---
ticker: HIG
company: Hartford Financial Services Group Inc.
filing_type: 10-K
year_current: 2024
year_prior: 2023
risks_added: 2
risks_removed: 0
risks_modified: 1
risks_unchanged: 5
source: SEC EDGAR
url: https://riskdiff.com/hig/2024-vs-2023/
markdown_url: https://riskdiff.com/hig/2024-vs-2023/index.md
generated: 2026-05-10
---

# Hartford Financial Services Group Inc.: 10-K Risk Factor Changes 2024 vs 2023

> Source: U.S. Securities and Exchange Commission (EDGAR)  
> Generated: 2026-05-10  
> All data extracted directly from official filings. No hallucinated content.

> **[AI-Generated Summary]** The paragraph below was produced by a language
> model and may contain errors. All other content on this page is deterministically
> extracted from the original SEC filing.

> Hartford Financial Services Group Inc. added a dedicated cybersecurity risk disclosure in its 2024 10-K, reflecting heightened regulatory focus on data security governance. The company substantively modified its Insurance Industry and Product Related Risks section, indicating evolving business or market conditions affecting core operations. Five existing risk factors remained unchanged, suggesting stability in Hartford's primary risk exposures across underwriting, market, and operational domains.

---

## Summary

| Status | Count |
|--------|-------|
| New risks added | 2 |
| Risks removed | 0 |
| Risks modified | 1 |
| Unchanged | 5 |

