MSCI Inc.: 10-K Risk Factor Changes

Our products and services support the investment processes of our clients, which relate to, in the aggregate, trillions of dollars in assets. Products or services we develop or license have contained, and in the future may contain, undetected errors or defects despite testing or other quality assurance practices. Use of our products or services as part of the investment process creates the risk that our clients, the parties whose assets are managed by our clients, investors in investment products linked to our indexes, the companies that we rate or assess in our ESG solutions or the shareholders of those companies, may pursue claims against us based on even a small error in our or third-party data, calculations, methodologies or analysis or a malfunction or failure in our systems, products or services. Errors or defects can exist at any point in a product’s lifecycle, but are frequently found after introduction of new products or services or enhancements to existing products or services. We continually introduce new methodologies and products, and new versions of, and updates to, our existing products or services. Despite internal testing and in some cases testing or use by clients, our 16 16 16 Table of Contents Table of Contents products or services have contained, and in the future may contain, errors in our or third-party data, calculations, methodologies or analysis, including serious defects or malfunctions. This risk may grow with the increase in the number, type and complexity of our products, such as complex client-designed indexes that may require unique and more manual implementation and maintenance. For instance, certain of our processes utilize manual data entry or collection, which subjects them to greater risk of human error. If we detect any errors before we release or deliver a product or service or publish a methodology or analysis, we might have to suspend or delay the product or service release or delivery for an extended period of time while we address the problem. We may not discover errors that affect our products or services or enhancements until after they are deployed, and we may need to provide enhancements or corrections to address such errors, and in certain cases it may be impracticable to do so. If undetected errors exist in our products or services, or if our products or services fail to perform properly due to defects, malfunctions or similar problems, it could result in harm to our brand or reputation, significantly increased costs, lost sales and revenues, delays in commercial release, third-party claims, contractual disputes, negative publicity, delays in or loss of market acceptance of our products or services, license terminations or renegotiations or unexpected expenses and diversion of resources to remedy or mitigate such errors, defects or malfunctions. The realization of any of these events could materially adversely affect our business, financial condition or results of operations. While we have provisions in our client contracts that are designed to limit our liability from claims brought by our clients or third parties relating to our products or services, these provisions could be invalidated or fail to adequately or effectively limit our liability. In addition, clients also increasingly require us to provide contractual assurances regarding our IT and operational risk management and security practices or policies, and many of our clients in the financial services sector are subject to regulations and requirements to adopt risk management processes to oversee their third-party relationships. Contractual disputes could result in the provision of credits, adverse monetary judgments and other penalties and damages. Any such claims brought against us, even if the outcome were to be ultimately favorable to us, would require attention of our management, personnel, financial and other resources and could have a negative impact on our reputation or pose a significant disruption to our normal business operations. In addition, the duration or outcome of such claims and lawsuits is difficult to predict, which could further exacerbate the adverse effect they may have on our business, financial condition or results of operations.

Our products and services support the investment processes of our clients, which relate to, in the aggregate, trillions of dollars in assets. Products or services we develop or license have contained, and in the future may contain, undetected errors or defects despite testing or other quality assurance practices. Use of our products or services as part of the investment process creates the risk that our clients, the parties whose assets are managed by our clients, investors in investment products linked to our indexes, the companies that we rate or assess in our ESG solutions or the shareholders of those companies, may pursue claims against us based on even a small error in our data, calculations, methodologies or analysis or a malfunction or failure in our systems, products or services. Errors or defects can exist at any point in a product’s lifecycle, but are frequently found after introduction of new products or services or enhancements to existing products. We continually introduce new methodologies and products, and new versions of and updates to our existing products or services. Despite internal testing and in some cases testing or use by clients, our products or services have contained, and in the future may contain, errors in our data, calculations, methodologies or analysis, including serious defects or malfunctions. This risk may grow with the increase in the number, type and complexity of our products, such as complex client-designed indexes that may require unique and more manual implementation and maintenance. If we detect any errors before we release or deliver a product or service or publish a methodology or analysis, we might have to suspend or delay the product or service release or delivery for an extended period of time while we address the problem. We may not discover errors that affect our products or services or enhancements until after they are deployed, and we may need to provide enhancements or corrections to address such errors, and in certain cases it may be impracticable to do so. If undetected errors exist in our products or services, or if our products or services fail to perform properly due to defects, malfunctions or similar problems, it could result in harm to our brand or reputation, significantly increased costs, lost sales and revenues, delays in commercial release, third-party claims, contractual disputes, negative publicity, delays in or loss of market acceptance of our products or services, license terminations or renegotiations or unexpected expenses and diversion of resources to remedy or mitigate such errors, defects or malfunctions. The realization of any of these events could materially adversely affect our business, financial condition or results of operations. While we have provisions in our client contracts that are designed to limit our liability from claims brought by our clients or third parties relating to our products or services, these provisions could be invalidated or fail to adequately or effectively limit our liability. In addition, clients also increasingly require us to provide contractual assurances regarding our IT and operational risk management and security practices or policies, and many of our clients in the financial services sector are subject to regulations and requirements to adopt risk management processes to oversee their third-party relationships. Contractual disputes could result in the provision of credits, adverse monetary judgments and other penalties and damages. Any such claims brought against us, even if the outcome were to be ultimately favorable to us, would require attention of our management, personnel, financial and other resources and could have a negative impact on our reputation or pose a significant disruption to our normal business operations. In addition, the duration or outcome of such claims and lawsuits is difficult to predict, which could further exacerbate the adverse effect they may have on our business, financial condition or results of operations.

