# Moody's Corporation: 10-K Risk Factor Changes 2026 vs 2025 > Source: U.S. Securities and Exchange Commission (EDGAR) > Generated: 2026-05-05 > All data extracted directly from official filings. No hallucinated content. > **[AI-Generated Summary]** The paragraph below was produced by a language > model and may contain errors. All other content on this page is deterministically > extracted from the original SEC filing. > Between the 2025 and 2026 filings, Moody's Corporation's Risk Factors section shows that 19 matched risk factor sections contain meaningful text differences, while 7 matched sections remain substantially similar. One risk factor section from 2025 has no close textual match in 2026, and three risk factor sections in 2026 have no close textual matches in 2025. --- ## Summary | Status | Count | |--------|-------| | New risks added | 3 | | Risks removed | 1 | | Risks modified | 19 | | Unchanged | 7 | --- ## New in Current Filing: Table of Contents market, where there has been increased regulatory attention relating to the rapid growth of private credit, new financing structures, and CRA ratings for private credit-related instruments, issuers, and credit facilities. Evolving and/or inconsistent expectations regarding climate-risk and other sustainability disclosures and reporting could also result in increased regulatory scrutiny and new regulatory actions at a corporate and business unit level. MA's offering of products and services relating to sanctions, KYC and financial crime, as well as climate, default, and other risks may result in increased regulatory scrutiny and could expose the Company to increased risk of litigation from companies, data subjects, property owners and other third-parties, including due to potential inaccuracies in the products and services we offer, as well as regulatory recordkeeping requirements associated with our services. Additionally Moody's development of new technologies, including Gen AI and agentic AI product offerings may introduce new risks. Large language models, agentic workflows and related AI-technologies licensed by or developed by the Company, and the data used to train or power them may be incomplete or inadequate, our Gen AI or agentic AI products or platforms may result in adverse impacts to our business operations or reputation and increased regulatory scrutiny and exposure to litigation. Legal proceedings and regulatory inquiries and investigations impose additional expenses on the Company and require the attention of senior management to an extent that may significantly reduce their ability to devote time to addressing other business issues, and any of these proceedings, investigations or inquiries (including market studies) could ultimately result in adverse judgments, damages, fines, penalties or activity restrictions. Risks relating to legal proceedings are heightened in foreign jurisdictions that lack the legal protections or liability standards comparable to those that exist in the U.S. In addition, new laws and regulations have been and may continue to be enacted that establish lower liability standards, shift the burden of proof or relax pleading requirements, thereby increasing the risk of successful litigations in the U.S. and in foreign jurisdictions. These litigation risks are often difficult to assess or quantify. Moody's may not have adequate insurance or reserves to cover these risks, and the existence and magnitude of these risks often remain unknown for substantial periods of time. Furthermore, when Moody's is unable to achieve dismissals at an early stage and litigation matters proceed to trial, the aggregate legal defense costs incurred by Moody's increase substantially, as does the risk of an adverse outcome. Additionally, as litigation or the process to resolve pending matters progress, Moody's will continue to review the latest information available and may change its accounting estimates, which could require Moody's to record or increase liabilities in the consolidated financial statements in future periods. See Note 19 to the consolidated financial statements for more information regarding ongoing investigations and civil litigation that the Company currently faces. Due to the potential number of these proceedings and the significant amount of damages that could be sought, there is a risk that Moody's will be subject to judgments, settlements, fines, penalties or other adverse results that have a material adverse effect on its business, operating results and financial condition. --- ## New in Current Filing: Table of Contents and financial projections in any of these reporting units could result in a significant asset impairment charge, which would result in a non-cash charge to operating expenses. Goodwill and intangible assets are tested for impairment on an annual basis and also when events or changes in circumstances indicate that impairment may have occurred. Determining whether an impairment of goodwill exists can be especially difficult in periods of market or economic uncertainty and turmoil, and requires significant management estimates and judgment. In addition, the potential for goodwill impairment is increased during periods of economic uncertainty. An asset impairment charge could have a material adverse effect on Moody's business, operating results and financial condition. --- ## New in Current Filing: Table of Contents Company's products, fail to be comprehensive or accurate, unavailable or fail to operate effectively, and Moody's business could be adversely affected when the Company is unable to timely or effectively replace such Third-Party Technology. In addition, certain aspects of the Company's business rely on a concentrated group of vendors, and a cybersecurity breach or event and/or an error caused by one or more of such vendors could have a significant impact on the Company's operations, as well as the operations of the Company's customers and other Third-Party Technology. The Company also monitors its use of Third-Party Technology to comply with applicable license and other contractual requirements. Despite the Company's efforts, the Company cannot ensure that such third parties will permit Moody's use in the future, resulting in increased Third-Party Technology acquisition costs and loss of rights. In addition, the Company's operating costs could increase if license or other usage fees for Third-Party Technology increase or the efforts to incorporate enhancements to Third-Party Technology are substantial. Some of these third-party suppliers are also Moody's competitors, increasing the risks noted above. In the ordinary course, third-parties, including the Company's vendors, are subject to various forms of cyber-attacks or security incidents. Vulnerabilities in our vendors' software, system or networks or failure of their safeguards, policies or procedures may cause material interruptions to Moody's or our vendors' websites, applications, or data processing, or could compromise the confidentiality or integrity of the impacted information. Additionally, the Company may be exposed to threats as the Company migrates its data from legacy systems to cloud-based solutions, and becomes increasingly dependent on third parties to store cloud-based data subjects. If any of these attacks on Moody's or its vendors are successful, or if any of these risks materialize, they could have a material adverse effect on the Company's business, financial condition or results of operations. --- ## No Match in Current: Table of Contents *This section from the 2025 filing does not have a high-confidence textual match in 2026. It may have been removed, merged, or substantially reworded.* Legal and regulatory developments can result in delayed or reduced sales to MA's customers, adversely affect MA's relationship with such customers, increase the costs of doing business with such customers and/or result in MA assuming greater financial and legal risk under its agreements with such customers. --- ## Modified: Moody's Acquisitions, Dispositions and Other Strategic Transactions, Partnerships or Investments May Not Produce Anticipated Results Exposing the Company to Future Significant Impairment Charges Relating to Its Goodwill, Intangible Assets or Property and Equipment. **Key changes:** - Reworded sentence: "Moody's regularly evaluates and enters into acquisitions, dispositions or other strategic transactions, partnerships and investments to strengthen its business and grow the Company." - Reworded sentence: "At December 31, 2025, Moody's had $6,368 million of goodwill and $1,866 million of intangible assets on its balance sheet." - Reworded sentence: "Failure to achieve business objectives 28 MOODY'S 2025 10-K 28 MOODY'S 2025 10-K 28 MOODY'S 2025 10-K" **Prior (2025):** Moody's regularly evaluates and enters into acquisitions, dispositions or other strategic transactions and investments to strengthen its business and grow the Company. Such transactions and investments present significant challenges and risks. The Company faces intense competition for acquisition targets, especially in light of industry consolidation, which may affect Moody's ability to complete such transactions on favorable terms or at all. Additionally, the Company makes significant investments in technology, including software for internal use, which can be expensive, time-intensive and complex to develop and implement. The anticipated growth, synergies and other strategic objectives of completed transactions may not be fully realized, and a variety of factors may adversely affect any anticipated benefits from such transactions. Any strategic transaction involves a number of risks, including unanticipated challenges regarding integration of operations, technologies and new employees; the existence of liabilities or contingencies not disclosed to or otherwise known by the Company prior to closing a transaction; unexpected regulatory and operating difficulties and expenditures; scrutiny from competition and antitrust authorities; failure to retain key personnel of the acquired business; future developments that impair the value of purchased goodwill or intangible assets; diversion of management's focus from other business operations; failure to implement or remediate controls, procedures and policies appropriate for a larger public company at acquired companies that prior to the acquisition lacked such controls, procedures and policies; disputes or litigation arising out of acquisitions or dispositions; challenges retaining the customers of the acquired business; coordination of product, sales, marketing and program and systems management functions; integration of employees from the acquired business into Moody's organization; integration of the acquired business's accounting, information technology, human resources, legal and other administrative systems with Moody's; risks that acquired systems expose us to cybersecurity risks; and for foreign transactions, additional risks related to the integration of operations across different cultures and languages, and the economic, political and regulatory risks associated with specific countries. The anticipated benefits from an acquisition or other strategic transaction or investment may not be realized fully, or may take longer to realize than expected. As a result, the failure of acquisitions, dispositions and other strategic transactions and investments to perform as expected may have a material adverse effect on Moody's business, operating results and financial condition. At December 31, 2024, Moody's had $5,994 million of goodwill and $1,890 million of intangible assets on its balance sheet. Approximately 94% of the goodwill and intangible assets reside in the MA business and are allocated to the two reporting units within MA. The remaining 6% of goodwill and intangible assets reside in MIS and primarily relate to ICRA. Failure to achieve business objectives and financial projections in any of these reporting units could result in a significant asset impairment charge, which would result in a non-cash charge to operating expenses. Goodwill and intangible assets are tested for impairment on an annual basis and also when events or changes in circumstances indicate that impairment may have occurred. Determining whether an impairment of goodwill exists can be especially difficult in periods of market or economic uncertainty and turmoil, and requires significant management estimates and judgment. In addition, the potential for goodwill impairment is increased during periods of economic uncertainty. An asset impairment charge could have a material adverse effect on Moody's business, operating results and financial condition. MOODY'S 2024 10-K 31 MOODY'S 2024 10-K 31 MOODY'S 2024 10-K 31 **Current (2026):** Moody's regularly evaluates and enters into acquisitions, dispositions or other strategic transactions, partnerships and investments to strengthen its business and grow the Company. Such transactions and investments present significant challenges and risks. The Company faces intense competition for acquisition targets, especially in light of industry consolidation, which may affect Moody's ability to complete such transactions on favorable terms or at all. Additionally, the Company makes significant investments in technology, including software for internal use, which can be expensive, time-intensive and complex to develop and implement. The anticipated growth, synergies and other strategic objectives of completed transactions may not be fully realized, and a variety of factors may adversely affect any anticipated benefits from such transactions. Any strategic transaction involves a number of risks, including unanticipated challenges regarding integration of operations, technologies and new employees; the existence of liabilities or contingencies not disclosed to or otherwise known by the Company prior to closing a transaction; unexpected regulatory and operating difficulties and expenditures; scrutiny from competition and antitrust authorities; failure to retain key personnel of the acquired business; future developments that impair the value of purchased goodwill or intangible assets; diversion of management's focus from other business operations; failure to implement or remediate controls, procedures and policies appropriate for a larger public company at acquired companies that prior to the acquisition lacked such controls, procedures and policies; disputes or litigation arising out of acquisitions or dispositions; challenges retaining the customers of the acquired business; coordination of product, sales, marketing and program and systems management functions; integration of employees from the acquired business into Moody's organization; integration of the acquired business's accounting, information technology, human resources, legal and other administrative systems with Moody's; risks that acquired systems expose us to cybersecurity risks; and for foreign transactions, additional risks related to the integration of operations across different cultures and languages, and the economic, political and regulatory risks associated with specific countries. The anticipated benefits from an acquisition or other strategic transaction or investment may not be realized fully, or may take longer to realize than expected. As a result, the failure of acquisitions, dispositions and other strategic transactions and investments to perform as expected may have a material adverse effect on Moody's business, operating results and financial condition. At December 31, 2025, Moody's had $6,368 million of goodwill and $1,866 million of intangible assets on its balance sheet. Approximately 94% of the goodwill and intangible assets reside in