CME Group Inc.: 10-K Risk Factor Changes

In connection with our expanded global operations, we face certain risks inherent in doing business internationally. These risks include: •fluctuations in currency exchange rates; 23 23 23 Table of Contents Table of Contents •complying with extensive and complex compliance requirements, regulations and oversight by regulators other than our primary functional regulators; •difficulties in staffing and associated costs in managing multiple international locations; •general economic, social and political conditions; •protectionist laws and business practices that favor local businesses in some countries; •reduced protection for intellectual property rights in some countries; •language and cultural differences; and •potentially adverse tax consequences. If we are unable to manage the complexity of our global operations successfully, or if the risks above become substantial for us, our financial performance and operating results could suffer. Further, any measures we may implement to reduce risks of our international operations may not be effective, may increase our expenses and may require significant management time and effort. As our consolidated financial statements are presented in U.S. dollars, we must translate our foreign subsidiaries’ financial statements from local currencies into U.S. dollars at exchange rates in effect during or at the end of each reporting period. Therefore, any increases or decreases in the value of the U.S. dollar against the other currencies may affect our operating income and the value of balance sheet items denominated in foreign currencies.

In connection with our expanded global operations, we face certain risks inherent in doing business internationally. These risks include: •fluctuations in currency exchange rates; •complying with extensive and complex compliance requirements, regulations and oversight by regulators other than our primary functional regulators, including sanctions and anti-bribery laws; •difficulties in staffing and associated costs in managing multiple international locations; •general economic, social and political conditions; •protectionist laws and business practices that favor local businesses in some countries; •reduced protection for intellectual property rights in some countries; •language and cultural differences; and •potentially adverse tax consequences. If we are unable to manage the complexity of our global operations successfully, or if the risks above become substantial for us, our financial performance and operating results could suffer. Further, any measures we may implement to reduce risks of our international operations may not be effective, may increase our expenses and may require significant management time and effort. As our consolidated financial statements are presented in U.S. dollars, we must translate our foreign subsidiaries’ financial statements from local currencies into U.S. dollars at exchange rates in effect during or at the end of each reporting period. Therefore, any increases or decreases in the value of the U.S. dollar against the other currencies may affect our operating income and the value of balance sheet items denominated in foreign currencies. The E.U.-U.K. Trade and Cooperation Agreement was effective on January 1, 2021. As a result of Brexit, we have established a CME Group business in the Netherlands, a member of the European Union, which allows BrokerTec and EBS to continue trading in regulated financial instruments to customers in the European Economic Area; however, this has resulted in, and may continue to result in, increased legal, compliance and operational costs.

