American International Group (AIG) Risk Factors

Certain of our annuity and life insurance products include features that guarantee a certain level of benefits, including guaranteed minimum death benefits, guaranteed living benefits, including guaranteed minimum income benefits, and products with guaranteed interest crediting rates, including crediting rate guarantees tied to the performance of various market indices. Many of these features are accounted for at fair value as either MRBs or embedded derivatives under GAAP, and they have significant exposure to capital markets and insurance risks. An increase in valuation of liabilities associated with the guaranteed features results in a decrease in our profitability and depending on the magnitude of any such increase, could materially and adversely affect our financial condition, including our capitalization, as well as our financial strength ratings. We employ a capital markets hedging strategy to partially offset the economic impacts of movements in equity, interest rate and credit markets, however, our hedging strategy may not effectively offset movements in our GAAP equity or our statutory surplus and capital requirements and may otherwise be insufficient in relation to our obligations. Furthermore, we are subject to the risk that changes in policyholder behavior or actual levels of mortality/longevity as compared to assumptions in pricing and reserving, combined with adverse market events, could produce losses not addressed by the risk management techniques employed. These factors, individually or collectively, may have a material adverse effect on our business, financial condition, results of operations or liquidity including our ability to receive dividends from our operating companies. Changes in interest rates result in changes to the fair value liability. All else being equal, higher interest rates generally decrease the fair value of our liabilities, which increases our earnings, while low interest rates generally increase the fair value of our liabilities, which decreases our earnings. A prolonged low interest rate environment or a prolonged period of widening credit spreads may also subject us to increased hedging costs or an increase in the amount of statutory reserves that our insurance subsidiaries are required to hold for our liabilities, lowering their statutory surplus, which would adversely affect their ability to pay dividends. In addition, it may also increase the perceived value of our benefits to our policyholders, which in turn may lead to a higher than expected benefit utilization and lower than expected surrender rates of those products over time as compared to pricing assumptions. Differences between the change in fair value of the GAAP MRBs and embedded derivatives, as well as associated statutory and tax liabilities, and the value of the related hedging portfolio may occur and can be caused by movements in the level of equity, interest rate and credit markets, market volatility, policyholder behavior and mortality/longevity rates that differ from our assumptions and our inability to purchase hedging instruments at prices consistent with the desired risk and return trade-off. In addition, we may sometimes choose not to hedge or fully mitigate these risks, based on economic considerations and other factors. The occurrence of one or more of these events has in the past resulted in, and could in the future result in, an increase in the fair value of liabilities associated with the guaranteed benefits without an offsetting increase in the value of our hedges, or a decline in the value of our hedges without an offsetting decline in our liabilities, thus reducing our results of operations and shareholders' equity. For additional information on these products, see Item 1. Business – Regulation, Part II, Item 7. MD&A – Critical Accounting Estimates – Market Risk Benefits and Notes 13 and 14 to the Consolidated Financial Statements.

The Inflation Reduction Act of 2022, includes a 15 percent corporate alternative minimum tax (CAMT) on adjusted financial statement income for corporations with average profits over $1 billion over a three-year period. Although the U.S. Treasury and the Internal Revenue Service issued interim CAMT guidance during 2023, many details and specifics of application of the CAMT remain subject to future guidance. We are subject to CAMT for 2023. Our estimated CAMT liability will continue to be refined based on future guidance. New tax laws outside the U.S., in particular those enacted in response to proposals by the Organisation for Economic Cooperation and Development, could make substantive changes to the global international tax regime. Such changes could increase our global tax costs. AIG continues to monitor and assess the impact of such proposals. Finally, it is possible that tax laws will be further changed either in a technical corrections bill or entirely new legislation. It remains difficult to predict whether or when there will be any tax law changes or further guidance by the authorities in the U.S. or elsewhere in the world. New or proposed changes to tax laws may have a material adverse effect on our business, consolidated results of operations, liquidity and financial condition, as the impact of proposals on our business can vary substantially depending upon the specific changes or further guidance made and how the changes or guidance are implemented by the authorities. For additional information, see Note 23 to the Consolidated Financial Statements.

