---
ticker: AON
company: Aon plc
filing_type: 10-K
year_current: 2026
year_prior: 2025
risks_added: 1
risks_removed: 3
risks_modified: 5
risks_unchanged: 36
source: SEC EDGAR
url: https://riskdiff.com/aon/2026-vs-2025/
markdown_url: https://riskdiff.com/aon/2026-vs-2025/index.md
generated: 2026-05-10
---

# Aon plc: 10-K Risk Factor Changes 2026 vs 2025

> Source: U.S. Securities and Exchange Commission (EDGAR)  
> Generated: 2026-05-10  
> All data extracted directly from official filings. No hallucinated content.

> **[AI-Generated Summary]** The paragraph below was produced by a language
> model and may contain errors. All other content on this page is deterministically
> extracted from the original SEC filing.

> Aon removed three risks related to NFP acquisition integration in the 2026 filing, reflecting completion of that transaction's integration phase. The company added a new risk focused on improper disclosure of confidential and personal data, signaling heightened emphasis on data protection governance. Five risks underwent substantive modifications, including enhanced focus on technology and cybersecurity risks, reputation management, and innovation strategy execution.

---

## Summary

| Status | Count |
|--------|-------|
| New risks added | 1 |
| Risks removed | 3 |
| Risks modified | 5 |
| Unchanged | 36 |

---

## New in Current Filing: Improper disclosure of confidential, personal, or proprietary data could result in regulatory scrutiny, legal liability, or harm to our reputation.

One of our significant responsibilities is to maintain the security and privacy of our employees' and clients' confidential and proprietary information, including confidential information about our clients' and employees' compensation, medical information, and other personally identifiable information. We maintain policies, procedures, and technological safeguards designed to protect the security and privacy of this information, including its timely disposal in connection with applicable regulatory requirements. It is possible that our internal policies, procedures and technical safeguards may not be adequate to ensure that confidential, proprietary or otherwise sensitive information is timely disposed of or deleted in a manner compliant with such policies and applicable law or regulation. We have experienced cyber incidents and cannot eliminate the risk of human error, employee or vendor malfeasance, or cyber-attacks that could result in improper access to or disclosure of confidential, personal, or proprietary information. Such access or disclosure could harm our reputation and subject us to liability under our contracts and laws and regulations that protect personal data, resulting in increased costs, fines, loss of revenue, and loss of clients. The release of confidential information as a result of a security breach, human error, or otherwise could also lead to litigation or other proceedings against us by affected individuals or business partners, or by regulators, and the outcome of such proceedings, which could include penalties or fines, could have a significant negative impact on our business.

---

## No Match in Current: Risks Related to the Acquisition of NFP

*This section from the 2025 filing does not have a high-confidence textual match in 2026. It may have been removed, merged, or substantially reworded.*

- We may not be able to integrate the NFP business successfully or manage the combined business effectively, and many of the anticipated synergies and other benefits may not be realized or may not be realized within the expected time frame.
- We have incurred and may continue to incur significant integration-related costs in connection with the acquisition of NFP.

---

## No Match in Current: We may not be able to integrate the NFP business successfully or manage the combined business effectively, and many of the anticipated synergies and other benefits of acquiring NFP may not be realized or may not be realized within the expected time frame.

*This section from the 2025 filing does not have a high-confidence textual match in 2026. It may have been removed, merged, or substantially reworded.*

We have devoted management attention and resources to integrating our and NFP's business practices so that we can fully realize the anticipated benefits of the NFP acquisition. Nonetheless, the business and assets acquired may not be successful or may require greater resources and investments than originally anticipated. Further, it is possible that the integration process could take longer than anticipated or that the management of the combined organizations and achievement of anticipated synergies could be more difficult than expected. The integration of NFP into our organization could also result in the disruption of ongoing businesses, processes, systems and business relationships or inconsistencies in standards, controls, procedures, practices, policies and compensation arrangements, any of which could adversely affect Aon's ability to achieve the anticipated benefits of the NFP acquisition or otherwise negatively impact our business. The integration process is subject to a number of risks and uncertainties, and no assurance can be given that the anticipated benefits of the acquisition will be realized or, if realized, the timing of their realization. Failure to achieve these anticipated benefits could adversely affect Aon's future businesses, financial condition, results of operations and prospects.

---

## No Match in Current: We have incurred and may continue to incur significant integration-related costs in connection with the acquisition of NFP.

