high match confidence
Sentence-level differences:
- Reworded sentence: "Improper collection, use, disclosure, cross border transfer, retention and other processing of confidential, personal, or proprietary data could result in regulatory scrutiny, legal and financial liability, or harm to our reputation."
- Reworded sentence: "As a result, we are subject to a variety of laws and regulations in the U.S., Europe and around the world regarding privacy, data protection, data security and cyber security."
- Reworded sentence: "The number of laws that apply to us keeps increasing and the interpretation of such laws is often uncertain and may be conflicting."
- Removed sentence: "And at the federal level, the Securities and Exchange Commission is seeking to impose new cybersecurity requirements, including new reporting obligations, on publicly traded companies."
- Reworded sentence: "Many statutory requirements, both in the U.S."
Current (2024):
Improper collection, use, disclosure, cross border transfer, retention and other processing of confidential, personal, or proprietary data could result in regulatory scrutiny, legal and financial liability, or harm to our reputation. In operating our business and providing services and solutions to clients, we store and transfer sensitive employee and client data, including personal data, in and across multiple jurisdictions. We collect data from clients and individuals located all over the world and leverage systems and teams to process it. As a result, we are subject to a variety of laws and regulations in the U.S., Europe and around the world regarding privacy, data protection, data security and cyber security. These laws and regulations are continuously evolving and developing. Some of these laws and regulations are increasing the level of data handling restrictions, including rules on data localization, all of which could affect our operations and result in regulatory liability and high fines. In particular, high-profile data breaches at major companies continue to be disclosed regularly, which is leading to even greater regulatory scrutiny and fines at the highest levels they have ever been. These fines are not limited to data breaches and regulators are increasingly focusing on other data processing activities including those related to ad-tech and “data subject” rights. The number of laws that apply to us keeps increasing and the interpretation of such laws is often uncertain and may be conflicting. At the international level, we are subject to an increasing number of comprehensive privacy laws including, for example, those passed in Indonesia, the Kingdom of Saudi Arabia and India.
Many of these laws, which are modeled after the GDPR, have greatly increased the jurisdictional reach of privacy laws and added a broad array of requirements for handling personal data, such as the public disclosure of data breaches, data protection impact assessments, data portability and the appointment of data protection officers in some cases. Following the UK’s withdrawal from the EU, we are also subject to the UK General Data Protection Regulation (“UK GDPR”), a version of the GDPR as implemented into UK law, and this law may not mirror the GDPR, thereby adding operational complexity and legal risk. Given the breadth and depth of changes in data protection obligations, including classifying data and committing to a range of administrative, technical and physical controls to protect data and enable data transfers across borders, our compliance with such laws will continue to require time, resources and review of the technology and systems we use. Despite a proliferation of regulatory guidance papers, there remains uncertainty in key areas related to these laws, and that uncertainty could result in potential liability for our failure to meet our obligations, including the possibility of significant fines some of which can amount to 4% or more of our global revenue. Further, despite recent developments, including a new U.S.-EU Data Privacy Framework and the U.S.-UK Data Bridge, there remains a high level of uncertainty concerning the future of the flow of personal information between the U.S. and EU, between the U.S. and the UK and between the UK and the EU, and that uncertainty may impair our ability to offer our existing and planned products and services or increase our cost of doing business. Some of the global laws enacted in recent years, including those in China and the Kingdom of Saudi Arabia, also include data localization elements that will require that certain personal data stay within their borders.
These requirements are complex and our efforts to comply with them require significant resources, and we cannot guarantee we are or will be in full compliance with such laws at all times. At the U.S. federal level, we are subject to various privacy laws and regulations, including those promulgated under the authority of the U.S. Federal Trade Commission, which has the authority to regulate and enforce against unfair or deceptive acts or practices in or affecting commerce, including with respect to data privacy and cybersecurity. At the U.S. state level, we are subject to laws and regulations related to privacy, such as the CCPA which introduced concepts such as transparency and rights like access and deletion, that have been enacted by over a dozen states with many more on the verge of enacting such laws. These laws establish a privacy framework for covered businesses, including various obligations imposed on them related to the personal information they collect and use, and offer various rights for their state residents. Some of these laws provide a private right of action for violations and in some cases damages may be significant. Many of these laws diverge from the CCPA and create their own set of rules and this proliferation of inconsistent state level privacy laws will add operational complexity and increased risk of noncompliance or violations which could trigger enforcement action or litigation. In addition to data protection and data privacy laws, foreign countries and U.S. states are enacting AI and cybersecurity laws and regulations. For example, in late 2023 the New York State Department of Financial Services (NYDFS) issued amendments to its previous cybersecurity regulations which imposed obligations on companies such as Marsh McLennan, including for example, requiring companies to provide evidence of how they are implementing their data retention, data governance and data classifications policies and procedures. 
