Chubb Limited: 10-K Risk Factor Changes

On August 16, 2022, President Biden signed the Inflation Reduction Act (IRA) of 2022 (H.R. 5376). Key tax provisions included in the Inflation Reduction Act include a 15 percent corporate alternative minimum tax (CAMT) on adjusted financial statement income for corporations with average profits over $1 billion, and a 1 percent excise tax on repurchases of corporate stock. The CAMT and the excise tax on share repurchases are effective for tax years beginning after December 31, 2022. Since enactment, the IRS and U.S. Treasury Department have issued final and proposed regulations and notices, interpreting and implementing the new provisions. Guidance on rules implementing the Inflation Reduction Act is not yet final in some areas; there are many uncertainties relating to its ultimate application and effects on our company.

On August 16, 2022, President Biden signed the Inflation Reduction Act (IRA) of 2022 (H.R. 5376). Key tax provisions included in the IRA include a 15 percent corporate alternative minimum tax (CAMT) on adjusted financial statement income for corporations with average profits over $1 billion, and a 1 percent excise tax on repurchases of corporate stock. The CAMT and the excise tax on share repurchases are effective for tax years beginning after December 31, 2022. Since enactment, the IRS and U.S. Treasury Department have issued notices to assist taxpayers in understanding and implementing the new provisions. This guidance remains subject to comment; thus, there are many uncertainties relating to its ultimate application and effects on our company.

We are subject to numerous U.S. federal and state laws and non-U.S. laws and regulations governing the protection of personal and confidential information of our clients and employees, including in relation to medical records, credit card data and financial information. These laws and regulations are increasing in complexity and number, change frequently, sometimes conflict, and could expose Chubb to significant monetary damages, regulatory enforcement actions, fines, litigation or claims, and criminal prosecution in one or more jurisdictions. For example, we are subject to the New York Department of Financial Services’ Cybersecurity Regulation (the NYDFS Cybersecurity Regulation) which mandates detailed cybersecurity standards and other obligations for all institutions, including insurance entities, authorized by the NYDFS to operate in New York. The NYDFS Cybersecurity Regulation has increased our compliance costs and could increase the risk of noncompliance and subject us to regulatory enforcement actions and penalties, as well as reputation risk. Additionally, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law, which requires licensed insurance entities to comply with detailed information security requirements. A number of states have enacted it into law, and it is not yet known whether or not, and to what extent, additional states will enact it. Such enactments, especially if inconsistent between states or with existing laws and regulations, could raise compliance costs or increase the risk of noncompliance, with the attendant risk of being subject to regulatory enforcement actions and penalties, as well as reputational harm. The EU General Data Protection Regulation (the GDPR) is a comprehensive regulation applying across all EU member states. All our business units (regardless of whether they are located in the EU) may be subject to the GDPR when personal data is processed in relation to the offer of goods and services to individuals within the EU. Our failure to comply with GDPR and other countries’ privacy or data security-related laws, rules or regulations could result in significant penalties imposed by regulators, which could have an adverse effect on our business, financial condition, and results of operations. Significant other comprehensive privacy laws have been enacted by other jurisdictions, most notably the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and Brazil’s Lei Geral de Protecao de Dados (LGPD), which may affect our use of data and could affect our operations and subject us to fines and actions for noncompliance. In the U.S., several other states are considering similar legislation, and there are ongoing discussions regarding a U.S. National Privacy Law. New laws similar to the GDPR and the CCPA are expected to be enacted in coming years in various countries and jurisdictions in which we operate. Regulatory standards relating to the use of artificial intelligence (AI) are evolving in the countries where we do business, and may increase risks associated with bias, unfair discrimination, transparency, and information security. State insurance regulators in the U.S. have issued and will continue to consider regulations or guidelines on the use of external data, algorithms, and AI in insurance practices. The European Parliament and European Council have also promulgated the European Union Artificial Intelligence Act, which will regulate the use of AI within the European Union. The application of existing law and introduction of new or revised laws and regulations may require changes in our operations, increase compliance costs and reduce benefits from our adoption of artificial intelligence technologies.