---

## New in Current Filing: Part I - Item 1C. Cybersecurity

Item 1C. Item 1C. CYBERSECURITYThe Hartford has implemented an information protection program with established governance routines for assessing and managing risks. The Hartford employs a 'defense-in-depth' strategy that uses multiple security measures to protect the integrity of the Company's information assets. This 'defense-in-depth' strategy aligns to the National Institute of Standards and Technology Cybersecurity Framework, where controls are implemented throughout our environments to achieve five categorical objectives, including identification, protection, detection, response and recovery. Our 'defense in depth' program uses several methods to protect against intrusion by a bad actor, including such techniques as reputational filtering, anti-virus scans, intrusion prevention, multi-factor authentication, and account isolation among others. We also use numerous approaches to detect ransomware and other cyber attacks, including, among others, dark web searches, email sandboxing, endpoint detection, and intrusion detection. The Hartford continues to monitor and enhance its framework to respond to evolving cyber threats and regulations for data privacy, including the European Union General Data Protection Regulation and the California Consumer Privacy Act.We regularly assess our programs and control environment, leveraging externally conducted cyber tests and evaluations along with internally managed cyber risk assessments and testing. Additionally, the Company collaborates with industry associations, government authorities, peers and external advisors to monitor the threat environment and to inform our security practices. In connection with the regular assessment of third-party service providers performed by our procurement organization, our information protection team performs a third-party assessment of each vendor's information security practices and protocols, including its readiness to protect against and respond to cybersecurity breaches. Third-party service providers are categorized in tiers depending on the significance of their operations to the Company's business processes and risk assessments for vendors in the highest tier are completed periodically. With respect to cyber, we have procedures to verify each service provider's information security controls, and each vendor completes a cyber questionnaire that also addresses their resiliency in the event of an intrusion to their systems. We proactively communicate with suppliers to understand mitigation steps taken when major cyber exposures are identified.We are executing on a multi-year roadmap to, among other things, further improve our ability to defend against, respond to, and recover from ransomware and other cyber events; enhance application cybersecurity capabilities, including defenses against fraud attacks; and to ensure security capabilities are built into new cloud-based platforms that we adopt. We are also required to maintain strong cyber defense protocols in the states where we are authorized or licensed to write business. A number of states where our insurance companies are domiciled, including Connecticut, have adopted the NAIC Insurance Data Security Model Law. Our legal team monitors the status of new cybersecurity regulations, including notification requirements. To the best knowledge of Management, no risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. For further discussion of the Company's risks related to cybersecurity, see Part I, Item 1A,  -  Risk Factors for the risk factor "Our businesses may suffer and we may incur substantial costs if we are unable to access our systems and safeguard the security of our data in the event of a disaster, cyber breach or other information security incident." From a governance perspective, senior members of our Enterprise Risk Management, Information Protection and Internal Audit functions provide detailed, regular reports on cybersecurity matters to the Board, primarily through the Audit Committee, which oversees controls for the Company's major risk exposures and has principal responsibility for oversight of cybersecurity risk, and the Finance, Investment and Risk Management Committee ("FIRMCo"), which oversees business risk related to cyber insurance products. The topics covered by these updates include the Company's activities, policies and procedures to prevent, detect and respond to cybersecurity incidents, as well as lessons learned from cybersecurity incidents and internal and external testing of our cyber defenses.The Audit Committee is provided with updates on technology and cybersecurity risks at least four times annually, including annual reviews of the Company's cybersecurity program and technology risks and controls, and bi-annual updates on operational risks (in spring and fall). Given its importance, the full Board is invited to attend the annual cybersecurity program and time is reserved at each Audit Committee meeting for cybersecurity technology matters that warrant discussion between the standing sessions. In addition, our Enterprise Risk Management team provides FIRMCo with an assessment of cybersecurity insurance risk once per year. The Audit Committee, FIRMCo and the full Board are apprised of developments in the external environment and business strategies that present additional potential cyber risk exposure to the Company, such as modifications to on-line platforms and expanded use of cloud-based applications, on an ongoing, as-needed basis. As a result, cybersecurity and cyber risk are typically discussed more frequently than the annual minimum requirements.The Company has established an Executive Privacy & Security Council ("EPSC") that meets semi-annually. Formed in 2003, the EPSC consists of a cross-functional senior leaders, including the Chief Information Officer ("CIO"), the Chief Information Security Officer ("CISO"), the Chief Risk Officer ("CRO") and General Counsel among others. The EPSC receives a monthly written executive briefing on topics, and with metrics related to cybersecurity, including incident prevention, detection, mitigation and remediation. Quarterly, the IT Risk Council, made up of senior IT leaders, is also provided with an update of cybersecurity risks and preparedness. Various other meetings are held on cybersecurity topics periodically, including monthly business operating reviews, and meetings of the Enterprise Risk and Capital Committee ("ERCC") and executive