Arthur J Gallagher & Co (AJG) Risk Analysis

We operate in various jurisdictions and are subject to changes in applicable tax laws, treaties, or regulations in those jurisdictions. A material change in the tax laws, treaties, or regulations, or their interpretation, of any jurisdiction with which we do business, or in which we have significant operations, could adversely affect us. For example, in October 2021, the OECD announced that 136 countries and tax jurisdictions have agreed to implement a new Pillar 2 approach to international taxation. The first detailed draft rules under that approach were published in December 2021. The U.K. and the majority of the EU have adopted some aspects of these rules. Other countries in which we have significant operations, including Australia and Canada, have announced an intention to adopt it or started the process of doing so. The new approach came into effect in 2023 in certain jurisdictions, and different countries have implemented the necessary rules in different ways, through their individual agreement to tax treaty changes and through changes to their own domestic tax laws. Pillar 1 exempts regulated financial institutions and we believe we qualify for such exemption. Pillar 2 will establish a global minimum tax rate of 15%, such that multinational enterprises with an effective tax rate in a jurisdiction below this minimum rate will need to pay additional tax, which could be collected by the parent company's tax authorities if that parent country adopts Pillar 2 or by those in other countries, depending on whether and how each country implements the OECD's approach in its tax treaties and domestic tax legislation. Depending on how the jurisdictions in which we operate, and those in which we and our subsidiaries are based, choose to implement the OECD's approach in their tax treaties and domestic tax laws, particularly if the U.S. does not adopt Pillar 2, we could be adversely affected due to our income being taxed at higher effective rates, once these new rules come into force.

We are subject to a variety of continuously evolving and developing laws and regulations globally regarding privacy, data protection, and data security, including those related to the collection, storage, handling, use, disclosure, transfer, destruction, and security of personal data. These laws apply to transfers of personal information among our affiliates, as well as to transactions we enter into with third party vendors and clients. Significant uncertainty exists as privacy and data protection laws evolve and may be interpreted and applied differently from country to country and state to state, and may create inconsistent or conflicting requirements. Some of these laws provide rights to individuals to access, correct, and delete their personal information and to obtain copies at the expense of the business entities that process their data. Some of these laws carry heavy penalties for violations, e.g., fines of up to 4% of worldwide revenue under the U.K. Data Protection Act and the European Union General Data Protection Regulation (GDPR) and up to $7,500 per intentional violation under the California Consumer Privacy Act (CCPA). In the U.S., there is pending federal legislation and a number of states have proposed their own comprehensive data privacy bills similar to the GDPR and CCPA, with some of those laws already in effect, and others coming into effect between 2024 and 2026. India and other countries where we have operations outside the U.S. have proposed or have enacted sweeping data protection laws, and in some cases we are subject to sector and personal data localization laws that may require that data or personal data stay within their borders, such as India's IRDIA (Maintenance of Insurance Records) Regulation, 2015. In addition, in the U.S., legislators are continuing to enact comprehensive cybersecurity laws. For example, we are subject to the New York State Department of Financial Services Cybersecurity Regulation for Financial Services Companies, which were substantively amended in 2023. We also expect to be subject to a variety of laws and regulations governing AI, such as the proposed EU AI Act which is expected to be enacted in 2024. These laws and regulations are still evolving, and while we are assessing how regulators may apply existing consumer protection, data protection and other similar laws to AI, there is uncertainty regarding the scope of new laws and how existing laws will apply. Due to this uncertainty, we may face challenges complying with existing and new laws, and our policies and governance frameworks may not be successful in mitigating these risks. See also "We are subject to risks associated with AI." Adhering to the increased obligations imposed by various new and emerging laws causes us to incur substantial expenses in connection with developing, implementing, and securing our systems and effectively implementing data privacy governance policies for the lawful processing of personal data. Such increased obligations also result in the allocation of additional resources towards new privacy compliance processes and enhanced technologies, further contributing to our IT and compliance costs. In addition, enforcement actions and investigations by regulatory authorities related to data security incidents and privacy violations continue to increase. The enactment of more restrictive laws, rules, regulations, or future enforcement actions or investigations could impact us through increased costs or restrictions on our business, and noncompliance could result in regulatory penalties and significant legal liability.