There is increasing scrutiny and evolving expectations from investors, customers, regulators, policymakers and other stakeholders on companies' governance, risk oversight, disclosures, plans, policies and practices regarding environmental, social and governance matters, including those related to environmental stewardship, climate change, diversity, equity and inclusion, racial justice and workplace conduct. These standards and expectations may also, as a whole, reflect diverging or conflicting values or policy objectives. Governmental actions to mitigate climate and other risks related to environmental, social and governance matters could have an adverse effect on our business and results of operations. Internationally and at the U.S. federal and state levels, regulators have imposed and likely will continue to impose requirements and guidance related to environmental, social and governance matters, which may conflict with one another, impose additional costs on us and expose us to new or additional risks, including financial, regulatory, litigation, reputational and operational risks. See Business – Regulation – Climate Change. Certain organizations that provide information to investors have developed ratings for evaluating companies on their approach to different environmental, social and governance matters, and unfavorable ratings of our company or our industries may lead to negative investor sentiment and the diversion of investment to other companies or industries. We may not be able to meet environmental, social, governance or sustainability targets, goals, plans, standards or expectations (including any previously announced climate target, goal or plan), whether established or set by us or third parties, due to a variety of factors, including regulatory or other developments, changes to the methodologies, assumptions and estimates that underlie our climate- and other sustainability-related targets, goals and strategy, or the actions of or information provided by third parties outside of our control, who may apply standards, methodologies, practices and policies that differ from ours. If we are unable to meet such targets, goals, plans, standards or expectations, it could result in adverse publicity, reputational harm, or loss of customer and/ or investor confidence, which could adversely affect our business and results of operations. For information on the effects of climate change on our business, see Reserves and Exposures – "Climate change may adversely affect our business and financial condition" above.

We have used and will continue to use outsourcing strategies and third-party providers to transform operational and back office processes and deliver contracted services in a broad range of areas. Such areas include, but are not limited to, administration or servicing of certain policies and contracts, finance, actuarial, information technology services related to infrastructure, and investment advisory and management services for certain funds, plans and retail advisory programs we offer, as well as our own investments. In addition, we have engaged with BlackRock for use of its investment management and risk analytics technology platform, Aladdin. The implementation of Aladdin is comprised of multiple workstreams that are complex and require significant time and resource prioritization. While we have achieved key milestones in the implementation of the technology, there could be delays due to lack of sufficient resources to execute on a timely basis, inefficiencies stemming from changes that may be required to the program or sequencing, failure to meet operational and financial targets due to additional priorities or other factors. These risks may impair our ability to achieve anticipated improvements in our businesses may disrupt or may otherwise harm our operations which could materially and adversely affect our businesses, financial condition and operations. Further, we have engaged Blackstone and BlackRock to serve as our investment managers for the majority of AIG's investment assets. For information regarding our reliance on Blackstone and BlackRock as a third-party investment managers, see Investment Portfolio and Concentration of Investments – "We rely on investment management and advisory arrangements with third-party investment managers for the majority of our investment portfolio. The historical performance of Blackstone, BlackRock or any other asset manager we engage should not be considered as indicative of the future results of our investment portfolio, our future results or any returns expected on AIG Common Stock" above. Some of the third-party providers we use are located outside the U.S., which exposes us to business disruptions and political risks inherent to conducting business outside of the U.S. We periodically negotiate provisions and renewals of these relationships, and there can be no assurance that such terms will remain acceptable to us, such third parties or regulators. If such third-party providers experience disruptions, fail to meet applicable licensure requirements, do not perform as anticipated or in compliance with applicable laws and regulations, terminate or fail to renew our relationships, or such third-party providers in turn rely on services from another third-party provider, who experiences such disruptions, licensure failures, nonperformance or noncompliance, termination or non- renewal of its contractual relationships, we may experience operational difficulties, an inability to meet obligations (including, but not limited to, contractual, legal, regulatory or policyholder obligations), a loss of business, increased costs or reputational harm, compromises to our data integrity, or suffer other negative consequences, all of which may have a material adverse effect on our business, consolidated results of operations, liquidity and financial condition. Third parties performing regulated activities on our behalf, such as sales and servicing of insurance products, pose a heightened risk as we may be held accountable for third-party conduct that is not in compliance with applicable law. For information regarding cyber risk arising from third-party providers, see Business and Operations – "We are exposed to certain risks if we are unable to maintain the availability of our critical technology systems and data and safeguard the confidentiality and integrity of our data, which could compromise our ability to conduct business and adversely affect our consolidated business, results of operations, financial condition and liquidity" above.