We are subject to numerous U.S. federal and state laws and non-U.S. regulations governing the protection of personal and confidential information of our clients and employees, including in relation to medical records, credit card data and financial information. These laws and regulations are increasing in complexity and number, change frequently, sometimes conflict, and could expose Chubb to significant monetary damages, regulatory enforcement actions, fines and/or criminal prosecution in one or more jurisdictions. For example, we are subject to the New York Department of Financial Services’ Cybersecurity Regulation (the NYDFS Cybersecurity Regulation) which mandates detailed cybersecurity standards and other obligations for all institutions, including insurance entities, authorized by the NYDFS to operate in New York. The NYDFS Cybersecurity Regulation has increased our compliance costs and could increase the risk of noncompliance and subject us to regulatory enforcement actions and penalties, as well as reputation risk. Additionally, the National Association of Insurance Commissioners (NAIC) adopted an Insurance Data Security Model Law, which requires licensed insurance entities to comply with detailed information security requirements. A number of states have enacted it into law, and it is not yet known whether or not, and to what extent, additional states will enact it. Such enactments, especially if inconsistent between states or with existing laws and regulations could raise compliance costs or increase the risk of noncompliance, with the attendant risk of being subject to regulatory enforcement actions and penalties, as well as reputational harm. The EU General Data Protection Regulation (the GDPR) is a comprehensive regulation applying across all EU member states. All our business units (regardless of whether they are located in the EU) may be subject to the GDPR when personal data is processed in relation to the offer of goods and services to individuals within the EU. Our failure to comply with GDPR and other countries’ privacy or data security-related laws, rules or regulations could result in significant penalties imposed by regulators, which could have an adverse effect on our business, financial condition, and results of operations. Significant other comprehensive privacy laws have been enacted by other jurisdictions, most notably the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and Brazil’s Lei Geral de Protecao de Dados (LGPD), which may affect our use of data and could affect our operations and subject us to fines and actions for noncompliance. In the U.S., several other states are considering similar legislation, and there are ongoing discussions regarding a National Privacy Law. New laws similar to the GDPR and the CCPA are expected to be enacted in coming years in various countries and jurisdictions in which we operate. Regulatory standards relating to the use of artificial intelligence are evolving in the countries where we do business, and may increase risks associated with bias, unfair discrimination, transparency, and information security. The application of existing law and introduction of new or revised laws and regulations may require changes in our operations and increase compliance costs.

Swiss law imposes certain withholding tax and other restrictions on a Swiss company’s ability to return earnings or capital to its shareholders, including through the repurchase of its own shares. We may only repurchase shares to the extent that sufficient freely distributable reserves are available. In addition, Swiss law requires that the total par value of Chubb's treasury shares must not be in excess of 10 percent of its total share capital, although, to the extent permitted by Swiss law, exemptions from the 10 percent limit apply for repurchased treasury shares dedicated for cancellation under our shareholder-approved capital band or for shares acquired pursuant to a shareholder-ratified repurchase program and dedicated for cancellation. As a result, in order to maintain our share repurchase program, our shareholders must either periodically approve our capital band authorizing our Board to reduce our share capital or, as necessary, ratify our share repurchase program authorizing our Board to acquire shares in excess of the 10 percent limit. If our shareholders do not approve either of the foregoing, we may be restricted or unable to return capital to shareholders through share repurchases in the future. Furthermore, our current repurchase program relies on bank counterparties for execution and Swiss tax rulings confirmed by the competent tax authority for a certain period. 26 26 26 Table of Contents Table of Contents We can re-apply for such tax rulings in the future but cannot guarantee that they will also be granted going forward. Any future revocation, lapse, expiration, or loss of our Swiss tax rulings or the inability to conduct repurchases in accordance with these rulings could jeopardize our ability to continue repurchasing our shares.

Swiss law imposes certain withholding tax and other restrictions on a Swiss company’s ability to return earnings or capital to its shareholders, including through the repurchase of its own shares. We may only repurchase shares to the extent that sufficient freely distributable reserves are available. In addition, Swiss law requires that the total par value of Chubb's treasury shares must not be in excess of 10 percent of its total share capital, although an exemption from the 10 percent limit applies for repurchased treasury shares dedicated for cancellation and acquired pursuant to a shareholder-ratified repurchase program. As a result, in order to maintain our share repurchase program, our shareholders must periodically approve a reduction in our share capital through the cancellation of designated blocks of repurchased shares held in treasury and may from time to time as necessary, in a separate vote, ratify our share repurchase program. If our shareholders do not approve the cancellation of repurchased shares or, if necessary, ratify our share repurchase program, we may be restricted or unable to return capital to shareholders through share repurchases in the future. Furthermore, our current repurchase program relies on Swiss tax rulings. 26 26 26 Table of Contents Table of Contents Any future revocation, lapse, expiration, or loss of our Swiss tax rulings or the inability to conduct repurchases in accordance with these rulings could jeopardize our ability to continue repurchasing our shares.

