--- ticker: BRO company: Brown & Brown Inc. filing_type: 10-K year_current: 2025 year_prior: 2024 risks_added: 4 risks_removed: 0 risks_modified: 8 risks_unchanged: 25 source: SEC EDGAR url: https://riskdiff.com/bro/2025-vs-2024/ markdown_url: https://riskdiff.com/bro/2025-vs-2024/index.md generated: 2026-05-10 --- # Brown & Brown Inc.: 10-K Risk Factor Changes 2025 vs 2024 > Source: U.S. Securities and Exchange Commission (EDGAR) > Generated: 2026-05-10 > All data extracted directly from official filings. No hallucinated content. > **[AI-Generated Summary]** The paragraph below was produced by a language > model and may contain errors. All other content on this page is deterministically > extracted from the original SEC filing. > Brown & Brown added four new risk disclosures in 2025 focused on third-party vendor dependencies, foreign currency exposure, credit rating impacts, and accounting estimate volatility, while maintaining all 25 existing risks and substantively revising eight others including non-U.S. regulatory compliance, shareholder control, and data privacy requirements. The company eliminated no previously disclosed risks, indicating a net expansion of risk factor coverage rather than a reassessment of existing exposures. The modifications to non-U.S. compliance and data privacy risks suggest heightened attention to regulatory and operational complexity in these areas. --- ## Summary | Status | Count | |--------|-------| | New risks added | 4 | | Risks removed | 0 | | Risks modified | 8 | | Unchanged | 25 | --- ## New in Current Filing: WE RELY ON A LARGE NUMBER OF VENDORS AND OTHER THIRD PARTIES TO PERFORM KEY FUNCTIONS OF OUR BUSINESS OPERATIONS AND TO PROVIDE SERVICES TO OUR CUSTOMERS. THESE VENDORS AND THIRD PARTIES MAY ACT OR FAIL TO ACT IN WAYS THAT COULD HARM OUR BUSINESS. We rely on a large number of vendors and other third parties to provide services, data and information such as technology, information security, funds transfers, business process management, and administration and support functions that are critical to the operations of our business. These third parties include agents and other brokers and intermediaries, insurance markets, data providers, payroll service providers, software and system vendors, health plan providers, custodians, risk modeling providers, and providers of human resource functions. Some of these providers are located outside the U.S., which exposes us to business disruptions and political risks inherent when conducting business outside of the U.S. As we do not control many of the actions of these third parties, we are subject to the risk that their decisions, actions, inactions or operations may adversely impact us and replacing these service providers could create significant delay in services or operations and/or additional expense A failure by the third parties to: (i) comply with service level agreements in a high quality and timely manner, particularly during periods of our peak demand for their services, (ii) maintain adequate internal controls that may impact our own financial reporting, or (iii) adequately maintain the confidentiality of any of our data or trade secrets or adequately protect or properly use other intellectual property to which they may have access, could result in economic, financial and/or reputational harm to us. These third parties also face their own technology, operating, business and economic risks, and any significant failures by them, including the improper use or disclosure of our confidential customer, employee, or Company information or failure to comply with applicable law, could cause harm to our reputation or otherwise expose us to financial liability. An interruption in or the cessation of service by any service provider as a result of systems failures, capacity constraints, non-compliance with legal, regulatory or contractual obligations, financial difficulties or for any other reason could disrupt our operations, impact our ability to offer certain products and services, and result in contractual or regulatory penalties, liability claims from customers or employees, damage to our reputation and harm to our business. --- ## New in Current Filing: FLUCTUATIONS IN FOREIGN CURRENCY EXCHANGE RATES MAY ADVERSELY AFFECT OUR FINANCIAL PERFORMANCE AND OUR RESULTS OF OPERATIONS. Our non-U.S. operations are conducted primarily in the local currencies of the respective countries in which we operate. Our Consolidated Financial Statements are denominated in U.S. dollars, and to prepare those financial statements we must translate certain financial results from local currencies into U.S. dollars using exchange rates for the current period. Fluctuations in currency exchange rates that are unfavorable may have an adverse effect on our results of operations. As a result of such translations, fluctuations in currency exchange rates from period-to-period that are unfavorable to us could result in our Consolidated Financial Statements reflecting adverse period-over-period changes in our financial performance or reflecting a period-over-period improvement in our financial performance that is not as robust as it would be without such fluctuations in the currency exchange rates. We may use derivative instruments, such as foreign currency forward and option contracts, to hedge certain exposures to fluctuations in foreign exchange rates. The use of such hedging activities may not be effective to offset any, or more than a portion, of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. --- ## New in Current Filing: A DOWNGRADE TO OUR CORPORATE CREDIT RATING, THE CREDIT RATINGS OF OUR OUTSTANDING DEBT OR OTHER MARKET SPECULATION MAY ADVERSELY AFFECT OUR BORROWING COSTS AND FINANCIAL FLEXIBILITY. A downgrade in our corporate credit rating or the credit ratings of our debt would increase our borrowing costs, including those under our credit facility, and reduce our financial flexibility. Real or anticipated changes in our credit ratings will generally affect any trading market for, or trading value of, our securities. Such changes could result from any number of factors, including the modification by a credit rating agency of the criteria or methodology it applies to particular issuers, a change in the agency's view of us or our industry, or as a consequence of actions we take to implement our corporate strategies. If we need to raise capital in the future, any credit rating downgrade could negatively affect our financing costs or access to financing sources. A change in our credit rating could also adversely impact our competitive position. In addition, under the indentures for our Senior Notes, if we experience a ratings decline together with a change of control event, we would be required to offer to purchase these notes from holders unless we had previously redeemed those notes. We may not have sufficient funds available or access to funding to repurchase tendered notes in that event, which