American International Group (AIG) Risk Analysis

We have used and will continue to use outsourcing strategies and third-party providers to transform operational and back office processes and deliver contracted services in a broad range of areas. Such areas include, but are not limited to, administration or servicing of certain policies and contracts, finance, actuarial, information technology services related to infrastructure, and investment advisory and management services. The implementation of any technological advancements may be comprised of multiple workstreams that are complex and, have in the past and may in the future, require significant time and resource prioritization and result in delays due to the lack of sufficient resources to execute on a timely basis, inefficiencies stemming from changes that may be required to the program or sequencing, failure to meet operational and financial targets due to additional priorities or other factors. These risks may impair our ability to achieve anticipated improvements in our businesses may disrupt or may otherwise harm our operations which could materially and adversely affect our businesses, financial condition and operations. Further, third-party investment managers manage the majority of our investment assets. For information regarding our reliance on third-party investment managers, see Investment Portfolio and Concentration of Investments – "We rely on investment management and advisory arrangements with third-party investment managers for the majority of our investment portfolio. The historical performance of any investment manager we engage should not be considered as indicative of the future results of our investment portfolio, our future results or any returns expected on our Common Stock" above. Some of the third-party providers we use are located outside the U.S., which exposes us to business disruptions and political risks inherent to conducting business outside of the U.S. We periodically negotiate the terms of the provisions and renewal of these relationships, and there can be no assurance that such terms will remain acceptable to us, such third parties or regulators. If such third-party providers experience disruptions, fail to meet applicable licensure requirements, do not perform as anticipated or in compliance with applicable laws and regulations, terminate or fail to renew our relationships, or such third-party providers in turn rely on services from another third-party provider, who experiences such disruptions, licensure failures, nonperformance or noncompliance, termination or non- renewal of its contractual relationships, we may experience operational difficulties, an inability to meet obligations (including, but not limited to, contractual, legal, regulatory or policyholder obligations), a loss of business, increased costs or reputational harm, compromises to our data integrity, or suffer other negative consequences, all of which may have a material adverse effect on our business, consolidated results of operations, liquidity and financial condition. Third parties performing regulated activities on our behalf, such as sales and servicing of insurance products, pose a heightened risk as we may be held accountable for third-party conduct that fails to comply with applicable law. For information regarding cyber risk arising from third-party providers, see Business and Operations – "We are exposed to certain risks if we are unable to maintain the availability of our critical technology systems and data and safeguard the confidentiality and integrity of our data, which could compromise our ability to conduct business and adversely affect our consolidated business, results of operations, financial condition and liquidity" above.

The Inflation Reduction Act of 2022 includes a 15 percent corporate alternative minimum tax (CAMT) on adjusted financial statement income for corporations with average profits over $1 billion over a three-year period. While the U.S. Treasury and the Internal Revenue Service issued proposed regulations for CAMT during the third quarter of 2024, there are still certain details regarding the application of the CAMT that remain unclear and we continue to evaluate the impact of the proposed regulations along with any other guidance. New tax laws outside the U.S., in particular those enacted in response to proposals by the Organisation for Economic Co-operation and Development, could make substantive changes to the global international tax regime. Such changes could increase our global tax costs. We continue to monitor and assess the impact of such proposals. Finally, it is possible that tax laws will be further changed either in a technical corrections bill or entirely new legislation. It remains difficult to predict whether or when there will be any tax law changes or further guidance by the authorities in the U.S. or elsewhere in the world. New or proposed changes to tax laws may have a material adverse effect on our business, consolidated results of operations, liquidity and financial condition, as the impact of proposals on our business can vary substantially depending upon the specific changes or further guidance made and how the changes or guidance are implemented by the authorities. For additional information, see Note 21 to the Consolidated Financial Statements.