the MA business and are allocated to the MA reporting unit. The remaining 6% of goodwill and intangible assets reside in MIS and primarily relate to ICRA. Failure to achieve business objectives 28 MOODY'S 2025 10-K 28 MOODY'S 2025 10-K 28 MOODY'S 2025 10-K --- ## Modified: Moody's Operations are Exposed to Risks from Infrastructure Malfunctions or Failures. **Key changes:** - Reworded sentence: "Moody's ability to conduct business may be materially and adversely impacted by a disruption in the infrastructure that supports its businesses and the communities in which Moody's has large employee populations, including: (i) New York City, the location of Moody's headquarters, (ii) India, (iii) major cities worldwide in which Moody's has offices, and (iv) locations that may be affected by the Russia-Ukraine military conflict and the military conflicts in the Middle East." - Reworded sentence: "Any significant failure, compromise, cyber-breach, interruption or a significant slowdown of operations of the Company's infrastructure, whether due to human error, capacity constraints, hardware failure or defect, weather (including climate-related risks), natural disasters, fire, power loss, telecommunication failures, break-ins, sabotage, intentional acts of vandalism, acts of terrorism, political unrest, pandemic, war or otherwise, may impair the Company's ability to deliver its products and services." **Prior (2025):** Moody's ability to conduct business may be materially and adversely impacted by a disruption in the infrastructure that supports its businesses and the communities in which Moody's is located, including: (i) New York City, the location of Moody's headquarters, (ii) major cities worldwide in which Moody's has offices, and (iii) locations that may be affected by the Russia-Ukraine military conflict and the military conflict in the Middle East. This may include a disruption involving physical or technological infrastructure (whether or not controlled by the Company), including the Company's electronic delivery systems, the Company's data center facilities, or the Internet, used by the Company or third parties with or through whom Moody's conducts business. Many of the Company's products and services are delivered electronically and the Company's customers depend on the Company's ability to receive, store, process, transmit and otherwise rapidly handle very substantial quantities of data and transactions on computer-based networks. Some of Moody's operations require complex processes and the Company's extensive controls to reduce the risk of error inherent in our operations cannot eliminate such risk completely. To the extent the Company grows through acquisitions, newly acquired businesses may not have invested in technological infrastructure and disaster recovery to the same extent as Moody's has. As their systems are integrated into Moody's, a vulnerability could be introduced, which could impact platforms across the Company. The Company's customers also depend on the continued capacity, reliability and security of the Company's telecommunications, data centers, networks and other electronic delivery systems, including its websites and connections to the Internet. The Company's employees also depend on these systems for internal use. Any significant failure, compromise, cyber-breach, interruption or a significant slowdown of operations of the Company's infrastructure, whether due to human error, capacity constraints, hardware failure or defect, weather (including climate-related risks), natural disasters, fire, power loss, telecommunication failures, break-ins, 28 MOODY'S 2024 10-K 28 MOODY'S 2024 10-K 28 MOODY'S 2024 10-K **Current (2026):** Moody's ability to conduct business may be materially and adversely impacted by a disruption in the infrastructure that supports its businesses and the communities in which Moody's has large employee populations, including: (i) New York City, the location of Moody's headquarters, (ii) India, (iii) major cities worldwide in which Moody's has offices, and (iv) locations that may be affected by the Russia-Ukraine military conflict and the military conflicts in the Middle East. This may include a disruption involving physical or technological infrastructure (whether or not controlled by the Company), including the Company's electronic delivery systems, the Company's data center facilities, or the Internet, used by the Company or third parties with or through whom Moody's conducts business. Many of the Company's products and services are delivered electronically and the Company's customers depend on the Company's ability to receive, store, process, transmit and otherwise rapidly handle very substantial quantities of data and transactions on computer-based networks. Some of Moody's operations require complex processes and the Company's extensive controls to reduce the risk of error inherent in our operations cannot eliminate such risk completely. To the extent the Company grows through acquisitions, newly acquired businesses may not have invested in technological infrastructure and disaster recovery to the same extent as Moody's has. As their systems are integrated into Moody's, a vulnerability could be introduced, which could impact platforms across the Company. The Company's customers also depend on the continued capacity, reliability and security of the Company's telecommunications, data centers, networks and other electronic delivery systems, including its websites and connections to the Internet. The Company's employees also depend on these systems for internal use. Any significant failure, compromise, cyber-breach, interruption or a significant slowdown of operations of the Company's infrastructure, whether due to human error, capacity constraints, hardware failure or defect, weather (including climate-related risks), natural disasters, fire, power loss, telecommunication failures, break-ins, sabotage, intentional acts of vandalism, acts of terrorism, political unrest, pandemic, war or otherwise, may impair the Company's ability to deliver its products and services. Additionally, refer to the risk factor below entitled "The Company Is Exposed to Risks Related to Cybersecurity and Protection of Confidential Information." MOODY'S 2025 10-K 25 MOODY'S 2025 10-K 25 MOODY'S 2025 10-K 25 --- ## Modified: The Company Is Exposed to Risks Related to Protection of Confidential and Personal Information **Key changes:** - Removed sentence: "For example, GDPR greatly increased the jurisdictional reach of European Union privacy law and added a broad array of requirements for processing personal data, including the public disclosure of significant data breaches." - Removed sentence: "Failure to comply with GDPR requirements could result in penalties of up to 4% of annual worldwide revenue." - Reworded sentence: "states have passed or enacted data privacy laws, including the California Privacy Rights Act of 2020 ("CPRA")." **Prior (2025):** To conduct its operations, the Company regularly moves data across national borders, and consequently is subject to a variety of continuously evolving and developing laws and regulations in the U.S. and abroad regarding privacy, data protection and data security, such as the Federal Trade Commission Act in the U.S., the GDPR in the EU, the GDPR in the U.K., the Cyber Security Law, the Data Security Law, and the Personal Information Protection Law in China and various other international, federal, state and local laws and regulations. The scope of the laws that may be applicable to Moody's is often uncertain and may be conflicting, particularly with respect to foreign laws. For example, GDPR greatly increased the jurisdictional reach of European Union privacy law and added a broad array of requirements for processing personal data, including the public disclosure of significant data breaches. Failure to comply with GDPR requirements could result in penalties of up to 4% of annual worldwide revenue. Additionally, other countries have enacted or are enacting data localization laws that require data to stay within their borders. Further, laws such as the California Consumer Privacy Act of 2018 ("CCPA"), require among other things, covered companies to provide disclosures to consumers, and affords consumers the ability to opt-out of certain sales of personal information. A number of U.S. states have enacted data privacy laws, including the California Privacy Rights Act of 2020 ("CPRA"), and laws in Virginia, Colorado, Connecticut, Utah, Montana, Oregon and Texas, which became effective in 2023 and 2024. Data privacy laws have also been passed in numerous U.S. states, including Iowa, Indiana, Tennessee, Delaware, New Jersey, Kentucky, Maryland, Minnesota, Nebraska, New Hampshire and Rhode Island that will go into effect over the course of 2024, 2025 and 2026. The effects of non-compliance with the CCPA, CPRA and other similar data privacy laws are significant, and may require the Company to modify its data processing practices and policies and to incur additional costs and expenses. All of these evolving compliance and operational requirements have required or could require in the future, changes to certain business practices, thereby increasing costs, requiring significant management time and attention, and subjecting the Company to negative publicity, as well as remedies that may harm its business, including fines, modified demands or orders, the cessation of existing business practices and exposure to litigation, regulatory actions, sanctions or other statutory penalties. **Current (2026):** To conduct its operations, the Company regularly moves data across national borders, and consequently is subject to a variety of continuously evolving and developing laws and regulations in the U.S. and abroad regarding privacy, data protection and data security, such as the Federal Trade Commission Act in the U.S., the GDPR in the EU, the GDPR in the U.K., the Cyber Security Law, the Data Security Law, and the Personal Information Protection Law in China and various other international, federal, state and local laws and regulations. The scope of the laws that may be applicable to Moody's is often uncertain and may be conflicting, particularly with respect to foreign laws. Additionally, other countries have enacted or are enacting data localization laws that require data to stay within their borders. Further, laws such as the California Consumer Privacy Act of 2018 ("CCPA"), require among other things, covered companies to provide disclosures to consumers, and affords consumers the ability to opt-out of certain sales of personal information. A number of U.S. states have passed or enacted data privacy laws, including the California Privacy Rights Act of 2020 ("CPRA"). The effects of non-compliance with the CCPA, CPRA and other similar data privacy laws are significant, and may require the Company to modify its data processing practices and policies and to incur additional costs and expenses. All of these evolving compliance and operational requirements have required or could require in the future, changes to certain business practices, thereby increasing costs, requiring significant management time and attention, and subjecting the Company to negative publicity, as well as remedies that may harm its business, including fines, modified demands or orders, the cessation of existing business practices and exposure to litigation, regulatory actions, sanctions or other statutory penalties. --- ## Modified: Table of Contents **Key changes:** - Reworded sentence: "-differing and potentially conflicting legal or civil liability, compliance and regulatory standards; -current and future regulations relating to the imposition of mandatory rotation requirements on CRAs hired by issuers of securities; -uncertain, evolving and new laws and regulations, including employment laws, various proposed and enacted data laws including those relating to data sharing, portability of data services, cybersecurity rules, and laws and regulations applicable to the financial services industries, such as the EU's implementation of DORA in January 2025, and to the protection of intellectual property and to the emergence of LLMs in the context of Gen AI and other technologies, such as the EU AI Act and other AI legislation, including the effect of these laws and regulations on our customers and on the products and services that we offer; -uncertainty regarding the future relationship and increasing tensions between the U.S." - Reworded sentence: "government with respect to doing business in China and/or by the Chinese government with respect to business conducted by foreign entities in China; -restrictive actions of governmental authorities in the jurisdictions in which we operate which may affect trade, cross-border data transfer, and foreign investment, especially during periods of heightened tension between governmental authorities in such jurisdictions, including protective measures such as export restrictions and customs duties and tariffs, government intervention favoring local competitors, data localization efforts, and restrictions on the level of foreign ownership; -competition with CRAs that have greater familiarity, longer operating histories and/or support from local governments or other institutions; -uncertainties in obtaining reliable data and creating products and services relevant to particular geographic markets; -longer payment cycles and possible problems in collecting receivables; -differing accounting principles and standards; -difficulties in staffing and managing foreign operations; -difficulties and delays in translating documentation into foreign languages; and -potentially adverse tax consequences." - Removed sentence: "Any determination or allegations, even if unfounded, that the Company has violated sanctions, anti-bribery or anti-corruption laws could have a material adverse effect on Moody's business, operating results and financial condition." - Reworded sentence: "Violations or allegations, even if unfounded, that the Company has violated such laws and regulations may result in severe fines and penalties, criminal sanctions, administrative remedies and restrictions on business conduct and could have a material adverse effect on Moody's reputation, its ability to attract and retain employees, its business, operating results and financial condition." **Prior (2025):** laws in multiple jurisdictions may need to determine a means to comply with such laws. Such conflicts could eventually affect the ability of entities to adhere to applicable laws or continue to operate in certain jurisdictions; -differing and potentially conflicting legal or civil liability, compliance and regulatory standards; -current and future regulations relating to the imposition of mandatory rotation requirements on CRAs hired by issuers of securities; -uncertain, evolving and new laws and regulations, including those applicable to the financial services industries, such as the EU's implementation of DORA in January 2025, and to the protection of intellectual property and to the emergence of LLMs in the context of Gen AI and other technologies, such as the EU AI Act, including the effect of these laws and regulations on our customers and on the products and services that we offer; -uncertainty regarding the future relationship and increasing tensions between the U.S. and China, which may result in further restrictions or actions by the U.S. government with respect to doing business in China and/or by the Chinese government with respect to business conducted by foreign entities in China; -the possibility of nationalization, expropriation, price controls and other restrictive governmental actions; -competition