could result in a default under the notes. Any future debt that we incur may contain covenants regarding repurchases in the event of a change of control triggering event. --- ## New in Current Filing: CHANGES IN OUR ACCOUNTING ESTIMATES AND ASSUMPTIONS COULD NEGATIVELY AFFECT OUR FINANCIAL POSITION AND RESULTS OF OPERATIONS. We prepare our Consolidated Financial Statements in accordance with U.S. GAAP. These accounting principles require us to make estimates and assumptions that affect the reported amounts of assets and liabilities, and the disclosure of contingent assets and liabilities at the date of our Consolidated Financial Statements. We are also required to make certain judgments that affect the reported amounts of revenues and expenses during each reporting period. We periodically evaluate our estimates and assumptions including those relating to revenue recognition, valuation of goodwill and intangibles, and non-cash stock-based compensation. We base our estimates on historical experience and various forward assumptions that we believe to be reasonable based on specific circumstances. These assumptions and estimates involve the exercise of judgment and discretion, which may evolve over time in light of operational experience, regulatory direction, developments or changes in accounting principles or standards, and other factors. Actual results could differ from these estimates, or changes in assumptions, estimates, policies, or developments in the business may change our initial estimates, which could materially affect our Consolidated Financial Statements. --- ## Modified: THE RISK OF NON-COMPLIANCE WITH NON-U.S. LAWS, REGULATIONS AND POLICIES COULD ADVERSELY AFFECT OUR RESULTS OF OPERATIONS, FINANCIAL CONDITION OR STRATEGIC OBJECTIVES. **Key changes:** - Reworded sentence: "We have completed several acquisitions that have introduced us to various new geographic markets, subjecting us to additional non-U.S." **Prior (2024):** In 2022, the Company acquired GRP (Jersey) Holdco Limited and its business and the general insurance operating companies of BdB Limited companies and in 2023 Kentro Capital Limited (the "Acquisitions"). The Acquisitions introduce us to several new geographic markets, subjecting us to additional non-U.S. laws, regulations and policies which did not previously apply to us. These laws and regulations are complex, change frequently, have become more stringent over time, could increase our cost of doing business, and could result in conflicting legal requirements. These laws and regulations include international labor and employment laws and data privacy requirements. We will be subject to the risk that we, our employees and our agents may take actions determined to be in violation of any of these laws, regulations or policies, for which we might be held responsible. Actual or alleged violations could result in substantial fines, sanctions, civil or criminal penalties, curtailment of operations in certain jurisdictions, competitive or reputational harm, litigation or regulatory action and other consequences that might adversely affect our results of operations, financial condition or strategic objectives. **Current (2025):** We have completed several acquisitions that have introduced us to various new geographic markets, subjecting us to additional non-U.S. laws, regulations and policies which did not previously apply to us. These laws and regulations are complex, change frequently, have become more stringent over time, could increase our cost of doing business, and could result in conflicting legal requirements. These laws and regulations include international labor and employment laws and data privacy requirements. We will be subject to the risk that we, our employees and our agents may take actions determined to be in violation of any of these laws, regulations or policies, for which we might be held responsible. Actual or alleged violations could result in substantial fines, sanctions, civil or criminal penalties, curtailment of operations in certain jurisdictions, competitive or reputational harm, litigation or regulatory action and other consequences that might adversely affect our results of operations, financial condition or strategic objectives. 18 18 18 --- ## Modified: CERTAIN OF OUR SHAREHOLDERS HAVE SIGNIFICANT CONTROL. **Key changes:** - Reworded sentence: "At December 31, 2024, our executive officers, directors and certain of their family members collectively beneficially owned approximately 15.6% of our outstanding common stock, of which J." - Reworded sentence: "Barrett Brown, our executive vice president and the president of our Retail segment, beneficially owned approximately 15.0%." **Prior (2024):** At December 31, 2023, our executive officers, directors and certain of their family members collectively beneficially owned approximately 16.3% of our outstanding common stock, of which J. Hyatt Brown, our chairman of the board, and his sons, J. Powell Brown, our president and chief executive officer, and P. Barrett Brown, our executive vice president and the president of our Retail segment, beneficially owned approximately 15.8%. As a result, our executive officers, directors and certain of their family members have significant influence over (i) the election of our board of directors, (ii) the approval or disapproval of any other matters requiring shareholder approval and (iii) our affairs and policies. **Current (2025):** At December 31, 2024, our executive officers, directors and certain of their family members collectively beneficially owned approximately 15.6% of our outstanding common stock, of which J. Hyatt Brown, our chairman of the board, and his sons, J. Powell Brown, our president and chief executive officer, and P. Barrett Brown, our executive vice president and the president of our Retail segment, beneficially owned approximately 15.0%. As a result, our executive officers, directors and certain of their family members have significant influence over (i) the election of our board of directors, (ii) the approval or disapproval of any other matters requiring shareholder approval and (iii) our affairs and policies. 