leadership team. CYBERSECURITYThe Hartford has implemented an information protection program with established governance routines for assessing and managing risks. The Hartford employs a 'defense-in-depth' strategy that uses multiple security measures to protect the integrity of the Company's information assets. This 'defense-in-depth' strategy aligns to the National Institute of Standards and Technology Cybersecurity Framework, where controls are implemented throughout our environments to achieve five categorical objectives, including identification, protection, detection, response and recovery. Our 'defense in depth' program uses several methods to protect against intrusion by a bad actor, including such techniques as reputational filtering, anti-virus scans, intrusion prevention, multi-factor authentication, and account isolation among others. We also use numerous approaches to detect ransomware and other cyber attacks, including, among others, dark web searches, email sandboxing, endpoint detection, and intrusion detection. The Hartford continues to monitor and enhance its framework to respond to evolving cyber threats and regulations for data privacy, including the European Union General Data Protection Regulation and the California Consumer Privacy Act.We regularly assess our programs and control environment, leveraging externally conducted cyber tests and evaluations along with internally managed cyber risk assessments and testing. Additionally, the Company collaborates with industry associations, government authorities, peers and external advisors to monitor the threat environment and to inform our security practices. In connection with the regular assessment of third-party service providers performed by our procurement organization, our information protection team performs a third-party assessment of each vendor's information security practices and protocols, including its readiness to protect against and respond to cybersecurity breaches. Third-party service providers are categorized in tiers depending on the significance of their operations to the Company's business processes and risk assessments for vendors in the highest tier are completed periodically. With respect to cyber, we have procedures to verify each service provider's information security controls, and each vendor completes a cyber questionnaire that also addresses their resiliency in the event of an intrusion to their systems. We proactively communicate with suppliers to understand mitigation steps taken when major cyber exposures are identified.We are executing on a multi-year roadmap to, among other things, further improve our ability to defend against, respond to, and recover from ransomware and other cyber events; enhance application cybersecurity capabilities, including defenses against fraud attacks; and to ensure security capabilities are built into new cloud-based platforms that we adopt. We are also required to maintain strong cyber defense protocols in the states where we are authorized or licensed to write business. A number of states where our insurance companies are domiciled, including Connecticut, have adopted the NAIC Insurance Data Security Model Law. Our legal team monitors the status of new cybersecurity regulations, including notification requirements. CYBERSECURITY The Hartford has implemented an information protection program with established governance routines for assessing and managing risks. The Hartford employs a 'defense-in-depth' strategy that uses multiple security measures to protect the integrity of the Company's information assets. This 'defense-in-depth' strategy aligns to the National Institute of Standards and Technology Cybersecurity Framework, where controls are implemented throughout our environments to achieve five categorical objectives, including identification, protection, detection, response and recovery. Our 'defense in depth' program uses several methods to protect against intrusion by a bad actor, including such techniques as reputational filtering, anti-virus scans, intrusion prevention, multi-factor authentication, and account isolation among others. We also use numerous approaches to detect ransomware and other cyber attacks, including, among others, dark web searches, email sandboxing, endpoint detection, and intrusion detection. The Hartford continues to monitor and enhance its framework to respond to evolving cyber threats and regulations for data privacy, including the European Union General Data Protection Regulation and the California Consumer Privacy Act. We regularly assess our programs and control environment, leveraging externally conducted cyber tests and evaluations along with internally managed cyber risk assessments and testing. Additionally, the Company collaborates with industry associations, government authorities, peers and external advisors to monitor the threat environment and to inform our security practices. In connection with the regular assessment of third-party service providers performed by our procurement organization, our information protection team performs a third-party assessment of each vendor's information security practices and protocols, including its readiness to protect against and respond to cybersecurity breaches. Third-party service providers are categorized in tiers depending on the significance of their operations to the Company's business processes and risk assessments for vendors in the highest tier are completed periodically. With respect to cyber, we have procedures to verify each service provider's information security controls, and each vendor completes a cyber questionnaire that also addresses their resiliency in the event of an intrusion to their systems. We proactively communicate with suppliers to understand mitigation steps taken when major cyber exposures are identified. We are executing on a multi-year roadmap to, among other things, further improve our ability to defend against, respond to, and recover from ransomware and other cyber events; enhance application cybersecurity capabilities, including defenses against fraud attacks; and to ensure security capabilities are built into new cloud-based platforms that we adopt. We are also required to maintain strong cyber defense protocols in the states where we are authorized or licensed to write business. A number of states where our insurance companies are domiciled, including Connecticut, have adopted the NAIC Insurance Data Security Model Law. Our legal team monitors the status