with CRAs that have greater familiarity, longer operating histories and/or support from local governments or other institutions; -uncertainties in obtaining reliable data and creating products and services relevant to particular geographic markets; -reduced protection for intellectual property rights; -longer payment cycles and possible problems in collecting receivables; -differing accounting principles and standards; -difficulties in staffing and managing foreign operations; -difficulties and delays in translating documentation into foreign languages; -potentially adverse tax consequences; and -complexities of compliance with employment laws, various proposed and enacted data privacy laws, and cybersecurity rules in numerous jurisdictions. Additionally, Moody's is subject to complex U.S., foreign and other local laws and regulations that are applicable to its operations abroad, such as laws and regulations governing economic and trade sanctions, tariffs, embargoes, and anti-corruption including the Foreign Corrupt Practices Act of 1977, the U.K. Bribery Act of 2010 and other similar local laws. The internal controls, policies and procedures and employee training and compliance programs to deter prohibited practices the Company has implemented may not be effective in preventing employees, contractors or agents from violating or circumventing such internal policies or from material violations of applicable laws and regulations. Any determination or allegations, even if unfounded, that the Company has violated sanctions, anti-bribery or anti-corruption laws could have a material adverse effect on Moody's business, operating results and financial condition. Compliance with international and U.S. laws and regulations that apply to the Company's international operations increases the cost of doing business in foreign jurisdictions. Violations of such laws and regulations may result in severe fines and penalties, criminal sanctions, administrative remedies and restrictions on business conduct and could have a material adverse effect on Moody's reputation, its ability to attract and retain employees, its business, operating results and financial condition. **Current (2026):** -differing and potentially conflicting legal or civil liability, compliance and regulatory standards; -current and future regulations relating to the imposition of mandatory rotation requirements on CRAs hired by issuers of securities; -uncertain, evolving and new laws and regulations, including employment laws, various proposed and enacted data laws including those relating to data sharing, portability of data services, cybersecurity rules, and laws and regulations applicable to the financial services industries, such as the EU's implementation of DORA in January 2025, and to the protection of intellectual property and to the emergence of LLMs in the context of Gen AI and other technologies, such as the EU AI Act and other AI legislation, including the effect of these laws and regulations on our customers and on the products and services that we offer; -uncertainty regarding the future relationship and increasing tensions between the U.S. and China, which may result in further restrictions or actions by the U.S. government with respect to doing business in China and/or by the Chinese government with respect to business conducted by foreign entities in China; -restrictive actions of governmental authorities in the jurisdictions in which we operate which may affect trade, cross-border data transfer, and foreign investment, especially during periods of heightened tension between governmental authorities in such jurisdictions, including protective measures such as export restrictions and customs duties and tariffs, government intervention favoring local competitors, data localization efforts, and restrictions on the level of foreign ownership; -competition with CRAs that have greater familiarity, longer operating histories and/or support from local governments or other institutions; -uncertainties in obtaining reliable data and creating products and services relevant to particular geographic markets; -longer payment cycles and possible problems in collecting receivables; -differing accounting principles and standards; -difficulties in staffing and managing foreign operations; -difficulties and delays in translating documentation into foreign languages; and -potentially adverse tax consequences. Additionally, Moody's is subject to complex U.S., foreign and other local laws and regulations that are applicable to its operations abroad, such as laws and regulations governing economic and trade sanctions, tariffs, embargoes, and anti-corruption including the Foreign Corrupt Practices Act of 1977, the U.K. Bribery Act of 2010 and other similar local laws. The internal controls, policies and procedures and employee training and compliance programs to deter prohibited practices the Company has implemented may not be effective in preventing employees, contractors or agents from violating or circumventing such internal policies or from material violations of applicable laws and regulations. Compliance with international and U.S. laws and regulations that apply to the Company's international operations increases the cost of doing business in foreign jurisdictions. Violations or allegations, even if unfounded, that the Company has violated such laws and regulations may result in severe fines and penalties, criminal sanctions, administrative remedies and restrictions on business conduct and could have a material adverse effect on Moody's reputation, its ability to attract and retain employees, its business, operating results and financial condition. --- ## Modified: The Company is Exposed to Legal, Economic, Operational and Regulatory Risks of Operating in Multiple Jurisdictions. **Key changes:** - Reworded sentence: "For example, global economic uncertainty, including in the Eurozone, affects the number of securities offerings undertaken within those particular areas." - Reworded sentence: "An entity that is subject to conflicting laws in multiple jurisdictions may need to determine a means to comply with such laws." **Prior (2025):** Moody's conducts operations in various countries outside the U.S. and derives a significant portion of its revenue from foreign sources. Changes in the economic condition of the various foreign economies in which the Company operates have an impact on the Company's business. For example, economic uncertainty in the Eurozone or elsewhere, including, but not limited to, in Latin America, China or the Middle East, affects the number of securities offerings undertaken within those particular areas. In addition to the risks addressed elsewhere in this section, operations abroad expose Moody's to a number of legal, economic and regulatory risks such as: -economic and geopolitical events and market conditions, such as the Russia-Ukraine military conflict and the military conflict in the Middle East, including the effect of these events and conditions on customers, customer retention and demands for our products and services; -fluctuations in interest rates and credit spreads, and exposure to exchange rate movements between foreign currencies and USD; -restrictions on the ability to convert local currency into USD and the costs, including the tax impact, of repatriating cash held by entities outside the U.S.; -U.S. laws affecting overseas operations, including domestic and foreign export and import restrictions, tariffs and other trade barriers and restrictions, such as those related to the U.S.'s relationship with China and embargoes and sanctions laws with respect to Russia, including the Russia-Ukraine military conflict. For example, U.S. economic sanctions have increasingly targeted Chinese persons. In response, China issued a blocking statute that establishes a framework for limiting the effect of foreign sanctions on Chinese persons. Blocking statutes typically create conflicts of law. An entity that is subject to conflicting MOODY'S 2024 10-K 27 MOODY'S 2024 10-K 27 MOODY'S 2024 10-K 27 **Current (2026):** Moody's conducts operations in various countries outside the U.S. and derives a significant portion of its revenue from foreign sources. Changes in the economic condition of the various foreign economies in which the Company operates have an impact on the Company's business. For example, global economic uncertainty, including in the Eurozone, affects the number of securities offerings undertaken within those particular areas. In addition to the risks addressed elsewhere in this section, operations abroad expose Moody's to a number of legal, economic and regulatory risks such as: -economic and geopolitical events and market conditions in countries where we have large employee populations, such as the ongoing tensions between India and Pakistan, and conflicts such as the Russia-Ukraine military conflict and the military conflicts in the Middle East, including the effect of these events and conditions on customers, customer retention and demands for our products and services; -fluctuations in interest rates and credit spreads, and exposure to exchange rate movements between foreign currencies and USD; -restrictions on the ability to convert local currency into USD and the costs, including the tax impact, of repatriating cash held by entities outside the U.S.; -U.S. laws affecting overseas operations, including domestic and foreign export and import restrictions, tariffs and other trade barriers and restrictions, such as those related to the U.S.'s relationship with China and embargoes and sanctions laws with respect to Russia, including the Russia-Ukraine military conflict. For example, U.S. economic sanctions have increasingly targeted Chinese persons. In response, China issued a blocking statute that establishes a framework for limiting the effect of foreign sanctions on Chinese persons. Blocking statutes typically create conflicts of law. An entity that is subject to conflicting laws in multiple jurisdictions may need to determine a means to comply with such laws. Such conflicts could eventually affect the ability of entities to adhere to applicable laws or continue to operate in certain jurisdictions; 24 MOODY'S 2025 10-K 24 MOODY'S 2025 10-K 24 MOODY'S 2025 10-K --- ## Modified: Table of Contents **Key changes:** - Removed sentence: "and regulatory requirements on MIS's business and its customers' businesses." - Removed sentence: "If these laws and regulations, and any future rulemaking or court rulings, reduce demand for credit ratings or increase costs, MIS may be unable to pass such costs through to customers." - Removed sentence: "Additionally, legislative and regulatory initiatives that apply to CRAs and credit markets generally may affect Moody's in a disproportionate manner." - Removed sentence: "Each of these developments increase the costs and legal risk associated with the issuance of credit ratings and can have a material adverse effect on Moody's operations, profitability and competitiveness, the demand for credit ratings and the manner in which such ratings are utilized." - Removed sentence: "Certain of MA's subscription products contain credit ratings data and related research produced by MIS, and often are used by MA customers for regulatory compliance purposes, including determination of capital charges and regulatory reporting." **Prior (2025):** and regulatory requirements on MIS's business and its customers' businesses. If these laws and regulations, and any future rulemaking or court rulings, reduce demand for credit ratings or increase costs, MIS may be unable to pass such costs through to customers. Additionally, legislative and regulatory initiatives that apply to CRAs and credit markets generally may affect Moody's in a disproportionate manner. Each of these developments increase the costs and legal risk associated with the issuance of credit ratings and can have a material adverse effect on Moody's operations, profitability and competitiveness, the demand for credit ratings and the manner in which such ratings are utilized. Moody's Analytics. Certain of MA's subscription products contain credit ratings data and related research produced by MIS, and often are used by MA customers for regulatory compliance purposes, including determination of capital charges and regulatory reporting. Regulations concerning the issuance of credit ratings and the activities of CRAs, including the dissemination of ratings data, are likely to continue to be considered in the future, including, for example, provisions regarding fair and reasonable availability of ratings data, the terms and conditions associated with such data feeds, remuneration for data and the nature of the information to be included in credit opinions. Other laws, regulations and rules are being considered or are likely to be considered in the future may impact MA products and services, for example, by requiring certain information to be provided free of charge. MA's other products and services, in particular its offering of products and services relating to sanctions, KYC and financial crime, are potentially subject to various laws and regulations affecting the collection, processing and sale of data-driven solutions. These laws and regulations generally are designed to protect information relating to individuals and small businesses, including information used for consumer credit reporting purposes, the data rights of individuals, and to prevent the unauthorized collection, access to and use of personal or confidential information available in the marketplace and prohibit certain deceptive and unfair acts. Additionally, refer to the risk factor entitled "The Company Is Exposed to Risks Related to Protection of Confidential and Personal Information." New laws and regulations are likely to be enacted and existing laws and regulations may change or be interpreted and applied differently over time and from jurisdiction to jurisdiction, and it is possible they will be interpreted and applied in ways that will materially and adversely affect our business. As a result of current and future laws and regulations, our customers' and other third parties' use of our products and services, as well as our use of information supplied by our suppliers and other third parties, can lead to regulatory inquiries or actions or related private litigation against us. Changes in the applicability of laws and regulations could require MA to modify its data processing practices and policies and restrict or dictate how MA collects, maintains, combines and disseminates information, which could have a material adverse effect on Moody's business, financial condition or results of operations. In the future, the Company may be subject to significant additional expense to ensure continued compliance with laws and regulations applicable to MA and to investigate, defend or remedy actual or alleged violations. Additionally, refer to the risk factor entitled "The Company Is Exposed to Risks Related to Protection of Confidential and Personal Information." Further, MA's bank and financial services customers are subject to additional regulatory oversight. For example: -U.S. banking regulators, including the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System and the Consumer Financial Protection Bureau, as well as many state agencies, have issued guidance to insured depository institutions and other providers of financial services on assessing and managing risks associated with third-party relationships, which include all business arrangements between a financial services provider and another entity, by contract or otherwise, and generally requires banks and financial services providers to