--- ticker: CBRE company: CBRE filing_type: 10-K year_current: 2024 year_prior: 2023 risks_added: 2 risks_removed: 1 risks_modified: 2 risks_unchanged: 29 source: SEC EDGAR url: https://riskdiff.com/cbre/2024-vs-2023/ markdown_url: https://riskdiff.com/cbre/2024-vs-2023/index.md generated: 2026-06-01 --- # CBRE: 10-K Risk Factor Changes 2024 vs 2023 > Source: U.S. Securities and Exchange Commission (EDGAR) > Generated: 2026-06-01 > All data extracted directly from official filings. No hallucinated content. ## Summary | Status | Count | |--------|-------| | New risks added | 2 | | Risks removed | 1 | | Risks modified | 2 | | Unchanged | 29 | --- ## New in Current Filing: Currency fluctuations could have a material adverse effect on our business, financial condition and operating results. We conduct a significant portion of our business and employ a substantial number of people outside of the U.S. and, as a result, we are subject to risks associated with doing business globally. During the year ended December 31, 2023, approximately 45% of our revenue was transacted in foreign currencies. We also report our results in U.S. dollars. As a result, the strengthening or weakening of the U.S. dollar will positively or negatively impact our reported results, including revenue and earnings as well as the assets under management for our investment management business, which could have a material adverse effect on our business, financial condition and operating results. Due to the constantly changing currency exposures to which we are subject and the volatility of currency exchange rates, we cannot predict the effect of exchange rate fluctuations upon future operating results. --- ## New in Current Filing: We have concentrations of business with large clients, which may cause increased credit risk and greater impact from the loss of certain clients and increased risks from higher limitations of liability in contracts. Having large and concentrated clients may lead to greater or more concentrated risks of loss if, among other possibilities, such a client (i) experiences its own financial problems, which may lead to larger individual credit risks; (ii) becomes bankrupt or insolvent, which may lead to our failure to be paid for services we have previously provided or funds we have previously advanced; (iii) decides to reduce its real estate operations; (iv) makes a change in its real estate strategy; (v) decides to change its providers of real estate services; or (vi) merges with another corporation or otherwise undergoes a change of control, which may result in new management taking over with a different real estate philosophy or in different relationships with other real estate providers. In addition, competitive conditions, particularly in connection with increasingly large clients, may require us to compromise on certain contract terms with respect to the payment of fees, the extent of risk transfer, or acting as principal rather than agent in connection with supplier relationships, liability limitations, credit terms and other contractual 12 12 12 Table of Contents Table of Contents terms, or in connection with disputes or potential litigation. Where competitive pressures result in higher levels of potential liability under our contracts, the cost of operational errors and other activities for which we have indemnified our clients will be greater and may not be fully insured. --- ## No Match in Current: A significant portion of our revenue is seasonal, which could cause our financial results to fluctuate significantly. *This section from the 2023 filing does not have a high-confidence textual match in 2024. It may have been removed, merged, or substantially reworded.* A significant portion of our revenue is seasonal. Historically, our revenue, operating income, net income and cash flow from operating activities tend to be lowest in the first calendar quarter, and highest in the fourth calendar quarter of each year. Earnings and cash flow have generally been concentrated in the fourth calendar quarter due to the focus on completing sales, financing and leasing transactions prior to calendar year-end. This variance among periods makes it difficult to compare our financial condition and results of operations on a quarter-by-quarter basis. In addition, as a result of the seasonal nature of our business, political, economic or other unforeseen disruptions occurring in the fourth quarter, particularly those that impact our ability to close large transactions, may have a proportionally larger effect on our financial condition and results of operations. --- ## Modified: Our business is subject to complex and evolving United States and international laws and regulations regarding privacy, data protection, and cybersecurity. Many of these laws and regulations are subject to change and uncertain interpretation and could result in claims, increased cost of operations or otherwise harm our business. **Key changes:** - Reworded sentence: "We are subject to numerous United States federal, state, local, and international laws and regulations regarding privacy, data protection and cybersecurity that govern the processing of certain data (including personal information, sensitive information, health information, and other regulated data)." - Added sentence: "For example, the European Union General Data Protection Regulation (GDPR) became effective on May 25, 2018, and has resulted and will continue to result in significantly greater compliance burdens and costs for businesses established in the European Union (EU) or European Economic Area (EEA) or who are established outside the EU or EEA and offer goods or services, or monitor the behavior of individuals located in the EU or EEA, including with respect to cross-border transfers of personal information." - Added sentence: "Under GDPR, fines of up to 20 million Euros or up to 4% of the annual global revenues of the infringer, whichever is greater, may be imposed for violations." - Added sentence: "Further, the U.K.'s withdrawal from the EU and ongoing developments in the