of new cybersecurity regulations, including notification requirements. To the best knowledge of Management, no risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. For further discussion of the Company's risks related to cybersecurity, see Part I, Item 1A,  -  Risk Factors for the risk factor "Our businesses may suffer and we may incur substantial costs if we are unable to access our systems and safeguard the security of our data in the event of a disaster, cyber breach or other information security incident." From a governance perspective, senior members of our Enterprise Risk Management, Information Protection and Internal Audit functions provide detailed, regular reports on cybersecurity matters to the Board, primarily through the Audit Committee, which oversees controls for the Company's major risk exposures and has principal responsibility for oversight of cybersecurity risk, and the Finance, Investment and Risk Management Committee ("FIRMCo"), which oversees business risk related to cyber insurance products. The topics covered by these updates include the Company's activities, policies and procedures to prevent, detect and respond to cybersecurity incidents, as well as lessons learned from cybersecurity incidents and internal and external testing of our cyber defenses.The Audit Committee is provided with updates on technology and cybersecurity risks at least four times annually, including annual reviews of the Company's cybersecurity program and technology risks and controls, and bi-annual updates on operational risks (in spring and fall). Given its importance, the full Board is invited to attend the annual cybersecurity program and time is reserved at each Audit Committee meeting for cybersecurity technology matters that warrant discussion between the standing sessions. In addition, our Enterprise Risk Management team provides FIRMCo with an assessment of cybersecurity insurance risk once per year. The Audit Committee, FIRMCo and the full Board are apprised of developments in the external environment and business strategies that present additional potential cyber risk exposure to the Company, such as modifications to on-line platforms and expanded use of cloud-based applications, on an ongoing, as-needed basis. As a result, cybersecurity and cyber risk are typically discussed more frequently than the annual minimum requirements.The Company has established an Executive Privacy & Security Council ("EPSC") that meets semi-annually. Formed in 2003, the EPSC consists of a cross-functional senior leaders, including the Chief Information Officer ("CIO"), the Chief Information Security Officer ("CISO"), the Chief Risk Officer ("CRO") and General Counsel among others. The EPSC receives a monthly written executive briefing on topics, and with metrics related to cybersecurity, including incident prevention, detection, mitigation and remediation. Quarterly, the IT Risk Council, made up of senior IT leaders, is also provided with an update of cybersecurity risks and preparedness. Various other meetings are held on cybersecurity topics periodically, including monthly business operating reviews, and meetings of the Enterprise Risk and Capital Committee ("ERCC") and executive leadership team. To the best knowledge of Management, no risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the Company, including its business strategy, results of operations, or financial condition. For further discussion of the Company's risks related to cybersecurity, see Part I, Item 1A,  -  Risk Factors for the risk factor "Our businesses may suffer and we may incur substantial costs if we are unable to access our systems and safeguard the security of our data in the event of a disaster, cyber breach or other information security incident." From a governance perspective, senior members of our Enterprise Risk Management, Information Protection and Internal Audit functions provide detailed, regular reports on cybersecurity matters to the Board, primarily through the Audit Committee, which oversees controls for the Company's major risk exposures and has principal responsibility for oversight of cybersecurity risk, and the Finance, Investment and Risk Management Committee ("FIRMCo"), which oversees business risk related to cyber insurance products. The topics covered by these updates include the Company's activities, policies and procedures to prevent, detect and respond to cybersecurity incidents, as well as lessons learned from cybersecurity incidents and internal and external testing of our cyber defenses. The Audit Committee is provided with updates on technology and cybersecurity risks at least four times annually, including annual reviews of the Company's cybersecurity program and technology risks and controls, and bi-annual updates on operational risks (in spring and fall). Given its importance, the full Board is invited to attend the annual cybersecurity program and time is reserved at each Audit Committee meeting for cybersecurity technology matters that warrant discussion between the standing sessions. In addition, our Enterprise Risk Management team provides FIRMCo with an assessment of cybersecurity insurance risk once per year. The Audit Committee, FIRMCo and the full Board are apprised of developments in the external environment and business strategies that present additional potential cyber risk exposure to the Company, such as modifications to on-line platforms and expanded use of cloud-based applications, on an ongoing, as-needed basis. As a result, cybersecurity and cyber risk are typically discussed more frequently than the annual minimum requirements. The Company has established an Executive Privacy & Security Council ("EPSC") that meets semi-annually. Formed in 2003, the EPSC consists of a cross-functional senior leaders, including the Chief Information Officer ("CIO"), the Chief Information Security Officer ("CISO"), the Chief Risk Officer ("CRO") and General Counsel among others. The EPSC receives a monthly written executive briefing on topics, and with metrics related to cybersecurity, including incident prevention, detection, mitigation and remediation. Quarterly, the IT Risk Council, made up of senior IT leaders, is also provided with an update of cybersecurity risks and preparedness. Various other meetings are held on cybersecurity topics periodically, including monthly business operating reviews, and meetings of the Enterprise Risk and Capital Committee ("ERCC") and executive leadership team. 36 36 36

