Aon plc: 10-K Risk Factor Changes

Developing and implementing innovative strategies, efficient business practices, and new solutions to current and emerging client needs is important to our business. We may be unsuccessful in developing innovative strategies, or our competitors may be more successful in innovating and delivering services to meet new and existing client needs. Competitors may be able to innovate faster and respond better to evolving client demand and industry conditions, or may price their products in a more attractive manner. Further, new and non- traditional competitors (including “InsurTech” firms utilizing artificial intelligence or 11 11 11 11 11 11 other advanced technologies), our clients’ increasing ability and determination to self-insure, and capital market alternatives to traditional insurance and reinsurance markets create an even more dynamic, competitive, and innovative market environment that could affect our business. If we are unsuccessful in innovating, if we cannot innovate as quickly as our competitors, if we are not able to make sufficient investment in innovation, if new or existing competitors develop more cost-effective or efficient technologies or cause disintermediation (including through the use of artificial intelligence or other emerging technologies), or if our ideas are not accepted in the marketplace, it could have a material adverse effect on our ability to obtain and complete client engagements or on our financial condition and results of operations. For example, we have invested significantly in Aon Business Services and the development of proprietary data and analytics tools including repositories of our global insurance and reinsurance placement information, which we use to help drive results for our clients in the insurance and reinsurance placement process. Our competitors have developed or are developing competing data and analytics tools, and their success in this space may impact our ability to differentiate our own data and analytics tools. Innovations in software, cloud computing, data and analytics, generative and agentic artificial intelligence, or other technologies that alter how our services are delivered could significantly undermine our investment in the business if we are slow to innovate or unable to take advantage of these developments. In addition, innovation in the technology we leverage in our products and business processes, our capabilities, the sources of capital for our clients’ insurance and reinsurance needs, and the entry into new lines of business, services, or products require significant investment and present additional risks to our business, particularly in instances where the technologies and markets are new or developing or where we are new participants in such markets. Such risks include without limitation the investment of significant time and resources; the possibility that these efforts will not be successful or result in reputational damage to us; the possibility that the marketplace does not accept our products or services or that we are unable to retain clients that adopt our new products or services; the risk that our governance process and controls in these new areas may not be effective or consistent with legal, regulatory, or client requirements or expectations and the risk of new or additional liabilities associated with these efforts, including potential E&O or other claims. For example, we continue to invest in artificial intelligence, particularly in generative artificial intelligence tools, and maintain governance and oversight measures regarding its use. Certain use cases of artificial intelligence in our business processes could pose strategic, operational, legal, ethical, regulatory or reputational risks where there may be incorrect outputs or bias in those systems or processes, potential infringement of intellectual property rights, exposure of proprietary or personal information, heightened cybersecurity risks and challenges in safely deploying, governing or controlling artificial intelligence systems or where there is inadequate human oversight.

Developing and implementing innovative strategies, efficient business practices, and new solutions to current and emerging client needs is important to our business. We may be unsuccessful in developing innovative strategies, or our competitors may be more successful in innovating and delivering services to meet new and existing client needs. Competitors may be able to innovate faster and respond better to evolving client demand and industry conditions, or may price their products in a manner that clients find more attractive than Aon’s offerings. Further, new and non- traditional competitors, our clients’ increasing ability and determination to self-insure, and capital market alternatives to traditional insurance and reinsurance markets cause additional forms of competition and innovation that could affect our business. If we are unsuccessful in innovating, if we cannot innovate as quickly as our competitors, if we are not able to make sufficient investment in innovation, if our competitors develop more cost-effective technologies (including through the use of artificial intelligence or other emerging technologies), or if our ideas are not accepted in the marketplace, it could have a material adverse effect on our ability to obtain and complete client engagements. For example, we have invested significantly in Aon Business Services and the development of proprietary data and analytics tools including repositories of our global insurance and reinsurance placement information, which we use to help drive results for our clients in the insurance and reinsurance placement process. Our competitors have or are developing competing data and analytics tools, and their success in this space may impact our ability to differentiate our own data and analytics tools. Innovations in software, cloud computing, data and analytics, generative artificial intelligence, or other technologies that alter how our services are delivered could significantly undermine our investment in the business if we are slow to innovate or unable to take advantage of these developments. In addition, innovation in the technology we leverage in our products and business processes, our capabilities, the sources of capital for our clients’ insurance and reinsurance needs, and the entry into new lines of business, services, or products require significant investment and present additional risks to our business, particularly in instances where the technologies and markets are new or developing or where we are new participants in such markets. Such risks include the investment of significant time and resources; the possibility that these efforts will not be successful and could result in reputational damage to us; the possibility that the marketplace does not accept our products or services or that we are unable to retain clients that adopt our new products or services; and the risk of new or additional liabilities associated with these efforts, including potential E&O or other claims. For example, we continue to invest in artificial intelligence, particularly in generative artificial intelligence tools, and have developed governance and oversight measures regarding its use. Certain use cases of artificial intelligence in our business processes could pose operational, legal or reputational risks where there may be incorrect outputs or bias in those systems or processes, or where there is inadequate human oversight.