The OECD has published a framework for taxation that in many respects is different than long standing international tax principles. This framework, along with related administrative guidance, could redefine what income is taxed in which country and institute a 15 percent global minimum tax in 2024 or later years. To date, many EU and other countries have enacted the 15 percent global minimum tax. Switzerland has enacted aspects of these rules, effective on January 1, 2025, including the income inclusion rule but not the under taxed profits rule. 31 31 31 Table of Contents Table of Contents On January 15, 2025, the OECD issued administrative guidance that, if incorporated into law, could cause additional tax to be payable to the extent the deferred tax asset we established upon enactment of Bermuda’s corporate income tax in 2023 reverses after 2026. It is uncertain at this time whether and to what extent the jurisdictions in which we operate will implement this guidance. On January 20, 2025, President Trump issued a memorandum announcing that the OECD framework has “no force or effect in the United States” and disavowing any commitments previously made by the United States with respect to the framework. The memorandum also directs the U.S. Secretary of the Treasury to develop and present to President Trump a list of protective measures or other options towards foreign countries that are either not in compliance with any tax treaty with the United States or have tax rules that are “extraterritorial or disproportionately affect American companies.” The possible uneven enactment of the OECD framework by various jurisdictions coupled with the United States’ response to these rules could cause uncertainties to and increases in our income taxes. Several multilateral organizations, including the EU and the OECD have, in recent years, expressed concern about some countries not participating in adequate tax information exchange arrangements and have threatened those that do not agree to cooperate with punitive sanctions by member countries. It is still unclear what all these sanctions might be, which countries might adopt them, and when or if they might be imposed. We cannot provide assurance that the Tax Information Exchange Agreements (TIEAs) that have been entered into by Switzerland and Bermuda will be sufficient to preclude the sanctions described above, which, if ultimately adopted, could adversely affect us.

The OECD has published a framework for taxation that in many respects is different than long standing international tax principles. This framework and proposed changes could redefine what income is taxed in which country and institute a 15 percent global minimum tax in 2024 or later years. To date, many EU and other countries have enacted the 15 percent global minimum tax. Switzerland has enacted aspects of these rules but has not enacted the income inclusion rule or under taxed payment rule. The enactment of these reforms remains uncertain at this time, but if enacted could cause uncertainties to and increases in our income taxes. Several multilateral organizations, including the EU and the OECD have, in recent years, expressed concern about some countries not participating in adequate tax information exchange arrangements and have threatened those that do not agree to cooperate with punitive sanctions by member countries. It is still unclear what all these sanctions might be, which countries might adopt them, and when or if they might be imposed. We cannot assure, however, that the Tax Information Exchange Agreements (TIEAs) that have been entered into by Switzerland and Bermuda will be sufficient to preclude all of the sanctions described above, which, if ultimately adopted, could adversely affect us or our shareholders. 31 31 31 Table of Contents Table of Contents

Swiss law allows our shareholders to authorize the Board of Directors to issue new shares within a pre-defined range under our capital band without further shareholder approval. Because such capital band is limited in duration, the authorization must be periodically renewed by our shareholders. Swiss law also does not provide as much flexibility as other jurisdictions in the various terms that can attach to different classes of stock and reserves for approval by shareholders many corporate actions that are not reserved for shareholders in other jurisdictions, such as approval of dividends. We cannot provide assurance that Swiss law requirements relating to our capital management will not have an adverse effect on Chubb or our shareholders.

Swiss law allows our shareholders to authorize share capital which can be issued by the Board of Directors without shareholder approval, but this authorization must be renewed by the shareholders every two years. Swiss law also does not provide as much flexibility in the various terms that can attach to different classes of stock as permitted in other jurisdictions. Swiss law also reserves for approval by shareholders many corporate actions over which the Board of Directors had authority prior to our re-domestication to Switzerland. For example, dividends must be approved by shareholders. While we do not believe that Swiss law requirements relating to our capital management will have an adverse effect on Chubb, we cannot assure that situations will not arise where such flexibility would have provided substantial benefits to our shareholders.

Losses may result from, among other things, fraud, errors, failure to document transactions properly, failure to obtain proper internal authorization, failure to comply with underwriting or other internal guidelines, or failure to comply with regulatory requirements. It is not always possible to deter or prevent employee misconduct, and the precautions that we take to prevent and detect this activity may not be effective in all cases. Resultant losses could adversely affect our business, results of operations, and financial condition. Strategic

Losses may result from, among other things, fraud, errors, failure to document transactions properly, failure to obtain proper internal authorization, failure to comply with underwriting or other internal guidelines, or failure to comply with regulatory requirements. It is not always possible to deter or prevent employee misconduct, and the precautions that we take to prevent and detect this activity may not be effective in all cases. Resultant losses could adversely affect our business, results of operations, and financial condition. Strategic