Moody's Corporation: 10-K Risk Factor Changes

Moody’s success depends upon its ability to recruit, retain and motivate highly skilled, experienced professionals, including financial analysts, data scientists and software engineers. Competition for skilled individuals in the financial services and technology industries is intense, and Moody’s ability to attract high quality employees could be impaired if it is unable to offer competitive compensation and other incentives or if the regulatory environment mandates restrictions on or disclosures about individual employees that would not be necessary in competing industries. Rising expenses including wage inflation, and global labor shortages could adversely affect Moody’s ability to attract and retain high-quality employees. As greater focus has been placed on executive compensation at public companies, in the future, Moody’s may be required to alter its compensation practices in ways that adversely affect its ability to attract and retain talented employees. Investment banks, investors and competitors may 32 MOODY'S 2023 10-K 32 MOODY'S 2023 10-K 32 MOODY'S 2023 10-K Table of Contents Table of Contents seek to attract analyst talent by providing more favorable working conditions or offering significantly more attractive compensation packages than Moody’s. Moody’s also may not be able to identify and hire the appropriate qualified employees in some markets outside the U.S. with the required experience or skills to perform sophisticated credit analysis. We could also fail to effectively respond to evolving perceptions and goals of those in our workforce or whom we might seek to hire, including with respect to flexible working or other matters. Also, the emergence and adoption of LLM and Gen AI technologies will require upskilling and additional training of Moody's employees, making retention and training increasingly important. There is a risk that even when the Company invests significant resources in attempting to attract, train and retain qualified personnel, it will not succeed in its efforts, and its business could be harmed. Further, employee expectations in areas such as ESG have been rapidly evolving and increasing. A failure to adequately meet employee expectations may result in an inability to attract and retain talented employees. Moody’s is highly dependent on the continued services of Robert Fauber, the Company's President and Chief Executive Officer, and other senior officers and key employees. The loss of the services of skilled personnel for any reason and Moody’s inability to replace them with suitable candidates quickly or at all, as well as any negative market perception resulting from such loss, could have a material adverse effect on Moody’s business, operating results and financial condition.

Moody’s success depends upon its ability to recruit, retain and motivate highly skilled, experienced professionals, including financial analysts. Competition for skilled individuals in the financial services industry is intense, and Moody’s ability to attract high quality employees could be impaired if it is unable to offer competitive compensation and other incentives or if the regulatory environment mandates restrictions on or disclosures about individual employees that would not be necessary in competing industries. Rising expenses including wage inflation, and global labor shortages could adversely affect Moody’s ability to attract and retain high-quality employees. As greater focus has been placed on executive compensation at public companies, in the future, Moody’s may be required to alter its compensation practices in ways that adversely affect its ability to attract and retain talented employees. Investment banks, investors and competitors may seek to attract analyst talent by providing more favorable working conditions or offering significantly more attractive compensation packages than Moody’s. Moody’s also may not be able to identify and hire the appropriate qualified employees in some markets outside the U.S. with the required experience or skills to perform sophisticated credit analysis. We could also fail to effectively respond to evolving perceptions and goals of those in our workforce or whom we might seek to hire, including in response to changes brought on by the COVID-19 pandemic, with respect to flexible working or other matters. There is a risk that even when the Company invests significant resources in attempting to attract, train and retain qualified personnel, it will not succeed in its efforts, and its business could be harmed. Further, employee expectations in areas such as environmental, social matters and corporate governance have been rapidly evolving and increasing. A failure to adequately meet employee expectations may result in an inability to attract and retain talented employees. Moody’s is highly dependent on the continued services of Robert Fauber, the President and Chief Executive Officer, and other senior officers and key employees. The loss of the services of skilled personnel for any reason and Moody’s inability to replace them with suitable candidates quickly or at all, as well as any negative market perception resulting from such loss, could have a material adverse effect on Moody’s business, operating results and financial condition. MOODY'S 2022 10-K 29 MOODY'S 2022 10-K 29 MOODY'S 2022 10-K 29 Table of Contents Table of Contents