*This section from the 2025 filing does not have a high-confidence textual match in 2026. It may have been removed, merged, or substantially reworded.*

Aon has incurred and expects to continue to incur a number of non-recurring costs associated with the NFP acquisition and combining the operations of the two companies, which could adversely affect Aon's ability to execute its integration plan and achieve the anticipated benefits of the NFP acquisition. Although Aon expects that the elimination of duplicative costs, as well as the realization of other efficiencies related to the integration of the businesses of Aon and NFP, should allow Aon to offset integration-related costs over time, this net benefit may not be achieved in the near term or at all.

---

## Modified: If we are unable to effectively develop and implement innovative strategies, efficiencies and new solutions for our clients, our reputation, ability to compete effectively and financial condition may be adversely affected.

**Key changes:**

- Reworded sentence: "Competitors may be able to innovate faster and respond better to evolving client demand and industry conditions, or may price their products in a more attractive manner."
- Reworded sentence: "Our competitors have developed or are developing competing data and analytics tools, and their success in this space may impact our ability to differentiate our own data and analytics tools."
- Reworded sentence: "Such risks include without limitation the investment of significant time and resources; the possibility that these efforts will not be successful or result in reputational damage to us; the possibility that the marketplace does not accept our products or services or that we are unable to retain clients that adopt our new products or services; the risk that our governance process and controls in these new areas may not be effective or consistent with legal, regulatory, or client requirements or expectations and the risk of new or additional liabilities associated with these efforts, including potential E&O or other claims."

**Prior (2025):**

Developing and implementing innovative strategies, efficient business practices, and new solutions to current and emerging client needs is important to our business. We may be unsuccessful in developing innovative strategies, or our competitors may be more successful in innovating and delivering services to meet new and existing client needs. Competitors may be able to innovate faster and respond better to evolving client demand and industry conditions, or may price their products in a manner that clients find more attractive than Aon's offerings. Further, new and non-traditional competitors, our clients' increasing ability and determination to self-insure, and capital market alternatives to traditional insurance and reinsurance markets cause additional forms of competition and innovation that could affect our business. If we are unsuccessful in innovating, if we cannot innovate as quickly as our competitors, if we are not able to make sufficient investment in innovation, if our competitors develop more cost-effective technologies (including through the use of artificial intelligence or other emerging technologies), or if our ideas are not accepted in the marketplace, it could have a material adverse effect on our ability to obtain and complete client engagements. For example, we have invested significantly in Aon Business Services and the development of proprietary data and analytics tools including repositories of our global insurance and reinsurance placement information, which we use to help drive results for our clients in the insurance and reinsurance placement process. Our competitors have or are developing competing data and analytics tools, and their success in this space may impact our ability to differentiate our own data and analytics tools.
Innovations in software, cloud computing, data and analytics, generative artificial intelligence, or other technologies that alter how our services are delivered could significantly undermine our investment in the business if we are slow to innovate or unable to take advantage of these developments. In addition, innovation in the technology we leverage in our products and business processes, our capabilities, the sources of capital for our clients' insurance and reinsurance needs, and the entry into new lines of business, services, or products require significant investment and present additional risks to our business, particularly in instances where the technologies and markets are new or developing or where we are new participants in such markets. Such risks include the investment of significant time and resources; the possibility that these efforts will not be successful and could result in reputational damage to us; the possibility that the marketplace does not accept our products or services or that we are unable to retain clients that adopt our new products or services; and the risk of new or additional liabilities associated with these efforts, including potential E&O or other claims. For example, we continue to invest in artificial intelligence, particularly in generative artificial intelligence tools, and have developed governance and oversight measures regarding its use. Certain use cases of artificial intelligence in our business processes could pose operational, legal or reputational risks where there may be incorrect outputs or bias in those systems or processes, or where there is inadequate human oversight.