Failure to comply with any applicable laws, rules, orders, regulations, codes or other requirements could subject us to litigation, regulatory actions, sanctions, fines or other penalties, as well as damage our brand and reputation. The financial services industry, within which we and many of our clients operate, is subject to extensive laws, rules and regulations at the federal and state levels, as well as by foreign governments, with some jurisdictions regulating indexes directly. These laws, rules and regulations are complex, evolve frequently and sometimes quickly and unexpectedly, and are subject to administrative interpretation and judicial construction in ways that are difficult to predict, and could materially adversely affect our business and our clients’ businesses. Uncertainty caused by political change globally heightens regulatory uncertainty. Additionally, we may be required to comply with multiple and potentially conflicting laws, rules or regulations in various jurisdictions, which could, individually or in the aggregate, result in materially higher compliance costs to us. It is possible that laws, rules or regulations could cause us to restrict or change the way we license and price our products and services across our offerings, including if data or information from one offering is used in another offering, or could impose additional costs on us. In addition, various government and regulatory bodies from time to time may 23 23 23 Table of Contents Table of Contents make inquiries and conduct investigations into our compliance with applicable laws and regulations and our business practices, including those related to our regulated activities and other matters. Changes to the laws, rules and regulations applicable to our clients could limit our clients’ ability to use our products and services or could otherwise impact our clients’ demand for our products and services. As such, to the extent that our clients become subject to certain laws, rules or regulations, we may incur higher costs in connection with modifying our products or services. To the extent that we rely on our clients and vendors to provide data for our products and services and certain laws, rules or regulations impact our clients’ and vendors’ ability or willingness to provide that data to us or regulate the fees for which such data can be provided, our ability to continue to produce our products and services or the related costs could be negatively impacted. The regulations and regulatory developments that most significantly impact us are described below: •Regulation Affecting Benchmarks. Compliance efforts associated with regulations affecting benchmarks or their uses and any related technical standards and guidance could have a negative impact on our business and results of operations. In particular, compliance requirements could lead to a change in our business practices, product offerings or our ability to offer indexes in certain jurisdictions, including the EU, including without limitation, by increasing our costs of doing business, including direct costs paid to regulators, diminishing our intellectual property rights, impacting the fees we can charge for our indexes, imposing constraints on our ability to meet contractual commitments to our data providers, imposing constraints on how we offer our products or causing our data providers to refuse to provide data to us, any of which could have a material adverse effect on our index products. For example, the benchmark industry is subject to regulations in the EU, such as the EU Benchmark Regulation (“EU BMR”), and in the UK. The benchmark industry is also subject to increased scrutiny and potential new or increased regulation in various other jurisdictions. Additionally, the European Securities and Markets Authority (“ESMA”) issues guidance from time to time regarding interpretations of the EU BMR. The ESMA Guidelines on ETFs and other UCITS Issues limit the types of indexes that can be used as the basis of Undertakings for Collective Investment in Transferable Securities (“UCITS”) funds and require, among other things, index constituents, together with their respective weightings, to be made easily accessible free of charge, such as via the internet, to investors and prospective investors on a delayed and periodic basis. The International Organization of Securities Commissions (“IOSCO”) recommends that benchmark administrators, on a voluntary basis, publicly disclose whether they comply with the principles for financial benchmarks published by IOSCO. Other jurisdictions have also indicated they may consider potential benchmark regulation or conduct reviews of the benchmark industry. For instance, the UK FCA launched a market study into how competition is working in the markets for benchmarks and indices. In addition, in October 2023, the EU Commission published a proposal for a regulation to amend the EU BMR. The Commission proposes that the scope of the EU BMR should be limited to qualifying benchmarks. Under the proposal, only administrators of these qualifying benchmarks would continue to be subject to the EU BMR. The heightened attention and scrutiny on benchmarks and index providers by regulators, policymakers and the media in the EU, the U.S. and other jurisdictions around the world could also result in negative publicity or comments about the role or influence of our company or the index industry generally, which could harm our reputation and credibility. Further, laws, rules, regulations and orders affecting users of our indexes can have an indirect impact on our indexes, including their construction and composition, such as sanctions that prohibit users of our indexes from investing or transacting in securities included in our indexes. •ESG Ratings. In June 2023, the European Commission published a proposal for regulation on the transparency and integrity of ESG rating activities, potentially requiring market participants providing ESG ratings to become authorized and supervised by ESMA, and we expect some of our ESG products to be in scope for the developing regulation. In addition, in July 2023, the Securities and Exchange Board of India (“SEBI”) finalized regulation governing the provision of qualifying ESG ratings, with providers required to register with SEBI and meet certain minimum requirements. A number of other countries, including the UK, Japan, Hong Kong SAR and Singapore, have completed, or are in the process of developing, legislation and/or codes of conduct for ESG rating and data providers. IOSCO has also asked regulators to consider focusing more attention on the use of ESG ratings and data products. Regulatory regimes or initiatives relating to ESG ratings and data providers could impose significant compliance burdens and costs on our ESG and Climate products and services. Furthermore, regulation in multiple jurisdictions may be inconsistent, which could create implementation challenges and result in inadvertent noncompliance. •Data Privacy Legislation. Laws, regulations, standards or contractual obligations relating