There is increasing scrutiny and evolving expectations from investors, customers, regulators, policymakers and other stakeholders on companies' governance, risk oversight, disclosures, plans, policies and practices regarding environmental, social, governance and sustainability matters, including those related to environmental stewardship, climate change, racial justice and workplace conduct. The requirements, standards and expectations of such stakeholders may also, as a whole, reflect diverging or conflicting values or policy objectives. Governmental actions to mitigate climate and other risks related to environmental, social, governance and sustainability matters, or, conversely, to restrict actions companies may take in response to such risks, could have an adverse effect on our business and results of operations. Internationally and at the U.S. federal, state and local levels, regulators have imposed and likely will continue to impose requirements and guidance related to environmental, social, governance and sustainability matters, which will continue to evolve and may conflict with one another, impose additional costs on us and expose us to new or additional risks, including financial, regulatory, litigation, reputational and operational risks. See Item 1. Business – Regulation – Climate Change. Furthermore, certain organizations that provide information to investors have developed ratings for evaluating companies on their approach to different environmental, social and governance matters, and unfavorable ratings of our company or our industries may lead to negative investor sentiment and the diversion of investment to other companies or industries. We may not be able to meet the requirements, standards or expectations of our various stakeholders on environmental, social, governance and sustainability issues, including with respect to any current or future targets, goals, plans, standards or expectations (including any previously announced climate target, goal or plan) on these matters, whether established or set by us or third parties, due to a variety of factors, including regulatory or other developments, changes to the methodologies, assumptions and estimates that underlie our climate- and other sustainability-related targets, goals and strategy, or the actions of or information provided by third parties outside of our control, who may apply standards, methodologies, practices and policies that differ from ours. If we are unable to meet such targets, goals, plans, standards or expectations, it could result in adverse publicity, reputational harm, or loss of customer and/ or investor confidence, which could adversely affect our business and results of operations. Conversely, actions we may take toward meeting such targets, goals, plans, standards or expectations could expose us to negative investor sentiment, regulatory scrutiny, adverse publicity or reputational harm. For information on the effects of climate change on our business, see Reserves and Exposures – "Climate change may adversely affect our business and financial condition" above.

Through our operations, licenses and authorizations and network partners, we provide insurance solutions that help businesses and individuals in approximately 200 countries and jurisdictions protect their assets and manage risks. A substantial portion of our business is conducted outside the United States, and we intend to continue to grow our business in strategic markets. Operations outside the United States have in the past been, and may in the future be, affected by elevated climate risks, regional economic downturns, changes in foreign currency exchange rates and foreign interest rates, political events or upheaval, sanctions policies, nationalization and other restrictive government or regulatory actions, which could also affect our other operations. Our subsidiaries operating in foreign jurisdictions must satisfy local regulatory requirements and it is possible that these local licenses may require AIG Parent to meet certain conditions. Licenses issued by foreign authorities to our subsidiaries are subject to modification and revocation. Consequently, our insurance subsidiaries could be prevented from conducting future business in some of the jurisdictions where they currently operate. Adverse actions from any single country could adversely affect our results of operations, depending on the magnitude of the event and our financial exposure at that time in that country. We are subject to myriad regulations which govern items such as sanctions, bribery and anti-money laundering, for which failure to comply could expose us to significant penalties. Laws and regulations aimed at preventing money laundering, which in some jurisdictions apply to insurance companies, create obligations to know certain information about clients and take steps to monitor for suspicious activities. The Foreign Corrupt Practices Act makes it unlawful for certain classes of persons and entities to make payments to foreign government officials to assist in obtaining or retaining business. Also, the Department of the Treasury's Office of Foreign Assets Control administers regulations that restrict or prohibit dealings involving certain organizations, individuals and countries. The UK, the EU, Japan and other jurisdictions maintain similar laws and regulations. Although we have policies and controls in place that are designed to ensure compliance with these laws and regulations, if those controls are ineffective and/or an employee or third party fails to comply with applicable laws and regulations, we could suffer civil and criminal penalties, including disgorgement, and our business and our reputation could be adversely affected.