As a global company, Moody’s is subject to taxation in the United States and various other countries and jurisdictions. As a result, our effective tax rate is determined based on the taxable income and applicable tax rates in the various jurisdictions in which the Company operates. Moody’s future tax rates could be affected by changes in the composition of earnings in countries or states with 28 MOODY'S 2023 10-K 28 MOODY'S 2023 10-K 28 MOODY'S 2023 10-K Table of Contents Table of Contents differing tax rates or other factors, including by increased earnings in jurisdictions where Moody’s faces higher tax rates, losses incurred in jurisdictions for which Moody’s is not able to realize the related tax benefit, or changes in foreign currency exchange rates. Changes in the tax, accounting and other laws, treaties, regulations, policies and administrative practices, or changes to their interpretation or enforcement, including changes applicable to multinational corporations such as the Base Erosion Profit Shifting and the global minimum tax rate initiatives being led by the OECD, which requires companies to disclose more information to tax authorities on operations around the world, and the EU’s state aid rulings, could have a material adverse effect on the Company’s effective tax rate, results of operations and financial condition and may lead to greater audit scrutiny of profits earned in various countries. In addition, Moody’s is subject to regular examination of its income tax returns by the IRS and other tax authorities around the world. Moody’s regularly assesses the likelihood of favorable or unfavorable outcomes resulting from these examinations to determine the adequacy of its provision for income taxes, including unrecognized tax benefits; however, developments in an audit or litigation could materially and adversely affect the Company. Although the Company believes its tax estimates and accruals are reasonable, there can be no assurance that any final determination will not be materially different than the treatment reflected in its income tax provisions, accruals and unrecognized tax benefits, which could materially and adversely affect the Company’s business, operating results, cash flows and financial condition. During 2023, multiple foreign jurisdictions in which the Company operates have enacted legislation to adopt a minimum tax rate described in the GloBE or Pillar Two, tax model rules issued by the OECD. A minimum ETR of 15% would apply to multinational companies with consolidated revenue above €750 million with an effective date beginning in 2024. Under the GloBE rules, a company would be required to determine a combined ETR for all entities located in a jurisdiction. If the jurisdictional tax rate is less than 15%, an additional tax will be due to bring the jurisdictional effective tax rate up to 15%. While the Pillar Two minimum tax requirement is not currently anticipated to have a material impact on the Company’s results of operations or financial position, management is evaluating and will continue to monitor the potential impact of the Pillar Two global minimum tax proposals on our consolidated financial statements and related disclosures.

As a global company, Moody’s is subject to taxation in the United States and various other countries and jurisdictions. As a result, our effective tax rate is determined based on the taxable income and applicable tax rates in the various jurisdictions in which the Company operates. Moody’s future tax rates could be affected by changes in the composition of earnings in countries or states with differing tax rates or other factors, including by increased earnings in jurisdictions where Moody’s faces higher tax rates, losses incurred in jurisdictions for which Moody’s is not able to realize the related tax benefit, or changes in foreign currency exchange rates. Changes in the tax, accounting and other laws, treaties, regulations, policies and administrative practices, or changes to their interpretation or enforcement, including changes applicable to multinational corporations such as the Base Erosion Profit Shifting and the global minimum tax rate initiatives being led by the Organization for Economic Co-operation and Development, which requires companies to disclose more information to tax authorities on operations around the world, and the European Union’s state aid rulings, could have a material adverse effect on the Company’s effective tax rate, results of operations and financial condition and may lead to greater audit scrutiny of profits earned in various countries. In addition, Moody’s is subject to regular examination of its income tax returns by the Internal Revenue Service and other tax authorities around the world. Moody’s regularly assesses the likelihood of favorable or unfavorable outcomes resulting from these examinations to determine the adequacy of its provision for income taxes, including unrecognized tax benefits; however, developments in an audit or litigation could materially and adversely affect the Company. Although the Company believes its tax estimates and accruals are reasonable, there can be no assurance that any final determination will not be materially different than the treatment reflected in its income tax provisions, accruals and unrecognized tax benefits, which could materially and adversely affect the Company’s business, operating results, cash flows and financial condition.