to privacy or data collection and use affect our ability to collect, manage, aggregate, store, transfer, use and otherwise process personal data and other information. We operate in an environment in which there are different and potentially conflicting 24 24 24 Table of Contents Table of Contents privacy or data collection laws and regulations in effect in the various U.S. states and foreign jurisdictions in which we operate, and we must understand and comply with each law and standard in each of these jurisdictions while ensuring the data is secure. Global laws in this area are rapidly increasing in the scale and depth of their requirements and are also often extra-territorial in nature. In addition, a wide range of regulators and private actors are seeking to enforce these laws across regions and borders. Furthermore, we frequently have privacy compliance requirements as a result of our contractual obligations with counterparties. There could also be a material adverse impact on our direct marketing due to the enactment of new legislation or regulation, or simply a change in practices, arising from public concern over privacy issues. Restrictions or bans could be placed, or penalties could be levied, relating to the collection, management, aggregation, storage, transfer, use and other processing of information that is currently legally available, in which case our costs related to handling information could increase materially. •Investment Advisers Act. Except with respect to certain products provided by MSCI ESG Research LLC and certain of its designated foreign affiliates, we believe our products and services do not constitute or provide investment advice as contemplated by the Advisers Act. See Part I, Item 1. “Business—Government Regulation” above. The Advisers Act imposes fiduciary duties, recordkeeping and reporting requirements, disclosure requirements, limitations on agency and principal transactions between an adviser and advisory clients, as well as general anti-fraud prohibitions. Future developments in our product lines or changes to current laws, rules, regulations or interpretations could cause this status to change, requiring other entities in our corporate family to register as investment advisers under the Advisers Act or comply with similar laws or requirements in states or foreign jurisdictions. In the U.S., the SEC has sought public comment on the role of certain third-party information providers to the asset management industry, including index providers and model providers, and whether, under particular facts and circumstances, information providers are acting as investment advisers under the Advisers Act. The specific questions in the SEC’s request for comment demonstrate that the SEC is considering whether, and to what extent, information providers, including index providers, should register as investment advisers and be subject to all aspects of the Advisers Act. The SEC’s request for comment is far-reaching and could lead to regulation pursuant to the Advisers Act or other framework. If our index business were to be deemed an investment adviser, we could be deemed a fiduciary to our clients, increasing the costs and complexity of our business. In addition, aspects of this regulatory framework may be at odds with our obligations under other benchmark regulations. The SEC has also proposed a rule that would prohibit SEC-registered investment advisers from outsourcing certain services or functions to service providers that do not meet minimum requirements. This proposed rule would impose on investment advisers due diligence, monitoring and record-keeping requirements of their service providers, and index providers, among others, are identified as service providers that could fall within the scope of the proposed requirements. This proposed rule could therefore impose additional requirements on our business. •Brexit. The United Kingdom (“UK”) exited the European Union (“EU”) on January 31, 2020 (commonly referred to as “Brexit”) and the UK’s membership in the EU single market ended on December 31, 2020. One of our subsidiaries is authorized as a UK benchmark administrator regulated by the UK FCA, we have significant operations in the EU and certain members of our senior management team are based in the UK. As a result, uncertainties related to Brexit and the new relationship between the UK and EU, potential changes in EU regulation, divergent interpretations by the UK of any replicated EU laws or additional regulation in the UK could increase our costs of doing business, or in some cases, affect our ability to do business, which could have a material adverse effect on our business, financial condition or results of operations. Specifically, the EU BMR currently provides for a transition period until December 31, 2025, allowing EU supervised entities to continue to utilize benchmarks provided by non-EU administrators. The UK Benchmarks Regulation currently provides a transitional period for third-country benchmarks to December 31, 2030 allowing UK supervised entities to continue to utilize benchmarks provided by non-UK administrators. Our ability to comply with applicable laws and regulations depends upon the maintenance of an effective compliance system which can be time consuming and costly, as well as our ability to attract and retain qualified compliance personnel. In some instances, in connection with the provision of data and services, we have incurred additional costs to implement processes and systems at the request of our clients to ensure that the products and services that they in turn provide to their clients using our data are compliant with the financial regulations to which our clients may be subject. For example, a U.S. Executive Order prohibiting many of our clients from transacting in the securities of certain Chinese companies resulted in our decision to remove these companies from relevant indexes in order to support our clients’ needs that our indexes meet their objective to be replicable in investment portfolios. To the extent that our clients are subject to increased regulation, we may be indirectly impacted and could incur increased costs that could have a negative impact on the profitability of certain products. Additionally, there has been increased attention on and scrutiny of index providers and ESG ratings and data providers by politicians, regulators, policymakers and the media, which could create negative publicity that could harm our reputation or credibility 25 25 25 Table of Contents Table of Contents as well as result in new or additional regulation that could increase our costs and have a negative impact on our business, financial condition or results of operations. For instance, in July 2023, we received a letter from a Select Committee of the U.S. House of Representatives, asking us to respond to a range of questions regarding MSCI indexes that include securities of Chinese companies. Additional scrutiny or regulatory action could have a material adverse effect on our business, financial condition or results of operations.

