on our lending and investing activities. The market impact from such policies can also materially decrease the value of certain of our financial assets, most notably debt securities, as well as our cash flows. In addition, our results of operations may be impacted by governmental policy changes and/or regulatory reform in multiple areas, including tax, international trade, immigration, healthcare, labor, infrastructure, and energy. While there is uncertainty around the timing of many such potential changes, such changes, or any market uncertainty caused by a potential change in governmental policies, may also affect our clients and, directly or indirectly, our business. Furthermore, over the last several years, the federal government has shut down multiple times, in some cases for prolonged periods, and it is possible that the federal government may shut down again in the future. Although the recent government shutdown is not expected to materially affect our results of operations, any prolonged future shutdown could significantly impact business and economic conditions generally or specifically in our key markets, which could have a material adverse effect on our results and financial condition. Macroeconomic conditions may also be negatively affected by domestic or international events, including natural disasters, political unrest, the indirect impact of wars and conflicts, or public health epidemics and pandemics, as well as by several factors in the global financial markets that may be detrimental to our operating results. If we were to experience a period of sustained downturn in the securities markets, credit market dislocations, reductions in the value of real estate, increases in mortgage and other loan delinquencies, or other negative market factors, our revenues and the value of the assets we own could be adversely impacted. Market uncertainty could also cause clients to move their investments to lower margin products, or withdraw them, which could have an adverse impact on our profitability. We could also experience a material reduction in trading volume and lower asset prices in times of market uncertainty, which would result in lower brokerage revenues, including losses on firm inventory, as well as losses on certain of our investments. Conversely, periods of severe market volatility may result in a significantly higher level of transactions and activity which may cause operational challenges that may result in losses. These can include, but are not limited to, trade errors, failed transaction settlements, late collateral calls to borrowers and counterparties, credit losses, or interruptions to our system processing. Periods of reduced revenue and other losses could lead to reduced profitability because certain of our expenses,including our interest expense on debt, lease expenses, and salary expenses, are fixed, and our ability to reduce them over short time periods is limited. We do business in other parts of the world and, as a result, are exposed to risks, including market, litigation, and regulatory compliance risks. Our businesses and revenues derived from non-U.S. operations are subject to risk of loss from currency fluctuations, social or political instability, less established regulatory regimes, changes in governmental or central bank policies, downgrades in the credit ratings of sovereign countries, expropriation, nationalization, confiscation of assets, and unfavorable legislative, economic, and political developments. Action or inaction in any of these operations, including failure to follow proper practices with respect to regulatory compliance and/or corporate governance, could harm our operations and our reputation. We also invest or trade in the securities of corporations located in non-U.S. jurisdictions. Revenues from trading non-U.S. securities also may be subject to negative fluctuations as a result of the previously mentioned factors.