Effective intellectual property rights protection, including in the form of contractual rights, copyright, trademark, patent and trade secret laws, may be unavailable, limited, or subject to change in some countries where we do or plan to do business. Third parties may infringe or misappropriate our intellectual property. We have, and may in the future, litigate to protect our intellectual property. Any such litigation may be costly and may not be successful. Additionally, third parties may have patents or other protections that could be infringed by our products, methods, processes or services or which could limit our ability to offer certain product features. Consequently, we have in the past been and may in the future be subject to costly litigation in the event that another party alleges that we infringe upon their intellectual property rights. Any such intellectual property litigation could prove to be both costly and unsuccessful, result in significant expense, damages, and in some circumstances, we could be enjoined from providing certain products or services to our customers. Alternatively, we could be required to enter into costly licensing arrangements with third parties to resolve infringement or contractual disputes. The loss of intellectual property protection or the inability to secure or protect our intellectual property assets could harm our reputation and have a material adverse effect on our business and our ability to compete.

We use information technology systems, infrastructure, including energy supply, and networks and other operational systems to store, retrieve, evaluate and use customer, employee and company data and information. Our business is highly dependent on our ability to access these systems and networks to perform necessary business functions. In the event of a natural disaster, unauthorized access, a terrorist attack, a major cyber-attack or other disruption, our systems, networks, and data may be inaccessible to our employees, customers or business partners for an extended period of time, and we may be unable to meet our business obligations and regulatory requirements for an extended period of time if our data or systems are disabled, manipulated, destroyed or otherwise compromised. Additionally, some of our technology systems are older, legacy-type systems that are less efficient and require an ongoing commitment of significant resources to maintain or upgrade, and in some cases may not be able to be fully protected or to implement the latest security patches. Supply chain disruptions or delays could prevent us from maintaining and implementing changes, updates and upgrades to our systems and networks in a timely manner or at all. System and network failures or outages, including with respect to third parties, have and could compromise our ability to perform business functions in a timely manner, which could harm our ability to conduct business, hurt our relationships with our business partners and customers and expose us to legal claims as well as regulatory investigations and sanctions, any of which could have a material adverse effect on our business, results of operations, financial condition and liquidity. Some of these technology systems also rely upon third-party systems and services, which themselves may rely on the systems and services of other third parties. Problems caused by, or occurring in relation to, our third-party providers' systems and services, including those resulting from breakdowns or other disruptions in information technology services provided by our third-party providers and the other third parties on which they rely, our inability to acquire third-party services on commercially acceptable terms, failure of a third-party provider to perform as anticipated or in compliance with applicable laws or regulations, inability of a third-party provider to provide the required volumes of services or our third-party providers experiencing cyberattacks or data breaches, could materially and adversely affect our business, results of operations, financial condition and liquidity. Like other global companies, the systems and networks we maintain and third-party systems and networks we or our vendors use are currently, and may in the future continue to be, subject to or targets of unauthorized or fraudulent access, including physical or electronic break-ins or unauthorized tampering, as well as attempted cybersecurity threats such as "denial of service" attacks, phishing, automated attacks, and other disruptive attacks, including ransomware. Cyber threats are constantly evolving and the techniques used in these attacks change, develop and evolve rapidly, including the use of emerging technologies, such as advancing forms of artificial intelligence and quantum computing by nation state threat actors and criminal organizations. The new cyber risks introduced by these changes in technology, such as deepfake schemes, require us to devote significant attention to identification, assessment and analysis of the risks and implementation of corresponding preventative measures. Additionally, the frequency and sophistication of such threats continue to increase and often become further heightened in connection with geopolitical tensions. Also, like other global companies, we have an increasing challenge of retaining and attracting highly qualified personnel to assist us in combatting these security threats. There is no assurance that our cybersecurity measures, including