Failure to comply with any applicable laws, rules, orders, regulations, codes or other requirements could subject us to litigation, regulatory actions, sanctions, fines or other penalties, as well as damage our brand and reputation. The financial services industry, within which we and many of our clients operate, is subject to extensive laws, rules and regulations at the federal and state levels, as well as by foreign governments, with some jurisdictions regulating indexes directly. These laws, rules and regulations are complex, evolve frequently and sometimes quickly and unexpectedly, and are subject to administrative interpretation and judicial construction in ways that are difficult to predict, and could materially adversely affect our business and our clients’ businesses. Uncertainty caused by political change globally heightens regulatory uncertainty. Additionally, we may be required to comply with multiple and potentially conflicting laws, rules or regulations in various jurisdictions, which could, individually or in the aggregate, result in materially higher compliance costs to us. It is possible that laws, rules or regulations could cause us to restrict or change the way we license and price our products and services across our offerings, including if data or information from one offering is used in another offering, or could impose additional costs on us. Changes to the laws, rules and regulations applicable to our clients could limit our clients’ ability to use our products and services or could otherwise impact our clients’ demand for our products and services. As such, to the extent that our clients become subject to certain laws, rules or regulations, we may incur higher costs in connection 22 22 22 Table of Contents Table of Contents with modifying our products or services. To the extent that we rely on our clients and vendors to provide data for our products and services and certain laws, rules or regulations impact our clients’ and vendors’ ability or willingness to provide that data to us or regulate the fees for which such data can be provided, our ability to continue to produce our products and services or the related costs could be negatively impacted. The regulations and regulatory developments that most significantly impact us are described below: •Brexit. The United Kingdom (“UK”) exited the European Union (“EU”) on January 31, 2020 (commonly referred to as “Brexit”) and the UK’s membership in the EU single market ended on December 31, 2020. On December 24, 2020, the UK and the EU announced that they had struck a new bilateral trade and cooperation deal governing the future relationship between the UK and the EU (the “EU-UK Trade and Cooperation Agreement”) which was formally approved by the 27 member states of the EU on December 29, 2020. In March 2021, the UK and EU agreed on a framework for voluntary regulatory cooperation and dialogue on financial services issues between them in a Memorandum of Understanding (the “MOU”), which is expected to be signed after formal steps are completed, although this has not yet occurred. There remain uncertainties related to Brexit and the new relationship between the UK and EU that will continue to be developed and defined, as well as uncertainties related to the wider trading, legal, regulatory, tax and labor environments, and the resulting impact on our business and that of our clients. For instance, under the EU Benchmarks Regulation, benchmarks provided by a third-country (i.e. non-EU) benchmark administrator may be used by EU-supervised entities in the EU if the benchmark administrator applies for recognition, endorsement or if its home jurisdiction’s regime is deemed equivalent by the European Commission. The EU Benchmarks Regulation currently provides for a transition period until December 31, 2023, allowing supervised entities to continue to utilize benchmarks provided by non-EU administrators. The European Commission has indicated that it may further extend the transition period for the use of benchmarks provided by non-EU administrators until at least January 1, 2026. One of our subsidiaries is authorized as a UK benchmark administrator regulated by the UK FCA, we have significant operations in the EU and certain members of our senior management team are based in the UK. As a result, uncertainties related to Brexit and the new relationship between the UK and EU could increase our costs of doing business, or in some cases, affect our ability to do business, which could have a material adverse effect on our business, financial condition or results of operations. •Regulation Affecting Benchmarks. Compliance efforts associated with regulations affecting benchmarks or their uses and any related technical standards and guidance could have a negative impact on our business and results of operations. In particular, compliance requirements could lead to a change in our business practices, product offerings or our ability to offer indexes in certain jurisdictions, including the EU, including without limitation, by increasing our costs of doing business, including direct costs paid to regulators, diminishing our intellectual property rights, impacting the fees we can charge for our indexes, imposing constraints on our ability to meet contractual commitments to our data providers, imposing constraints on how we offer our products or causing our data providers to refuse to provide data to us, any of which could have a material adverse effect on our index products. For example, the benchmark industry is subject to regulations in the EU, such as Regulation (EU) 2016/1011 (as amended), which is also applicable in the UK as it forms part of UK domestic law by virtue of the European Union (Withdrawal) Act 2018 (as amended), as well as increased scrutiny and potential new or increased regulation in various other jurisdictions. Additionally, the European Securities and Markets Authority (“ESMA”) issues guidance from time to time regarding interpretations of the EU Benchmarks Regulation (such as Regulation (EU) 2016/1011 (as amended) and Regulation (EU) No 600/2014). The ESMA Guidelines on ETFs and other UCITS Issues limit the types of indexes that can be used as the basis of Undertakings for Collective Investment in Transferable Securities (“UCITS”) funds and require, among other things, index constituents, together with their respective weightings, to be made easily accessible free of charge, such as via the internet, to investors and prospective investors on a delayed and periodic basis. The International Organization of Securities Commissions (“IOSCO”) recommends that benchmark administrators, on a voluntary basis, publicly disclose whether they comply with the principles for financial benchmarks published by IOSCO. Other jurisdictions have also indicated they may consider potential benchmark regulation or conduct reviews of the benchmark industry. For instance, the UK FCA has announced that it will conduct a market study into how competition is working in the markets for benchmarks and indices. The heightened attention and scrutiny on benchmarks and index providers by regulators, policymakers and the media in the EU, the U.S. and other jurisdictions around the world could result in negative publicity or comments about the role or influence of our company or the index industry generally, which could harm our reputation and credibility. Further, laws, rules, regulations and orders affecting users of our indexes can have an indirect impact on our indexes, including their construction and composition, such as sanctions that prohibit users of our indexes from investing or transacting in securities included in our indexes. •Data Privacy Legislation. Changes in laws, rules or regulations, or consumer environments relating to privacy or data collection and use may affect our ability to collect, manage, aggregate, store, transfer and use personal data. 23 23 23 Table of Contents Table of Contents There could be a material adverse impact on our direct marketing due to the enactment of legislation or industry regulations, or simply a change in practices, arising from public concern over privacy issues. Restrictions or bans could be placed, or penalties could be levied, relating to the collection, management, aggregation, storage, transfer and use of information that is currently legally available, in which case our costs related to handling information could increase materially. For example, California passed the California Consumer Privacy Act (“CCPA”), which took effect on January 1, 2020, and the California Privacy Rights Act (“CPRA”), which took effect on January 1, 2023 and significantly amends and expands the CCPA. The CCPA and CPRA regulate the processing of personal data of all Californians and imposes significant penalties for non-compliance. The European General Data Protection Regulation