exercise comprehensive oversight throughout each phase of a bank or financial service provider's business arrangement with third-party service providers, and instructs banks and financial service providers to adopt risk management processes commensurate with the level of risk and complexity of their third-party relationships. This guidance requires more rigorous oversight of third-party relationships that involve certain "critical activities." -Regulators in Europe and other foreign markets in which MA is active have issued guidance similar to that issued in the U.S. relating to financial institutions' assessment and management of risks associated with third-party relationships. For example, in December 2022, the EU adopted DORA, which will apply from early 2025 and will require EU financial institutions to have a comprehensive governance and control framework of the management of information and communications technology risks, including risks relating to third-party providers of technology and data such as MA. In light of this, MA's existing or potential bank and financial services customers subject to this guidance have sought to and may further revise their third-party risk management policies and processes and the terms on which they do business with MA. -In China, MA is licensed to provide subscriptions to credit research and ratings data and other information relevant to the financial markets. China has laws applicable to Moody's that are broadly crafted, and the implementation, interpretation and enforcement of such laws are subject to the broad discretion of Chinese regulators, which could affect the Company's ability to conduct business in China. The EU AI Act has introduced a risk-based framework for regulating AI systems which applies different obligations to various actors in the AI supply chain. These rules apply to, among others, product manufacturers incorporating AI systems into regulated products sold into the EU as well as to providers whose AI systems or their outputs are made available in the EU. This Act will increase costs to MA including cost of establishing processes and procedures around applicability and implementation of the Act's requirements for MA products and services. MA also faces a risk of cost of penalties or fines due to noncompliance. MOODY'S 2024 10-K 25 MOODY'S 2024 10-K 25 MOODY'S 2024 10-K 25 **Current (2026):** MA's other products and services, in particular its offering of products and services relating to sanctions, KYC and financial crime, are potentially subject to various laws and regulations affecting the collection, processing and sale of data-driven solutions. These laws and regulations generally are designed to protect information relating to individuals and small businesses, including information used for consumer credit reporting purposes, the data rights of individuals, and to prevent the unauthorized collection, access to and use of personal or confidential information available in the marketplace and prohibit certain deceptive and unfair acts. Additionally, refer to the risk factor entitled "The Company Is Exposed to Risks Related to Protection of Confidential and Personal Information." New laws and regulations are likely to be enacted and existing laws and regulations may change or be interpreted and applied differently over time and from jurisdiction to jurisdiction, and it is possible they will be interpreted and applied in ways that will materially and adversely affect our business. As a result of current and future laws and regulations, our customers' and other third parties' use of our products and services, as well as our use of information supplied by our suppliers and other third parties, can lead to regulatory inquiries or actions or related private litigation against us. The application of current and future laws relating to data access and portability may also require changes in the way that we contract for certain of our hosted data services and provide our customers of such services with the ability to terminate their relationships with us and port their data to alternative providers, and changes in the applicability of laws and regulations could require MA to modify its data processing practices and policies and restrict or dictate how MA collects, maintains, combines and disseminates information, which could have a material adverse effect on Moody's business, financial condition or results of operations. In the future, the Company may be subject to significant additional expense to ensure continued compliance with laws and regulations applicable to MA and to investigate, defend or remedy actual or alleged violations. Additionally, refer to the risk factor entitled "The Company Is Exposed to Risks Related to Protection of Confidential and Personal Information." Further, MA's bank and financial services customers are subject to additional regulatory oversight. For example: -U.S. banking regulators, including the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System and the Consumer Financial Protection Bureau, as well as many state agencies, have issued guidance to insured depository institutions and other providers of financial services on assessing and managing risks associated with third-party relationships, which include all business arrangements between a financial services provider and another entity, by contract or otherwise, and generally requires banks and financial services providers to exercise comprehensive oversight throughout each phase of a bank or financial service provider's business arrangement with third-party service providers, and instructs banks and financial service providers to adopt risk management processes commensurate with the level of risk and complexity of their third-party relationships. This guidance requires more rigorous oversight of third-party relationships that involve certain "critical activities." -Regulators in Europe and other foreign markets in which MA is active have issued guidance similar to that issued in the U.S. relating to financial institutions' assessment and management of risks associated with third-party relationships. For example, DORA requires EU financial institutions to have a comprehensive governance and control framework of the management of ICT risks, including risks relating to third-party providers of technology and data such as MA. In light of this, MA's existing or potential bank and financial services customers subject to this guidance have sought to and may further revise their third-party risk management policies and processes and the terms on which they do business with MA. -In China, MA is licensed to provide subscriptions to credit research and ratings data and other information relevant to the financial markets. China has laws applicable to Moody's that are broadly crafted, and the implementation, interpretation and enforcement of such laws are subject to the broad discretion of Chinese regulators, which could affect the Company's ability to conduct business in China. The EU AI Act has introduced a risk-based framework for regulating AI systems which applies different obligations to various participants in the AI supply chain. Compliance with the regulation, in its current form, could increase the Company's costs and expose it to the risk of penalties or fines for noncompliance; however, the ultimate impact of the EU AI Act on the Company remains uncertain, as the European Commission has proposed measures intended to reduce the regulatory burden on businesses. In addition, numerous other foreign jurisdictions and U.S. states have proposed or enacted legislation relating to the development and use of GenAI. Legal and regulatory developments can result in delayed or reduced sales to MA's customers, adversely affect MA's relationship with such customers, increase the costs of doing business with such customers and/or result in MA assuming greater financial and legal risk under its agreements with such customers. --- ## Modified: Table of Contents **Key changes:** - Reworded sentence: "-MIS is subject to formal regulation and periodic or other inspections in the EU and other foreign jurisdictions, such as, but not limited to, the U.K., Australia, Singapore, Japan, and Hong Kong, where it operates through registered subsidiaries." - Added sentence: "Certain products currently offered by MIS may fall into scope of the EU Regulation on ESG Rating Activities, which could impose new substantive and procedural requirements on MIS relating to those products similar to those applicable to credit ratings." - Added sentence: "In addition, EU CRAs are also subject to DORA, which imposes a range of requirements in relation to the management of ICT risk, regulatory reporting, testing and the management of risks related to ICT services provided by third-parties." - Reworded sentence: "These regulations could: -affect the need for debt securities to be rated; -expand supervisory remits to include credit ratings issued outside the home jurisdiction; -increase the level of competition for credit ratings, including the distribution of credit ratings; -establish criteria for credit ratings or limit the entities authorized to provide credit ratings; -restrict the collection, use, accuracy, correction and sharing of information by CRAs; or -regulate pricing (for example, to require fees that are based on costs and are non-discriminatory) on products and services provided by MA such as those products that incorporate credit ratings and research originated by MIS." - Reworded sentence: "It is difficult to accurately assess the future impact of legislative and regulatory requirements on MIS's business and its customers' businesses." **Prior (2025):** Moody's Investors Service. MIS operates in a highly regulated industry. The current U.S. laws and regulations relating to MIS, including the Reform Act and the Dodd-Frank Act: -seek to encourage, and may result in, increased competition among CRAs and in the credit rating business; -may result in alternatives to credit ratings, changes in the pricing of credit ratings, and/or diminished intellectual property protection relating to credit ratings and related research produced by MIS; -restrict the use of information in the development or maintenance of credit ratings; -increase regulatory oversight of the credit markets and CRA operations; -provide the SEC with direct jurisdiction over CRAs that seek NRSRO status, and grant authority to the SEC to inspect the operations of CRAs; and -provide for enhanced oversight standards and specialized pleading standards, which may result in increases in the number of legal proceedings claiming liability for losses suffered by investors on rated securities and aggregate legal defense costs. In addition to the extensive and evolving U.S. laws and regulations governing the credit rating industry, foreign jurisdictions have taken measures to regulate CRAs and the markets for credit ratings that significantly impact the operations and the markets for the Company's ratings-related products and services. In particular, the EU has adopted a common regulatory framework for CRAs operating in the EU, continues to monitor the credit rating industry and analyze approaches that may strengthen existing regulation. The U.K. also has adopted a regulatory framework for CRAs that is based on the EU version. Credit ratings emanating from outside the EU are subject to ESMA's oversight if they are endorsed into the EU, and ratings endorsed into the U.K. are similarly subject to oversight of the FCA. Additionally, other foreign jurisdictions, such as Australia and Hong Kong and China, have taken measures to increase regulation of CRAs and markets for credit ratings. A failure to comply with these procedural and substantive requirements also exposes MIS to the risk of regulatory enforcement action which could result in financial penalties or, in serious cases, affect its ability to conduct credit rating activities in certain jurisdictions. For example: -MIS is subject to formal regulation and periodic or other inspections in the EU and other foreign jurisdictions, such as, but not limited to, the U.K., Australia, Singapore, Japan, and Hong Kong, where it operates through registered subsidiaries. -In the EU and the U.K., applicable rules include procedural requirements with respect to credit ratings of sovereign issuers, liability for intentional or grossly negligent failure to abide by applicable regulations, mandatory analyst rotation requirements, and restrictions on CRAs or their shareholders if certain ownership thresholds are crossed. Additional procedural and substantive requirements include conditions for the issuance of credit ratings, rules regarding the organization of CRAs, restrictions on activities deemed to create a conflict of interest, including requirements that fees be based on costs and non-discriminatory, special requirements for credit ratings of structured finance instruments. -In Hong Kong, applicable rules include liability for the intentional or negligent dissemination of false and misleading information and procedural requirements for the notification of certain matters to regulators. In addition, MIS Hong Kong is subject to a code of conduct applicable to CRAs that imposes procedural and substantive requirements on the preparation and issuance of credit ratings, restrictions on activities deemed to create a conflict of interest including the disclosure of its compensation arrangements with rated entities and special requirements for credit ratings of structured finance instruments. -In China, while MIS is not a licensed CRA, it does issue global credit ratings on Chinese issuers from offices outside of China. In addition, the Company holds a 30% investment in CCXI, a domestic CRA licensed in China. China has laws applicable to domestic CRAs as well as foreign investment in such entities and entities in general (including national security review). -In Australia, unless an exemption applies, CRAs are required to hold an Australian financial services license (AFSL) if they carry on a business of providing credit ratings in Australia. MIS Australia holds an AFSL authorizing it to provide general advice to wholesale clients only by issuing a credit rating. It is therefore required to comply with obligations as an AFSL holder including the requirement to provide financial services efficiently, honestly, and fairly, to manage conflicts of interest, and to comply with the conditions of its AFSL (which conditions include specific conditions about credit ratings). Future laws and regulations could extend to products and services not currently regulated. These regulations could: -affect the need for debt securities to be rated; -expand supervisory remits to include credit ratings issued outside the home jurisdiction; -increase the level of competition for credit ratings, including the distribution of credit ratings; -establish criteria for credit ratings or limit the entities authorized to provide credit ratings; -restrict the collection, use, accuracy, correction and sharing of information by CRAs; or -regulate pricing (for example to require fees that are based on costs and are non-discriminatory) on products and services provided by MA such as those products that incorporate credit ratings and research originated by MIS. In turn, such developments may affect MIS's communications with issuers as part of the rating assignment process, alter the manner in which MIS's credit ratings are developed, assigned and communicated, affect the manner in which MIS or its customers or users of credit ratings operate, impact the demand for MIS's credit ratings or alter the economics of the credit ratings business, including by restricting