information security and technology policies and standards, administrative, technical and physical controls and other actions by us or contracted third-parties designed as preventative, will provide fully effective protection from threats to our data, systems and networks, including malware and computer virus attacks, ransomware, unauthorized access, business e-mail compromise, misuse, denial-of-service attacks, system failures and other disruptions. We maintain insurance to cover operational risks, such as cyber risk and technology outages, but this insurance may not cover all costs associated with the consequences of information systems or personal, confidential or proprietary information being compromised. In the case of a successful ransomware attack in which our data and information systems are compromised and applicable processes to restore access are not effective, our information could be held hostage until a ransom, which may be significant, is paid. In some cases, such a compromise may not be immediately detected which may make it difficult to restore critical services, mitigate damage to assets and maintain the integrity and security of data including our policyholder, employee, agent, and other confidential information processed through our systems and networks. Additionally, since we rely heavily on information technology and systems (which is expected to increasingly include the use of artificial intelligence) and on the integrity and timeliness of data to run our businesses and service our customers, any such security event and resulting compromise of systems or data have and may impede or interrupt our business operations and our ability to service our customers, and may materially and adversely affect our business, results of operations, financial condition and liquidity. There can be no assurance that any actions taken by us to evaluate and enhance our information security and technology systems and processes, including third-party systems and services on which we rely, as well as changes designed to update and enhance our protective measures to address new threats, will decrease the risk of a system or process failure; further, such changes may create a gap in the associated security measures during the change period. Any such system or process failure or security measures gap could materially and adversely affect our business, results of operations, financial condition and liquidity. We routinely transmit, receive and store personal, confidential and proprietary information by secured email and other electronic means. Although we attempt to keep such information confidential and secure, we have been, and in the future may be, unable to do so in all events, especially with clients, vendors, service providers, counterparties and other third parties who may not have or use appropriate controls to protect personal, confidential or proprietary information. Failure to secure or appropriately handle personal, confidential or proprietary information could cause a loss of data or compromised data integrity, give rise to remediation or other expenses, expose us to liability under U.S. and international laws and regulations, subject us to litigation, investigations, sanctions, and regulatory and law enforcement action, and result in reputational harm and loss of business, any of which could have a material adverse effect on our business, results of operations, financial condition and liquidity. Furthermore, certain of our businesses are subject to compliance with laws and regulations enacted by U.S. federal and state governments, the EU or other jurisdictions or enacted by various regulatory organizations or exchanges relating to the privacy and security of the information of clients, employees or others. The variety of applicable privacy and information security laws and regulations exposes us to heightened regulatory scrutiny, requires us to incur significant technical, legal and other expenses in an effort to ensure and maintain compliance and will continue to impact our business in the future by increasing legal, operational and compliance costs. While we have taken steps to comply with privacy and information security laws, we cannot guarantee that our efforts will meet the evolving standards imposed by data protection authorities. If we are found not to be in compliance with these privacy and security laws and regulations, we may be subject to additional potential private consumer, business partner or securities litigation, regulatory inquiries, and governmental investigations and proceedings, including class-actions. Any such developments may damage our reputation and subject us to material fines and other monetary penalties and damages, divert management's time and attention, and lead to further enhanced regulatory oversight, any of which could have a material adverse effect on our business, results of operations, financial condition and liquidity. Additionally, we expect that developments in privacy and cybersecurity worldwide will increase the financial and reputational implications in the event of a significant breach of our or our third-party suppliers' information technology systems. For additional information on data protection and cybersecurity regulations, see Item 1. Business – Regulation – Privacy, Data Protection, Cybersecurity and Artificial Intelligence Requirements, and Part II, Item 7. MD&A – Enterprise Risk Management – Operational Risk Management – Cybersecurity Risk.