A number of states have also adopted laws covering data collected by insurance licensees that include security and breach notification requirements. All of these evolving compliance and operational requirements impose significant costs that are likely to increase over time, may divert resources from other initiatives and projects and could restrict the way services involving data are offered, all of which may adversely affect our results of operations. Many statutory requirements, both in the U.S. and abroad, include obligations for companies to notify individuals of security breaches involving certain personal information, which could result from breaches experienced by us or our vendors. For example, laws in all 50 U.S. states generally require businesses to provide notice under certain circumstances to consumers whose personal information has been disclosed as a result of a breach. In addition to government regulation, our agreements with certain third parties may require us to notify them in the event of a security breach. Further, privacy advocates and industry groups have and may in the future propose self-regulatory standards. These laws, rules and industry standards may legally or contractually apply to us, or we may elect to comply with them. We expect that there will continue to be new proposed laws and regulations concerning data privacy and security, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. Many of these laws and rules also include strict notification requirements for organizations related to confirmed or suspected breaches. This narrow notification window is often too short to fully validate the facts, and there is an increased risk of reporting a false alarm or immaterial breach, which may lead to reputational damage despite there not being an actual data breach.
We post public privacy policies and other documentation regarding our collection, use, disclosure, cross-border transfer, retention, and other processing of personal information. Although we endeavor to comply with our published policies and other documentation, we may at times fail to do so or may be perceived to have failed to do so. Moreover, despite our efforts, we may not be successful in achieving compliance if our employees, contractors, service providers, vendors or other third parties with whom we do business fail to comply with our published policies and documentation. Such failures could carry similar consequences or subject us to potential enforcement actions or investigations if they are found to be deceptive, unfair or misrepresentative of our actual practices. Furthermore, enforcement actions and investigations by regulatory authorities related to data security incidents and privacy violations, including an ongoing focus on compliance related to website "cookies" and other online trackers, as well as the use of online session recording tools in some countries or U.S. states, continue to increase. Privacy violations, including unauthorized use, disclosure or transfer of sensitive, personal or confidential client or Company data, whether through systems failure, employee negligence, fraud or misappropriation, by the Company, our vendors or other parties with whom we do business (if they fail to meet the standards we impose) could damage our reputation and subject us to significant litigation, monetary damages, regulatory enforcement actions, fines and criminal prosecution in one or more jurisdictions.
Given the complexity of operationalizing the various privacy laws mentioned above, the maturity level of proposed compliance frameworks and the continued lack of certainty on how to implement their requirements, we and our clients are at risk of enforcement actions taken by data protection authorities around the world or litigation from consumer advocacy groups acting on behalf of data subjects. We may not be able to respond quickly or effectively to regulatory, legislative and other developments, and these changes may in turn impair our ability to offer our existing or planned products and services and increase our cost of doing business.
Prior text (2023):
Improper collection, use, disclosure, cross border transfer, and retention of confidential, personal, or proprietary data could result in regulatory scrutiny, legal and financial liability, or harm to our reputation. In operating our business and providing services and solutions to clients, we store and transfer sensitive employee and client data, including personal data, in and across multiple jurisdictions. We collect data from clients and individuals located all over the world and leverage systems and teams to process it. As a result, we are subject to a variety of laws and regulations in the United States, Europe and around the world regarding privacy, data protection, data security and cyber security. These laws and regulations are continuously evolving and developing. Some of these laws and regulations are increasing the level of data handling restrictions, including rules on data localization, all of which could affect our operations and result in regulatory liability and high fines. In particular, high-profile data breaches at major companies continue to be disclosed regularly, which is leading to even greater regulatory scrutiny and fines at the highest levels they have ever been. These fines are not limited to data breaches and regulators are increasingly focusing on other data processing activities including those related to ad-tech and “data subject” rights. The scope and interpretation of the laws that are or may be applicable to us are often uncertain and may be conflicting. For example, the GDPR, which became effective in May 2018, greatly increased the European Commission’s jurisdictional reach of its laws and added a broad array of requirements for handling personal data, such as the public disclosure of data breaches, privacy impact assessments, data portability and the appointment of data protection officers in some cases.