or mandating business models for CRAs. It is difficult to accurately assess the future impact of legislative 24 MOODY'S 2024 10-K 24 MOODY'S 2024 10-K 24 MOODY'S 2024 10-K **Current (2026):** -MIS is subject to formal regulation and periodic or other inspections in the EU and other foreign jurisdictions, such as, but not limited to, the U.K., Australia, Singapore, Japan, and Hong Kong, where it operates through registered subsidiaries. -In the EU and the U.K., applicable rules include procedural requirements with respect to credit ratings of sovereign issuers, liability for intentional or grossly negligent failure to abide by applicable regulations, mandatory analyst rotation requirements, and restrictions on CRAs or their shareholders if certain ownership thresholds are crossed. Additional procedural and substantive requirements include conditions for the issuance of credit ratings, rules regarding the organization of CRAs, restrictions on activities deemed to create a conflict of interest, including requirements that fees be based on costs and non-discriminatory, special requirements for credit ratings of structured finance instruments. Certain products currently offered by MIS may fall into scope of the EU Regulation on ESG Rating Activities, which could impose new substantive and procedural requirements on MIS relating to those products similar to those applicable to credit ratings. In addition, EU CRAs are also subject to DORA, which imposes a range of requirements in relation to the management of ICT risk, regulatory reporting, testing and the management of risks related to ICT services provided by third-parties. -In Hong Kong, applicable rules include liability for the intentional or negligent dissemination of false and misleading information and procedural requirements for the notification of certain matters to regulators. In addition, MIS Hong Kong is subject to a code of conduct applicable to CRAs that imposes procedural and substantive requirements on the preparation and issuance of credit ratings, restrictions on activities deemed to create a conflict of interest including the disclosure of its compensation arrangements with rated entities and special requirements for credit ratings of structured finance instruments. -In China, while MIS is not a licensed CRA, it does issue global credit ratings on Chinese issuers from offices outside of China. In addition, the Company holds a 30% investment in CCXI, a domestic CRA licensed in China. China has laws applicable to domestic CRAs as well as foreign investment in such entities and entities in general (including national security review). -In Australia, unless an exemption applies, CRAs are required to hold an Australian financial services license (AFSL) if they carry on a business of providing credit ratings in Australia. MIS Australia holds an AFSL authorizing it to provide general advice to wholesale clients only by issuing a credit rating. It is therefore required to comply with obligations as an AFSL holder including the requirement to provide financial services efficiently, honestly, and fairly, to manage conflicts of interest, and to comply with the conditions of its AFSL (which conditions include specific conditions about credit ratings). Future laws and regulations could extend to products and services not currently regulated. These regulations could: -affect the need for debt securities to be rated; -expand supervisory remits to include credit ratings issued outside the home jurisdiction; -increase the level of competition for credit ratings, including the distribution of credit ratings; -establish criteria for credit ratings or limit the entities authorized to provide credit ratings; -restrict the collection, use, accuracy, correction and sharing of information by CRAs; or -regulate pricing (for example, to require fees that are based on costs and are non-discriminatory) on products and services provided by MA such as those products that incorporate credit ratings and research originated by MIS. In turn, such developments may affect MIS's communications with issuers as part of the rating assignment process, alter the manner in which MIS's credit ratings are developed, assigned and communicated, affect the manner in which MIS or its customers or users of credit ratings operate, impact the demand for MIS's credit ratings or alter the economics of the credit ratings business, including by restricting or mandating business models for CRAs. It is difficult to accurately assess the future impact of legislative and regulatory requirements on MIS's business and its customers' businesses. If these laws and regulations, and any future rulemaking or court rulings, reduce demand for credit ratings or increase costs, MIS may be unable to pass such costs through to customers. Additionally, legislative and regulatory initiatives that apply to CRAs and credit markets generally may affect Moody's in a disproportionate manner. Each of these developments increases the costs and legal risk associated with the issuance of credit ratings and can have a material adverse effect on Moody's operations, profitability and competitiveness, the demand for credit ratings and the manner in which such ratings are utilized. Moody's Analytics. Certain of MA's subscription products contain credit ratings data and related research produced by MIS, and often are used by MA customers for regulatory compliance purposes, including determination of capital charges and regulatory reporting. Regulations concerning the issuance of credit ratings and the activities of CRAs, including the dissemination of ratings data, are likely to continue to be considered in the future, including, for example, provisions regarding fair and reasonable availability of ratings data, the terms and conditions associated with such data feeds, remuneration for data and the nature of the information to be included in credit opinions. Other laws, regulations and rules that are being considered or are likely to be considered in the future may impact MA products and services, for example, by requiring certain information to be provided free of charge. MOODY'S 2025 10-K 21 MOODY'S 2025 10-K 21 MOODY'S 2025 10-K 21 --- ## Modified: Table of Contents **Key changes:** - Reworded sentence: "others may develop alternative, proprietary systems for assessing risk, including credit and climate risk." **Prior (2025):** competes indirectly against consulting firms and technology and information providers, some of whom are also suppliers to Moody's; these indirect competitors could in the future choose to compete directly with Moody's, cease doing business with Moody's or change the terms under which they do business with Moody's in a way that could negatively impact our business. In addition, customers or others may develop alternative, proprietary systems for assessing risk, including credit and climate risk. Such developments could affect demand for Moody's products and services and its growth prospects. Further, the increased availability in recent years of free or relatively inexpensive information, online and through the use of Gen AI, may reduce the demand for Moody's products and services. Moody's growth prospects and operating margins also could be adversely affected by Moody's failure to make necessary or optimal capital infrastructure expenditures and improvements and the inability of its information technologies to provide adequate capacity and capabilities to meet increased demands of producing quality ratings and research products at levels achieved by competitors. Any inability of Moody's to compete successfully may have a material adverse effect on its business, operating results and financial condition. **Current (2026):** others may develop alternative, proprietary systems for assessing risk, including credit and climate risk. Such developments could affect demand for Moody's products and services and its growth prospects. Further, the increased availability in recent years of free or relatively inexpensive information, online and through the use of Gen AI, may reduce the demand for Moody's products and services. Moody's growth prospects and operating margins also could be adversely affected by Moody's failure to make necessary or optimal capital infrastructure expenditures and improvements and the inability of its information technologies to provide adequate capacity and capabilities to meet increased demands of producing quality ratings and research products at levels achieved by competitors. Any inability of Moody's to compete successfully may have a material adverse effect on its business, operating results and financial condition. --- ## Modified: The Introduction of Competing Products, Technologies or Services by Other Companies Can Negatively Impact the Nature and Economics of the Company's Business. **Key changes:** - Reworded sentence: "The ability to develop, successfully launch and maintain innovative products, technologies and services that anticipate customers' and investors' changing requirements and utilize emerging technological trends in a timely and cost-effective manner is a key factor in maintaining a competitive market position." - Reworded sentence: "Competitors may develop quantitative methodologies or related services, including services based on Gen AI or utilizing agentic AI workflows, for assessing credit or climate risk that customers and market participants may deem preferable, more cost-effective or more valuable than the risk assessment methods currently employed by Moody's." **Prior (2025):** The markets for credit ratings, research, credit risk management services, business intelligence and analytical services are highly competitive and characterized by rapid technological change, including change based on our Gen AI offerings, disruption by the Gen AI offerings of others, changes in customer and investor demands, and evolving regulatory requirements, industry standards and market preferences. The ability to develop and successfully launch and maintain innovative products, technologies and services that anticipate customers' and investors' changing requirements and utilize emerging technological trends in a timely and cost-effective manner is a key factor in maintaining a competitive market position. Moody's competitors include both established companies with significant financial resources, brand recognition, market experience and technological expertise, and smaller companies which may be more agile and better poised to quickly adopt new or emerging technologies or respond to customer requirements. Competitors may develop quantitative methodologies or related services, including services based on Gen AI, for assessing credit risk that customers and market participants may deem preferable, more cost-effective or more valuable than the credit risk assessment methods currently employed by Moody's, or may position, price or market their products in manners that differ from those utilized by Moody's. The increased presence of Gen AI in the market could also lead to increased expectations from customers and market participants that higher quality information will be delivered on advanced timelines. Moody's also MOODY'S 2024 10-K 29 MOODY'S 2024 10-K 29 MOODY'S 2024 10-K 29 **Current (2026):** The markets for credit ratings, research, credit risk management services, business intelligence and analytical services are highly competitive and characterized by rapid technological change, including change based on our Gen AI offerings, disruption by the Gen AI offerings of others, changes in customer and investor demands, and evolving regulatory requirements, industry standards and market preferences. The ability to develop, successfully launch and maintain innovative products, technologies and services that anticipate customers' and investors' changing requirements and utilize emerging technological trends in a timely and cost-effective manner is a key factor in maintaining a competitive market position. Moody's competitors include both established companies with significant financial resources, brand recognition, market experience and technological expertise, and smaller companies which may be more agile and better poised to quickly adopt new or emerging technologies or respond to customer requirements. Competitors may develop quantitative methodologies or related services, including services based on Gen AI or utilizing agentic AI workflows, for assessing credit or climate risk that customers and market participants may deem preferable, more cost-effective or more valuable than the risk assessment methods currently employed by Moody's. Moody's also competes indirectly against consulting firms and technology and information providers, some of whom are also suppliers to Moody's; these indirect competitors could in the future choose to compete directly with Moody's, cease doing business with Moody's or change the terms under which they do business with Moody's in a way that could negatively impact our business. In addition, customers or 26 MOODY'S 2025 10-K 26 MOODY'S 2025 10-K 26 MOODY'S 2025 10-K --- ## Modified: The Company Is Dependent on the Use of Third-Party Software, Data, Hosted Solutions, Data Centers, Cloud and Network Infrastructure (Together, the "Third-Party Technology"), and Any Reduction in Third-Party Product Quality or Service Offerings, Could Have a Material Adverse Effect on the Company's Business, Financial Condition or Results of Operations. **Key changes:** - Reworded sentence: "The Third-Party Technology Moody's uses can become obsolete or restrictive, incompatible with future versions of the 30 MOODY'S 2025 10-K 30 MOODY'S 2025 10-K 30 MOODY'S 2025 10-K" **Prior (2025):** Moody's relies on Third-Party Technology in connection with its product development and offerings and operations. The Company depends on the ability of Third-Party Technology providers to deliver and support reliable products, provide sufficient cloud computing capacity to meet demand, enhance their current products, develop new products on a timely and cost-effective basis, provide data necessary to develop and maintain its products and respond to emerging industry standards and other technological changes. The Third-Party Technology Moody's uses can become obsolete or restrictive, incompatible with future versions of the Company's products, fail to be comprehensive or accurate, unavailable or fail to operate effectively, and Moody's business could be adversely affected when the Company is unable to timely or effectively replace such Third-Party Technology. In addition, certain aspects of the Company's business rely on a concentrated group of vendors, and a cybersecurity breach or event and/or an error caused by one or more of such vendors could have a significant impact on the Company's operations, as well as the operations of the Company's customers and other Third-Party Technology. The Company also monitors its use of Third-Party Technology to comply with applicable license and other contractual requirements. Despite the Company's efforts, the Company cannot ensure that such third parties will permit Moody's use in the future, resulting in increased Third-Party Technology acquisition costs and loss of rights. In addition, the Company's operating costs could increase if license or other usage fees for Third-Party Technology increase or the efforts to incorporate enhancements to Third-Party Technology are substantial. Some of these third-party suppliers are also Moody's competitors, increasing the risks noted above. In the ordinary course, third-parties, including the Company's vendors, are subject to various forms of cyber-attacks or security incidents. Vulnerabilities in our vendors' software, system