imposes enhanced operational requirements for companies that receive or process personal data of residents of the EU and includes significant penalties for non-compliance. In Japan, the Act on the Protection of Personal Information regulates the use of personal information and personal data of “data subjects” for business purposes without regard to whether such use is within Japan. In addition, other jurisdictions, including China and India, are considering imposing or have already imposed additional restrictions on the use and transfer of personal and other types of data. •Investment Advisers Act. Except with respect to certain products provided by MSCI ESG Research LLC and certain of its designated foreign affiliates, we believe that our products and services do not constitute or provide investment advice as contemplated by the Advisers Act. See Part I, Item 1. “Business—Government Regulation” above. The Advisers Act imposes fiduciary duties, recordkeeping and reporting requirements, disclosure requirements, limitations on agency and principal transactions between an adviser and advisory clients, as well as general anti-fraud prohibitions. Future developments in our product lines or changes to current laws, rules, regulations or interpretations could cause this status to change, requiring other entities in our corporate family to register as investment advisers under the Advisers Act or comply with similar laws or requirements in states or foreign jurisdictions. In the U.S., the SEC has recently sought public comment on the role of certain third-party information providers to the asset management industry, including index providers and model providers, and whether, under particular facts and circumstances, information providers are acting as investment advisers under the Advisers Act. The specific questions in the SEC’s request for comment demonstrate that the SEC is considering whether, and to what extent, information providers, including index providers, should register as investment advisers and be subject to all aspects of the Advisers Act. The SEC’s request for comment is far-reaching and could lead to regulation pursuant to the Advisers Act or other framework. If our index business were to be deemed an investment adviser, we could be deemed a fiduciary to our clients, increasing the costs and complexity of our business. In addition, aspects of this regulatory framework may be at odds with our obligations under other benchmark regulations. The SEC has also recently proposed a rule that would prohibit SEC-registered investment advisers from outsourcing certain services or functions to service providers that do not meet minimum requirements. This proposed rule would impose on investment advisers due diligence, monitoring and record-keeping requirements of their service providers, and index providers, among others, are identified as service providers that could fall within the scope of the proposed requirements. This proposed rule could therefore impose additional requirements on our business. In some instances, in connection with the provision of data and services, we have incurred additional costs to implement processes and systems at the request of our clients to ensure that the products and services that they in turn provide to their clients using our data are compliant with the financial regulations to which our clients may be subject. For example, a U.S. Executive Order prohibiting many of our clients from transacting in the securities of certain Chinese companies resulted in our decision to remove these companies from relevant indexes in order to support our clients’ needs that our indexes meet their objective to be replicable in investment portfolios. To the extent that our clients are subject to increased regulation, we may be indirectly impacted and could incur increased costs that could have a negative impact on the profitability of certain products. Additionally, there has been increased attention on and scrutiny of index and ESG rating and data providers by politicians, regulators, policymakers and the media, which could create negative publicity that could harm our reputation or credibility as well as result in new or additional regulation that could increase our costs and have a negative impact on our business, financial condition or results of operations. For example, IOSCO has asked regulators to consider focusing more attention on the use of ESG ratings and data products. In the EU, the European Commission published a Summary Report in August 2022, following a targeted consultation on the functioning of the ESG ratings market in the EU and on the consideration of ESG factors in credit ratings, which the Commission will use to consider the need for possible policy initiatives. In addition, in December 2022, the UK government announced a consultation on the regulation of ESG ratings. Furthermore, in December 2022, the Japan Financial Services Agency published a Code of Conduct for ESG rating and data providers, and the UK FCA announced the formation of an industry-led group to develop a voluntary Code of Conduct for ESG data and ratings providers. These or similar regulatory regimes or initiatives could impose significant compliance burdens and costs on our ESG and Climate products and services. Furthermore, regulation in multiple jurisdictions may be inconsistent, which could create implementation challenges and result in inadvertent noncompliance. 24 24 24 Table of Contents Table of Contents

Any failures, disruptions, instability or vulnerabilities in our information technology architecture, platforms, vendors and service providers, production and delivery systems, software, code, networks, the Internet or other systems or applications may disrupt our operations, cause our products or services to be unavailable or fail and impose delays or additional costs in deploying our products or services, or impose conditions or restrictions on our ability to commercialize our products or services or keep them confidential and result in reputational and other harm and have a material adverse effect on our business, financial condition or results of operations. We depend heavily on the capacity, reliability and security of our information technology systems, networks and platforms and their components, including our data centers, cloud providers and other vendors and service providers, production and delivery systems as well as the Internet, to create and deliver our products and service our clients. Our employees also depend on these systems, networks, platforms and providers for internal use. Factors affecting the availability of our products and services and our information technology systems and networks, such as loss of service from third parties, operational or execution failures, human error, terrorist or other attacks, geopolitical instability or unrest, climate or weather related events (e.g., hurricanes, floods or other natural disasters), outbreak of pandemic or contagious disease, power loss, telecommunications failures, technical breakdowns, Internet failures or malicious attacks exploiting security vulnerabilities, could impair our or our third-party service provider systems’ operations or interrupt their availability for extended periods of time or impact the availability of our or our third-party service provider’s personnel. Our ability to effectively use the Internet, including our remote work force’s ability to access the Internet, may also be impaired due to infrastructure failures, service outages at third-party Internet providers, malicious attacks exploiting security vulnerabilities or increased government regulation. Disruptions, failures or slowdowns that could occur with respect to our operations, including to our information technology systems, networks and platforms, our electronic delivery systems or the Internet, could reduce confidence in our products and services, damage our brand and reputation, result in litigation and negatively affect our ability to distribute our products effectively and to service our clients, including delivering managed services or delivering real-time index data. To the extent we grow through acquisitions, newly acquired businesses may not have invested in technology and resilience to the same extent as we have. As their systems are integrated into ours, a vulnerability could be introduced that could impact us. There is no assurance that we will be able to successfully defend against such disruptions or that our disaster recovery or business continuity plans, or those of our third-party service providers (including cloud providers), will be effective in mitigating the risks and associated costs, which could be exacerbated by our shift to an increasingly remote working environment, and which could have a material impact on our business, financial condition or results of operations.