U.K." - Added sentence: "have created additional compliance obligations and some uncertainty regarding whether data protection regulation in the U.K." **Prior (2023):** We are subject to numerous United States federal, state, local, and international laws and regulations regarding privacy, data protection and cybersecurity that govern the Processing of certain data (including personal information, sensitive information, health information, and other regulated data). For example, the European Union General Data Protection Regulation (GDPR) became effective on May 25, 2018, and has resulted and will continue to result in significantly greater compliance burdens and costs for businesses with users and operations in the European Union (EU) and European Economic Area (EEA), including with respect to cross-border transfers of personal information. Under GDPR, fines of up to 20 million Euros or up to 4% of the annual global revenues of the infringer, whichever is greater, can be imposed for violations. In addition, the California Consumer Privacy Act of 2018 (CCPA) took effect on January 1, 2020, which broadly defines personal information, gives California residents expanded privacy rights and protections, and provides for civil penalties for certain violations. Furthermore, in November 2020, California voters passed the California Privacy Rights and Enforcement Act of 2020 (CPRA), which amends and expands CCPA with additional data privacy compliance requirements and establishes a regulatory agency dedicated to enforcing those requirements. Additional countries, including Brazil and China, and states including Virginia, Colorado, Utah, and Connecticut, have also passed comprehensive privacy laws with additional obligations and requirements on businesses. These laws and regulations are increasing in severity, complexity and number, change frequently, and increasingly conflict among the various jurisdictions in which we operate, which has resulted in greater 21 21 21 Table of Contents Table of Contents compliance risk and cost for us. In addition, we are also subject to the possibility of security breaches and other incidents, which themselves may result in a violation of these laws. A significant actual or potential theft, loss, corruption, exposure, fraudulent use or misuse of client, employee or other personal information or proprietary business data, whether by third parties or as a result of employee malfeasance or otherwise, perceived or actual non-compliance with our contractual or other legal obligations regarding such data or intellectual property or a violation of our privacy and security policies with respect to such data could result in significant remediation and other costs, fines, litigation or regulatory actions against us. Such an event could additionally disrupt our operations and the services we provide to clients, harm our relationships with contractors and vendors, damage our reputation, result in the loss of a competitive advantage, impact our ability to provide timely and accurate financial data and cause a loss of confidence in our services and financial reporting, which could adversely affect our business, revenues, competitive position and investor confidence. Additionally, we rely on third parties to support our information and technology networks, including cloud storage solution providers, and as a result have less direct control over our data and information technology systems. Such third parties are also vulnerable to security breaches and compromised security systems, for which we may not be indemnified and which could materially adversely affect us and our reputation. **Current (2024):** We are subject to numerous United States federal, state, local, and international laws and regulations regarding privacy, data protection and cybersecurity that govern the processing of certain data (including personal information, sensitive information, health information, and other regulated data). These laws and regulations are increasing in severity, complexity and number, change frequently, and increasingly conflict among the various jurisdictions in which we operate, which has resulted in greater compliance risk and cost for us. In addition, we are also subject to the possibility of security breaches and other incidents, which themselves may result in a violation of these laws. For example, the European Union General Data Protection Regulation (GDPR) became effective on May 25, 2018, and has resulted and will continue to result in significantly greater compliance burdens and costs for businesses established in the European Union (EU) or European Economic Area (EEA) or who are established outside the EU or EEA and offer goods or services, or monitor the behavior of individuals located in the EU or EEA, including with respect to cross-border transfers of personal information. Under GDPR, fines of up to 20 million Euros or up to 4% of the annual global revenues of the infringer, whichever is greater, may be imposed for violations. Further, the U.K.'s withdrawal from the EU and ongoing developments in the U.K. have created additional compliance obligations and some uncertainty regarding whether data protection regulation in the U.K. will further diverge from the GDPR. As of December 31, 2023, we are required to comply with the GDPR as well as the U.K. equivalent and other global data protection laws (including in Switzerland, Japan, 17 17 17 Table of Contents Table of Contents Singapore, China, United Arab Emirates, Australia, and Brazil), the implementation of which exposes us to parallel data protection regimes, each of which potentially authorizes similar fines and other enforcement actions for certain violations. In the U.S., the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) broadly defines personal information, gives California residents expanded privacy rights and protections, and provides for civil penalties for certain violations, and established a regulatory agency dedicated to enforcing those requirements. At least a dozen states including Colorado, Connecticut, Texas and