AIG provides insurance solutions that help businesses and individuals in approximately 190 countries and jurisdictions protect their assets and manage risks through AIG operations and network partners. A substantial portion of our business is conducted outside the United States, and we intend to continue to grow our business in strategic markets. Operations outside the United States have in the past been, and may in the future be, affected by elevated climate risks, regional economic downturns, changes in foreign currency exchange rates, political events or upheaval, sanctions policies, nationalization and other restrictive government or regulatory actions, which could also affect our other operations. AIG subsidiaries operating in foreign jurisdictions must satisfy local regulatory requirements and it is possible that these local licenses may require AIG Parent to meet certain conditions. Licenses issued by foreign authorities to our subsidiaries are subject to modification and revocation. Consequently, our insurance subsidiaries could be prevented from conducting future business in some of the jurisdictions where they currently operate. Adverse actions from any single country could adversely affect our results of operations, depending on the magnitude of the event and our financial exposure at that time in that country. AIG is subject to myriad regulations which govern items such as sanctions, bribery and anti-money laundering, for which failure to comply could expose us to significant penalties. The USA Patriot Act of 2011 requires companies to know certain information about their clients and to monitor their transactions for suspicious activities. The Foreign Corrupt Practices Act makes it unlawful for certain classes of persons and entities to make payments to foreign government officials to assist in obtaining or retaining business. Also, the Department of the Treasury's Office of Foreign Assets Control administers regulations that restrict or prohibit dealings involving certain organizations, individuals and countries. The UK, the EU, Japan and other jurisdictions maintain similar laws and regulations. Although we have policies and controls in place that are designed to ensure compliance with these laws, if those controls are ineffective and/or an employee or third party fails to comply with applicable laws and regulations, we could suffer civil and criminal penalties, including disgorgement, and our business and our reputation could be adversely affected.

Effective intellectual property rights protection, including in the form of contractual rights, copyright, trademark, patent and trade secret laws, may be unavailable, limited, or subject to change in some countries where we do or plan to do business. Third parties may infringe or misappropriate our intellectual property. We have, and may in the future, litigate to protect our intellectual property. Any such litigation may be costly and may not be successful. Additionally, third parties may have patents or other protections that could be infringed by our products, methods, processes or services or which could limit our ability to offer certain product features. Consequently, we have in the past been and may in the future be subject to costly litigation in the event that another party alleges that we infringe upon their intellectual property rights. Any such intellectual property litigation could prove to be both costly and unsuccessful result in significant expense, damages, and in some circumstances we could be enjoined from providing certain products or services to our customers. Alternatively, we could be required to enter into costly licensing arrangements with third parties to resolve infringement or contractual disputes. The loss of intellectual property protection or the inability to secure or enforce the protection of our intellectual property assets could harm our reputation and have a material adverse effect on our business and our ability to compete.