17 17 17 --- ## Modified: CHANGES IN DATA PRIVACY AND PROTECTION LAWS AND REGULATIONS, OR ANY FAILURE TO COMPLY WITH SUCH LAWS AND REGULATIONS, COULD ADVERSELY AFFECT OUR BUSINESS AND FINANCIAL RESULTS. **Key changes:** - Reworded sentence: "We are subject to a variety of continuously evolving and developing laws and regulations globally regarding privacy, data protection and data security, including those related to the collection, storage, retention, handling, use, processing, disclosure, transfer, destruction and security of personal data." - Reworded sentence: "For example, the European Union's General Data Privacy Regulation ("GDPR") requires companies to satisfy requirements regarding the handling of personal and sensitive data, including its processing, protection and the ability of persons whose data is stored to correct or delete such data about themselves." - Reworded sentence: "Additionally, a judgement by the Court of Justice of the European Union on Schrems II made cross border data transfers to organizations outside of the European Economic Area more onerous and uncertain." - Reworded sentence: "have enacted and are proposing new and more robust privacy and cybersecurity laws and regulations in light of the broad-based cyber-attacks at a number of companies, including the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies and the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act." - Reworded sentence: "We expect that there will continue to be new proposed laws and regulations concerning data privacy and security, and we cannot yet determine the impact such future laws, regulations and standards may have on our business." **Prior (2024):** We are subject to a variety of continuously evolving and developing laws and regulations globally regarding privacy, data protection and data security, including those related to the collection, storage, retention, handling, use, processing, disclosure, transfer and security of personal data. Significant uncertainty exists as privacy and data protection laws evolve and may be interpreted and applied differently from country to country and may create inconsistent or conflicting requirements. These laws apply to transfers of information among our affiliates, as well as to transactions we enter into with third-party vendors. For example, the European Union adopted a comprehensive General Data Privacy Regulation ("GDPR") in May 2016, which replaced the former EU Data Protection Directive and related country-specific legislation. The GDPR became fully effective in May 2018 and requires companies to satisfy new requirements regarding the handling of personal and sensitive data, including its processing, protection and the ability of persons whose data is stored to correct or delete such data about themselves. Failure to comply with GDPR requirements could result in penalties of up to 4% of worldwide revenue. Complying with the enhanced obligations imposed by the GDPR may result in significant costs to our business and require us to revise certain of our business practices. Additionally, a judgement by the Court of Justice of the European Union on Schrems II has made cross border data transfers to organizations outside of the European Economic Area more onerous and uncertain. In addition, legislators and regulators in the U.S. have enacted and are proposing new and more robust privacy and cybersecurity laws and regulations in light of the recent broad-based cyber-attacks at a number of companies, including but not limited to the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies, the California Consumer Privacy Act of 2018 and the California Privacy Rights Act. Some states provide right of action for data breaches or for collection of certain categories of personal information without consent, which may result in increased litigation. Many statutory requirements, both in the United States and abroad, include obligations for companies to notify individuals of security breaches involving certain personal information, which could result from breaches experienced by us or our vendors. In addition to government regulation, privacy advocates and industry groups have and may in the future propose self-regulatory standards from time to time. These and other industry standards may legally or contractually apply to us, or we may elect to comply with such standards. We expect that there will 17 17 continue to be new proposed laws and regulations concerning data privacy and security, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. Data protection laws also include strict notification requirements for organizations related to confirmed or suspected breaches. With such a limited time available to validate indicators, there is an increased risk of reporting a false alarm or immaterial breach, which may lead to reputational damage despite there not being an actual data breach. These and similar initiatives around the world could increase the cost of developing, implementing or securing our servers and require us to allocate more resources to improved technologies, adding to our technology and compliance costs. In addition, enforcement actions and investigations by regulatory authorities related to data security incidents and privacy violations continue to increase. The enactment of more restrictive laws, rules, regulations or future enforcement actions or investigations could impact us through increased costs or restrictions on our business, and noncompliance could result in regulatory penalties and significant legal liability. **Current (2025):** We are subject to a variety of continuously evolving and developing laws and regulations globally regarding privacy, data protection and data security, including those related to the collection, storage, retention, handling, use, processing, disclosure, transfer, destruction and security of personal data. Significant uncertainty exists as privacy and data protection laws evolve and may be interpreted and applied differently from jurisdiction to jurisdiction may create inconsistent or conflicting requirements. These laws apply to transfers of information among our affiliates, as well as to transactions we enter into with third-party vendors. For example, the European Union's General Data Privacy Regulation ("GDPR") requires companies to satisfy requirements regarding the handling of personal and sensitive data, including its processing, protection and the ability of persons whose data is stored to correct or delete such data about themselves. Failure to comply with GDPR requirements could result in penalties of up to 4% of worldwide revenue. Additionally, a judgement by the Court of Justice of the European Union on Schrems II made cross border data transfers to organizations outside of the European Economic Area more onerous and uncertain. In addition, legislators and regulators in the U.S. have enacted and are proposing new and more robust privacy and cybersecurity laws and regulations in light of the broad-based cyber-attacks at a number of companies, including the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies and the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act. Some jurisdictions provide right of action for data breaches or for collection of certain categories of personal information without consent, which may result in increased litigation. We expect additional jurisdictions to continue to adopt new privacy regulations and that existing regulations may be amended as governments continue to legislate with respect to personal data. Additionally, we are also subject to the terms of our privacy policies and contractual obligations to third parties related to privacy, data protection and information security. We also expect to be subject