**Current (2026):**

Developing and implementing innovative strategies, efficient business practices, and new solutions to current and emerging client needs is important to our business. We may be unsuccessful in developing innovative strategies, or our competitors may be more successful in innovating and delivering services to meet new and existing client needs. Competitors may be able to innovate faster and respond better to evolving client demand and industry conditions, or may price their products in a more attractive manner. Further, new and non-traditional competitors (including "InsurTech" firms utilizing artificial intelligence or other advanced technologies), our clients' increasing ability and determination to self-insure, and capital market alternatives to traditional insurance and reinsurance markets create an even more dynamic, competitive, and innovative market environment that could affect our business. If we are unsuccessful in innovating, if we cannot innovate as quickly as our competitors, if we are not able to make sufficient investment in innovation, if new or existing competitors develop more cost-effective or efficient technologies or cause disintermediation (including through the use of artificial intelligence or other emerging technologies), or if our ideas are not accepted in the marketplace, it could have a material adverse effect on our ability to obtain and complete client engagements or on our financial condition and results of operations. For example, we have invested significantly in Aon Business Services and the development of proprietary data and analytics tools including repositories of our global insurance and reinsurance placement information, which we use to help drive results for our clients in the insurance and reinsurance placement process. Our competitors have developed or are developing competing data and analytics tools, and their success in this space may impact our ability to differentiate our own data and analytics tools.
Innovations in software, cloud computing, data and analytics, generative and agentic artificial intelligence, or other technologies that alter how our services are delivered could significantly undermine our investment in the business if we are slow to innovate or unable to take advantage of these developments. In addition, innovation in the technology we leverage in our products and business processes, our capabilities, the sources of capital for our clients' insurance and reinsurance needs, and the entry into new lines of business, services, or products require significant investment and present additional risks to our business, particularly in instances where the technologies and markets are new or developing or where we are new participants in such markets. Such risks include without limitation the investment of significant time and resources; the possibility that these efforts will not be successful or result in reputational damage to us; the possibility that the marketplace does not accept our products or services or that we are unable to retain clients that adopt our new products or services; the risk that our governance process and controls in these new areas may not be effective or consistent with legal, regulatory, or client requirements or expectations and the risk of new or additional liabilities associated with these efforts, including potential E&O or other claims. For example, we continue to invest in artificial intelligence, particularly in generative artificial intelligence tools, and maintain governance and oversight measures regarding its use. 
Certain use cases of artificial intelligence in our business processes could pose strategic, operational, legal, ethical, regulatory or reputational risks where there may be incorrect outputs or bias in those systems or processes, potential infringement of intellectual property rights, exposure of proprietary or personal information, heightened cybersecurity risks and challenges in safely deploying, governing or controlling artificial intelligence systems or where there is inadequate human oversight.

---

## Modified: Damage to our reputation could have a material adverse effect on our business.

**Key changes:**

- Reworded sentence: "Damage to our reputation, including as a result of negative perceptions or publicity regarding a particular business partner, class of business, environmental matters, climate change, workforce make-up, pay equity, harassment, social justice, cybersecurity, data privacy and data protection, use of artificial intelligence or innovative technology, or our inability to meet commitments or client and stakeholder expectations with respect to such matters, could affect the confidence of our clients, rating agencies, regulators, stockholders, employees and third parties in transactions that are important to our business adversely affecting our business, financial condition, and operating results."

**Prior (2025):**

We advise our clients on and provide services related to a wide range of subjects and our ability to attract and retain clients is highly dependent upon the external perceptions of our level of service, trustworthiness, business practices, financial condition, and other subjective qualities. Negative perceptions or publicity regarding these matters or others could erode trust and confidence and damage our reputation among existing and potential clients and existing and future employees, which could make it difficult for us to attract new clients and employees and retain existing ones. Negative public opinion could also result from actual or alleged conduct by us or those currently or formerly associated with us. Damage to our reputation, including as a result of negative perceptions or publicity regarding a class of business, environmental matters, climate change, workforce make-up, pay equity, harassment, social justice, cyber security, data privacy and data protection, use of artificial intelligence or innovative technology, or our inability to meet commitments or client and stakeholder expectations with respect to such matters, could affect the confidence of our clients, rating agencies, regulators, stockholders, employees and third parties in transactions that are important to our business adversely affecting our business, financial condition, and operating results.

**Current (2026):**

We advise our clients on and provide services related to a wide range of subjects and our ability to attract and retain clients is highly dependent upon the external perceptions of our level of service, trustworthiness, business practices, financial condition, and other subjective qualities. Negative perceptions or publicity regarding these matters or others could erode trust and confidence and damage our reputation among existing and potential clients and existing and future employees, which could make it difficult for us to attract new clients and employees and retain existing ones. Negative public opinion could also result from actual or alleged conduct by us or those currently or formerly associated with us. Damage to our reputation, including as a result of negative perceptions or publicity regarding a particular business partner, class of business, environmental matters, climate change, workforce make-up, pay equity, harassment, social justice, cybersecurity, data privacy and data protection, use of artificial intelligence or innovative technology, or our inability to meet commitments or client and stakeholder expectations with respect to such matters, could affect the confidence of our clients, rating agencies, regulators, stockholders, employees and third parties in transactions that are important to our business adversely affecting our business, financial condition, and operating results.