---

## New in Current Filing: Part I - Item 1C. Cybersecurity

Both the CIO and the CISO have expertise assessing and managing cybersecurity risks. The CIO has served in her current role since 2019 and served in similar technology leadership roles before her current role. She has eighteen years of executive leadership experience in the financial services industry and twenty-eight years of overall technology experience, during which time she has led large scale business transformation, delivered innovative technology strategies and has overseen and modernized complex technology portfolios. The CISO has held several senior-level information technology roles in his twenty-five-year tenure with the Company and has served in his current role since 2021. In his various roles, he has been responsible for providing senior leadership in the areas of information security, IT governance risk & compliance, business continuity, and disaster recovery. Both the CIO and the CISO have expertise assessing and managing cybersecurity risks. The CIO has served in her current role since 2019 and served in similar technology leadership roles before her current role. She has eighteen years of executive leadership experience in the financial services industry and twenty-eight years of overall technology experience, during which time she has led large scale business transformation, delivered innovative technology strategies and has overseen and modernized complex technology portfolios. Both the CIO and the CISO have expertise assessing and managing cybersecurity risks. The CIO has served in her current role since 2019 and served in similar technology leadership roles before her current role. She has eighteen years of executive leadership experience in the financial services industry and twenty-eight years of overall technology experience, during which time she has led large scale business transformation, delivered innovative technology strategies and has overseen and modernized complex technology portfolios. The CISO has held several senior-level information technology roles in his twenty-five-year tenure with the Company and has served in his current role since 2021. In his various roles, he has been responsible for providing senior leadership in the areas of information security, IT governance risk & compliance, business continuity, and disaster recovery. The CISO has held several senior-level information technology roles in his twenty-five-year tenure with the Company and has served in his current role since 2021. In his various roles, he has been responsible for providing senior leadership in the areas of information security, IT governance risk & compliance, business continuity, and disaster recovery.

---

## Modified: Insurance Industry and Product Related Risks

**Key changes:**

- Reworded sentence: "Estimating the ultimate gross reserves needed for unpaid losses and related expenses for A&E claims is particularly difficult for insurers and reinsurers."
- Reworded sentence: "We remain directly liable to claimants and if the reinsurer does not fulfill its obligations under the agreement or if future adverse development exceeds the $1.5 billion 25 25 25"