to a variety of laws and regulations governing AI and RPA, such as the EU AI Act, which was enacted in August 2024. These laws and regulations are still evolving, and while we are assessing how regulators may apply existing consumer protection, data protection and other similar laws to AI, there is uncertainty regarding the scope of new laws and how existing laws will apply. Due to this uncertainty, we may face challenges complying with existing and new laws, and our policies and governance frameworks may not be successful in mitigating these risks. Many statutory requirements, both in the United States and abroad, include obligations for companies to notify individuals of security breaches involving certain personal information, which could result from breaches experienced by us or our vendors. In addition to government regulation, privacy advocates and industry groups have and may in the future propose self-regulatory standards from time to time. These and other industry standards may legally or contractually apply to us, or we may elect to comply with such standards. We expect that there will continue to be new proposed laws and regulations concerning data privacy and security, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. Data protection laws also include strict notification requirements for organizations related to confirmed or suspected breaches. With such a limited time available to validate indicators, there is an increased risk of reporting a false alarm or immaterial breach, which may lead to reputational damage despite there not being an actual data breach. These and similar initiatives around the world could increase the cost of developing, implementing or securing our servers and require us to allocate more resources towards enhanced technologies, further contributing to our technology and compliance costs. In addition, enforcement actions and investigations by regulatory authorities related to data security incidents and privacy violations continue to increase. The enactment of more restrictive laws, rules, regulations or future enforcement actions or investigations could impact us through increased costs or restrictions on our business, and noncompliance could result in regulatory penalties and significant legal liability. --- ## Modified: WE DERIVE OUR COMMISSION REVENUES FROM A LIMITED NUMBER OF INSURANCE COMPANIES AND INTERMEDIARIES, THE LOSS OF WHICH COULD RESULT IN LOSS OF CAPACITY TO WRITE BUSINESS, ADDITIONAL EXPENSE AND LOSS OF MARKET SHARE OR A MATERIAL DECREASE IN OUR COMMISSIONS. **Key changes:** - Reworded sentence: "For the years ended December 31, 2024, 2023 and 2022, no more than 5% of our total core commissions was derived from insurance policies underwritten by one insurance company." **Prior (2024):** For the year ended December 31, 2023, 2022 and 2021, no more than 5.0% of our total core commissions was derived from insurance policies underwritten by one insurance company. Should any insurance company seek to terminate its arrangements with us or to otherwise decrease the number of insurance policies underwritten for us, we believe that other insurance companies are available to underwrite the business, although some additional expense and loss of market share could result. **Current (2025):** For the years ended December 31, 2024, 2023 and 2022, no more than 5% of our total core commissions was derived from insurance policies underwritten by one insurance company. Should any insurance company or intermediary seek to terminate its arrangements with us or to otherwise decrease the number of insurance policies underwritten for us, we believe that other insurance companies or intermediaries are available to underwrite the business, although some additional expense and loss of market share could result. --- ## Modified: OUR INABILITY TO HIRE, RETAIN AND DEVELOP QUALIFIED EMPLOYEES, AS WELL AS THE LOSS OF ANY OF OUR EXECUTIVE OFFICERS OR OTHER KEY EMPLOYEES, COULD NEGATIVELY IMPACT OUR ABILITY TO RETAIN EXISTING BUSINESS, GENERATE NEW BUSINESS AND/OR INNOVATE. **Key changes:** - Reworded sentence: "There is significant competition within the insurance industry and from businesses outside the industry for exceptional employees, especially in key positions." - Reworded sentence: "Our success and future performance depend in part upon the continued services of our executive officers, senior management, and other highly skilled personnel." - Reworded sentence: "Competition for skilled professionals remains intense, and employers are implementing new offerings to attract talent, including increasing compensation, enhancing health and wellness solutions, and providing in-office and remote work options." - Reworded sentence: "Similarly, if an employee joins us from a competitor and is subject to enforceable restrictive covenants, we may be delayed in optimizing the employee's potential." **Prior (2024):** Our success depends on our ability to attract, retain and develop skilled and experienced personnel. There is significant competition from within the insurance industry and from businesses outside the industry for exceptional employees, especially in key positions. If we are not able to successfully attract, retain, develop and motivate our employees, our business, financial results and reputation could be materially and adversely affected. Our success and future performance depends in part upon the continued services of our executive officers, senior management, and other highly skilled personnel. Losing employees who manage or support substantial customer relationships or possess substantial experience or expertise could adversely affect our ability to secure and complete customer engagements, which would adversely affect our results of operations. This risk may be increased by remote or hybrid working arrangements, which may make our employees more vulnerable to solicitations by competing firms. Also, if any of our key employees were to join an existing competitor or form a competing company, some of our customers could choose to use the services of that competitor instead of our services. While our key employees are generally prohibited by contract from soliciting our employees and customers for a two-year period following separation from employment with us, they are not prohibited from competing with us. Similarly, if an employee joins us from a competitor and is subject to enforceable restrictive covenants, we may be delayed in optimizing the employee's potential. In addition, regulation or legislation impacting the workforce or the ability to enforce employment-related restrictive covenants (due to state or federal laws or regulations), may lead to increased uncertainty and competition for talent. In addition, we could be adversely affected if we fail to adequately plan for the succession of our senior leaders and key executives. The succession plans and employment arrangements we have in place with certain key executives