We collect, use, store, transmit and otherwise process, confidential, personal and proprietary information relating to our company, acquisition targets, our employees and our clients. This information includes personally identifiable information, protected health information, financial information and intellectual property. We maintain policies, procedures and technical safeguards designed to protect the security and privacy of confidential, personal and proprietary information. Nonetheless, we cannot eliminate the risk of human error, malfeasance or highly sophisticated cyber-attacks, which are heightened as a result of the war in Ukraine and in the Middle East or other cybersecurity incidents. It is possible that our security controls, employee training and other aspects of our cybersecurity safeguards are not effective. See "The substantial increase in remote work among our employees subjects us to certain challenges and risks" above for a discussion of how remote work enhances these risks. We have and continue to invest in technology security initiatives, policies, resources and employee training. The cost and operational consequences of implementing, maintaining and enhancing appropriate technical measures is high. Given the continuously evolving cyber threat landscape, it will become increasingly difficult to detect, defend against and remediate cybersecurity incidents and data breaches. If we are unable to effectively maintain and enhance our system safeguards in line with evolving cyber threats, including in connection with the integration of acquisitions, we may incur unexpected costs, including litigation costs, regulatory enforcement action, loss of clients, reputational damage, and certain of our systems may become more vulnerable to unauthorized access. We rely on IT and third party vendors to support our business activities, including our secure processing of personal, confidential, sensitive, proprietary and other types of information. Despite ongoing efforts to improve our and our vendors' ability to protect and defend against cyber-attacks, we may not be able to protect all of our data. Cybersecurity incidents and data breaches of certain systems on which we rely have occurred, such as the ransomware incident that occurred in 2020 (as disclosed in previous filings), and we also have from time to time experienced other cybersecurity incidents such as computer viruses, unauthorized parties gaining access to our information technology systems, and privacy incidents, such as loss or inadvertent transmission of data, although to date we have not been materially impacted by such events. In the future, breaches of any third-party or internal systems may result from circumvention of security systems, denial-of-service, hacking, "phishing",computer viruses, ransomware, malware, or other cyber-attacks, employee or insider error, malfeasance, social engineering, physical breaches or other actions. Furthermore, the risk from threat actors has increased due to the rapid development of AI capabilities. We are an acquisitive organization. The process of integrating information systems of businesses we acquire is complex and exposes us to additional risk as we might not adequately identify weaknesses in the targets' information systems or information handling, privacy and security policies and protocols, which could expose us to unexpected liabilities or make our own systems and data more vulnerable to cybersecurity incidents. Any future, material cybersecurity or data incident, may cause us to experience unauthorized access, exfiltration, manipulation, corruption, loss or disclosure of our proprietary, client, employee, or other data, reputational harm, the inability to render services due to system outages or other business disruptions, loss of clients and revenue, regulatory action and scrutiny, sanctions or other statutory penalties, litigation, liability for failure to safeguard clients' information, increases in cybersecurity costs or financial losses. Any of the foregoing may be exacerbated by a delay or failure to detect a cybersecurity incident or the full extent of such incident. In addition, disclosure or media reports of actual or perceived security vulnerabilities to our systems or those of our third-party service providers, even if no breach has been attempted or occurred, could lead to reputational harm, loss of customers and revenue, or increased regulatory actions oversight and scrutiny. Such incidents could result in confidential, personal or proprietary information being lost or stolen, used to perpetuate fraud, maliciously made public, surreptitiously modified, or rendered inaccessible for a period of time. We cannot ensure that any limitations of liability provisions in our agreements with clients, vendors and other third parties with which we do business would