**Prior (2023):**

Unfavorable loss development may adversely affect our business, financial condition, results of operations or liquidity. We establish property and casualty and group benefits loss reserves to cover our estimated liability for the payment of all unpaid losses and loss expenses incurred with respect to premiums earned on our policies. Loss reserves are estimates of what we expect the ultimate settlement and administration of claims will cost, less what has been paid to date. These estimates are based upon actuarial projections and on our assessment of currently available data, as well as estimates of claims severity and frequency, legal theories of liability and other factors. For risks due to evolving changes in social, economic and environmental conditions, see the Risk Factor, "Unexpected and unintended claim and coverage issues under our insurance contracts may adversely impact our financial performance." Loss reserve estimates are refined periodically as experience develops and claims are reported and settled, potentially resulting in increases to our reserves. Increases in reserves would be recognized as an expense during the periods in which these determinations are made, thereby adversely affecting our results of operations for those periods. In addition, since reserve estimates of aggregate loss costs for prior years are used in pricing our insurance products, inaccurate reserves can lead to our products not being priced adequately to cover actual losses and related loss expenses in order to generate a profit. In property and casualty, we continue to receive A&E claims, the vast majority of which relate to policies written before 1986. Estimating the ultimate gross reserves needed for unpaid losses and related expenses for asbestos and environmental claims is particularly difficult for insurers and reinsurers. The actuarial tools and other techniques used to estimate the ultimate cost of more traditional insurance exposures tend to be less precise when used to estimate reserves for some A&E exposures. Moreover, the assumptions used to estimate gross reserves for A&E claims, such as claim frequency over time, average severity, and how various policy provisions will be interpreted, are subject to significant uncertainty. It is also not possible to predict changes in the legal and legislative environment and their effect on the future development of A&E claims. These factors, among others, make the variability of gross reserves estimates for these longer-tailed exposures significantly greater than for other more traditional exposures. Effective December 31, 2016, the Company entered into an agreement with National Indemnity Company ("NICO"), a subsidiary of Berkshire Hathaway Inc. ("Berkshire") whereby the Company is reinsured for subsequent adverse development on substantially all of its net A&E reserves up to an aggregate net limit of $1.5 billion. We remain directly liable to claimants and if the reinsurer does not fulfill its obligations under the agreement or if future adverse development exceeds the $1.5 billion aggregate limit, we may need to increase our recorded net reserves which could have a material adverse effect on our financial condition, results of operations or liquidity. For additional information related to risks associated with the adverse development cover, see Note 11 - Reserve for Unpaid Losses and Loss Adjustment Expenses of Notes to Consolidated Financial Statements.We are vulnerable to losses from catastrophes, both natural and man-made.Our insurance operations expose us to claims arising out of catastrophes. Catastrophes can be caused by various unpredictable natural events, including, among others, earthquakes, hurricanes, hailstorms, severe winter weather, wind storms, fires, tornadoes, and pandemics. Catastrophes can also be man-made, such as terrorist attacks, civil unrest, cyber-attacks, explosions or infrastructure failures. For international events, catastrophes may include some events designated as major losses by Lloyd's of London and, accordingly, includes incurred losses arising from exposures in Ukraine and Russia as a result of Russia's invasion of Ukraine.The geographic distribution of our business subjects us to catastrophe exposure for events occurring in a number of areas, including, but not limited to: hurricanes in Florida, the Gulf Coast, the Northeast and the Atlantic coast regions of the United States; tornadoes and hail in the Midwest and Southeast; earthquakes in geographical regions exposed to seismic activity; wildfires in the West; and the spread of disease, which can occur throughout multiple geographic locations. We are also exposed to catastrophe losses in other parts of the world through our global specialty business. Any increases in the values and concentrations of insureds and property in these areas would increase the severity of catastrophic events in the future. In addition, changes in climate and/or weather patterns may increase the frequency and/or intensity of severe weather and natural catastrophe events potentially leading to increased insured losses. Potential examples include, but are not limited to:•an increase in the frequency or intensity of wind and thunderstorm and tornado/hailstorm events due to increased convection in the atmosphere, •more frequent and larger wildfires in certain geographies,•higher incidence of deluge flooding, and •the potential for an increase in frequency and severity of hurricane events.Insufficient incorporation of climatic trends into widely used catastrophe models and internal tools to assess risk from natural catastrophe perils could lead to ineffective evaluation and management of catastrophe risk. For a further discussion of climate-related risks, see the above-referenced Risk Factor, "Changing climate and weather patterns may adversely affect our business, financial condition and results of operation."Our businesses also have exposure to global or nationally occurring pandemics caused by highly infectious and potentially fatal diseases spread through human, animal or plant populations.In the event of one or more catastrophes, policyholders may be unable to meet their obligations to pay premiums on our insurance policies. Further, our liquidity could be constrained by a catastrophe, or multiple catastrophes. In addition, in part because accounting rules do not permit insurers to reserve for additional information related to risks associated with the adverse development cover, see Note 11 - Reserve for Unpaid Losses and Loss Adjustment Expenses of Notes to Consolidated Financial Statements. We are vulnerable to losses from catastrophes, both natural and man-made. Our insurance operations expose us to claims arising out of catastrophes. Catastrophes can be caused by various unpredictable natural events, including, among others, earthquakes, hurricanes, hailstorms, severe winter weather, wind storms, fires, tornadoes, and pandemics. Catastrophes can also be man-made, such as terrorist attacks, civil unrest, cyber-attacks, explosions or infrastructure failures. For international events, catastrophes may include some events designated as major losses by Lloyd's of London and, accordingly, includes incurred losses arising from exposures in Ukraine and Russia as a result of Russia's invasion of Ukraine. The geographic distribution of our business subjects us to catastrophe exposure for events occurring in a number of areas, including, but not limited to: hurricanes in Florida, the Gulf Coast, the Northeast and the Atlantic coast regions of the United States; tornadoes and hail in the Midwest and Southeast; earthquakes in geographical regions exposed to seismic activity; wildfires in the West; and the spread of disease, which can occur throughout multiple geographic locations. We are also exposed to catastrophe losses in other parts of the world through our global specialty business. Any increases in the values and concentrations of insureds and property in these areas would increase the severity of catastrophic events in the future. In addition, changes in climate and/or weather patterns may increase the frequency and/or intensity of severe weather and natural catastrophe events potentially leading to increased insured losses. Potential examples include, but are not limited to: •an increase in the frequency or intensity of wind and thunderstorm and tornado/hailstorm events due to increased convection in the atmosphere, •more frequent and larger wildfires in certain geographies, •higher incidence of deluge flooding, and •the potential for an increase in frequency and severity of hurricane events. Insufficient incorporation of climatic trends into widely used catastrophe models and internal tools to assess risk from natural catastrophe perils could lead to ineffective evaluation and management of catastrophe risk. For a further discussion of climate-related risks, see the above-referenced Risk Factor, "Changing climate and weather patterns may adversely affect our business, financial condition and results of operation." Our businesses also have exposure to global or nationally occurring pandemics caused by highly infectious and potentially fatal diseases spread through human, animal or plant populations. In the event of one or more catastrophes, policyholders may be unable to meet their obligations to pay premiums on our insurance policies. Further, our liquidity could be constrained by a catastrophe, or multiple catastrophes. In addition, in part because accounting rules do not permit insurers to reserve for 24 24 24