or networks or failure of their safeguards, policies or procedures may cause material interruptions to Moody's or our vendors' websites, applications, or data processing, or could compromise the confidentiality or integrity of the impacted information. Additionally, the Company may be exposed to additional threats as the Company migrates its data from legacy systems to cloud-based solutions, and becomes increasingly dependent on third parties to store cloud-based data subjects. To date, such attacks have not resulted in a material adverse impact to Moody's business operations, but there can be no guarantee the Company will not experience such an impact in the future. If any of these risks materialize, they could have a material adverse effect on the Company's business, financial condition or results of operations. **Current (2026):** Moody's relies on Third-Party Technology in connection with its product development and offerings and operations. The Company depends on the ability of Third-Party Technology providers to deliver and support reliable products, provide sufficient cloud computing capacity to meet demand, enhance their current products, develop new products on a timely and cost-effective basis, provide data necessary to develop and maintain its products and respond to emerging industry standards and other technological changes. The Third-Party Technology Moody's uses can become obsolete or restrictive, incompatible with future versions of the 30 MOODY'S 2025 10-K 30 MOODY'S 2025 10-K 30 MOODY'S 2025 10-K --- ## Modified: The Company Is Exposed to Risks Related to Cybersecurity and Protection of Confidential Information. **Key changes:** - Reworded sentence: "The Company's operations rely on the secure access to and processing, storage and transmission of confidential, sensitive, proprietary and other types of information." - Reworded sentence: "Unauthorized disclosure of the foregoing information could cause our customers to lose faith in our ability to protect their confidential information, affecting the trading of their securities, damage their reputations or competitive positions and therefore cause customers to cease doing business with us, and potentially expose us to risk of litigation or investigations and penalties from data protection or other regulators." - Reworded sentence: "Cyber-attacks targeting Moody's or Moody's vendors' technology and systems, whether from circumvention of security systems, exploitation of security vulnerabilities, denial-of-service attacks, ransomware, malware, hacking, social engineering or "phishing" attacks, deepfake attacks, computer viruses, employee or insider threats, malfeasance, supply chain attacks, physical breaches, vendor email compromise, payment fraud or other cyber-attacks some of which may be carried out by state-sponsored actors, may result in unauthorized access, exfiltration, manipulation, encryption or corruption of sensitive data, material interruptions or malfunctions in the Company's or such vendors' web sites or systems, applications, data processing, or disruption of other business operations." - Reworded sentence: "The Company has implemented administrative, technical, and physical measures to detect, prevent and respond to unauthorized activity, but such precautions may not be successful." - Reworded sentence: "MOODY'S 2025 10-K 29 MOODY'S 2025 10-K 29 MOODY'S 2025 10-K 29" **Prior (2025):** The Company's operations rely on the secure processing, storage and transmission of confidential, sensitive, proprietary and other types of information. Such information relates to its business operations and confidential and sensitive information about its customers and employees in the Company's computer systems and networks, and in those of its third-party vendors. The Company also often has access to MNPI and other confidential information concerning its customers, including public and private companies, sovereigns, and other third parties, and their customers, suppliers or transaction counterparties. Unauthorized disclosure of the foregoing information could cause our customers to lose faith in our ability to protect their confidential information, affecting the trading of their securities, damage their reputations or competitive positions and therefore cause customers to cease doing business with us, and potentially expose us to risk of litigation. The risks the Company faces range from cyber-attacks common to most industries, to more advanced threats that target the Company because of its prominence in the global marketplace, or due to its ratings of sovereign debt and corporate issuers. The Company and its third-party service providers, including our vendors, regularly experience cyber-attacks and data breaches of varying degrees. Cyber-attacks targeting Moody's or Moody's vendors' technology and systems, whether from circumvention of security systems, denial-of-service attacks, ransomware, malware, hacking, social engineering or "phishing" attacks, deepfake attacks, computer viruses, employee or insider threats, malfeasance, supply chain attacks, physical breaches, vendor email compromise, payment fraud or other cyber-attacks some of which may be carried out by state-sponsored actors, may result in unauthorized access, exfiltration, manipulation or corruption of sensitive data, material interruptions or malfunctions in the Company's or such vendors' web sites or systems, applications, data processing, or disruption of other business operations. Such events may compromise the confidentiality, integrity, or availability of material information held by the Company (including information about Moody's business, employees or customers), as well as other sensitive data, including personally identifiable information, the disclosure of which could lead to identity theft. The Company's MNPI concerning customers and clients could be improperly used by authorized or unauthorized parties, including for insider trading. The Company has implemented administrative, technical, and physical measures to detect and prevent unauthorized activity, but such precautions may not be successful. As the Company has grown and acquired businesses, IT guidelines have been developed and applied within business units or inherited from legacy organizations, which can result in internal differences in the Company's approach to IT standards until acquired entities are integrated. This creates a risk of developing unintended vulnerabilities and could result in additional costs, difficulty meeting new regulatory standards, or failing to meet customer expectations. The Company may be exposed to additional threats as it migrates its data from legacy systems to cloud-based solutions, and increased dependence on third-parties to store cloud-based data subjects the Company to further cyber risks. Further, many of our employees work remotely, which magnifies the importance of the integrity of our remote access security measures and may expose the Company to additional cyber risks. The Company has invested and continues to invest in risk management and information security measures in order to protect its systems and data, including employee training, disaster plans, and technical defenses. Although Moody's devotes significant resources to maintain and regularly update such systems and processes, measures that Moody's takes to avoid, detect, mitigate or recover from material incidents can be expensive, and may be insufficient, circumvented, or may become ineffective. Further, Moody's relies on third-party technical subject matter experts to assist in managing its cyber security risk management processes. While Moody's employs such third parties to assist in strengthening its cybersecurity defenses, there can be no guarantee that any action taken as advised by such third party will be adequate or sufficient to address the evolving threat landscape. Additionally, any measures that Moody's takes in connection with such third parties to avoid, detect, mitigate or recover from material cyber security threats or incidents can be expensive, and may be insufficient, circumvented, or may become ineffective. Additionally, the cost and operational consequences of implementing, maintaining and enhancing further data or system protection measures could increase significantly to overcome increasingly intense, complex and sophisticated global cyber threats. Gen AI has contributed to an increase in the prevalence and sophistication of cyber threats, expanding the Company's exposure to disruptions. Despite the Company's best efforts, it is not fully insulated from, and has in the past experienced, security threats and system disruptions. Although past incidents have not had a material adverse effect on the Company's operating results, there can be no assurance of a similar result in the future. Because the methods used for these systems cyberattacks are rapidly changing, the Company or its third-party vendors, despite significant focus and investment, may be unable to anticipate and/or deploy sufficient protections against such incidents. Further, the extent of a particular security incident and the steps needed to investigate may not be immediately clear, and it may take a significant amount of time before such an investigation can be completed and full and reliable information about the incident, including the extent of the harm and how best to remediate it, is known. Recent well-publicized security breaches at other companies have led to enhanced government and regulatory scrutiny of the measures taken by companies to protect against cyber-attacks, and may in the future result in heightened cybersecurity compliance requirements, including additional regulatory expectations for oversight of third-party vendors and service providers. Cybersecurity incidents, including the accidental loss, inadvertent disclosure or unapproved dissemination of proprietary information or sensitive or 32 MOODY'S 2024 10-K 32 MOODY'S 2024 10-K 32 MOODY'S 2024 10-K **Current (2026):** The Company's operations rely on the secure access to and processing, storage and transmission of confidential, sensitive, proprietary and other types of information. Such information relates to its business operations and confidential and sensitive information about its customers and employees in the Company's computer systems and networks, and in those of its third-party vendors. The Company also often has access to MNPI and other confidential information concerning its customers, including public and private companies, sovereigns, and other third parties, and their customers, suppliers or transaction counterparties. Unauthorized disclosure of the foregoing information could cause our customers to lose faith in our ability to protect their confidential information, affecting the trading of their securities, damage their reputations or competitive positions and therefore cause customers to cease doing business with us, and potentially expose us to risk of litigation or investigations and penalties from data protection or other regulators. The risks the Company faces range from cyber-attacks common to most industries, to more advanced threats that target the Company because of its prominence in the global marketplace, or due to its ratings of sovereign debt and corporate issuers. The Company and its third-party service providers, including our vendors, regularly experience cyber-attacks and data breaches of varying degrees. Cyber-attacks targeting Moody's or Moody's vendors' technology and systems, whether from circumvention of security systems, exploitation of security vulnerabilities, denial-of-service attacks, ransomware, malware, hacking, social engineering or "phishing" attacks, deepfake attacks, computer viruses, employee or insider threats, malfeasance, supply chain attacks, physical breaches, vendor email compromise, payment fraud or other cyber-attacks some of which may be carried out by state-sponsored actors, may result in unauthorized access, exfiltration, manipulation, encryption or corruption of sensitive data, material interruptions or malfunctions in the Company's or such vendors' web sites or systems, applications, data processing, or disruption of other business operations. Such events may compromise the confidentiality, integrity, or availability of material information held by the Company (including information about Moody's business, employees or customers), as well as other sensitive data, including personally identifiable information, the disclosure of which could lead to identity theft. The Company's MNPI concerning customers and clients could be improperly used by authorized or unauthorized parties, including for insider trading. The Company has implemented administrative, technical, and physical measures to detect, prevent and respond to unauthorized activity, but such precautions may not be successful. As the Company has grown and acquired businesses, IT guidelines have been developed and applied within business units or inherited from legacy organizations, which can result in internal differences in the Company's approach to IT standards until acquired entities are integrated. This creates a risk of developing unintended vulnerabilities and could result in additional costs, difficulty meeting new regulatory standards, or failing to meet customer expectations. The Company may be exposed to additional threats as it migrates its data from legacy systems to cloud-based solutions, and increased dependence on third-parties to store cloud-based data subjects the Company to further cyber risks. Further, many of our employees work remotely, which magnifies the importance of the integrity of our remote access security measures and may expose the Company to additional cyber risks. MOODY'S 2025 10-K 29 MOODY'S 2025 10-K 29 MOODY'S 2025 10-K 29 --- ## Modified: Our Reputation or Business Could Be Negatively Impacted by Sustainability Matters and Our Reporting of Such Matters **Key changes:** - Reworded sentence: "Over the past several years, both in the United States and internationally, regulators, certain investors and other stakeholders have focused on various sustainability matters, including environmental impact, human capital, and human rights." - Reworded sentence: "We could be subject to litigation or regulatory enforcement actions regarding the accuracy, sufficiency or completeness of our sustainability-related disclosures." **Prior (2025):** Over the past several years, both in the United States and internationally, regulators, certain investors and other stakeholders have focused on various environmental, social policy, human rights, and other sustainability matters. We communicate certain sustainability initiatives, goals and commitments (including with respect to environmental matters, social matters and other matters), in our various public disclosures, Task Force on Climate-related Financial Disclosures Report, on our website, in our filings with the SEC and elsewhere. These goals or commitments could be challenging to achieve and costly to implement, and could result in scrutiny, criticism or claims from certain stakeholders, including governmental authorities, regulators, shareholders and customers that could negatively impact our business or reputation. Furthermore, MIS incorporates climate and other sustainability-related risks in its rating process, which also could cause reputational risk or could lead to litigation. The Company could fail to achieve, or be perceived to fail to achieve, our net zero 2040 commitment or other sustainability-related initiatives, goals or commitments. Furthermore, we could be criticized for the timing, scope or nature of these initiatives, goals or commitments, or for any changes