be enforceable or adequate or would otherwise protect us from any liability with respect to claims arising from a cybersecurity, data or similar incident. As we experienced in connection with the 2020 ransomware incident referred to above, during a cybersecurity incident, we might have to take our systems offline, which could interfere with services to our clients or damage our reputation. While we endeavor to design and implement technologies, policies and procedures to identify such incidents as quickly as possible, any response would take substantial time, and there may be extensive delays before we obtain full and reliable information. During such time we would not necessarily know the extent of the harm or how best to remediate it, and certain errors or actions could be repeated or compounded before they are discovered and remediated, all of which may further increase the costs and consequences of such incident. Any of these losses may not be insured against or be fully covered by insurance we maintain. In addition, the competition for talent is high in the cybersecurity and privacy space, and we may not be able to hire, develop or retain suitable talent that we need to be capable of minimizing, identifying, mitigating or remediating these risks. With respect to our commercial arrangements with third party vendors, we have processes designed to require third party IT outsourcing, offsite storage and other vendors to agree to maintain certain standards with respect to their storage, protection and transfer of confidential, personal and proprietary information. However, we remain at risk of a cyber or data incident due to the intentional or unintentional non-compliance by a vendor's employee or agent, the breakdown of a vendor's processes, or a cybersecurity incident involving vendor's information systems. We cannot ensure that any provisions in our agreements with these vendors would be enforceable or adequate or would otherwise protect us from any liability in connection with these incidents. Any of the foregoing may have a material adverse effect on our business, financial condition and reputation.

In 2023, we generated approximately 36% of our combined brokerage and risk management revenues outside the U.S. Our business outside the U.S. presents operational, economic and other risks that are different from, or greater than, the risks we face doing comparable business in the U.S. These include, among others, risks relating to: - Maintaining awareness of and complying with a wide variety of labor practices and foreign laws, including those relating to labor and employment, data privacy requirements, AI prohibitions on corrupt payments to government officials, export and import duties, environmental policies, sustainability disclosures, as well as laws and regulations applicable to U.S. business operations abroad. We are subject to the risk that we, our employees, our agents, or our affiliated entities, or their respective officers, directors, employees and agents, take actions determined to be in violation of any of these laws, regulations or policies, for which we might be held responsible. Actual or alleged violations could result in substantial fines, sanctions, civil or criminal penalties, debarment from government contracts, curtailment of operations in certain jurisdictions, competitive or reputational harm, litigation or regulatory action and other consequences that might adversely affect our results of operations, financial condition or strategic objectives. While we believe that relations with work councils and trade unions in these countries are and will continue to be satisfactory, work stoppages could occur and we may not be successful in negotiating new collective bargaining agreements. In addition, collective bargaining negotiations may (1) result in significant increases in the cost of labor, (2) divert management's attention away from operating the business or (3) break down and result in the disruption of operations. The occurrence of any of the preceding conditions could result in increased costs and impair our ability to operate our business. These and other international regulatory risks and labor related risks are described below under "Regulatory, Legal and Accounting Risks";- We own interests in firms where we do not exercise management control (such as Casanueva Perez S.A.P.I. de C.V. in Mexico and Renomia, A.S. in the Czech Republic) and are therefore unable to direct or manage the business to realize the anticipated benefits, including mitigation of risks, that could be achieved through full ownership;- The potential costs, difficulties and risks associated with local regulations across the globe, including the risk of personal liability for directors and officers (for example, in the U.K.) and "piercing the corporate veil" risks under the corporate law