In the U.S., CPRA was passed in late 2020 and has greatly expanded the requirements under the California Consumer Privacy Act (CCPA). Despite a proliferation of regulatory guidance papers, there remains uncertainty in key areas related to the GDPR and the CPRA, and that uncertainty could result in potential liability for our failure to meet our obligations under the GDPR and the CPRA. Given the breadth and depth of changes in data protection obligations, including classifying data and committing to a range of administrative, technical and physical controls to protect data and enable data transfers outside of the E.U., our compliance with laws such as the GDPR and the CPRA will continue to require time, resources and review of the technology and systems we use. Further, the European Union Court of Justice's "Schrems II" decision and Brexit continue to generate uncertainty with regard to the future of the flow of personal information between the U.S. and E.U. and between the United Kingdom and the E.U., and that uncertainty may impair our ability to offer our existing and planned products and services or increase our cost of doing business. Following the implementation of the GDPR, other jurisdictions have sought to amend, or propose legislation to amend, their existing data protection laws to align with the requirements of the GDPR with the aim of obtaining an adequate level of data protection to facilitate the transfer of personal data to most jurisdictions from the E.U. Accordingly, the challenges we face in the E.U. will likely also apply to other jurisdictions that adopt laws similar to the GDPR or regulatory frameworks of equivalent complexity. For example, Indonesia passed the Personal Data Protection Bill in 2022, Australia and Canada are seeking to make major amendments to their existing privacy laws and India is engaging in an ongoing effort to enact a new privacy law.
Some of the laws enacted in recent years, including those in China and the Kingdom of Saudi Arabia, include data localization elements that will require that certain personal data stay within their borders. In the U.S., following the passage of the CCPA and CPRA, four other states (Colorado, Connecticut, Utah and Virginia) passed privacy laws and there remains continued legislative interest in passing laws in additional states, as well as a federal privacy law, though the prospects of such a law passing soon have diminished. In addition to data protection laws, countries and states in the U.S. are enacting cybersecurity laws and regulations. For example, in 2017 the New York State Department of Financial Services (NYDFS) issued cybersecurity regulations which imposed an array of detailed security measures on covered entities. These requirements were phased in and the last of them came into effect on March 1, 2019. The NYDFS has now proposed an array of modifications to those rules which if passed would impose significant new requirements. A number of states have also adopted laws covering data collected by insurance licensees that include security and breach notification requirements. And at the federal level, the Securities and Exchange Commission is seeking to impose new cybersecurity requirements, including new reporting obligations, on publicly traded companies. All of these evolving compliance and operational requirements impose significant costs that are likely to increase over time, may divert resources from other initiatives and projects and could restrict the way services involving data are offered, all of which may adversely affect our results of operations. Many statutory requirements, both in the United States and abroad, include obligations for companies to notify individuals of security breaches involving certain personal information, which could result from breaches experienced by us or our vendors.
In addition to government regulation, privacy advocates and industry groups have and may in the future propose self-regulatory standards from time to time. These and other industry standards may legally or contractually apply to us, or we may elect to comply with such standards. We expect that there will continue to be new proposed laws and regulations concerning data privacy and security, and we cannot yet determine the impact such future laws, regulations and standards may have on our business. Data protection laws also include strict notification requirements for organizations related to confirmed or suspected breaches. With such a limited time available to validate indicators, there is an increased risk of reporting a false alarm or immaterial breach, which may lead to reputational damage despite there not being an actual data breach. Furthermore, enforcement actions and investigations by regulatory authorities related to data security incidents and privacy violations, including a recent focus on website "cookies" compliance in some countries, continue to increase. Privacy violations, including unauthorized use, disclosure or transfer of sensitive or confidential client or Company data, whether through systems failure, employee negligence, fraud or misappropriation, by the Company, our vendors or other parties with whom we do business (if they fail to meet the standards we impose) could damage our reputation and subject us to significant litigation, monetary damages, regulatory enforcement actions, fines and criminal prosecution in one or more jurisdictions. Given the complexity of operationalizing the various privacy laws such as the GDPR and the CPRA, the maturity level of proposed compliance frameworks and the continued lack of certainty on how to implement their requirements, we and our clients are at risk of enforcement actions taken by E.U.
and other data protection authorities or litigation from consumer advocacy groups acting on behalf of data subjects. We may not be able to respond quickly or effectively to regulatory, legislative and other developments, and these changes may in turn impair our ability to offer our existing or planned products and services and increase our cost of doing business.