The Company’s operations rely on the secure processing, storage and transmission of confidential, sensitive, proprietary and other types of information. Such information relates to its business operations and confidential and sensitive information about its MOODY'S 2023 10-K 33 MOODY'S 2023 10-K 33 MOODY'S 2023 10-K 33 Table of Contents Table of Contents customers and employees in the Company’s computer systems and networks, and in those of its third-party vendors. The Company also often has access to MNPI and other confidential information concerning its customers, including public and private companies, sovereigns, and other third parties, and their customers, suppliers or transaction counterparties. Unauthorized disclosure of the foregoing information could cause our customers to lose faith in our ability to protect their confidential information, affecting the trading of their securities, damage their reputations or competitive positions and therefore cause customers to cease doing business with us, and potentially expose us to risk of litigation. The risks the Company faces range from cyber-attacks common to most industries, to more advanced threats that target the Company because of its prominence in the global marketplace, or due to its ratings of sovereign debt and corporate issuers. The Company and its third-party service providers, including our vendors, regularly experience cyber-attacks and data breaches of varying degrees. Cyber-attacks targeting Moody’s or Moody’s vendors’ technology and systems, whether from circumvention of security systems, denial-of-service attacks, ransomware, malware, hacking, social engineering or "phishing" attacks, computer viruses, employee or insider threats, malfeasance, supply chain attacks, physical breaches, payment fraud or other cyber-attacks some of which may be carried out by state-sponsored actors, may result in unauthorized access, exfiltration, manipulation or corruption of sensitive data, material interruptions or malfunctions in the Company’s or such vendors’ web sites or systems, applications, data processing, or disruption of other business operations. Such events may compromise the confidentiality, integrity, or availability of material information held by the Company (including information about Moody’s business, employees or customers), as well as other sensitive data, including personally identifiable information, the disclosure of which could lead to identity theft. The Company's MNPI concerning customers and clients could be improperly used by authorized or unauthorized parties, including for insider trading. The Company has implemented administrative, technical, and physical measures to detect and prevent unauthorized activity, but such precautions may not be successful. As the Company has grown and acquired businesses, IT guidelines have been developed and applied within business units or inherited from legacy organizations, which can result in internal differences in the Company's approach to IT standards until acquired entities are integrated. This creates a risk of developing unintended vulnerabilities and could result in additional costs, difficulty meeting new regulatory standards, or failing to meet customer expectations. The Company may be exposed to additional threats as it migrates its data from legacy systems to cloud-based solutions, and increased dependence on third-parties to store cloud-based data subjects the Company to further cyber risks. Further, many of our employees work remotely, which magnifies the importance of the integrity of our remote access security measures and may expose the Company to additional cyber risks. The Company has invested and continues to invest in risk management and information security measures in order to protect its systems and data, including employee training, disaster plans, and technical defenses. Although Moody’s devotes significant resources to maintain and regularly update such systems and processes, measures that Moody’s takes to avoid, detect, mitigate or recover from material incidents can be expensive, and may be insufficient, circumvented, or may become ineffective. Further, Moody’s relies on third-party technical subject matter experts to assist in managing its cyber security risk management processes. While Moody’s employs such third parties to assist in strengthening its cybersecurity defenses, there can be no guarantee that any action taken as advised by such third party will be adequate or sufficient to address the evolving threat landscape. Additionally, any measures that Moody’s takes in connection with such third parties to avoid, detect, mitigate or recover from material cyber security threats or incidents can be expensive, and may be insufficient, circumvented, or may become ineffective. Additionally, the cost and operational consequences of implementing, maintaining and enhancing further data or system protection measures could increase significantly to overcome increasingly intense, complex and sophisticated global cyber threats. Despite the Company’s best efforts, it is not fully insulated from, and has in the past experienced, security threats and system disruptions. Although past incidents have not had a material adverse effect on the Company's operating results, there can be no assurance of a similar result in the future. Because the methods used for these systems cyberattacks are rapidly changing, the Company or its third-party vendors, despite significant focus and investment, may be unable to anticipate and/or deploy sufficient protections against such incidents. Further, the extent of a particular security incident and the steps needed to investigate may not be immediately clear, and it may take a significant amount of time before such an investigation can be completed and full and reliable information about the incident, including the extent of the harm and how best to remediate it, is known. Recent well-publicized security breaches at other companies have led to enhanced government and regulatory scrutiny of the measures taken by companies to protect against cyber-attacks, and may in the future result in heightened cybersecurity compliance requirements, including additional regulatory expectations for oversight of third-party vendors and service providers. Cybersecurity incidents, including the accidental loss, inadvertent disclosure or unapproved dissemination of proprietary information or sensitive or confidential data, could cause reputational harm, loss of customers and revenue, fines, regulatory actions and scrutiny, sanctions or other statutory penalties, litigation, liability for failure to safeguard the Company’s customers’ information, or financial losses that are either not insured against or not fully covered through any insurance maintained by the Company. In addition, disclosure or media reports of actual or perceived security vulnerabilities to the Company’s systems or those of the Company’s third parties, even if no breach has been attempted or occurred, could lead to reputational harm, loss of customers and revenue, or increased regulatory actions oversight and scrutiny. Any of the foregoing may have a material adverse effect on Moody’s business, operating results and financial condition.