The success of our business depends, in part, on our ability to maintain and increase trading volume in our markets. To do so, we must maintain and expand our product offerings, our customer base and our trade execution facilities, our pre-and post-trade services and clearing facilities. Our success also depends on our ability to offer competitive prices and services in an increasingly price-sensitive business. For example, some of our competitors have engaged in aggressive pricing strategies in the past, such as lowering the fees they charge for taking liquidity and increasing liquidity payments or rebates. We cannot provide assurances that we will be able to continue to expand our products and services, that we will be able to retain our current customers or attract new customers or that we will not be required to modify our pricing structure to compete effectively. Changes in our pricing structure may result in a decrease to our profit margin. Our clearing firm clients must meet certain capital requirements and must deposit collateral to meet performance bond and guaranty fund requirements. There is no guarantee the collateral deposited will continue to maintain its value. To the extent a clearing member were to experience a decrease in capital and be unable to meet requirements, it may be required to decrease its trading activity. Additionally, from time to time, certain customers may represent a significant portion of the open interest in our individual product lines or contracts, and a substantial decrease in their trading activity could have a negative impact on the liquidity of the particular product line or contract. If we fail to maintain trading volume, as a result of a loss of customers or decrease in trading activity; expand our product offerings or execution facilities; or are unable to attract new customers, our business and revenues will be adversely affected. Declines in trading volume may also negatively impact market liquidity, which could lead to further loss of trading volume. Because our cost structure is largely fixed, if demand for our products and services and our resulting revenues decline, we may not be able to adjust our cost structure on a timely basis, and our profitability could be adversely affected. Our role in the global marketplace places us at greater risk than other public companies for a cyber attack and other cyber-security risks. Our technology, our customers, our people and our third-party service providers are vulnerable to cyber-security threats, which could result in wrongful use of our data or our customers’ data or cause interruptions in our operations, our customers' operations, or our third-party service providers' operations, which could cause us to lose customers and trading volume and result in substantial liabilities. We also could be required to incur significant expense to protect or remediate damage to our systems and/or investigate any alleged attack. We regard the secure storage and transmission of data and the ability to continuously transact and clear on our electronic trading platforms as critical elements of our operations and our operational resiliency. Our technology, our customers, our people and our third-party service providers may be vulnerable to targeted attacks, such as "phishing" attacks, unauthorized access, fraud, business email compromise, computer viruses, denial of service attacks, terrorism, "ransomware" attacks, attacks created through artificial intelligence, firewall or encryption failures or other security or operational risks. Criminal groups, political activist groups and nation-state actors have targeted the financial services industry in general, including as a result of wars, and our role in the global marketplace places us at significant risk for a cyber attack and other information security threats. While to date we have not experienced cyber incidents that are individually, or in the aggregate, material, we and certain of our third party providers have experienced cyber attacks of varying degrees in the past. Our usage of mobile, web, and cloud technologies, such as those pursuant to our partnership with Google Cloud, may increase our risk of a cyber attack. Our security defenses may also be impacted or breached due to employee error, malfeasance, system errors or vulnerabilities. Additionally, outside parties may attempt to fraudulently induce employees, users, customers or our third party providers to disclose sensitive information in order to gain access to our technology systems and data, or our customers’ systems and data, or our third parties' systems and data. Any such breach or unauthorized access could result in significant legal and financial exposure, damage to our reputation, and a loss of confidence in the services we provide that could potentially have an adverse effect on our business, while resulting in regulatory penalties or the imposition of additional obligations by regulators or others. The regulatory environment related to information security, privacy, data collection, data usage and use of artificial intelligence is increasingly rigorous and complex, and any failure to comply may carry significant penalties and reputational damage. We have designed our cyber defense program to mitigate such attacks and security risks through administrative, physical and technical safeguards. As part of our global information security and privacy programs, we employ resources to prevent, detect and respond to cyber attacks and security risks that could impact our people, processes and technology infrastructure, including rapid response to zero-day vulnerabilities. However, our security measures or those of our third-party providers, including any cloud-based technologies, may prove insufficient depending upon the attack or threat posed. Any security attack or breach could result in system failures and delays, malfunctions in our operations, loss of customers or lower trading volume, loss of competitive position, damage to our reputation, disruption of our business, legal liability or regulatory fines and significant 19 19 19 Table of Contents Table of Contents costs, which in turn may cause our revenues and earnings to decline and could have a material impact on our financial condition or results of operations. We may be subject to litigation and financial losses that exceed our insurance policy limits or are not covered under any of our current policies.

We regard the secure storage and transmission of data and the ability to continuously transact and clear on our electronic trading platforms as critical elements of our operations and our operational resiliency. Our technology, our customers, our people and our third-party service providers may be vulnerable to targeted attacks, such as "phishing" attacks, unauthorized access, fraud, computer viruses, denial of service attacks, terrorism, "ransomware" attacks, attacks created through artificial intelligence, firewall or encryption failures or other security or operational risks. Criminal groups, political activist groups and nation-state actors have targeted the financial services industry in general, including as a result of wars, and our role in the global marketplace places us at significant risk for a cyber attack and other information security threats. While to date we have not experienced cyber incidents that are individually, or in the aggregate, material, we and certain of our third party providers have experienced cyber attacks of varying degrees in the past. Our usage of mobile, web, and cloud technologies, such as those pursuant to our partnership with Google Cloud, may increase our risk of a cyber attack. Our security defenses may also be impacted or breached due to employee error, malfeasance, system errors or vulnerabilities. Additionally, outside parties may attempt to fraudulently induce employees, users, customers or our third party providers to disclose sensitive information in order to gain access to our technology systems and data, or our customers’ data. Any such breach or unauthorized access could result in significant legal and financial exposure, damage to our reputation, and a loss of confidence in the services we provide that could potentially have an adverse effect on our business, while resulting in regulatory penalties or the imposition of additional obligations by regulators or others. The regulatory environment related to information security, privacy, data collection, data usage and use of artificial intelligence is increasingly rigorous and complex, and any failure to comply may carry significant penalties and reputational damage. We have designed our cyber defense program to mitigate such attacks and security risks through administrative, physical and technical safeguards. As part of our global information security and privacy programs, we employ resources to prevent, detect and respond to cyber attacks and security risks that could impact our people, processes and technology infrastructure, including rapid response to zero-day vulnerabilities. However, our security measures or those of our third-party providers, including any cloud-based technologies, such as those pursuant to our partnership with Google Cloud, may prove insufficient depending upon the attack or threat posed. Any security attack or breach could result in system failures and delays, malfunctions in our operations, loss of customers or lower trading volume, loss of competitive position, damage to our reputation, disruption of our business, legal liability or regulatory fines and significant costs, which in turn may cause our revenues and earnings to decline. We may be subject to litigation and financial losses that exceed our insurance policy limits or are not covered under any of our current policies.