Any failures, disruptions, instability or vulnerabilities in our information technology architecture, platforms, vendors and service providers, production and delivery systems, software, code, internal network, the Internet or other systems or applications may disrupt our operations, cause our products to be unavailable or fail and impose delays or additional costs in deploying our products, or impose conditions or restrictions on our ability to commercialize our products or keep them confidential and result in reputational and other harm and have a material adverse effect on our business, financial condition or results of operations. We depend heavily on the capacity, reliability and security of our information technology systems and platforms and their components, including our data centers, cloud providers and other vendors and service providers, production and delivery systems as well the Internet, to create and deliver our products and service our clients. Our employees also depend on these systems, platforms and providers for internal use. Heavy use of our electronic delivery systems and other factors such as loss of service from third parties, operational failures, human error, terrorist or other attacks, climate or weather related events (e.g., hurricanes, floods or other natural disasters), another outbreak of pandemic or contagious disease, power loss, telecommunications failures, technical breakdowns, Internet failures or malicious attacks exploiting security vulnerabilities could impair our systems’ operations or interrupt their availability for extended periods of time or impact the availability of personnel. Our ability to effectively use the Internet, including 18 18 18 Table of Contents Table of Contents our remote work force’s ability to access the Internet, may also be impaired due to infrastructure failures, service outages at third-party Internet providers, malicious attacks exploiting security vulnerabilities or increased government regulation. Disruptions, failures or slowdowns that could occur with respect to our operations, including to our information technology systems and platforms, our electronic delivery systems or the Internet, could damage our brand and reputation, result in litigation and negatively affect our ability to distribute our products effectively and to service our clients, including delivering managed services or delivering real-time index data. To the extent we grow through acquisitions, newly acquired businesses may not have invested in technological infrastructure and disaster recovery to the same extent as we have. As their systems are integrated into ours, a vulnerability could be introduced, which could impact our platforms across the Company. There is no assurance that we will be able to successfully defend against such disruptions or that our disaster recovery or business continuity plans, or those of our third-party service providers (including cloud providers), will be effective in mitigating the risks and associated costs, which could be exacerbated by our shift to an increasingly remote working environment, and which could have a material impact on our business, financial condition or results of operations.

We are subject to income taxes, as well as non-income or indirect taxes, in the U.S. and various foreign jurisdictions. Significant judgment is required in determining our global provision for income taxes and other tax liabilities. Our income tax obligations are based in part on our corporate structure and intercompany arrangements. In the ordinary course of our global business, there are many intercompany transactions and calculations where the ultimate tax determination is uncertain, and tax authorities of the jurisdictions in which we operate may challenge our methodologies. Changes in domestic and international tax laws could negatively impact our overall effective tax rate. Over the last several years, many jurisdictions and intergovernmental organizations have been discussing or are in the process of implementing proposals that may change aspects of the existing framework under which our tax obligations are determined in many of the jurisdictions in which we operate. Recent pronouncements and directives related to this project include the implementation of a 15% global minimum tax in the near term. Many countries have begun to adopt these directives into their respective tax codes, with varying effective dates beginning January 1, 2024. Although we do not anticipate the directives to have a material impact on our financial results at this time, certain implementation details have yet to be developed and the enactment of certain of these changes has not yet taken effect in all jurisdictions in which we operate. As a result, these changes may have adverse tax consequences for us, may increase our compliance costs and may increase the amount of tax we are required to pay in certain jurisdictions. We are regularly under audit by tax authorities. From time to time, we also face proceedings, investigations or inquiries related to tax matters. We may be subject to additional tax liabilities as the jurisdictions in which we do business globally are increasingly focused on digital taxes and the treatment of remote workforces. Although we believe that our tax provisions are reasonable, there can be no assurance that the final determination of tax audits or tax disputes will not be different from what is reflected in our historical income tax provisions and accruals. To the extent we are required to pay amounts in excess of our reserves, such differences could have a material adverse effect on our Consolidated Statement of Income for a particular future period. In addition, an unfavorable tax settlement could require use of our cash and result in an increase in our effective tax rate in the period in which such resolution occurs and may have a material impact on our financial results. 28 28 28 Table of Contents Table of Contents

We are subject to income taxes, as well as non-income or indirect taxes, in the U.S. and various foreign jurisdictions. Significant judgment is required in determining our global provision for income taxes and other tax liabilities. In the ordinary course of a global business, there are many intercompany transactions and calculations where the ultimate tax determination is uncertain. Changes in domestic and international tax laws could negatively impact our overall effective tax rate. Over the last several years, many jurisdictions and intergovernmental organizations have been discussing or are in the process of implementing proposals that may change aspects of the existing framework under which our tax obligations are determined in many of the jurisdictions in which we operate, including to ensure that multinational enterprises pay a global minimum tax, among other changes. Recent pronouncements and directives related to this project suggest an implementation of the proposed 15% global minimum tax in the near term. Continued negotiations on important details of this project are ongoing, and ultimate enactment and timing in the EU, United States, UK and other jurisdictions remain uncertain. Based on our current understanding of these proposals and directives, we expect that we may be within their scope and that their implementation could impact the amount of tax we have to pay. We are regularly under audit by tax authorities. We may be subject to additional tax liabilities as the jurisdictions in which we do business globally are increasingly focused on digital taxes and the treatment of remote workforces. Although we believe that our tax provisions are reasonable, there can be no assurance that the final determination of tax audits or tax disputes will not be different from what is reflected in our historical income tax provisions and accruals. To the extent we are required to pay amounts in excess of our reserves, such differences could have a material adverse effect on our Consolidated Statement of Income for a particular future period. In addition, an unfavorable tax settlement could require use of our cash and result in an increase in our effective tax rate in the period in which such resolution occurs.