do not guarantee that the services of these executives will continue to be available to us. The loss of our senior leaders or other key employees, or our inability to continue to identify, recruit and retain such personnel, could materially and adversely affect our business, results of operations and financial condition. **Current (2025):** Our success depends on our ability to attract, retain and develop skilled and experienced personnel. There is significant competition within the insurance industry and from businesses outside the industry for exceptional employees, especially in key positions. If we are not able to successfully attract, retain, develop and motivate our employees, our business, financial results and reputation could be materially and adversely affected. Our success and future performance depend in part upon the continued services of our executive officers, senior management, and other highly skilled personnel. Losing employees who manage or support substantial customer relationships or possess substantial experience or expertise could adversely affect our ability to secure and complete customer engagements and/or innovate, which would adversely affect our results of operations. This risk may be increased by remote or hybrid working arrangements, which may make our employees more vulnerable to solicitations by competing firms. Competition for skilled professionals remains intense, and employers are implementing new offerings to attract talent, including increasing compensation, enhancing health and wellness solutions, and providing in-office and remote work options. We may be unable to retain our employees if we do not offer employment terms that are competitive with the rest of the labor market. We may have to devote significant resources to attract and retain talent, which could negatively affect our business, results of operations and financial condition. Also, if any of our key employees were to join a competitor or form a competing company, some of our customers could choose to use the services of that competitor instead of our services. While our key employees are generally prohibited by contract from soliciting our employees and customers for a two-year period following separation from employment with us, they are not prohibited from competing with us. Similarly, if an employee joins us from a competitor and is subject to enforceable restrictive covenants, we may be delayed in optimizing the employee's potential. In addition, regulation or legislation impacting the workforce or the ability to enforce employment-related restrictive covenants (due to applicable laws or regulations), may lead to increased uncertainty and competition for talent. Our key personnel, including our executive officers, may be subject to targeted cybersecurity or physical threats, which, if realized, could adversely affect our business. In addition to the potential impact to us if these risks are realized, which may include reputational harm, the loss of such key personnel or their inability to continue their service with us, we may incur additional expenses to offer monitoring or protection for such key personnel against these threats. In addition, we could be adversely affected if we fail to adequately plan for the succession of our senior leaders and key executives, fail to successfully execute such plan, or if such plans are not well-received by our investors, customers, business partners or employees. The succession plans and employment arrangements we have in place with certain key executives do not guarantee that the services of these executives will continue to be available to us. The loss of our senior leaders or other key employees, or our inability to continue to identify, recruit and retain such personnel, could materially and adversely affect our business, results of operations and financial condition. --- ## Modified: A CYBERSECURITY ATTACK, OR ANY OTHER INTERRUPTION IN INFORMATION TECHNOLOGY AND/OR DATA SECURITY THAT MAY IMPACT OUR OPERATIONS OR THE OPERATIONS OF THIRD PARTIES THAT SUPPORT US, COULD ADVERSELY AFFECT OUR BUSINESS, FINANCIAL CONDITION AND REPUTATION. **Key changes:** - Reworded sentence: "We rely on information technology and third-party vendors to provide effective and efficient service to our customers, process claims, and timely and accurately report information to carriers, which often involves secure processing of confidential, sensitive, proprietary and other types of information." - Reworded sentence: "We have from time to time experienced cybersecurity incidents, such as malware infections, phishing campaigns, ransomware and vulnerability exploit attempts, which to date have not had a material impact on our business." - Reworded sentence: "Despite our efforts to mitigate cybersecurity threats, we cannot guarantee our measures will prevent, contain, detect, or remediate all incidents." **Prior (2024):** We rely on information technology and third-party vendors to provide effective and efficient service to our customers, process claims, and timely and accurately report information to carriers and which often involves secure processing of confidential sensitive, proprietary and other types of information. Cybersecurity breaches of any of the systems we rely on may result from circumvention of security systems, denial-of-service attacks or other cyber-attacks, hacking, "phishing" attacks, computer viruses, ransomware, malware, employee or insider error, malfeasance, social engineering, physical breaches or other actions, any of which could expose us to data loss, monetary and reputational damages and significant increases in compliance costs. The risk of such cybersecurity breaches may be increased by our increased reliance on work-from-home or other remote work technologies. An interruption of our access to, or an inability to access, our information technology, telecommunications or other systems could significantly impair our ability to perform such functions on a timely basis. If sustained or repeated, such a business interruption, system failure or service denial could result in a deterioration of our ability to write and process new and renewal business, provide customer service, pay claims in a timely manner or perform other necessary business functions. We have from time to time experienced cybersecurity incidents, such as malware infections, phishing campaigns and vulnerability exploit attempts, which to date have not had a material impact on our business. Additionally, we are an acquisitive organization and the process of integrating the information systems of the businesses we acquire is complex and exposes us to additional risk as we might not adequately identify weaknesses in the targets' information systems, which could expose us to unexpected liabilities or make our own systems more vulnerable to attack. In the future, any material breaches of cybersecurity, or media reports of the same, even if untrue, could