American Water Works Company Inc.: 10-K Risk Factor Changes

Technology is an integral part of our business and operations, and any failure or disruption of the technology or related systems we implement, including as a result of a cyber incident, could significantly limit our ability to manage and operate our business effectively and efficiently, which, in turn, could cause our business and competitive position to suffer and adversely affect our results of operations. We use technology systems to, among other things, obtain meter readings, bill customers, process orders, provide customer service, and manage certain plant operations and construction projects, including systems to support environmental compliance, provide for the safety of the water distributed to customers, create and manage our financial records and other operational data, track assets, remotely monitor our plants and facilities, and manage human resources, supply chain, inventory, and accounts receivable collections. In addition, we have invested resources to develop and adopt new technologies, including cloud-based systems, which rely on the security of our infrastructure, including hardware and other components provided by third parties, to support the reliability of our services and protect our data. While any failures that we have experienced have not to date had a material adverse effect on our operations, there can be no assurance that efforts to address performance failures or other issues we may experience with implemented technology will be successful in the future and that these or future failures of water meters or other technological issues will not have a material adverse effect on us. Although we do not believe that the technology we have implemented or may in the future implement is at a materially greater risk of failure than that used by other similar organizations, our technology and operations that use or rely on technology, including cloud-based systems, remain vulnerable to damage or interruption from, among other things: failure or interruption of the technology or its related systems; loss or failure of power, internet, telecommunications or data network systems; and operator error or improper operation by, the negligent or improper supervision of, or the intentional acts of, employees, contractors and other third parties. Any or all of these events could have a material adverse impact on our business, results of operations, financial condition and cash flows.

Technology is an integral part of our business and operations, and any failure or disruption of the technology or related systems we implement could significantly limit our ability to manage and operate our business effectively and efficiently, which, in turn, could cause our business and competitive position to suffer and adversely affect our results of operations. We use technology systems to, among other things, bill customers, process orders, provide customer service, manage certain plant operations and construction projects, create and manage our financial records and other operational data, track assets, remotely monitor our plants and facilities, and manage human resources, supply chain, inventory, and accounts receivable collections. As a specific example, we depend on water meters to record and communicate the amount of water our customers use, which information in turn is used to generate customer bills, and in recent years, we have experienced greater than expected performance failures with certain water meters used in the Regulated Businesses. When failures occur, we work with meter manufacturers to determine and address the cause of such failures. While these and other failures that we have experienced have not to date had a material adverse effect on our operations, there can be no assurance that efforts to address performance failures or other issues we may experience with water meters or other implemented technology will be successful in the future and that these or future failures of water meters or other technological issues will not have a material adverse effect on us. Although we do not believe that the technology we have implemented or may in the future implement is at a materially greater risk of failure than that used by other similar organizations, our technology and operations that use or rely on technology remain vulnerable to damage or interruption from, among other things: failure or interruption of the technology or its related systems; loss or failure of power, internet, telecommunications or data network systems; and operator error or improper operation by, the negligent or improper supervision of, or the intentional acts of, employees, contractors and other third parties. Any or all of these events could have a material adverse impact on our business, results of operations, financial condition and cash flows.

Our Code of Ethics requires employees and contractors to make decisions ethically and in compliance with applicable law and regulatory requirements, and our Code of Ethics and its underlying policies, practices and procedures. All employees are required to complete training on and review the Code of Ethics on an annual basis, and violations of the Code of Ethics could result in disciplinary actions up to, and including, termination. Despite these efforts to prevent misconduct, it is possible for employees or contractors to engage in intentional or other misconduct and violate laws and regulations through, among other things, theft, fraud, misappropriation, bribery, corruption and engaging in conflicts of interest or related person transactions, or otherwise committing serious breaches of our Code of Ethics and our policies, practices and procedures. Intentional or other misconduct by employees or contractors could result in substantial liability, higher costs, increased regulatory scrutiny and significant reputational harm, any of which could have a material adverse effect on our financial condition, results of operations and cash flows. 35 35 35 Table of Contents Table of Contents