regimes of certain countries;- Difficulties in staffing and managing foreign operations. For example, we are growing our Latin American operations through acquisitions of local family-owned insurance brokerage firms. If we lose a local key employee, hiring and retaining talent locally or finding an internal candidate qualified to transfer to such location could be difficult;- Less flexible employee relationships, which in certain circumstances has limited our ability to prohibit employees from competing with us after they are no longer employed with us or recover damages, and made it more difficult and expensive to terminate their employment;- Some of our foreign subsidiaries receive revenues or incur obligations in currencies that differ from their functional currencies. We must also translate the financial results of our foreign subsidiaries into U.S. dollars. Although we have used foreign currency hedging strategies in the past and currently have some in place, such risks cannot be eliminated entirely, and significant changes in exchange rates may adversely affect our results of operations;- Conflicting regulations in the countries in which we do business;- Political and economic instability (including risks relating to undeveloped or evolving legal systems, unstable governments, acts of terrorism and outbreaks of war, including between Russia and Ukraine, and in the Middle East);- Coordinating our communications, policies and logistics across geographic distances, multiple time zones and in different languages, including during times of crisis management;- Risks relating to our post-Brexit plan to address the loss of passporting rights between the U.K. and EU with respect to insurance brokerage services. Our plan (implemented in September 2020) involved transferring the European Economic Area (EEA) clients of our U.K.-based regulated entities to a Swedish subsidiary authorized in the EEA, and providing some services through a U.K. branch of such subsidiary. Although this "reverse branch" model is typical of other brokers of a similar size, EU regulators continue to assess their approach to this model, including as a result of, among other developments, the supervisory statement issued by the European Insurance and Occupational Pensions Authority (EIOPA) in February 2023. While we are continuously assessing the impact of these developments, it is difficult to predict such impact on our current plan;- Unfavorable audits and exposure to additional liabilities relating to various non-income taxes (such as payroll, sales, use, value-added, net worth, property and goods and services taxes) in foreign jurisdictions. In addition, our future effective tax rates could be unfavorably affected by changes in tax rates, discriminatory or confiscatory taxation, changes in the valuation of our deferred tax assets or liabilities, changes in tax laws or their interpretation and the financial results of our international subsidiaries. The Organization for Economic Cooperation and Development (which we refer to as the OECD) continues to issue reports and recommendations as part of its Base Erosion and Profit Shifting project (which we refer to as BEPS), and in response many countries in which we do business have adopted, or are expected to adopt, rules which will change various aspects of the existing framework under which our tax obligations are determined. For example, the majority of EU countries and the U.K. have incorporated some elements of BEPS Pillar 2 into their national laws. Other countries in which we have significant operations, such as Australia and Canada, have either announced an intention to adopt it or started the process of doing so. Additionally, other jurisdictions in which we do business are also reacting to these efforts; for example, Bermuda enacted a corporate tax regime for the first time in 2023. We anticipate further significant developments across several jurisdictions in which we operate in 2024 and 2025;- Legal or political constraints on our ability to maintain or increase prices;- Cash balances held in foreign banks and institutions where governments have not specifically enacted formal guarantee programs;- Epidemics or pandemics at a regional or global level;- Lost business or other financial harm due to protectionism in the U.S. and in countries around the world, including adverse trade policies, governmental actions affecting the flow of goods, services and currency, and governmental restrictions on the transfer of funds to us from our operations outside the U.S.; and - The trade and military policies of the U.S. government could further develop in ways that exacerbate the risks described above, or introduce new risks for our international operations. If any of these risks materialize, our results of operations and financial condition could be adversely affected.