The Company’s operations rely on the secure processing, storage and transmission of confidential, sensitive, proprietary and other types of information relating to its business operations and confidential and sensitive information about its customers and employees in the Company’s computer systems and networks, and in those of its third party vendors. Unauthorized disclosure of 30 MOODY'S 2022 10-K 30 MOODY'S 2022 10-K 30 MOODY'S 2022 10-K Table of Contents Table of Contents this information could cause our customers to lose faith in our ability to protect their confidential information and therefore cause customers to cease doing business with us. The risks the Company faces range from cyber-attacks common to most industries, to more advanced threats that target the Company because of its prominence in the global marketplace, or due to its ratings of sovereign debt. Breaches of Moody’s or Moody’s vendors’ technology and systems, whether from circumvention of security systems, denial-of-service attacks or other cyber-attacks some of which may be carried out by state-sponsored actors, hacking, “phishing” attacks, computer viruses, social media impersonation, ransomware, or malware, employee or insider error, malfeasance, social engineering, physical breaches or other actions, may result in manipulation or corruption of sensitive data, material interruptions or malfunctions in the Company’s or such vendors’ web sites or systems, applications, data processing, or disruption of other business operations, or may compromise the confidentiality and integrity of material information held by the Company (including information about Moody’s business, employees or customers), as well as sensitive personally identifiable information (PII), the disclosure of which could lead to identity theft. Measures that Moody’s takes to avoid, detect, mitigate or recover from material incidents can be expensive, and may be insufficient, circumvented, or may become ineffective. Additionally, the Company may be exposed to additional threats as the Company migrates its data from legacy systems to cloud-based solutions, and increased dependence on third parties to store cloud-based data subjects the Company to further cyber risks. Further, many of our employees work remotely, which magnifies the importance of the integrity of our remote access security measures and may expose the Company to additional cyber risks. The Company has invested and continues to invest in risk management and information security measures in order to protect its systems and data, including employee training, disaster plans, and technical defenses. The cost and operational consequences of implementing, maintaining and enhancing further data or system protection measures could increase significantly to overcome increasingly intense, complex, and sophisticated global cyber threats. Despite the Company’s best efforts, it is not fully insulated from, and has in the past experienced, security threats and system disruptions. Although past incidents have not had a material adverse effect on the Company's operating results, there can be no assurance of a similar result in the future. Because the methods used for these systems cyberattacks are rapidly changing, the Company, despite significant focus and investment, may be unable to anticipate/deploy sufficient protections against such incidents. Further, the extent of a particular security incident and the steps needed to investigate may not be immediately clear, and it may take a significant amount of time before such an investigation can be completed and full and reliable information about the incident, including the extent of the harm and how best to remediate it, is known. Recent well-publicized security breaches at other companies have led to enhanced government and regulatory scrutiny of the measures taken by companies to protect against cyber-attacks, and may in the future result in heightened cybersecurity compliance requirements, including additional regulatory expectations for oversight of vendors and service providers. Cybersecurity incidents, including the accidental loss, inadvertent disclosure or unapproved dissemination of proprietary information or sensitive or confidential data, could cause reputational harm, loss of customers and revenue, fines, regulatory actions and scrutiny, sanctions or other statutory penalties, litigation, liability for failure to safeguard the Company’s customers’ information, or financial losses that are either not insured against or not fully covered through any insurance maintained by the Company. In addition, disclosure or media reports of actual or perceived security vulnerabilities to the Company’s systems or those of the Company’s third parties, even if no breach has been attempted or occurred, could lead to reputational harm, loss of customers and revenue, or increased regulatory actions oversight and scrutiny. Any of the foregoing may have a material adverse effect on Moody’s business, operating results and financial condition.