Our Code of Ethics requires employees and contractors to make decisions ethically and in compliance with applicable law and regulatory requirements, and our Code of Ethics and its underlying policies, practices and procedures. All employees are required to complete training on and review the Code of Ethics on an annual basis, and violations of the Code of Ethics could result in disciplinary actions up to, and including, termination. Despite these efforts to prevent misconduct, it is possible for employees or contractors to engage in intentional misconduct and violate laws and regulations through, among other things, theft, fraud, misappropriation, bribery, corruption and engaging in conflicts of interest or related person transactions, or otherwise committing serious breaches of our Code of Ethics and our policies, practices and procedures. Intentional misconduct by employees or contractors could result in substantial liability, higher costs, increased regulatory scrutiny and significant reputational harm, any of which could have a material adverse effect on our financial condition, results of operations and cash flows. 36 36 36 Table of Contents Table of Contents

There is typically a delay, known as “regulatory lag,” between the time our Regulated Businesses make a capital investment or incur an operating expense increase, including as a result of inflation or other factors, and the time when those costs are reflected in rates. In addition, billings permitted by PUCs typically are, to a considerable extent, based on the volume of water used in addition to a minimum base rate. Thus, we may experience regulatory lag between the time our revenues are affected by declining usage and the time we are able to adjust the rate per gallon of usage to address declining usage. Our inability to mitigate or reduce regulatory lag or the impacts thereof could have an adverse effect on our financial condition, results of operations, cash flows and liquidity. We endeavor to mitigate or reduce regulatory lag by pursuing constructive regulatory practices and certain regulatory mechanisms. See Item 1—Business—Regulated Businesses—Regulation and Rate Making for a discussion of these practices and mechanisms. While these practices and mechanisms may serve to mitigate or reduce regulatory lag in certain of our regulated jurisdictions, we continue to seek approval of regulatory practices and mechanisms to mitigate or reduce regulatory lag in other jurisdictions that have not approved them. Furthermore, PUCs may fail to adopt new surcharges or those permitted by applicable law, and existing practices and mechanisms may not continue in their current form, or at all, and we may be unable or become ineligible to continue to utilize them in the future. Although we intend to continue to seek regulatory PUC approval of practices or mechanisms to mitigate or reduce regulatory lag, our efforts may not be successful in whole or in part, and even to the extent successful, our business, financial condition, results of operations, cash flows and liquidity may be materially and adversely affected by regulatory lag.

There is typically a delay, known as “regulatory lag,” between the time our Regulated Businesses make a capital investment or incur an operating expense increase, including as a result of inflation or other factors, and the time when those costs are reflected in rates. In addition, billings permitted by state PUCs typically are, to a considerable extent, based on the volume of water used in addition to a minimum base rate. Thus, we may experience regulatory lag between the time our revenues are affected by declining usage and the time we are able to adjust the rate per gallon of usage to address declining usage. Our inability to mitigate or reduce regulatory lag or the impacts thereof could have an adverse effect on our financial condition, results of operations, cash flows and liquidity. We endeavor to mitigate or reduce regulatory lag by pursuing constructive regulatory practices. For example, two of our states have approved revenue stability mechanisms that adjust rates periodically to ensure that a utility’s revenue will be sufficient to cover its costs regardless of sales volume, including recognition of declining sales resulting from reduced usage, while providing an incentive for customers to use water more efficiently. In addition, 10 of our state PUCs permit rates to be adjusted outside of the general rate case process through surcharges that address certain capital investments, such as replacement of aging infrastructure. These surcharges are adjusted periodically based on factors such as project completion or future budgeted expenditures, and specific surcharges are eliminated once the related capital investment is incorporated in new PUC-approved rates. Furthermore, in setting rates, nine of our state PUCs allow us to use future test years, which extend beyond the date a general rate case is filed to allow for current or projected revenues, expenses and investments to be reflected in rates on a more timely basis. Other examples of such regulatory practices include expense mechanisms that allow us to increase rates for certain cost increases that are beyond our control, such as purchased water costs, property or other taxes, or costs for power or other fuel, conservation, chemical or other expenditures. These mechanisms enable us to adjust rates in less time after costs have been incurred than would be the case under a general rate case process without the mechanisms. While these mechanisms have mitigated or reduced regulatory lag in several of our regulated states, we continue to seek approval of regulatory practices to mitigate or reduce regulatory lag in those jurisdictions that have not approved them. Furthermore, PUCs may fail to adopt new surcharges and existing mechanisms may not continue in their current form, or at all, or we may be unable or become ineligible to continue to utilize certain of these mechanisms in the future. Although we intend to continue our efforts to seek state PUC approval of constructive regulatory practices to mitigate or reduce regulatory lag, our efforts may not be successful, or even if partially successful, our business, financial condition, results of operations, cash flows and liquidity may be materially and adversely affected.