We use information technology systems, infrastructure and networks and other operational systems to store, retrieve, evaluate and use customer, employee and company data and information. Our business is highly dependent on our ability to access these systems and networks to perform necessary business functions. In the event of a natural disaster, unauthorized access, a terrorist attack, a major cyber attack or other disruption, our systems, networks, and data may be inaccessible to our employees, customers or business partners for an extended period of time, and we may be unable to meet our business obligations and regulatory requirements for an extended period of time if our data or systems are disabled, manipulated, destroyed or otherwise compromised. Additionally, some of our technology systems are older, legacy-type systems that are less efficient and require an ongoing commitment of significant resources to maintain or upgrade. Some of these systems cannot be fully protected because of the inability to implement the latest security patches. Supply chain disruptions or delays could prevent us from maintaining and implementing changes, updates and upgrades to our systems and networks in a timely manner or at all. System and network failures or outages could compromise our ability to perform business functions in a timely manner, which could harm our ability to conduct business, hurt our relationships with our business partners and customers and expose us to legal claims as well as regulatory investigations and sanctions, any of which could have a material adverse effect on our business, results of operations, financial condition and liquidity. Some of these technology systems also rely upon third-party systems and services, which themselves may rely on the systems and services of other third parties. Problems caused by, or occurring in relation to, our third-party providers' systems and services, including those resulting from breakdowns or other disruptions in information technology services provided by our third-party providers and the other third-parties on which they rely, our inability to acquire third-party services on commercially acceptable terms, failure of a third-party provider to perform as anticipated or in compliance with applicable laws or regulations, inability of a third-party provider to provide the required volumes of services or our third-party providers experiencing cyberattacks or data breaches, could materially and adversely affect our business, results of operations, financial condition and liquidity. Like other global companies, the systems and networks we maintain and third-party systems and networks we use have in the past been, and may in the future be, subject to or targets of unauthorized or fraudulent access, including physical or electronic break-ins or unauthorized tampering, as well as attempted cybersecurity threats such as "denial of service" attacks, phishing, automated attacks, and other disruptive attacks, including ransomware. Cyber threats are constantly evolving and the techniques used in these attacks change, develop and evolve rapidly, including the use of emerging technologies, such as broader forms of artificial intelligence and quantum computing by nation state threat actors and criminal organizations. The new cyber risks introduced by these changes in technology require us to devote significant attention to identification, assessment and analysis of the risks and implementation of corresponding preventative measures. Additionally, the frequency and sophistication of such threats continue to increase and often become further heightened in connection with geopolitical tensions. Also, like other global companies, we have an increasing challenge of retaining and attracting highly qualified personnel to assist us in combatting these security threats. There is no assurance that our cybersecurity measures, including information security and technology policies and standards, administrative, technical and physical controls and other actions by us or contracted third-parties designed as preventative, will provide fully effective protection from threats to our data, systems and networks, including malware and computer virus attacks, ransomware, unauthorized access, business e-mail compromise, misuse, denial-of-service attacks, system failures and other disruptions. AIG maintains insurance to cover operational risks, such as cyber risk and technology outages, but this insurance may not cover all costs associated with the consequences of information systems or personal, confidential or proprietary information being compromised. In the case of a successful ransomware attack in which our data and information systems are compromised and applicable restore control processes to restore access are not effective, our information could be held hostage until a ransom, which may be significant, is paid. In some cases, such a compromise may not be immediately detected which may make it difficult to restore critical services, mitigate damage to assets and maintain the integrity and security of data including our policyholder, employee, agent, and other confidential information processed through our systems and networks. Additionally, since we rely heavily on information technology and systems (which increasingly will include the use of artificial intelligence) and on the integrity and timeliness of data to run our businesses and service our customers, any such security event and resulting compromise of systems or data may impede or interrupt our business operations and our ability to service our customers, and otherwise may materially and adversely affect our business, results of operations, financial condition and liquidity. There can be no assurance that any actions taken by us to evaluate and enhance our information security and technology systems and processes, including third-party systems and services on which we rely, as well as changes designed to update and enhance our protective measures to address new threats, will decrease the risk of a system or process failure or may create a gap in the associated security measures during the change period. Any such system or process failure or security measures gap could materially and adversely affect our business, results of operations, financial condition and liquidity. We routinely transmit, receive and store personal, confidential and proprietary information by secured email and other electronic means. Although we attempt to keep such information confidential and secure, we may be unable to do so in all events, especially with clients, vendors, service providers, counterparties and other third parties who may not have or use appropriate controls to protect personal, confidential or proprietary information. Failure to secure or appropriately handle personal, confidential or proprietary information could cause a loss of data or compromised data integrity, give rise to remediation or other expenses, expose us to liability under U.S. and international laws and regulations, and subject us to litigation, investigations, sanctions, and regulatory and law enforcement action, and result in reputational harm and loss of business, which could have a material adverse effect on our business, results of operations, financial condition and liquidity. Furthermore, certain of our businesses are subject to compliance with laws and regulations enacted by U.S. federal and state governments, the EU or other jurisdictions or enacted by various regulatory organizations or exchanges relating to the privacy and security of the information of clients, employees or others. The variety of applicable privacy and information security laws and regulations exposes us to heightened regulatory scrutiny, requires us to incur significant technical, legal and other expenses in an effort to ensure and maintain compliance and will continue to impact our business in the future by increasing legal, operational and compliance costs. While we have taken steps to comply with privacy and information security laws, we cannot guarantee that our efforts will meet the evolving standards imposed by data protection authorities. If we are found not to be in compliance with these privacy and security laws and regulations, we may be subject to additional potential private consumer, business partner or securities litigation, regulatory inquiries, and governmental investigations and proceedings, including class-actions. Any such developments may damage our reputation and subject us to material fines and other monetary penalties and damages, divert management's time and attention, and lead to enhanced regulatory oversight, any of which could have a material adverse effect on our business, results of operations, financial condition and liquidity. Additionally, we expect that developments in privacy and cybersecurity worldwide will increase the financial and reputational implications following a significant breach of our or our third-party suppliers' information technology systems. For additional information on data protection and cybersecurity regulations, see Item 1. Business – Regulation – Privacy, Data Protection, Cybersecurity and Artificial Intelligence Requirements, and Part II, Item 7. MD&A – Enterprise Risk Management – Operational Risk Management – Cybersecurity Risk.