Virginia, have also passed comprehensive privacy laws protecting residents acting in their individual or household capacities, and several states, most notably Illinois, have passed laws regulating the processing of biometric information. These state laws impose additional obligations and requirements on impacted businesses. We are also subject to an increasing number of reporting obligations in respect of material cybersecurity incidents. These reporting requirements have been proposed or implemented by a number of regulators in different jurisdictions, may vary in their scope and application, and could contain conflicting requirements. Certain of these rules and regulations may require us to report a cybersecurity incident before we have been able to fully assess its impact or remediate the underlying issue. Efforts to comply with such reporting requirements could divert management's attention from our cybersecurity incident response and could potentially reveal system vulnerabilities to threat actors. Failure to timely report cybersecurity incidents under these rules could also result in regulatory investigations, litigation, monetary fines, sanctions, or subject us to other forms of liability. A significant actual or potential theft, loss, corruption, exposure, fraudulent use or misuse of client, employee or other personal information or proprietary business data, whether by third parties or as a result of employee malfeasance or otherwise, perceived or actual non-compliance with our contractual or other legal obligations regarding such data or intellectual property or a violation of our privacy and security policies with respect to such data could result in significant remediation and other costs, fines, litigation or regulatory actions against us. Such an event could additionally disrupt our operations and the services we provide to clients, harm our relationships with contractors and vendors, damage our reputation, result in the loss of a competitive advantage, impact our ability to provide timely and accurate financial data and cause a loss of confidence in our services and financial reporting, which could adversely affect our business, revenues, competitive position and investor confidence. Additionally, we rely on third parties to support our information and technology networks, including cloud storage solution providers, and as a result have less direct control over our data and information technology systems. Such third parties are also vulnerable to security breaches and compromised security systems, for which we may not be indemnified and which could materially adversely affect us and our reputation. --- ## Modified: Our operations are subject to international social, political and economic risks in foreign countries. **Key changes:** - Reworded sentence: "International economic trends, foreign governmental policy actions and the following factors may have a material adverse effect on the performance of our business: •difficulties and costs of staffing and managing international operations among diverse geographies, languages and cultures; •currency restrictions, transfer-pricing regulations and adverse tax consequences, which may affect our ability to transfer capital and profits; •adverse changes in regulatory or tax requirements and regimes or uncertainty about the application of or the future of such regulatory or tax requirements and regimes; •responsibility for complying with numerous, potentially conflicting and frequently complex and changing laws in multiple jurisdictions (e.g., with respect to data privacy and protection, sustainability, corrupt practices, embargoes, trade sanctions, employment and licensing); •the impact of regional or country-specific business cycles and economic instability, including those related to public health or safety events; •greater difficulty in collecting accounts receivable or delays in client payments in some geographic regions; •rising interest rates and less available and more expensive debt capital resulting from efforts by central banks outside the U.S." - Reworded sentence: "Our international operations require us to comply with a broad range of complex legal and regulatory environments in which we operate." - Reworded sentence: "9 9 9 Table of Contents Table of Contents We have committed additional resources to expand our worldwide sales and marketing activities, to globalize our service offerings and products in select markets and to develop local sales and support channels." **Prior (2023):** We conduct a significant portion of our business and employ a substantial number of people outside of the U.S. and, as a result, we are subject to risks associated with doing business globally. During the year ended December 31, 2022, approximately 43% of our revenue was transacted in foreign currencies. Fluctuations in foreign currency exchange rates may result in corresponding fluctuations in revenue and earnings as well as the assets under management for our investment management business, which could have a material adverse effect on our business, financial condition and operating results. Due to the constantly changing currency exposures to which we are subject and the volatility of currency exchange rates, we cannot predict the effect of exchange rate fluctuations upon future operating results. In addition, international economic trends, foreign governmental policy actions and the following factors may have a material adverse effect on the performance of our business: •difficulties and costs of staffing and managing international operations among diverse geographies, languages and cultures; •currency restrictions, transfer-pricing regulations and adverse tax consequences, which may affect our ability to transfer capital and profits; •adverse changes in regulatory or tax requirements and regimes or uncertainty about the application of or the future of such regulatory or tax requirements and regimes; •responsibility for complying with numerous, potentially conflicting and frequently complex and changing laws in multiple jurisdictions (e.g., with respect