As owners and operators of critical infrastructure, we face a heightened risk of physical attack and cyber attacks from internal or external sources, including nation-state cyber actors. Our water and wastewater systems have been, and may in the future be, vulnerable to disability or failures as a result of physical or cyber attacks, acts of war or terrorism, vandalism and other causes. By way of example, on October 3, 2024, we identified unauthorized activity within our information technology computer networks and systems, which we determined to be the result of a cybersecurity incident. See Item 7—Management's Discussion and Analysis of Financial Condition and Results of Operations—Other Matters—Cybersecurity Incident, for more information regarding this incident. Our operational and information technology systems are also vulnerable to unauthorized external or internal access, due to hacking, viruses, social engineering attacks, acts of violence, war or terrorism, and other causes. Unauthorized access to confidential information located or stored on these systems could negatively and materially impact our reputation, customers, employees, suppliers and other third parties. Such unauthorized access could be caused through, among other causes, failure to follow established policies and procedures on the part of our employees, agents, vendors, suppliers, contractors or other third parties. Further, third parties, including vendors, suppliers and contractors, who perform certain services for us or administer and maintain our networks and sensitive information, have been, and may in the future be, targets of cyber attacks and unauthorized access to their operational or information technology systems, and any cyber incident affecting our third-party business partners could significantly disrupt our operations. While we believe that we have appropriate security measures and safeguards to protect our operational and information technology systems, the recent cybersecurity incident that we experienced in October 2024 demonstrated that those protections alone may not prevent a cyber attack, and we cannot guarantee that such protections will be completely successful in preventing or mitigating a future cyber attack. The Company has completed its investigation into the scope, nature and impact of the cybersecurity incident and determined the incident did not have a material effect on the Company or its financial condition or results of operations; however, the Company remains subject to various risks as a result of this incident, including those related to litigation, governmental and regulatory scrutiny, including from putative class action lawsuits that have been filed in connection with the recent incident. See Item 3—Legal Proceedings—Cybersecurity Incident Class Action Lawsuits. 28 28 28 Table of Contents Table of Contents Future cybersecurity events could cause our operations to be disrupted, property to be damaged, and customer and other confidential information to be lost or stolen; we could experience substantial loss of revenues, response costs and other financial loss; we would likely suffer a loss or redirection of management time, attention and resources from our regular business operations; we may be subject to increased regulatory requirements; our ability to comply with environmental standards and to continue to provide reliable service to our customers may be impacted; we would likely experience litigation and other claims against us; and we may suffer damage to our reputation, any of which could have a negative impact on our business, financial condition, results of operations and cash flows. Applicable laws and regulations or contracts may require us to report cybersecurity events or breaches of securely maintained confidential data, which may cause us to incur costs related to legal claims or proceedings and regulatory fines or penalties. These types of events, and their resulting impacts, either to our facilities or assets, those of third parties, or the industry in general, may also cause us to incur additional security and insurance related costs. In addition, in the ordinary course of business, we collect and retain sensitive information, including personally identifiable information, about our customers and employees. In many cases, we outsource administration of certain functions to vendors that have been and will continue to be targets of cyber attacks. Any theft, loss or fraudulent use of customer, employee or proprietary data as a result of a cyber attack on us or a vendor, supplier, contractor or other third-party business partner could also subject us to significant litigation, liability and costs, as well as adversely impact our reputation with customers and regulators, among others. We have obtained insurance to provide coverage for a portion of the losses and damages that may result from a physical attack, cyber attack or a security breach, but such insurance is subject to a number of exclusions and may not cover the total loss or damage caused by an attack or a breach. We have incurred, and may continue to incur, certain expenses related to the October 2024 cybersecurity incident, and we maintain a cybersecurity insurance policy as part of our overall insurance program. However, adequate insurance may not be available at rates that we believe are reasonable, and the costs of responding to and recovering from a physical attack, cyber attack or security breach incident may not, in whole or in part, be covered by insurance or recoverable in rates. See Item 1A—Risk Factors Risks Related to our Industry and Business Operations—We may sustain losses that exceed or are excluded from our insurance coverage or for which we are self-insured, below for more information.