Our ability to conduct business may be adversely affected by a disruption in the infrastructure that supports our business. This includes infrastructure controlled by third-party vendors and suppliers. Such disruptions could be caused by various factors, such as cybersecurity incidents (for example, as disclosed in previous filings, we experienced a ransomware attack in 2020), security breaches, human error, capacity constraints, hardware failures or defects, natural disasters, climate and weather events, pandemics, fires, power outages, telecommunication failures, break-ins, sabotage, intentional acts of vandalism, acts of terrorism, civil disruption, political violence and unrest, or war. While we have disaster recovery procedures in place, they may not be effective. Additionally, insurance may not continue to be available at reasonable prices and may not address all potential losses or compensate us for the possible loss of clients or increase in claims and lawsuits directed against us. Further, because we do not control infrastructure owned by third parties, we cannot guarantee that such parties have effective recovery procedures, or sufficient funds or insurance to recover any damages, losses or other liabilities that we may incur due to business interruptions caused by disruptions to their infrastructure. The risk of business disruption is more pronounced in certain geographic areas where a significant portion of our business is concentrated. For example, we have substantial operations in India that provide important client support and other back-office services for our global organization. To date, the dispute between India and Pakistan involving the Kashmir region, rising tensions between India and China, incidents of terrorism in India, the potential for civil unrest and general geopolitical uncertainties have not adversely affected our operations in India. However, such factors could potentially affect our operations there in the future. If our access to these services is disrupted, our client relationships could be harmed, our liability for E&O could increase, and our reputation could be damaged, causing our business, operating results and financial condition to be adversely affected.

We derive much of our revenue from commissions and fees for our brokerage services. We do not determine the premiums on which our commissions are generally based. Moreover, premiums are cyclical in nature and may vary widely based on market conditions. Because of market cycles for insurance and reinsurance product pricing, which we cannot predict or control, our brokerage revenues and profitability can be volatile or remain depressed for significant periods of time. As underwriting enterprises continue to outsource the production of premium revenue to non-affiliated brokers or agents such as us, those companies may seek to further minimize their expenses by reducing the commission rates payable to agents or brokers. The reduction of these commission rates, along with general volatility and/or declines in premiums, may significantly affect our profitability. Because we do not determine the timing or extent of premium pricing changes, it is difficult to forecast our commission revenues precisely, including whether they will significantly decline. As a result, we may have to adjust our budgets for future acquisitions, capital expenditures, dividend payments, debt repayments and other expenditures to account for unexpected changes in revenues, and any decreases in premium rates may adversely affect the results of our operations. In addition, there have been and may continue to be various trends in the insurance and reinsurance markets toward alternative insurance markets including, among other things, greater levels of self-insurance, captives, rent-a-captives, risk retention groups and non-insurance capital markets-based solutions to traditional insurance. While historically we have been able to participate in certain of these activities on behalf of our clients and obtain fee revenue for such services, there can be no assurance that we will realize revenues and profitability as favorable as those realized from our traditional brokerage activities. Our ability to generate premium based commission revenue may also be challenged by the growing desire of some clients to compensate brokers based upon flat fees rather than a percentage of premium. This could negatively impact us because fees are generally not indexed for inflation and might not increase with premiums as commissions do or with the level of service provided.

The insurance brokerage, reinsurance brokerage and employee benefit consulting businesses are highly competitive and many insurance brokerage, reinsurance brokerage and employee benefit consulting organizations actively compete with us in one or more areas of our business around the world. Two of the firms we compete with in the global brokerage and risk management markets have larger revenues than ours. In addition, many other smaller firms that operate nationally or that are strong in a particular country, region or locality may have, in that country, region or locality, an office with revenues as large as or larger than those of our corresponding local office. Our third party claims administration operation also faces significant competition from stand-alone firms as well as divisions of larger firms. Over the past decade or more, private equity sponsors have invested heavily in the insurance brokerage and third party claims administration industries, creating new competitors and strengthening existing ones. Across all of our operations, Insurtech and technology-based start-ups are entering the business. In most cases, these businesses complement or enhance our offerings, but in some cases, they compete with us. We believe that the primary factors determining our competitive position with other organizations in our industry are the quality of the services we render, the personalized attention we provide, the individual and corporate expertise of the brokers and consultants providing the actual service to the client, our data and analytics capabilities, and our ability to help our clients manage their overall risk exposure and insurance