Our operations rely on the secure collection, retrieval, storage, transmission and other processing of confidential, sensitive, proprietary and other types of data and information that is managed internally and with third-party vendors. We and our vendors are subject to security risks, including cyber-attacks and other security incidents, such as phishing scams or other social engineering attacks, hacking, tampering, intrusions, viruses, malware (including ransomware) and denial-of-service attacks. Cybersecurity risks also may derive from fraud or malice on the part of our employees or third parties, or may result from human error, software bugs, server malfunctions, software or hardware failure or other technological failure. In some cases, these risks are heightened when employees are working remotely. Our and our vendors’ use of mobile and cloud technologies may also increase our risk for such threats. We may be exposed to more targeted and more sophisticated cyber-attacks and other security incidents aimed at accessing certain information on our systems and networks because of our role or prominence in the global marketplace, including client portfolio data, the composition of our indexes and MSCI ESG Research ratings of corporate issuers. Any such threats may cause material interruptions or malfunctions in our or our vendors’ products or services, networks, systems, websites, applications, data or data processing, or may otherwise compromise the availability, confidentiality or integrity of data or information in our possession. Additionally, while we conduct due diligence during the acquisition process, acquired businesses may not have invested as heavily in security measures and technology, and this may introduce additional security risk. In the past, we have experienced cyber-attacks of varying degrees, including denial-of-service attacks. There can be no assurance that there will not be material adverse effects relating to these types of incidents in the future, in particular as these incidents have generally become increasingly frequent, sophisticated, difficult to detect and difficult to successfully defend against and may see their frequency increased, and effectiveness enhanced, by the use of AI. Our security measures or those of our third-party providers, including any cloud-based technologies, may prove insufficient depending upon the attack or threat posed. Cyber-attacks, security incidents or third-party reports of perceived security vulnerability to our systems or networks, even if no intrusion has occurred, could damage our brand and reputation, result in litigation, regulatory actions, investigations, sanctions or other penalties, lead to loss of client confidence, which would harm our ability to retain clients and gain new ones, and lead to financial losses and reputational damage. Any of the foregoing could lead to unexpected or higher than estimated costs. We may also incur additional costs as a result of increasing and refining our internal processes and IT controls and policies and procedures related to security, processing integrity and confidentiality or privacy.

Our operations rely on the secure processing, storage and transmission of confidential, sensitive, proprietary and other types of data and information that is managed internally and with third-party vendors. We and our vendors are subject to security risks, including cyber-attacks and other security breaches, such as phishing scams, hacking, tampering, intrusions, viruses, ransomware, malware and denial-of-service attacks. In some cases, these risks are heightened when employees are working remotely. Our and our vendors’ use of mobile and cloud technologies may also increase our risk for such threats. We may be exposed to more targeted and more sophisticated cyber and other security attacks aimed at accessing certain information on our systems because of our role or prominence in the global marketplace, including client portfolio data, the composition of our indexes and MSCI ESG Research ratings of corporate issuers. Any such threats may cause material interruptions or malfunctions in our or our vendors’ products or services, networks, systems, websites, applications, data or data processing, or may otherwise compromise the availability, confidentiality or integrity of data or information in our possession. While we have not experienced cyber or other security incidents that are individually, or in the aggregate, material to the Company, we have experienced cyber-attacks of varying degrees in the past, including denial-of-service attacks. There can be no assurance that there will not be material adverse effects relating to these types of incidents in the future, in particular as these incidents have generally become increasingly frequent, sophisticated, difficult to detect and difficult to successfully defend against. Our security measures or those of our third-party providers, including any cloud-based technologies, may prove insufficient depending upon the attack or threat posed. Cyber-attacks, security breaches or third-party reports of perceived security vulnerability to our systems, even if no breach has occurred, could damage our brand and reputation, result in litigation, regulatory actions, sanctions or other penalties, lead to loss of client confidence, which would harm our ability to retain clients and gain new ones, and lead to 19 19 19 Table of Contents Table of Contents financial losses. Any of the foregoing could lead to unexpected or higher than estimated costs. We may also incur additional costs as a result of increasing and refining our internal processes and IT controls and policies and procedures related to security, processing integrity and confidentiality or privacy.

For an overview of our current outstanding indebtedness, see “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” Although we believe that our cash flows will be sufficient to service our outstanding indebtedness, we cannot provide assurance that we will generate and maintain cash flows sufficient to permit us to pay the principal, premium, if any, and interest on our indebtedness. Our ability to make payments on indebtedness and to fund planned capital expenditures depends on our ability to generate and access cash in the future, which, in turn, is subject to general economic, financial, competitive, regulatory and other factors, many of which are beyond our control. If we are unable to pay our obligations as they mature, we may need to refinance all or a portion of our indebtedness on or before maturity. If we are unable to secure additional financing on terms favorable or acceptable to us or at all, we could also be forced to sell assets to make up for any shortfall in our payment obligations. If we cannot refinance or otherwise pay our obligations as they mature and fund our liquidity needs, our business, financial condition, results of operations, cash flows, liquidity, ability to obtain financing and ability to compete in our industry could be materially adversely affected. We may need or want to refinance our existing debt or incur additional debt from time to time to finance working capital, capital expenditures, investments or acquisitions, or for other purposes. If we do so, we may be subject to less favorable terms. The risks related to our level of indebtedness could also intensify, including by making it difficult for us to optimally capitalize and manage the cash flow for our business or placing us at a competitive disadvantage compared to our competitors that have less indebtedness. Furthermore, the terms of our debt agreements include restrictive covenants that limit, among other