As operators of critical infrastructure, we may face a heightened risk of physical and cyber attacks from internal or external sources. Our water and wastewater systems may be vulnerable to disability or failures as a result of physical or cyber attacks, acts of war or terrorism, vandalism or other causes. Our operational and technology systems throughout our businesses may be vulnerable to unauthorized external or internal access, due to hacking, viruses, acts of violence, war or terrorism, and other causes. Unauthorized access to confidential information located or stored on these systems could negatively and materially impact our reputation, customers, employees, suppliers and other third parties. Further, third parties, including vendors, suppliers and contractors, who perform certain services for us or administer and maintain our sensitive information, could also be targets of cyber attacks and unauthorized access to their operational or technology systems. While we have instituted what we believe are reasonable and appropriate safeguards to protect our operational and technology systems, those safeguards may not always be effective due to the evolving nature of cyber attacks and cyber vulnerabilities. We cannot guarantee that such protections will be completely successful to prevent or mitigate a cyber attack. 29 29 29 Table of Contents Table of Contents If, despite our security measures, a significant physical attack or cyber breach occurred, our operations could be disrupted, property damaged, and customer and other confidential information lost or stolen; we could experience substantial loss of revenues, response costs and other financial loss; we could suffer a loss or redirection of management time, attention and resources from our regular business operations; we may be subject to increased regulatory requirements; and we may experience litigation and damage to our reputation, any of which could have a negative impact on our business, results of operations and cash flows. Applicable laws and regulations or contracts may require us to report cybersecurity incidents or breaches or securely maintain confidential data in the event that we experience a physical or cyber security incident. Our efforts to comply with such laws and regulations or contractual provisions, or our failure to do so, may cause us to incur costs related to legal claims or proceedings and regulatory fines or penalties. These types of events, and their resulting impacts, either to our facilities or assets, those of third parties, or the industry in general, could also cause us to incur additional security and insurance related costs. In addition, in the ordinary course of business, we collect and retain sensitive information, including personally identifiable information, about our customers and employees. In many cases, we outsource administration of certain functions to vendors that have been and will continue to be targets of cyber attacks. Any theft, loss or fraudulent use of customer, employee or proprietary data as a result of a cyber attack on us or a vendor could also subject us to significant litigation, liability and costs, as well as adversely impact our reputation with customers and regulators, among others. We have obtained insurance to provide coverage for a portion of the losses and damages that may result from a physical attack, cyber attack or a security breach, but such insurance is subject to a number of exclusions and may not cover the total loss or damage caused by an attack or a breach. In the future, adequate insurance may not be available at rates that we believe are reasonable, and the costs of responding to and recovering from a physical attack, cyber attack or security breach incident may not be covered by insurance or recoverable in rates.

The success of our business is dependent upon our ability to attract, hire and retain highly qualified and skilled employees understanding the needs of the communities in which we serve, including engineers and licensed operators, and water quality, regulatory and management professionals, with desired knowledge, experience and expertise. We may face challenges implementing our human capital management, recruitment and employee succession plans to attract and retain employees based on a number of factors, including, among others, market conditions, retirements and geography. If we are unable to meet these human capital resource challenges, our business, financial condition, results of operations and cash flows may be materially and adversely impacted.

The success of our business is dependent upon our ability to attract, hire and retain highly qualified, skilled and/or diverse talent, including engineers, licensed operators, water quality, regulatory and management professionals who have the desired experience and expertise. Similar to other organizations, the Company may have challenges implementing its human capital management, recruitment and employee succession plans to attract and retain such talent based on a number of factors including, among others, market conditions, retirements and geography. If we are unable to meet these human capital resource challenges, our business, financial condition, results of operations and cash flows may be materially and adversely impacted.