Our businesses operate in highly competitive environments, both domestically and overseas. Our principal competitors are other large multinational insurance organizations, as well as banks, investment banks and other nonbank financial institutions. General Insurance and Life and Retirement compete through a combination of risk acceptance criteria, product pricing, and terms and conditions. Reductions of our credit ratings or IFS ratings or negative publicity may make it more difficult to compete to retain existing customers and to maintain our historical levels of business with existing customers, counterparties and distribution relationships. A decline in our position as to any one or more of these factors could adversely affect our profitability. Technological advancements and innovation in the insurance industry, including those related to evolving customer preferences, the digitization of insurance products and services, data ingestion and exchange with trading partners, acceleration of automated underwriting, and use of artificial intelligence and electronic processes present competitive risks. Technological advancements and innovation are occurring in distribution, underwriting, recordkeeping, advisory, marketing, claims and operations at a rapid pace, and that pace may increase, particularly as companies increasingly use data analytics and technology as part of their business strategy. If we are unable to effectively implement these technological advancements in our business, including the use of artificial intelligence, in a way that matches or exceeds our competitors, we may suffer competitive harm as a result, which could adversely impact our reputation, results of operations and financial condition. For further discussion on regulatory developments with respect to emerging technologies, see – Regulation below. Further, additional costs may also be incurred in order to implement changes to automate procedures critical to our distribution channels in order to increase flexibility of access to our services and products. While we seek opportunities to leverage technological advancements and innovation for our customers' benefit, our business and results of operations could be materially and adversely affected if external technological advancements or innovation, or the regulation of technological advancements or innovation, limit our ability to retain existing business, write new business at adequate rates or on appropriate terms, render our insurance products less suitable or impact our ability to adapt or deploy current products as quickly and effectively as our competitors.

We maintain relationships with a number of key distributors, which results in certain distributor concentration. Distributors have in the past, and may in the future, elect to renegotiate the terms of existing relationships, such that those terms may not remain attractive or acceptable to us, limit the products they sell, including the types of products offered by us, or otherwise reduce or terminate their distribution relationships with us, with or without cause. This could be due to various reasons, such as industry consolidation of distributors or other industry changes that increase the competition for access to distributors, developments in laws or regulations that affect our business or industry, including the marketing and sale of our products and services, adverse developments in our business, the distribution of products with features that do not meet minimum thresholds set by the distributor, strategic decisions that impact our business, adverse rating agency actions or concerns about market-related risks. Alternatively, renegotiated terms may not be attractive or acceptable to distributors, or we may terminate one or more distribution agreements due to, for example, a loss of confidence in, or a change in control of, one of the third-party distributors. An interruption or reduction in certain key relationships could materially affect our ability to market our products and could materially and adversely affect our business, results of operations, financial condition and liquidity. Key distribution partners could merge, consolidate, change their business models in ways that affect how our products are sold, or terminate their distribution contracts with us, or new distribution channels could emerge and adversely impact the effectiveness of our distribution efforts. An increase in bank, wirehouse and broker-dealer consolidation activity could increase competition for access to distributors, result in greater distribution expenses and impair our ability to market certain of our products through these channels. Also, if we are unsuccessful in attracting, retaining and training key distribution partners, or are unable to maintain our distribution relationships, our sales could decline, which could have a material adverse effect on our business, results of operations, financial condition and liquidity. In addition, substantially all of our distributors are permitted to sell our competitors' products. If our competitors offer products that are more attractive than ours or pay higher commission rates to the distribution partners than we do or for other reasons outside of our control, these distribution partners could concentrate their efforts in selling our competitors' products instead of ours. In addition, we can, in certain circumstances, be held responsible for the actions of our third-party distributors, including broker- dealers, registered representatives, insurance agents and agencies, marketing organizations, and their respective employees, agents and representatives, in connection with the marketing and sale of our products by such parties, including the security of their operations and their handling of confidential information and personal data, in a manner that is deemed not compliant with applicable laws and regulations. This is particularly acute with respect to unaffiliated distributors where we may not be able to directly monitor or control the manner in which our products are sold through third-party firms despite our risk assessment, training and compliance programs. Further, misconduct by employees, agents and representatives of our broker-dealer subsidiaries in the sale of our products could also result in violations of laws by us or our subsidiaries, regulatory sanctions and serious reputational or financial harm to us. The precautions we take to prevent and detect the foregoing activities may not be effective. If our products are distributed to customers for whom they are unsuitable or distributed in a manner alleged to be inappropriate, or third-party distributors experience a security or data breach due to deficient operational controls, we could suffer reputational and/or other financial harm to our business. For information regarding suitability standards, see Item 1. Business – Regulation – Regulatory Regimes – United States.