cause us to experience reputational harm, loss of customers and revenue, loss of proprietary data, regulatory actions and scrutiny, sanctions or other statutory penalties, litigation, liability for failure to safeguard customers' information or financial losses. Such losses may not be insured against or not fully covered through insurance we maintain. We cannot entirely eliminate all risk of improper access to private information, and the cost and operational consequences of implementing, maintaining and enhancing further system protections measures could increase significantly as cybersecurity threats increase. As 13 13 these threats evolve, cybersecurity incidents will be more difficult to detect, defend against and remediate. Any of the foregoing may have a material adverse effect on our business, financial condition and reputation. **Current (2025):** We rely on information technology and third-party vendors to provide effective and efficient service to our customers, process claims, and timely and accurately report information to carriers, which often involves secure processing of confidential, sensitive, proprietary and other types of information. We face potential threats due to new and increasingly sophisticated methods of attack. Cybersecurity breaches of any of the systems we rely on may result from circumvention of security systems, denial-of-service attacks or other cyber-attacks, software bugs, malicious or destructive code, hacking, social engineering attacks (including "phishing" attacks and digital or telephonic impersonation), computer viruses, ransomware, malware, employee or insider error or threats, malfeasance, social engineering, physical breaches or other actions, any of which could expose us to unauthorized access, exfiltration, manipulation, corruption, loss or disclosure of proprietary, customer, employee or other data, the inability to render services due to system outages or other business disruptions, regulatory action and scrutiny, monetary and reputational damages and significant increases in compliance costs. Any of the foregoing may be exacerbated by a delay or failure to detect a cybersecurity incident or the full extent of such incident. A compromise may not manifest itself for months, or even years, and we may not be able to detect a compromise in a timely manner. In addition, disclosure or media reports of actual or perceived security vulnerabilities to our systems or those of our third-party service providers, even if no breach has been attempted or occurred, could lead to reputational harm, loss of customers and revenue, or increased regulatory actions and scrutiny. The risk of such cybersecurity breaches may be increased by our reliance on work-from-home or other remote work technologies. An interruption of our access to, or an inability to access, our information technology, telecommunications or other systems could significantly impair our ability to perform such functions on a timely basis. If sustained or repeated, such a business interruption, system failure or service denial could result in a deterioration of our ability to write and process new and renewal business, provide customer service, pay claims in a timely manner or perform other necessary business functions. We have from time to time experienced cybersecurity incidents, such as malware infections, phishing campaigns, ransomware and vulnerability exploit attempts, which to date have not had a material impact on our business. 12 12 12 We are an acquisitive organization, and the process of integrating the information systems of the businesses we acquire is complex and exposes us to additional risks as we might not adequately identify weaknesses in the acquired company's information systems, which could expose us to unexpected liabilities or make our own systems more vulnerable to attack. In the future, any material breaches of cybersecurity, or media reports of the same, even if untrue, could cause us to experience reputational harm, loss of customers and revenue, loss of proprietary data, regulatory actions and scrutiny, sanctions or other statutory penalties, litigation, liability for failure to safeguard customers' information, impairment of invested capital or financial losses. Such losses may not be insured against or not fully covered through insurance we maintain. Despite our efforts to mitigate cybersecurity threats, we cannot guarantee our measures will prevent, contain, detect, or remediate all incidents. The costs and operational consequences of enhancing system protections could rise significantly as threats increase. While we endeavor to design and implement technologies, policies and procedures to identify such incidents as quickly as possible, any response could take substantial time, and there may be extensive delays before we obtain full and reliable information. During such time we would not necessarily know the extent of the harm or how best to remediate it, and certain errors or actions could be repeated or compounded before they are discovered and remediated, all of which may further increase the costs and consequences of such incident. Any of these losses may not be insured against or be fully covered by insurance we maintain. Additionally, our control over and ability to monitor the cybersecurity practices of our third-party vendors and service providers, and other third parties with whom we do business, remains limited, and there can be no assurance that we can prevent, mitigate, or remediate the risk of any compromise or failure in the cybersecurity infrastructure owned or controlled by such third parties. Additionally, any contractual protections with such third parties, including our right to indemnification, if any, may be limited or insufficient to prevent a negative impact on our business from such compromise or failure. As these threats evolve, cybersecurity incidents will be more difficult to detect, defend against, mitigate and remediate. Any of the foregoing may have a material adverse effect on our business, financial condition and reputation. --- ## Modified: OUR GROWTH STRATEGY DEPENDS, IN PART, ON THE ACQUISITION OF OTHER INSURANCE INTERMEDIARIES AND RELATED BUSINESSES, WHICH MAY NOT BE AVAILABLE ON ACCEPTABLE TERMS IN THE FUTURE OR WHICH, IF CONSUMMATED, MAY NOT BE ADVANTAGEOUS TO US. **Key changes:** - Reworded sentence: "Our growth strategy partially includes the acquisition of other insurance intermediaries and related businesses." - Reworded sentence: "Additionally, failure to successfully identify and complete acquisitions would likely result in slower growth." - Added sentence: "Additional post-acquisition risks include integration into our existing culture, risks related to retention of personnel, entry into unfamiliar or complex markets or lines of business, contingencies or liabilities, such as violations of sanctions laws or anti-corruption laws, risk relating to ensuring compliance with licensing and