to them. To the extent that our required and voluntary disclosures about such sustainability matters increase, we could be criticized for the accuracy, sufficiency or completeness of such disclosures. We could be subject to litigation or regulatory enforcement actions regarding the accuracy, sufficiency or completeness of our sustainability-related 30 MOODY'S 2024 10-K 30 MOODY'S 2024 10-K 30 MOODY'S 2024 10-K **Current (2026):** Over the past several years, both in the United States and internationally, regulators, certain investors and other stakeholders have focused on various sustainability matters, including environmental impact, human capital, and human rights. We communicate our goals and initiatives related to these matters via various public disclosures available on our website, in our filings with the SEC, and elsewhere. Failure to achieve these goals or complete initiatives could result in scrutiny, criticism or claims from certain stakeholders, including governmental authorities, regulators, shareholders and customers that could negatively impact our business or reputation. Furthermore, MIS incorporates climate and other sustainability-related risks in its rating process, which also could cause reputational risk or could lead to regulatory action or litigation. Several regulatory oversight regimes for ESG ratings providers which may impose new regulatory requirements on Moody's include the EU regulation on the transparency and integrity of ESG rating activities, adopted by the European Parliament and Council in November 2024 and published in the Official Journal of the EU in December 2024, or draft legislation published by the United Kingdom in 2024 to empower the FCA to supervise ESG rating providers. The Company could fail to achieve, or be perceived to fail to achieve, our sustainability-related initiatives, goals or commitments. Furthermore, we could be criticized for the timing, scope or nature of these initiatives, goals or commitments, or for any changes to them. To the extent that our required and voluntary disclosures about such sustainability matters increase, we could be criticized for the accuracy, sufficiency or completeness of such disclosures. We could be subject to litigation or regulatory enforcement actions regarding the accuracy, sufficiency or completeness of our sustainability-related disclosures. Our pursuit of, or MOODY'S 2025 10-K 27 MOODY'S 2025 10-K 27 MOODY'S 2025 10-K 27 --- ## Modified: Moody's Faces Risks Related to Intellectual Property Rights. **Key changes:** - Reworded sentence: "We also incorporate third-party software, including open-source software components, in certain of our products and services." **Prior (2025):** Moody's considers many aspects of its products and services to be proprietary. Failure to protect the Company's intellectual property adequately could harm its reputation and affect the Company's ability to compete effectively. Businesses the Company acquires also involve intellectual property portfolios, which increase the challenges the Company faces in protecting its strategic advantage. In addition, the Company's operating results can be adversely affected by inadequate or changing legal and technological protections for intellectual property and proprietary rights in some jurisdictions and markets, including if and how rights in these markets evolve to address unauthorized or unintended use of intellectual property from new technologies like Gen AI. The lack of strong legal and technological intellectual property protections in foreign jurisdictions in which we operate may increase our vulnerability and may pose risks to our business. From time to time, laws are passed that require publication of certain information, in some cases at no cost, that the Company considers to be its intellectual property and that it currently sells or licenses for a fee, which could result in lost revenue. 26 MOODY'S 2024 10-K 26 MOODY'S 2024 10-K 26 MOODY'S 2024 10-K **Current (2026):** Moody's considers many aspects of its products and services to be proprietary. Failure to protect the Company's intellectual property adequately could harm its reputation and affect the Company's ability to compete effectively. Businesses the Company acquires also involve intellectual property portfolios, which increase the challenges the Company faces in protecting its strategic advantage. In addition, the Company's operating results can be adversely affected by inadequate or changing legal and technological protections for intellectual property and proprietary rights in some jurisdictions and markets, including if and how rights in these markets evolve to address unauthorized or unintended use of intellectual property from new technologies like Gen AI. The lack of strong legal and technological intellectual property protections in foreign jurisdictions in which we operate may increase our vulnerability and may pose risks to our business. From time to time, laws are passed that require publication of certain information, in some cases at no cost, that the Company considers to be its intellectual property and that it currently sells or licenses for a fee, which could result in lost revenue. We also incorporate third-party software, including open-source software components, in certain of our products and services. Our reliance on third-party and open-source software exposes us to risks of non-compliance, including potential audits, litigation, injunctions, and the forced disclosure of our proprietary intellectual property, which could materially impact our financial results and operations. Unauthorized third parties may also try to obtain and use technology or other information that the Company regards as proprietary. It is also possible that Moody's competitors or other entities could obtain patents or other intellectual property rights related to the types of products and services that Moody's offers, and attempt to require Moody's to stop developing or marketing the products or services, to modify or redesign the products or services to avoid infringing, or to obtain licenses from the holders of the intellectual property in order to continue developing and marketing the products and services. Even if Moody's attempts to assert or protect its intellectual property rights through litigation, it may require considerable cost, time and resources to do so, and there is no guarantee that the Company will be successful. The Company's ability to establish, maintain and protect its intellectual MOODY'S 2025 10-K 23 MOODY'S 2025 10-K 23 MOODY'S 2025 10-K 23 --- ## Modified: The Company Faces Exposure to Litigation and Government Regulatory Proceedings, Investigations and Inquiries (Including Competition Market Studies) Related to Rating Opinions, Analytics Services and Other Business Practices. **Key changes:** - Reworded sentence: "Moody's may face additional government investigations and inquiries related to the private credit 22 MOODY'S 2025 10-K 22 MOODY'S 2025 10-K 22 MOODY'S 2025 10-K" **Prior (2025):** Moody's faces exposure to litigation and government and regulatory proceedings, investigations and inquiries (including market studies) related to MIS's ratings actions, as well as other business practices and products within both MIS and MA. When the market value of credit-dependent instruments has declined or defaults have occurred, whether as a result of difficult economic times, rapid changes in interest rates, decreased liquidity, turbulent markets or otherwise, the number of investigations and legal proceedings that Moody's has faced has increased significantly. Parties who invest in securities rated by MIS or issued by MIS-rated entities have pursued claims against MIS or Moody's for losses they faced in their portfolios. For instance, Moody's faced numerous class action lawsuits and other litigation, government investigations and inquiries (including market studies) concerning events linked to the U.S. subprime residential mortgage sector and broader deterioration in the credit markets during and after the financial crisis of 2007-2008. Evolving and/or inconsistent expectations regarding climate-risk and other sustainability disclosures and reporting could also result in increased regulatory scrutiny and new regulatory actions at a corporate and business unit level. MA's offering of products and services relating to sanctions, KYC and financial crime may result in increased regulatory scrutiny and could expose the Company to increased risk of litigation from data subjects and other third-parties, including due to potential inaccuracies in the products and services we offer, as well as regulatory recordkeeping requirements associated with our services. Additionally, as Moody's develops its Gen AI product offerings and/or increases its use of Gen AI, the Company may face increased regulatory scrutiny and exposure to increased litigation. Legal proceedings and regulatory inquiries and investigations impose additional expenses on the Company and require the attention of senior management to an extent that may significantly reduce their ability to devote time to addressing other business issues, and any of these proceedings, investigations or inquiries (including market studies) could ultimately result in adverse judgments, damages, fines, penalties or activity restrictions. Risks relating to legal proceedings are heightened in foreign jurisdictions that lack the legal protections or liability standards comparable to those that exist in the U.S. In addition, new laws and regulations have been and may continue to be enacted that establish lower liability standards, shift the burden of proof or relax pleading requirements, thereby increasing the risk of successful litigations in the U.S. and in foreign jurisdictions. These litigation risks are often difficult to assess or quantify. Moody's may not have adequate insurance or reserves to cover these risks, and the existence and magnitude of these risks often remain unknown for substantial periods of time. Furthermore, when Moody's is unable to achieve dismissals at an early stage and litigation matters proceed to trial, the aggregate legal defense costs incurred by Moody's increase substantially, as does the risk of an adverse outcome. Additionally, as litigation or the process to resolve pending matters progress, Moody's will continue to review the latest information available and may change its accounting estimates, which could require Moody's to record or increase liabilities in the consolidated financial statements in future periods. See Note 21 to the consolidated financial statements for more information regarding ongoing investigations and civil litigation that the Company currently faces. Due to the potential number of these proceedings and the significant amount of damages that could be sought, there is a risk that Moody's will be subject to judgments, settlements, fines, penalties or other adverse results that have a material adverse effect on its business, operating results and financial condition. **Current (2026):** Moody's faces exposure to litigation and government and regulatory proceedings, investigations and inquiries (including market studies) related to MIS's ratings actions, as well as other business practices and products within both MIS and MA. When the market value of credit-dependent instruments has declined or defaults have occurred, whether as a result of difficult economic times, rapid changes in interest rates, decreased liquidity, turbulent markets or otherwise, the number of investigations and legal proceedings that Moody's has faced has increased significantly. Parties who invest in securities rated by MIS or issued by MIS-rated entities have pursued claims against MIS or Moody's for losses they faced in their portfolios. For instance, Moody's faced numerous class action lawsuits and other litigation, government investigations and inquiries (including market studies) concerning events linked to the U.S. subprime residential mortgage sector and broader deterioration in the credit markets during and after the financial crisis of 2007-2008. Moody's may face additional government investigations and inquiries related to the private credit 22 MOODY'S 2025 10-K 22 MOODY'S 2025 10-K 22 MOODY'S 2025 10-K --- ## Modified: Moody's Faces Risks Related to Laws and Regulations that Affect the Financial Industry, Including the Credit Rating Industry, Moody's Businesses and Moody's Customers. **Key changes:** - Reworded sentence: "Additionally, in the U.S., changes in the Presidential administration, changes in Congress, and recent judicial actions may increase the uncertainty with regard to potential changes in these laws and regulations and the enforcement of any new or existing legislation or directives by government authorities." - Reworded sentence: "Speculation concerning the impact of legislative, regulatory and government initiatives, including initiatives related to the emerging technology of AI systems, operational resilience, data privacy and climate-related risks, among others, that our products and services incorporate, and the increased uncertainty over potential liability and adverse legal or judicial determinations may negatively affect Moody's stock price, affect demand for our products and services, increase our costs of operations and impact our future business plans." - Reworded sentence: "Moody's Investors Service." **Prior (2025):** Moody's is subject to extensive regulation by federal, state and local authorities in the U.S. and by foreign jurisdictions. These regulations, the most important of which are discussed in further detail below, are complex, continually evolving and have tended to become more stringent over time. Additionally, changes in the Presidential administration, changes in Congress, and recent judicial actions may increase the uncertainty with regard to potential changes in these laws and regulations and the enforcement of any new or existing legislation or directives by government authorities. See "Regulation" in Part I, Item 1 of this annual report on Form 10-K for more information. Further, speculation concerning the impact of legislative and regulatory initiatives, including initiatives related to the emerging technology of AI systems, operational resilience, data privacy and climate-related risks, among others, that our products and services incorporate, and the increased uncertainty over potential liability and adverse legal or judicial determinations may negatively affect Moody's stock price, affect demand for our products and services, increase our costs of operations and impact our future business plans. Further, the Company's compliance and efforts to reduce the risk of fines, penalties or other sanctions can result in significant expenses. Legal proceedings that are increasingly lengthy can result in uncertainty over and exposure to liability. MOODY'S 2024 10-K 23 MOODY'S 2024 10-K 23 MOODY'S 2024 10-K 23 **Current (2026):** Moody's is subject to extensive regulation by federal, state and local authorities in the U.S. and by foreign jurisdictions. These regulations, the most important of which are discussed in further detail below, are complex, continually evolving and have tended to become more stringent over time. Additionally, in the U.S., changes in the Presidential administration, changes in Congress, and recent judicial actions may increase the uncertainty with regard to potential changes in these laws and regulations and the enforcement of any new or existing legislation or directives by government authorities. See "Regulation" in Part I, Item 1 of this annual report on Form 10-K for more information. Speculation concerning the impact of legislative, regulatory and