**Current (2024):**

Unfavorable loss development may adversely affect our business, financial condition, results of operations or liquidity. We establish property and casualty and group benefits loss reserves to cover our estimated liability for the payment of all unpaid losses and loss expenses incurred with respect to premiums earned on our policies. Loss reserves are estimates of what we expect the ultimate settlement and administration of claims will cost, less what has been paid to date. These estimates are based upon actuarial projections and on our assessment of currently available data, as well as estimates of claims severity and frequency, legal theories of liability and other factors. For risks due to evolving changes in social, economic and environmental conditions, see the Risk Factor, "Unexpected and unintended claim and coverage issues under our insurance contracts may adversely impact our financial performance." Loss reserve estimates are refined periodically as experience develops and claims are reported and settled, potentially resulting in increases to our reserves. Increases in reserves would be recognized as an expense during the periods in which these determinations are made, thereby adversely affecting our results of operations for those periods. In addition, since reserve estimates of aggregate loss costs for prior years are used in pricing our insurance products, inaccurate reserves can lead to our products not being priced adequately to cover actual losses and related loss expenses in order to generate a profit. In property and casualty, we continue to receive A&E claims, the vast majority of which relate to policies written before 1986. Estimating the ultimate gross reserves needed for unpaid losses and related expenses for A&E claims is particularly difficult for insurers and reinsurers. The actuarial tools and other techniques used to estimate the ultimate cost of more traditional insurance exposures tend to be less precise when used to estimate reserves for some A&E exposures. Moreover, the assumptions used to estimate gross reserves for A&E claims, such as claim frequency over time, average severity, and how various policy provisions will be interpreted, are subject to significant uncertainty. It is also not possible to predict changes in the legal and legislative environment and their effect on the future development of A&E claims. These factors, among others, make the variability of gross reserves estimates for these longer-tailed exposures significantly greater than for other more traditional exposures. Effective December 31, 2016, the Company entered into an agreement with National Indemnity Company ("NICO"), a subsidiary of Berkshire Hathaway Inc. ("Berkshire") whereby the Company is reinsured for subsequent adverse development on substantially all of its net A&E reserves up to an aggregate net limit of $1.5 billion. We remain directly liable to claimants and if the reinsurer does not fulfill its obligations under the agreement or if future adverse development exceeds the $1.5 billion 25 25 25

---

*Data sourced from SEC EDGAR. Last updated 2026-05-10.*