things, our and our existing and future subsidiaries’ financial flexibility. If we are unable to comply with the restrictions and covenants in our debt agreements, there could be a default that, in some cases, if continuing, could result in the accelerated payment of our debt obligations or the termination of borrowing commitments on the part of the lenders under our revolving credit facility (the “Revolving Credit Facility) under the Second Amended and Restated Credit Agreement (the “Credit Agreement”), dated as of January 26, 2024, by and among the Company, JPMorgan Chase Bank, N.A., as administrative agent and the lenders from time to time party thereto, as amended, supplemented, modified or amended and restated from time to time. As of December 31, 2023, there were no amounts outstanding under the Revolving Credit Facility. As of December 31, 2023, the term loan A facility (the “TLA Facility”) under our prior credit agreement dated as of June 9, 2022 (the “Prior Credit Agreement”), was fully drawn. On the closing of the Credit Agreement on January 26, 2024, the revolving loans under the Credit Agreement were drawn in an amount sufficient to prepay all amounts outstanding under the TLA Facility. Any borrowings under the Revolving Credit Facility under our Credit Agreement are primarily based on the Secured Overnight Financing Rate (“SOFR”), which replaced the USD London Interbank Offered Rate (“LIBOR”) as the reference rate. Because SOFR differs fundamentally from LIBOR, there is no assurance that SOFR will perform in the same way as LIBOR would have performed at any time, and there is no guarantee that it is a comparable substitute for LIBOR. While we will continue to use SOFR, certain factors may impact SOFR, including factors causing SOFR to cease to exist, new methods of calculating SOFR to be established, or the use of alternative reference rates. These consequences are not entirely predictable and could have an adverse impact on our financing costs and our results of operations. Because we have incurred variable rate indebtedness, and we may incur additional variable rate indebtedness, we are subject to interest rate risk generally, which could cause our debt service obligations to increase significantly. Reference rates used to determine the applicable interest rates for our variable rate debt began to rise significantly 27 27 27 Table of Contents Table of Contents recently. If interest rates continue to increase, the debt service obligations on such indebtedness will continue to increase even if the amount borrowed remains the same, and our net income and cash flows, including cash available for servicing our indebtedness, will correspondingly decrease.

For an overview of our current outstanding indebtedness, see “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” Although we believe that our cash flows will be sufficient to service our outstanding indebtedness, we cannot provide assurance that we will generate and maintain cash flows sufficient to permit us to pay the principal, premium, if any, and interest on our indebtedness. Our ability to make payments on indebtedness and to fund planned capital expenditures depends on our ability to generate and access cash in the future, which, in turn, is subject to general economic, financial, competitive, regulatory and other factors, many of which are beyond our control. If we are unable to pay our obligations as they mature, we may need to refinance all or a portion of our indebtedness on or before maturity. If we are unable to secure additional financing on terms favorable or acceptable to us or at all, we could also be forced to sell assets to make up for any shortfall in our payment obligations. If we cannot refinance or otherwise pay our obligations as they mature and fund our liquidity needs, our business, financial condition, results of operations, cash flows, liquidity, ability to obtain financing and ability to compete in our industry could be materially adversely affected. We may need or want to refinance our existing debt or incur additional debt from time to time to finance working capital, capital expenditures, investments or acquisitions, or for other purposes. If we do so, we may be subject to less favorable terms. The risks related to our level of indebtedness could also intensify, including by making it difficult for us to optimally capitalize and manage the cash flow for our business or placing us at a competitive disadvantage compared to our competitors that have less indebtedness. Furthermore, the terms of our debt agreements include restrictive covenants that limit, among other things, our and our existing and future subsidiaries’ financial flexibility. If we are unable to comply with the restrictions and covenants in our debt agreements, there could be a default that, in some cases, if continuing, could result in the accelerated payment of our debt obligations or the termination of borrowing commitments on the part of the lenders under our revolving credit facility (the “Revolving Credit Facility) or our term loan A facility (the “TLA Facility”) under the Amended and Restated Credit Agreement (the “Credit Agreement”), dated as of June 9, 2022, by and among the Company, the guarantors party thereto, JPMorgan Chase Bank, N.A., as administrative agent and the lenders from time to time party thereto, as amended, supplemented, modified or amended and restated from time to time. As of December 31, 2022, there were no amounts outstanding under our Revolving Credit Facility, and the TLA Facility was fully drawn. In 2017, the UK Financial Conduct Authority (the “FCA”), which regulates London Interbank Offered Rate (“LIBOR”), announced that the FCA will no longer persuade or compel banks to submit rates for the calculation of the LIBOR benchmark after 2021. The administrator for LIBOR announced on March 5, 2021 that it will permanently cease to publish most LIBOR settings beginning on January 1, 2022 and cease to publish the overnight, one-month, three-month, six-month and 12-month USD LIBOR settings on July 1, 2023. Accordingly, the FCA has stated that it does not intend to persuade or compel banks to submit to LIBOR after such respective dates. Until such time, however, FCA panel banks have agreed to continue to support LIBOR. The U.S. Federal Reserve, in conjunction with the Alternative Reference Rates Committee, a steering committee comprised of large U.S. financial institutions, is recommending replacing USD LIBOR with the Secured Overnight Financing Rate (“SOFR”), a new index calculated by short-term repurchase agreements, backed by Treasury securities. In 2022, we amended our prior credit agreement to, among other things, replace LIBOR with SOFR. Any borrowings under the credit facilities under our Credit Agreement are primarily based on SOFR. It is unknown whether SOFR will attain market acceptance as a replacement for LIBOR and, because SOFR differs fundamentally from LIBOR, there is no assurance that SOFR will perform in the same way as LIBOR would have performed at any time, and there is no guarantee that it is a comparable substitute for LIBOR. As a result, we cannot reasonably predict the potential effect, if any, of the replacement of LIBOR with SOFR or the establishment of other alternative reference rates on our business, financial condition or results of operations. In addition, we have incurred variable rate indebtedness under the TLA Facility, and we may incur variable rate indebtedness under our Revolving Credit Facility, which subjects us to interest rate risk generally and could cause our debt service obligations to increase significantly. 26 26 26 Table of Contents Table of Contents