government initiatives, including initiatives related to the emerging technology of AI systems, operational resilience, data privacy and climate-related risks, among others, that our products and services incorporate, and the increased uncertainty over potential liability and adverse legal or judicial determinations may negatively affect Moody's stock price, affect demand for our products and services, increase our costs of operations and impact our future business plans. Further, the Company's compliance and efforts to reduce the risk of fines, penalties or other sanctions can result in significant expenses. Legal proceedings that are increasingly lengthy can result in uncertainty over and exposure to liability. Moody's Investors Service. MIS operates in a highly regulated industry. The current U.S. laws and regulations relating to MIS, including the Reform Act and the Dodd-Frank Act: -seek to encourage, and may result in, increased competition among CRAs and in the credit rating business; -may result in alternatives to credit ratings, changes in the pricing of credit ratings, and/or diminished intellectual property protection relating to credit ratings and related research produced by MIS; -restrict the use of information in the development or maintenance of credit ratings; -increase regulatory oversight of the credit markets and CRA operations; -provide the SEC with direct jurisdiction over CRAs that seek NRSRO status, and grant authority to the SEC to inspect the operations of CRAs; and -provide for enhanced oversight standards and specialized pleading standards, which may result in increases in the number of legal proceedings claiming liability for losses suffered by investors on rated securities and aggregate legal defense costs. In addition to the extensive and evolving U.S. laws and regulations governing the credit rating industry, foreign jurisdictions have taken measures to regulate CRAs and the markets for credit ratings that significantly impact the operations and the markets for the Company's ratings-related products and services. In particular, the EU has adopted a common regulatory framework for CRAs operating in the EU, continues to monitor the credit rating industry and analyzes approaches that may strengthen existing regulation. The U.K. also has adopted a regulatory framework for CRAs that is based on the EU version. Credit ratings emanating from outside the EU are subject to ESMA's oversight if they are endorsed into the EU, and ratings endorsed into the U.K. are similarly subject to oversight of the FCA. Additionally, other foreign jurisdictions, such as Australia and Hong Kong and China, have taken measures to increase regulation of CRAs and markets for credit ratings. A failure to comply with these procedural and substantive requirements also exposes MIS to the risk of regulatory enforcement action, which could result in financial penalties or, in serious cases, affect its ability to conduct credit rating activities in certain jurisdictions. For example: 20 MOODY'S 2025 10-K 20 MOODY'S 2025 10-K 20 MOODY'S 2025 10-K --- ## Modified: Table of Contents **Key changes:** - Reworded sentence: "property and proprietary rights against theft, misappropriation or infringement could be materially and adversely affected by insufficient and/or changing proprietary rights and intellectual property legal protections in some jurisdictions and markets." **Prior (2025):** Unauthorized third parties may also try to obtain and use technology or other information that the Company regards as proprietary. It is also possible that Moody's competitors or other entities could obtain patents or other intellectual property rights related to the types of products and services that Moody's offers, and attempt to require Moody's to stop developing or marketing the products or services, to modify or redesign the products or services to avoid infringing, or to obtain licenses from the holders of the intellectual property in order to continue developing and marketing the products and services. Even if Moody's attempts to assert or protect its intellectual property rights through litigation, it may require considerable cost, time and resources to do so, and there is no guarantee that the Company will be successful. The Company's ability to establish, maintain and protect its intellectual property and proprietary rights against theft, misappropriation or infringement could be materially and adversely affected by insufficient and/or changing proprietary rights and intellectual property legal protections in some jurisdictions and markets. These risks, and the cost, time and resources needed to address them, may increase as the Company's business grows and its profile rises in countries with intellectual property regimes that are less protective than the rules and regulations applied in the United States. **Current (2026):** property and proprietary rights against theft, misappropriation or infringement could be materially and adversely affected by insufficient and/or changing proprietary rights and intellectual property legal protections in some jurisdictions and markets. These risks, and the cost, time and resources needed to address them, may increase as the Company's business grows and its profile rises in countries with intellectual property regimes that are less protective than the rules and regulations applied in the United States. --- ## Modified: Table of Contents **Key changes:** - Reworded sentence: "actual or perceived failure to achieve our sustainability-related initiatives, goals or commitments could negatively impact our reputation or otherwise materially harm our business." **Prior (2025):** disclosures. Our actual or perceived failure to achieve our sustainability-related initiatives, goals or commitments could negatively impact our reputation or otherwise materially harm our business. **Current (2026):** actual or perceived failure to achieve our sustainability-related initiatives, goals or commitments could negatively impact our reputation or otherwise materially harm our business. In addition, there has been a recent increase in "anti-ESG" sentiment in the United States by certain activists, institutions and governmental entities criticizing ESG or climate-focused products and services. We may face scrutiny, reputational risk, lawsuits or heightened scrutiny from these parties regarding our sustainability initiatives, goals and commitments, even where such initiatives, goals and commitments are expected or required in other jurisdictions outside the United States. To the extent we continue to make disclosures about our sustainability initiatives, goals and commitments, we could be criticized for such matters, which could negatively impact our reputation or otherwise materially harm our business. --- ## Modified: Our business could be negatively impacted by physical and transitional climate risks. **Key changes:** - Reworded sentence: "As a global company, our employees and offices are subject to physical climate risks." - Added sentence: "We are also subject to changes in policies, technologies, or market preferences that are intended to address the effects of climate related risks, as well as ongoing legislative and regulatory uncertainties and changes regarding climate risk management and practices." - Added sentence: "These considerations could impact us and our customers and result in increased regulatory, compliance or operational costs." - Added sentence: "Furthermore, a number of states in which we operate have enacted or proposed statutes and regulations addressing climate and sustainability issues, while certain other states and governments in non-U.S." - Added sentence: "countries where we operate have enacted, or have proposed to enact, divergent and sometimes conflicting statutes, regulations or policies." **Prior (2025):** As a global company, our employees and offices are subject to risks related to the impact of climate change. We have offices in locations that are vulnerable to the effects of climate change and extreme weather. In addition, continued reliable energy sources are critical for business continuity globally and those sources too can be impacted by extreme weather. The frequency and impact of extreme weather events on critical infrastructure has the potential to disrupt the Company's ongoing operations, as well as the operations of our vendors and customers, and may result in losses and additional costs to maintain or resume operations. **Current (2026):** As a global company, our employees and offices are subject to physical climate risks. We have offices in locations that are vulnerable to the effects of extreme weather. In addition, continued reliable energy sources are critical for business continuity globally and those sources too can be impacted by extreme weather. The frequency and impact of extreme weather events on critical infrastructure has the potential to disrupt the Company's ongoing operations, as well as the operations of our vendors and customers, and may result in losses and additional costs to maintain or resume operations. We are also subject to changes in policies, technologies, or market preferences that are intended to address the effects of climate related risks, as well as ongoing legislative and regulatory uncertainties and changes regarding climate risk management and practices. These considerations could impact us and our customers and result in increased regulatory, compliance or operational costs. Furthermore, a number of states in which we operate have enacted or proposed statutes and regulations addressing climate and sustainability issues, while certain other states and governments in non-U.S. countries where we operate have enacted, or have proposed to enact, divergent and sometimes conflicting statutes, regulations or policies. Our products and services may fail to meet the needs and expectations of our customers in response to future changes in policies, technologies or market preferences, which could adversely impact our business, operating results and financial condition. --- ## Modified: Table of Contents **Key changes:** - Reworded sentence: "The Company has invested and continues to invest in risk management and information security measures in order to protect its systems and data, including employee training, disaster and incident response plans, and technical defenses." **Prior (2025):** confidential data, could cause reputational harm, loss of customers and revenue, fines, regulatory actions and scrutiny, sanctions or other statutory penalties, litigation, liability for failure to safeguard the Company's customers' information, or financial losses that are either not insured against or not fully covered through any insurance maintained by the Company. In addition, disclosure or media reports of actual or perceived security vulnerabilities to the Company's systems or those of the Company's third parties, even if no breach has been attempted or occurred, could lead to reputational harm, loss of customers and revenue, or increased regulatory actions oversight and scrutiny. Any of the foregoing may have a material adverse effect on Moody's business, operating results and financial condition. **Current (2026):** The Company has invested and continues to invest in risk management and information security measures in order to protect its systems and data, including employee training, disaster and incident response plans, and technical defenses. Although Moody's devotes significant resources to maintain and regularly update such systems and processes, measures that Moody's takes to avoid, detect, mitigate or recover from material incidents can be expensive, and may be insufficient, circumvented, or may become ineffective. Further, Moody's relies on third-party technical subject matter experts to assist in managing its cyber security risk management processes. While Moody's employs such third parties to assist in strengthening its cybersecurity defenses, there can be no guarantee that any action taken as advised by such third party will be adequate or sufficient to address the evolving threat landscape. Additionally, any measures that Moody's takes in connection with such third parties to avoid, detect, mitigate or recover from material cyber security threats or incidents can be expensive, and may be insufficient, circumvented, or may become ineffective. Additionally, Gen AI has contributed to an increase in the prevalence and sophistication of cyber threats, expanding the Company's exposure to potential breaches and systems disruptions. Despite the Company's best efforts, it is not fully insulated from, and has in the past experienced, security threats and system disruptions. As Gen AI technologies continue to advance, threat actors will develop increasingly sophisticated methods as well as technology and tools to facilitate the commission of cyber-attacks and develop new cyber-crime business models such as Ransomware-as-a-Service (RaaS) or Vulnerabilities-as-a-Service (VaaS). This may include the use of Gen AI to automate and enhance phishing schemes, advance malware, carry out more effective cyber-attacks. As Gen AI technologies advance, these cyber threats will increase in number and may also become more difficult to detect and stop. As a result, the cost and operational consequences of implementing, maintaining and enhancing further data or system protection measures could increase significantly to overcome increasingly intense, complex and sophisticated global cyber threats. Although past incidents have not had a material adverse effect on the Company's operating results, there can be no assurance of a similar result in the future. Because the methods used for these systems cyberattacks are rapidly changing, the Company or its third-party vendors, despite significant focus and investment, may be unable to anticipate and/or deploy sufficient protections against such incidents. Further, the extent of a particular security incident and the steps needed to investigate may not be immediately clear, and it may take a significant amount of time before such an investigation can be completed and full and reliable information about the incident, including the extent of the harm and how best to remediate it, is known. Recent well-publicized security breaches at other companies have led to enhanced government and regulatory scrutiny of the measures taken by companies to protect against cyber-attacks, and may in the future result in heightened cybersecurity compliance requirements, including additional regulatory expectations for oversight of third-party vendors and service providers. Cybersecurity incidents, including the accidental loss, inadvertent disclosure or unapproved dissemination of proprietary information or sensitive or confidential data, could trigger governmental notice requirements and public disclosures, cause reputational harm, loss of customers and revenue, fines, regulatory actions and scrutiny, sanctions or other statutory penalties, litigation, liability for failure to safeguard the Company's customers' information, or financial losses that are either not insured against or not fully covered through any insurance maintained by the Company. In addition, disclosure or media reports of actual or perceived security vulnerabilities to the Company's systems or those of the Company's third parties, even if no breach has been attempted or occurred, could lead to reputational harm, loss of customers and revenue, or increased regulatory actions oversight and scrutiny. Any of the foregoing may have a material adverse effect on Moody's business, operating results and financial condition. --- *Data sourced from SEC EDGAR. Last updated 2026-05-05.*