---

## Modified: Risks Related to Being an Irish-incorporated Company

**Key changes:**

- Reworded sentence: "As an Irish public limited company, certain capital structure decisions regarding the Company will require the approval of shareholders, which may limit the Company's flexibility to manage its capital structure."

**Prior (2025):**

- We are incorporated in Ireland, and Irish law differs from the laws in effect in the U.S. and may afford less protection to holders of our securities.
- As an Irish public limited company, certain capital structure decisions regarding the Company will require the approval of shareholders, which may limit the Company's flexibility to manage its capital structure.
- Irish law requires us to have available "distributable profits" to pay dividends to shareholders and generally to make share repurchases and redemptions.

**Current (2026):**

- We are incorporated in Ireland, and Irish law differs from the laws in effect in the U.S. and may afford less protection to holders of our securities.
- As an Irish public limited company, certain capital structure decisions regarding the Company will require the approval of shareholders, which may limit the Company's flexibility to manage its capital structure.
- Irish law requires us to have available "distributable profits" to pay dividends to shareholders and generally to make share repurchases and redemptions.

---

## Modified: Risks Related to Technology, Cybersecurity, and Data Protection

**Key changes:**

- Reworded sentence: "Improper disclosure of confidential, personal, or proprietary data could result in regulatory scrutiny, legal liability, or harm to our reputation."

**Prior (2025):**

- We rely on complex information technology systems and networks to operate our business. Any significant system or network disruption due to a breach in the security of our information technology systems could have a negative impact on our reputation, operations, sales, and operating results.
- Improper disclosure of confidential, personal, or proprietary data could result in regulatory scrutiny, legal liability, or harm to our reputation.

**Current (2026):**

- We rely on complex information technology systems and networks to operate our business. Any significant system or network disruption due to a breach in the security of our information technology systems could have a negative impact on our reputation, operations, sales, and operating results.
- Improper disclosure of confidential, personal, or proprietary data could result in regulatory scrutiny, legal liability, or harm to our reputation.
- Regulation in the areas of data privacy, data protection, data management, data transfer, data localization, artificial intelligence, and cybersecurity could increase our costs and affect or limit our business opportunities.

---

## Modified: Regulation in the areas of data privacy, data protection, data management, data transfer, data localization, artificial intelligence, and cybersecurity could increase our costs and affect or limit our business opportunities.

**Key changes:**

- Removed sentence: "One of our significant responsibilities is to maintain the security and privacy of our employees' and clients' confidential and proprietary information, including confidential information about our clients' and employees' compensation, medical information, and other personally identifiable information."
- Removed sentence: "We maintain policies, procedures, and technological safeguards designed to protect the security and privacy of this information, including its timely disposal in connection with applicable regulatory requirements."
- Removed sentence: "It is possible that our internal policies, procedures and technical safeguards may not be adequate to ensure that confidential, proprietary or otherwise sensitive information is timely disposed of or deleted in a manner compliant with such policies and applicable law or regulation."
- Removed sentence: "We have experienced cyber incidents and cannot eliminate the risk of human error, employee or vendor malfeasance, or cyber-attacks that could result in improper access to or disclosure of confidential, personal, or proprietary information."
- Removed sentence: "Such access or disclosure could harm our reputation and subject us to liability under our contracts and laws and regulations that protect personal data, resulting in increased costs, fines, loss of revenue, and loss of clients."