We advise our clients on and provide services related to a wide range of subjects and our ability to attract and retain clients is highly dependent upon the external perceptions of our level of service, trustworthiness, business practices, financial condition, and other subjective qualities. Negative perceptions or publicity regarding these matters or others could erode trust and confidence and damage our reputation among existing and potential clients and existing and future employees, which could make it difficult for us to attract new clients and employees and retain existing ones. Negative public opinion could also result from actual or alleged conduct by us or those currently or formerly associated with us. Damage to our reputation, including as a result of negative perceptions or publicity regarding a particular business partner, class of business, environmental matters, climate change, workforce make-up, pay equity, harassment, social justice, cybersecurity, data privacy and data protection, use of artificial intelligence or innovative technology, or our inability to meet commitments or client and stakeholder expectations 12 12 12 12 12 12 with respect to such matters, could affect the confidence of our clients, rating agencies, regulators, stockholders, employees and third parties in transactions that are important to our business adversely affecting our business, financial condition, and operating results.

We advise our clients on and provide services related to a wide range of subjects and our ability to attract and retain clients is highly dependent upon the external perceptions of our level of service, trustworthiness, business practices, financial condition, and other subjective qualities. Negative perceptions or publicity regarding these matters or others could erode trust and confidence and damage our reputation among existing and potential clients and existing and future employees, which could make it difficult for us to attract new clients and employees and retain existing ones. Negative public opinion could also result from actual or alleged conduct by us or those currently or formerly associated with us. Damage to our reputation, including as a result of negative perceptions or publicity regarding a class of business, environmental matters, climate change, workforce make-up, pay equity, harassment, social justice, cyber security, data privacy and data protection, use of artificial intelligence or innovative technology, or our inability to meet commitments or client and stakeholder expectations with respect to such matters, could affect the confidence of our clients, rating agencies, regulators, stockholders, employees and third parties in transactions that are important to our business adversely affecting our business, financial condition, and operating results.

•We are incorporated in Ireland, and Irish law differs from the laws in effect in the U.S. and may afford less protection to holders of our securities. 10 10 10 10 10 10 •As an Irish public limited company, certain capital structure decisions regarding the Company will require the approval of shareholders, which may limit the Company’s flexibility to manage its capital structure. •Irish law requires us to have available “distributable profits” to pay dividends to shareholders and generally to make share repurchases and redemptions.

•We are incorporated in Ireland, and Irish law differs from the laws in effect in the U.S. and may afford less protection to holders of our securities. •As an Irish public limited company, certain capital structure decisions regarding the Company will require the approval of shareholders, which may limit the Company’s flexibility to manage its capital structure. •Irish law requires us to have available “distributable profits” to pay dividends to shareholders and generally to make share repurchases and redemptions.

•We rely on complex information technology systems and networks to operate our business. Any significant system or network disruption due to a breach in the security of our information technology systems could have a negative impact on our reputation, operations, sales, and operating results. •Improper disclosure of confidential, personal, or proprietary data could result in regulatory scrutiny, legal liability, or harm to our reputation. •Regulation in the areas of data privacy, data protection, data management, data transfer, data localization, artificial intelligence, and cybersecurity could increase our costs and affect or limit our business opportunities.

•We rely on complex information technology systems and networks to operate our business. Any significant system or network disruption due to a breach in the security of our information technology systems could have a negative impact on our reputation, operations, sales, and operating results. 10 10 10 10 10 10 •Improper disclosure of confidential, personal, or proprietary data could result in regulatory scrutiny, legal liability, or harm to our reputation.