Our businesses operate in highly competitive environments, both domestically and overseas. Our principal competitors are other property and casualty insurance organizations. We compete through a combination of risk acceptance criteria, product pricing, and terms and conditions. Reductions of our credit ratings or IFS ratings or negative publicity may make it more difficult to compete to retain existing customers and to maintain our historical levels of business with existing customers, counterparties and distribution relationships. A decline in our position as to any one or more of these factors could adversely affect our profitability. Technological advancements and innovation in the insurance industry, including those related to evolving customer preferences, the digitization of insurance products and services, data ingestion and exchange with trading partners, acceleration of automated underwriting, and use of artificial intelligence and electronic processes present competitive risks. Technological advancements and innovation are occurring in distribution, underwriting, recordkeeping, advisory, marketing, claims and operations at a rapid pace, and that pace may increase, particularly as companies increasingly use data analytics and technology as part of their business strategy. If we are unable to effectively implement these technological advancements in our business, including the use of artificial intelligence, in a way that matches or exceeds our competitors, we may suffer competitive harm as a result, which could adversely impact our reputation, results of operations and financial condition. For further discussion on regulatory developments with respect to emerging technologies, see Regulation above. Further, additional costs may also be incurred in order to implement changes to automate and digitize procedures critical to our distribution channels in order to increase flexibility of access to our services and products. While we seek opportunities to leverage technological advancements and innovation for our customers' benefit, our business and results of operations could be materially and adversely affected if external technological advancements or innovation, or the regulation of technological advancements or innovation, limit our ability to retain existing business, write new business at adequate rates or on appropriate terms, or impact our ability to adapt or deploy current products as quickly and effectively as our competitors.

We maintain relationships with a number of key distributors, which results in certain distributor concentration. Distributors have in the past, and may in the future, elect to renegotiate the terms of existing relationships, such that those terms may not remain attractive or acceptable to us, limit the products they sell, including the types of products offered by us, or otherwise reduce or terminate their distribution relationships with us, with or without cause. This could be due to various reasons, such as industry consolidation of distributors or other industry changes that increase the competition for access to distributors, developments in laws or regulations that affect our business or industry, including the marketing and sale of our products and services, adverse developments in our business, the distribution of products with features that do not meet minimum thresholds set by the distributor, strategic decisions that impact our business, adverse rating agency actions or concerns about market-related risks. Alternatively, renegotiated terms may not be attractive or acceptable to distributors, or we may terminate one or more distribution agreements due to, for example, a loss of confidence in, or a change in control of, one of the third-party distributors. An interruption or reduction in certain key relationships could materially affect our ability to market our products and could materially and adversely affect our business, results of operations, financial condition and liquidity. Key distribution partners could merge, consolidate, change their business models in ways that affect how our products are sold, or terminate their distribution contracts with us, or new distribution channels could emerge and adversely impact the effectiveness of our distribution efforts. Also, if we are unsuccessful in attracting, retaining and training key distribution partners, or are unable to maintain our distribution relationships, our sales could decline, which could have a material adverse effect on our business, results of operations, financial condition and liquidity. In addition, substantially all of our distributors are permitted to sell our competitors' products. If our competitors offer products that are more attractive than ours or pay higher commission rates to the distribution partners than we do or for other reasons outside of our control, these distribution partners could concentrate their efforts in selling our competitors' products instead of ours. In addition, we can, in certain circumstances, be held responsible for the actions of our third-party distributors, including registered representatives, insurance agents and agencies, marketing organizations, and their respective employees, agents and representatives, in connection with the marketing and sale of our products by such parties, including the security of their operations and their handling of confidential information and personal data, in a manner that is deemed not compliant with applicable laws and regulations. This is particularly acute with respect to unaffiliated distributors where we may not be able to directly monitor or control the manner in which our products are sold through third-party firms despite our risk assessment, training and compliance programs. Further, misconduct by employees and agents in the sale of our products could also result in violations of laws by us or our subsidiaries, regulatory sanctions and serious reputational or financial harm to us. The precautions we take to prevent and detect the foregoing activities may not be effective. If our products are distributed in a manner alleged to be inappropriate, or third-party distributors experience a security or data breach due to deficient operational controls, we could suffer reputational and/or other financial harm to our business.