**Prior (2025):**

One of our significant responsibilities is to maintain the security and privacy of our employees' and clients' confidential and proprietary information, including confidential information about our clients' and employees' compensation, medical information, and other personally identifiable information. We maintain policies, procedures, and technological safeguards designed to protect the security and privacy of this information, including its timely disposal in connection with applicable regulatory requirements. It is possible that our internal policies, procedures and technical safeguards may not be adequate to ensure that confidential, proprietary or otherwise sensitive information is timely disposed of or deleted in a manner compliant with such policies and applicable law or regulation. We have experienced cyber incidents and cannot eliminate the risk of human error, employee or vendor malfeasance, or cyber-attacks that could result in improper access to or disclosure of confidential, personal, or proprietary information. Such access or disclosure could harm our reputation and subject us to liability under our contracts and laws and regulations that protect personal data, resulting in increased costs, fines, loss of revenue, and loss of clients. The release of confidential information as a result of a security breach, human error, or otherwise could also lead to litigation or other proceedings against us by affected individuals or business partners, or by regulators, and the outcome of such proceedings, which could include penalties or fines, could have a significant negative impact on our business. In many jurisdictions, including in the E.U. and the U.S., we are subject to laws and regulations relating to the collection, use, retention, security, and transfer of this information. 
These laws and regulations are frequently changing and are becoming increasingly complex and sometimes conflict among the various jurisdictions and countries in which we provide services both in terms of substance and in terms of enforceability. This makes compliance challenging and expensive. In addition, many privacy laws and related rules and regulations require us to provide individuals with information on how their personal data is used within Aon or collected from our websites. Additionally, certain jurisdictions' regulations include notice provisions that may require us to inform affected clients or employees, or the applicable regulatory authority, in the event of a breach of confidential information before we fully understand or appreciate the extent of the breach. These disclosure and notice provisions present operational challenges and related risk. In particular, there have been a number of recently adopted privacy laws around the globe including in China and Brazil, and significant privacy rulings in the E.U. relating to the "Schrems II" case, which imposed significant changes to the way companies export personal data from the E.U. We have had to implement new requirements set out in these laws within our business before the effective date, requiring significant time and resources. This new guidance issued to firms by the European Regulators has and will continue to require significant time to implement and may require significant effort to review and effect applicable changes to IT systems and transfer methods. Non-compliance with new and existing laws could result in proceedings against us by governmental entities or others and additional costs in connection therewith. We expect additional jurisdictions to continue to adopt new privacy regulations and that existing regulations may be amended as governments continue to legislate in respect of personal data. 
We have incurred expenses and devoted resources, and will continue to incur expenses and devote resources, to bring our practices into compliance with these regulations and future regulations. Our failure to comply with or successfully implement processes in response to changing regulatory requirements in this area could result in legal liability, result in proceedings or fines against us by governmental entities or others, or impair our reputation in the marketplace. Further, regulatory initiatives in the area of data privacy and data protection are more frequently including provisions allowing authorities to impose substantial fines and penalties, and therefore, failure to comply could also have a significant financial impact. A growing number of jurisdictions, particularly in the U.S., have introduced and enacted laws and regulations regarding automated decision making that may encompass artificial intelligence and non-artificial intelligence algorithmic tools. These new regulations and any subsequent laws or regulations may present additional complexity and risk to our business, particularly but not limited to where these laws overlap with privacy laws designed to protect individuals.

**Current (2026):**

In many jurisdictions, including in the E.U. and the U.S., we are subject to laws and regulations relating to the collection, use, retention, security, and transfer of the confidential information of third parties, including our clients' and employees' confidential information. These laws and regulations are frequently changing and are becoming increasingly complex and sometimes conflict among the various jurisdictions and countries in which we provide services both in terms of substance and enforceability. This makes compliance challenging and expensive. In addition, many privacy laws and related rules and regulations require us to provide individuals with information on how their personal data is used within Aon or collected from our websites. Additionally, certain jurisdictions' regulations include notice provisions that may require us to inform affected clients or employees, or the applicable regulatory authority, in the event of a breach of confidential information before we fully understand or appreciate the extent of the breach. These disclosure and notice provisions present operational challenges and related risk. In particular, there have been a number of recently adopted privacy laws around the globe including but not limited to significant privacy rulings in the E.U., which have imposed significant changes to the way companies export personal data. New guidance issued by regulators has and will continue to require significant time and resources to implement and may require significant effort to review changes to IT systems and transfer methods. Non-compliance with new and existing laws could result in proceedings against us by governmental entities or others and additional costs in connection therewith. We expect additional jurisdictions to continue to adopt new regulations in these areas and that existing regulations may be amended as governments continue to legislate in respect of personal data.
We have incurred expenses and devoted resources, and will continue to incur expenses and devote resources, to bring our practices into compliance with these regulations and future regulations. Our failure to comply with or successfully implement processes in response to changing regulatory requirements in this area could result in legal liability, proceedings or fines against us by governmental entities or others, or impair our reputation in the marketplace. Further, regulatory initiatives in these areas are more frequently including provisions allowing authorities to impose substantial fines and penalties, and therefore, failure to comply could also have a significant financial impact. A growing number of jurisdictions, particularly in the E.U. and U.S., have introduced and enacted laws and regulations regarding the responsible development and use of artificial intelligence and similar tools. These new regulations and any subsequent laws or regulations may present additional complexity and risk to our business, particularly but not limited to where these laws overlap with privacy laws designed to protect individuals.

---

*Data sourced from SEC EDGAR. Last updated 2026-05-10.*