In many jurisdictions, including in the E.U. and the U.S., we are subject to laws and regulations relating to the collection, use, retention, security, and transfer of the confidential information of third parties, including our clients’ and employees’ confidential information. These laws and regulations are frequently changing and are becoming increasingly complex and sometimes conflict among the various jurisdictions and countries in which we provide services both in terms of substance and enforceability. This makes compliance challenging and expensive. In addition, many privacy laws and related rules and regulations require us to provide individuals with information on how their personal data is used within Aon or collected from our websites. Additionally, certain jurisdictions’ regulations include notice provisions that may require us to inform affected clients or employees, or the applicable regulatory authority, in the event of a breach of confidential information before we fully understand or appreciate the extent of the breach. These disclosure and notice provisions present operational challenges and related risk. In particular, there have been a number of recently adopted privacy laws around the globe including but not limited to significant privacy rulings in the E.U., which have imposed significant changes to the way companies export personal data. New guidance issued by regulators has and will continue to require significant time and resources to implement and may 24 24 24 24 24 24 require significant effort to review changes to IT systems and transfer methods. Non-compliance with new and existing laws could result in proceedings against us by governmental entities or others and additional costs in connection therewith. We expect additional jurisdictions to continue to adopt new regulations in these areas and that existing regulations may be amended as governments continue to legislate in respect of personal data. We have incurred expenses and devoted resources, and will continue to incur expenses and devote resources, to bring our practices into compliance with these regulations and future regulations. Our failure to comply with or successfully implement processes in response to changing regulatory requirements in this area could result in legal liability, proceedings or fines against us by governmental entities or others, or impair our reputation in the marketplace. Further, regulatory initiatives in these areas are more frequently including provisions allowing authorities to impose substantial fines and penalties, and therefore, failure to comply could also have a significant financial impact. A growing number of jurisdictions, particularly in the E.U. and U.S., have introduced and enacted laws and regulations regarding the responsible development and use of artificial intelligence and similar tools. These new regulations and any subsequent laws or regulations may present additional complexity and risk to our business, particularly but not limited to where these laws overlap with privacy laws designed to protect individuals.

One of our significant responsibilities is to maintain the security and privacy of our employees’ and clients’ confidential and proprietary information, including confidential information about our clients’ and employees’ compensation, medical information, and other personally identifiable information. We maintain policies, procedures, and technological safeguards designed to protect the security and privacy of this information, including its timely disposal in connection with applicable regulatory requirements. It is possible that our internal policies, procedures and technical safeguards may not be adequate to ensure that confidential, proprietary or otherwise sensitive information is timely disposed of or deleted in a manner compliant with such policies and applicable law or regulation. We have experienced cyber incidents and cannot eliminate the risk of human error, employee or vendor malfeasance, or cyber-attacks that could result in improper access to or disclosure of confidential, personal, or proprietary information. Such access or disclosure could harm our reputation and subject us to liability under our contracts and laws and regulations that protect personal data, resulting in increased costs, fines, loss of revenue, and loss of clients. The release of confidential information as a result of a security breach, human error, or otherwise could also lead to litigation or other proceedings against us by affected individuals or business partners, or by regulators, and the outcome of such proceedings, which could include penalties or fines, could have a significant negative impact on our business. In many jurisdictions, including in the E.U. and the U.S., we are subject to laws and regulations relating to the collection, use, retention, security, and transfer of this information. These laws and regulations are frequently changing and are becoming increasingly complex and sometimes conflict among the various jurisdictions and countries in which we provide services both in terms of substance and in terms of enforceability. This makes compliance challenging and expensive. In addition, many privacy laws and related rules and regulations require us to provide individuals with information on how their personal data is used within Aon or collected from our websites. Additionally, certain jurisdictions’ regulations include notice provisions that may require us to inform affected clients or employees, or the applicable regulatory authority, in the event of a breach of confidential information before we fully understand or appreciate the extent of the breach. These disclosure and notice provisions present operational challenges and related risk. In particular, there have been a number of recently adopted privacy laws around the globe including in China and Brazil, and significant privacy rulings in the E.U. relating to the “Schrems II” case, which imposed significant changes to the way companies export personal data from the E.U. We have had to implement new requirements set out in these laws within our business before the effective date, requiring significant time and resources. This new guidance issued to firms by the European Regulators has and will continue to require significant time to implement and may require significant effort to review and effect applicable changes to IT systems and transfer methods. Non-compliance with new and existing laws could result in proceedings against us by governmental entities or others and additional costs in connection therewith. We expect additional jurisdictions to continue to adopt new privacy regulations and that existing regulations may be amended as governments continue to legislate in respect of personal data. We have incurred expenses and devoted resources, and will continue to incur expenses and devote resources, to bring our practices into compliance with these regulations and future regulations. Our failure to comply with or successfully implement processes in response to changing regulatory requirements in this area could result in legal liability, result in proceedings or fines against us by governmental entities or others, or impair our reputation in the marketplace. Further, regulatory initiatives in the area of data privacy and data 24 24 24 24 24 24 protection are more frequently including provisions allowing authorities to impose substantial fines and penalties, and therefore, failure to comply could also have a significant financial impact. A growing number of jurisdictions, particularly in the U.S., have introduced and enacted laws and regulations regarding automated decision making that may encompass artificial intelligence and non-artificial intelligence algorithmic tools. These new regulations and any subsequent laws or regulations may present additional complexity and risk to our business, particularly but not limited to where these laws overlap with privacy laws designed to protect individuals.