to data privacy and protection, corrupt practices, embargoes, trade sanctions, employment and licensing); •the impact of regional or country-specific business cycles and economic instability, including those related to public health or safety events; •greater difficulty in collecting accounts receivable or delays in client payments in some geographic regions; •rising interest rates and less available and more expensive debt capital resulting from efforts by central banks outside the U.S. to rein in inflation; •foreign ownership restrictions in certain countries, particularly in Asia Pacific and the Middle East, or the risk that such restrictions will be adopted in the future; and •changes in laws or policies governing foreign trade or investment and use of foreign operations or workers, and any negative sentiments towards multinational companies as a result of any such changes to laws or policies as well as other geopolitical risks. We maintain anti-corruption and anti-money-laundering compliance programs throughout the company as well as programs designed to enable us to comply with any potential government economic sanctions, embargoes or other import/export controls. However, coordinating our activities to deal with the broad range of complex legal and regulatory environments in which we operate presents significant challenges. We may not be successful in complying with regulations in all situations and violations may result in criminal or material civil sanctions and other costs against us or our employees, and may have a material adverse effect on our reputation and business. Furthermore, our efforts to comply with developments in these laws may adversely impact our business. For example, in 2022, we exited most of our business in Russia in light of newly adopted U.S. sanctions. 13 13 13 Table of Contents Table of Contents We have committed additional resources to expand our worldwide sales and marketing activities, to globalize our service offerings and products in select markets and to develop local sales and support channels. If we are unable to successfully implement these plans, maintain adequate long-term strategies that successfully manage the risks associated with our global business or adequately manage operational fluctuations, our business, financial condition or results of operations could be harmed. In addition, we have established operations and seek to grow our presence in many emerging markets to further expand our global platform. However, we may not be successful in effectively evaluating and monitoring the key business, operational, legal and compliance risks specific to those markets. The political and cultural risks present in emerging countries could also harm our ability to successfully execute our operations or manage our businesses there. **Current (2024):** International economic trends, foreign governmental policy actions and the following factors may have a material adverse effect on the performance of our business: •difficulties and costs of staffing and managing international operations among diverse geographies, languages and cultures; •currency restrictions, transfer-pricing regulations and adverse tax consequences, which may affect our ability to transfer capital and profits; •adverse changes in regulatory or tax requirements and regimes or uncertainty about the application of or the future of such regulatory or tax requirements and regimes; •responsibility for complying with numerous, potentially conflicting and frequently complex and changing laws in multiple jurisdictions (e.g., with respect to data privacy and protection, sustainability, corrupt practices, embargoes, trade sanctions, employment and licensing); •the impact of regional or country-specific business cycles and economic instability, including those related to public health or safety events; •greater difficulty in collecting accounts receivable or delays in client payments in some geographic regions; •rising interest rates and less available and more expensive debt capital resulting from efforts by central banks outside the U.S. to rein in inflation; •foreign ownership restrictions in certain countries, particularly in Asia Pacific and the Middle East, or the risk that such restrictions will be adopted in the future; and •changes in laws or policies governing foreign trade or investment and use of foreign operations or workers, and any negative sentiments towards multinational companies as a result of any such changes to laws or policies as well as other geopolitical risks. Our international operations require us to comply with a broad range of complex legal and regulatory environments in which we operate. We may not be successful in complying with regulations in all situations and violations may result in criminal or material civil sanctions and other costs against us or our employees, and may have a material adverse effect on our reputation and business. Furthermore, our efforts to comply with developments in these laws may adversely impact our business. 9 9 9 Table of Contents Table of Contents We have committed additional resources to expand our worldwide sales and marketing activities, to globalize our service offerings and products in select markets and to develop local sales and support channels. If we are unable to successfully implement these plans, maintain adequate long-term strategies that successfully manage the risks associated with our global business or adequately manage operational fluctuations, our business, financial condition or results of operations could be harmed. In addition, we have established operations and seek to grow our presence in many emerging markets to further expand our global platform. However, we may not be successful in effectively evaluating and monitoring the key business, operational, legal and compliance risks specific to those markets. The political and cultural risks present in emerging countries could also harm our ability to successfully execute our operations or manage our businesses there. --- *Data sourced from SEC EDGAR. Last updated 2026-06-01.*