regulatory requirements and tax and accounting issues." - Added sentence: "We may enter new lines of business, implement new technologies, or offer new products and services within existing lines of business either through acquisitions or through initiatives to generate organic revenue growth." - Added sentence: "These new lines of business, technologies, products, and services may present us with additional risks, particularly in instances where the markets are new or not fully developed or where participants in such markets are new entrants." **Prior (2024):** Our growth strategy partially includes the acquisition of other insurance intermediaries. Our ability to successfully identify suitable acquisition candidates, complete acquisitions, successfully integrate acquired businesses into our operations, and expand into new markets requires us to implement and continuously improve our operations and our financial and management information systems. Integrated, acquired businesses may not achieve levels of revenues or profitability comparable to our existing operations, or otherwise perform as expected. In addition, we compete for acquisition and expansion opportunities with firms and banks that may have substantially greater resources than we do. If we are unable to identify appropriate acquisition targets, or if our competitors are more successful in identifying acquisition targets at favorable valuations, we may fail to achieve desired strategic goals and capabilities, and our results of operations may be adversely affected. Acquisitions also involve a number of risks, such as diversion of management's attention; difficulties in the integration of acquired operations and retention of employees; increase in expenses and working capital requirements, which could reduce our return on invested capital; entry into unfamiliar markets or lines of business; unanticipated problems or legal liabilities; estimation of the acquisition earn-out payables; and tax and accounting issues, some or all of which could have a material adverse effect on our results of operations, financial condition and cash flows. Post-acquisition deterioration of operating performance could also result in lower or negative earnings contribution and/or goodwill impairment charges. **Current (2025):** Our growth strategy partially includes the acquisition of other insurance intermediaries and related businesses. Our ability to successfully identify suitable acquisition candidates, negotiate transactions on favorable terms, complete acquisitions, successfully integrate acquired businesses into our operations, and expand into new markets requires us to implement and continuously improve our operations and our financial and management information systems. Integrated, acquired businesses may not achieve levels of revenues or profitability comparable to our existing operations, or otherwise perform as expected. In addition, we compete for acquisition and expansion opportunities with firms and banks that may have substantially greater resources than we do. If we are unable to identify appropriate acquisition targets, or if our competitors are more successful in identifying acquisition targets at favorable valuations, we may fail to achieve desired strategic goals and capabilities, and our results of operations may be adversely affected. Additionally, failure to successfully identify and complete acquisitions would likely result in slower growth. Acquisitions also involve a number of risks, such as diversion of management's attention; difficulties in the integration of acquired operations and retention of employees; increase in expenses and working capital requirements, which could reduce our return on invested capital; entry into unfamiliar markets or lines of business; unanticipated problems or legal liabilities; estimation of acquisition earn-outs; and tax and accounting issues, some or all of which could have a material adverse effect on our results of operations, financial condition and cash flows. Post-acquisition deterioration of operating performance could also result in lower or negative earnings contribution and/or goodwill impairment charges. Additional post-acquisition risks include integration into our existing culture, risks related to retention of personnel, entry into unfamiliar or complex markets or lines of business, contingencies or liabilities, such as violations of sanctions laws or anti-corruption laws, risk relating to ensuring compliance with licensing and regulatory requirements and tax and accounting issues. We may enter new lines of business, implement new technologies, or offer new products and services within existing lines of business either through acquisitions or through initiatives to generate organic revenue growth. These new lines of business, technologies, products, and services may present us with additional risks, particularly in instances where the markets are new or not fully developed or where participants in such markets are new entrants. Such risks include the investment of significant time and resources; the possibility that these efforts will not be successful and could result in reputational damage to us; the possibility that the marketplace does not accept our products or services, that new technologies are not effective, or that we are unable to retain customers that adopt our new products or services; and the risk of new or additional liabilities associated with these efforts, including potential errors and omissions or other claims. External factors, such as compliance with new or revised regulations, competitive alternatives and shifting market preferences may also impact the successful implementation of a line of business, product or service. Additionally, when we dispose of businesses, such as the sale of our third-party claims administration and adjusting services business in the fourth quarter of 2023, we face certain risks, including the risk that we continue to be subject to certain liabilities of those businesses following those dispositions and may not be able to negotiate for limitations on those liabilities. We are also subject to the risk that the sales price is less than the amount reflected on our balance sheet. --- ## Modified: RAPID TECHNOLOGICAL CHANGE MAY REQUIRE ADDITIONAL RESOURCES AND TIME TO ADEQUATELY RESPOND TO DYNAMICS, WHICH MAY ADVERSELY AFFECT OUR BUSINESS AND OPERATING RESULTS. **Key changes:** - Reworded sentence: "The internet, for example, is increasingly used to securely transmit benefits and related information to customers, operate our day-to-day activities, and to facilitate business-to-business information exchange and transactions." - Reworded sentence: "If the information we rely upon to run our businesses was found to be inaccurate or unreliable or if we fail to effectively maintain our information systems and data integrity, we could experience operational disruptions, regulatory or other legal problems, increases in