To conduct its operations, the Company regularly moves data across national borders, and consequently is subject to a variety of continuously evolving and developing laws and regulations in the U.S. and abroad regarding privacy, data protection and data security, such as the Federal Trade Commission Act in the U.S., the GDPR in the EU, the GDPR in the U.K., the Cyber Security Law, the Data Security Law, and the Personal Information Protection Law in China and various other international, federal, state 34 MOODY'S 2023 10-K 34 MOODY'S 2023 10-K 34 MOODY'S 2023 10-K Table of Contents Table of Contents and local laws and regulations. The scope of the laws that may be applicable to Moody’s is often uncertain and may be conflicting, particularly with respect to foreign laws. For example, GDPR, which became effective in May 2018, greatly increased the jurisdictional reach of European Union privacy law and added a broad array of requirements for processing personal data, including the public disclosure of significant data breaches. Failure to comply with GDPR requirements could result in penalties of up to 4% of annual worldwide revenue. Additionally, other countries have enacted or are enacting data localization laws that require data to stay within their borders. Further, laws such as the California Consumer Privacy Act of 2018 ("CCPA"), require among other things, covered companies to provide disclosures to consumers, and affords consumers the ability to opt-out of certain sales of personal information. A number of U.S. states have enacted data privacy laws, including the California Privacy Rights Act of 2020 (“CPRA”), and laws in Virginia, Colorado, Connecticut and Utah which became effective in 2023. Data privacy laws have also been passed in numerous U.S. states, including Iowa, Indiana, Tennessee, Montana, Texas, Delaware, New Jersey and Oregon that will go into effect over the course of 2024, 2025 and 2026. The effects of non-compliance with the CCPA, CPRA and other similar data privacy laws are significant, and may require the Company to modify its data processing practices and policies and to incur additional costs and expenses. All of these evolving compliance and operational requirements have required or could require in the future, changes to certain business practices, thereby increasing costs, requiring significant management time and attention, and subjecting the Company to negative publicity, as well as remedies that may harm its business, including fines, modified demands or orders, the cessation of existing business practices and exposure to litigation, regulatory actions, sanctions or other statutory penalties.

To conduct its operations, the Company regularly moves data across national borders, and consequently is subject to a variety of continuously evolving and developing laws and regulations in the United States and abroad regarding privacy, data protection and data security such as the Federal Trade Commission Act in the United States, the General Data Protection Regulation (“GDPR”) in the European Union, the General Data Protection Regulation in the U.K., the Cyber Security Law, the Data Security Law, and the Personal Information Protection Law in China and various other international, federal, state and local laws and regulations. The scope of the laws that may be applicable to Moody’s is often uncertain and may be conflicting, particularly with respect to foreign laws. For example, GDPR, which became effective in May 2018, greatly increased the jurisdictional reach of European Union privacy law and added a broad array of requirements for processing personal data, including the public disclosure of significant data breaches. Failure to comply with GDPR requirements could result in penalties of up to 4% of annual worldwide revenue. Additionally, other countries have enacted or are enacting data localization laws that require data to stay within their borders. Further, laws such as the California Consumer Privacy Act of 2018 ("CCPA"), require among other things, covered companies to provide disclosures to consumers, and affords consumers the ability to opt-out of certain sales of personal information. The California Privacy Rights Act of 2020 (“CPRA”) became effective on January 1, 2023. The effects of non-compliance with the CCPA, CPRA and other similar data privacy laws in other jurisdictions are significant, and may require the Company to modify its data processing practices and policies and to incur additional costs and expenses. All of these evolving compliance and operational requirements have required changes to certain business practices, thereby increasing costs, requiring significant management time and attention, and subjecting the Company to negative publicity, as well as remedies that may harm its business, including fines, modified demands or orders, the cessation of existing business practices, and exposure to litigation, regulatory actions, sanctions or other statutory penalties. MOODY'S 2022 10-K 31 MOODY'S 2022 10-K 31 MOODY'S 2022 10-K 31 Table of Contents Table of Contents