operating expenses, loss of existing customers, difficulty in attracting new customers and/or maintaining third-party relationships or suffer other adverse consequences." - Added sentence: "Additionally, we use artificial intelligence ("AI") and robotic processing automation ("RPA") in our business, including with respect to services provided to our customers." - Added sentence: "We have internal policies governing the use of AI and RPA by our employees designed to protect us from breaches of data privacy, errors and omissions liability and regulatory enforcement risk; however, our employees could violate these policies and expose us to such risks." - Added sentence: "Furthermore, our exposure to these risks may increase if our vendors, suppliers, or other third-party providers employ AI or RPA in relation to the products or services they provide to us, as we have limited control over such use in third-party products or services." **Prior (2024):** Frequent technological changes, new products and services and evolving industry standards are influencing the insurance business. The internet, for example, is increasingly used to securely transmit benefits and related information to customers and to facilitate business-to-business information exchange and transactions. 14 14 We are continuously taking steps to upgrade and expand our information systems capabilities, including how we electronically interact with our customers and insurance carriers. Maintaining, protecting and enhancing these capabilities to keep pace with evolving industry and regulatory standards, and changing customer preferences, requires an ongoing commitment of significant resources. If the information we rely upon to run our businesses was found to be inaccurate or unreliable or if we fail to effectively maintain our information systems and data integrity, we could experience operational disruptions, regulatory or other legal problems, increases in operating expenses, loss of existing customers, difficulty in attracting new customers, or suffer other adverse consequences. Our technological development projects may not deliver the benefits we expect once they are completed or may be replaced or become obsolete more quickly than expected, which could result in the accelerated recognition of expenses. If we do not effectively and efficiently manage and upgrade our technology portfolio regularly, or if the costs of doing so are higher than we expect, our ability to provide competitive services to new and existing customers in a cost-effective manner and our ability to implement our strategic initiatives could be adversely impacted. **Current (2025):** Frequent technological changes, new products and services and evolving industry standards are influencing the insurance business. The internet, for example, is increasingly used to securely transmit benefits and related information to customers, operate our day-to-day activities, and to facilitate business-to-business information exchange and transactions. We are continuously taking steps to upgrade and expand our information systems capabilities, including how we electronically interact with our customers, vendors, insurance carriers and other intermediaries. Maintaining, protecting and enhancing these capabilities to keep pace with evolving industry and regulatory standards, and changing customer preferences, requires an ongoing commitment of significant resources. If the information we rely upon to run our businesses was found to be inaccurate or unreliable or if we fail to effectively maintain our information systems and data integrity, we could experience operational disruptions, regulatory or other legal problems, increases in operating expenses, loss of existing customers, difficulty in attracting new customers and/or maintaining third-party relationships or suffer other adverse consequences. Our technological development projects may not deliver the benefits we expect once they are completed or may need to be replaced or become obsolete more quickly than expected, which could result in the accelerated recognition of expenses or write-offs. If we do not effectively and efficiently manage and upgrade our technology portfolio regularly, or if the costs of doing so are higher than we expect, our ability to provide competitive services to new and existing customers in a cost-effective manner and our ability to implement our strategic initiatives could be adversely impacted. Additionally, we use artificial intelligence ("AI") and robotic processing automation ("RPA") in our business, including with respect to services provided to our customers. We have internal policies governing the use of AI and RPA by our employees designed to protect us from breaches of data privacy, errors and omissions liability and regulatory enforcement risk; however, our employees could violate these policies and expose us to such risks. Furthermore, our exposure to these risks may increase if our vendors, suppliers, or other third-party providers employ AI or RPA in relation to the products or services they provide to us, as we have limited control over such use in third-party products or services. These risks include the input or processing of confidential information, including material non-public information, in contravention of our policies or contractual restrictions to which any of the foregoing are subject, or in violation of applicable laws or regulations, including 14 14 14 those relating to data protection. If any of these risks materialize, such information could become part of a dataset that is accessible by other third-party AI or RPA applications and/or users. Additionally, AI and RPA heavily rely on the collection and analysis of extensive data sets and interaction between systems. Due to the impracticality of incorporating all relevant data into the models or algorithms used by AI and RPA it is inevitable that data sets within these models will contain inaccuracies and errors, and potential biases. This could potentially render such models inadequate or flawed, negatively impacting the effectiveness of the technology. We are exposed to the risks associated with these inaccuracies, errors and biases, along with the adverse impacts that such flawed models could have on our business and operations. Furthermore, governance and ethical issues relating to the use of AI or RPA may also result in reputational harm, liability and/or financial losses. AI, RPA and related applications are developing rapidly. The use of these technologies by our competitors may give them a competitive advantage that cannot be predicted at this time, and it may negatively affect our assumptions regarding the competitive landscape of our business. Consequently, it is difficult to predict all risks associated with these new technologies, which may eventually impact our business, results of operations, or financial condition. --- *Data sourced from SEC EDGAR. Last updated 2026-05-10.*