or reinsurance costs. Losing business to competitors offering similar services or products at a lower cost or having other competitive advantages would adversely affect our business. Consolidation among our existing competitors could create additional competitive pressure on us as such firms grow their market share, take advantage of strategic and operational synergies and develop lower cost structures. In addition, any increase in competition due to new legislative or industry developments could adversely affect us. These developments include: - Increased capital-raising by underwriting enterprises, which could result in new risk-taking capital in the industry, which in turn may lead to lower insurance premiums and commissions;- Underwriting enterprises selling insurance directly to insureds without the involvement of a broker or other intermediary;- Changes in our business compensation model as a result of regulatory developments;- Federal and state governments establishing programs to provide health insurance (such as a single-payer system) or, in certain cases, property insurance in catastrophe-prone areas or other alternative market types of coverage, that compete with, or completely replace, insurance products currently offered by underwriting enterprises;- Climate-change regulation in the U.S. and around the world moving us toward a low-carbon economy, which could create new competitive pressures around climate resilience consulting services and innovative insurance solutions;- Continued consolidation in the financial services industry, leading to larger financial services institutions offering a wider variety of services including insurance brokerage and risk management services;- Increased competition from new market participants such as banks, accounting firms, consulting firms and Internet or other technology firms offering risk management or insurance brokerage services, or new distribution channels for insurance such as payroll firms and professional employer organizations; and - Third party capital providers have entered the insurance and reinsurance risk transfer market offering products and capital directly to our clients. Their presence in the market increases the competitive pressures that we face. New competition as a result of these or other legislative or industry developments could cause the demand for our products and services to decrease, which could in turn adversely affect our results of operations and financial condition.

Our third party claims administration operations face a variety of risks distinct from those faced by the rest of our business, including the risks that: - Epidemics and pandemics that reduce in-person business activity have a greater negative impact because they result in a reduction in the number of claims processed, as experienced during the years 2020, 2021, and the beginning of 2022. If a new epidemic or pandemic were to emerge, these operations could face similar negative impacts in the future;- RISX-FACS, our proprietary risk management information system, on which our ability to provide clients with insurance claim settlement and administration services is highly dependent, becomes inoperable for some reason. In addition, we are increasing our use of cloud storage and cloud computing application services supported, upgraded and maintained by third-party vendors. A disruption affecting RISX-FACS, third-party cloud services or any other infrastructure supporting our business, including key client relationship management software, could have a material adverse effect on our operations, cause reputational harm and damage our employee and client relationships;- The favorable trend among both underwriting enterprises and self-insured entities toward outsourcing various types of claims administration and risk management services will reverse or slow, causing our revenues or revenue growth to decline;- Concentration of large amounts of revenue with certain clients results in greater exposure to the potential negative effects of lost business due to changes in management at such clients or changes in state government policies, in the case of our government-entity clients, or for other reasons;- Contracting terms will become less favorable or the margins on our services will decrease due to increased competition, regulatory constraints or other developments;- We do not satisfy regulatory requirements related to third party administrators or regulatory developments, including those relating to security, cybersecurity and data privacy as we manage a large amount of highly sensitive and confidential information including personally identifiable information, protected health information and financial information, will impose additional burdens, costs or business restrictions that make our business less profitable;- Volatility in our case volumes, which are dependent upon a number of factors and difficult to forecast accurately, could impact our revenues;- Wage inflation, difficulty attracting and retaining talent, and rising technology costs, all of which have been challenging to control since 2020, may impact our ability to remain competitive in the marketplace and profitably fulfill our existing contracts (other than those that provide cost-plus or other margin protection);- We may be unable to develop further efficiencies in our claims-handling business and may be unable to obtain or retain certain clients if we fail to make adequate improvements in technology or operations; and - Underwriting enterprises or certain large self-insured entities may create in-house servicing capabilities that compete with our third party administration and other administration, servicing and risk management products, and we could face additional competition from potential new entrants into the global claims management services market. If any of these risks materialize, our results of operations and financial condition could be adversely affected.

Our reputation is one of our key assets. We advise our clients on and provide services related to a wide range of subjects and our ability to attract and retain clients is highly dependent upon the external perceptions of our expertise, level of service, ability to protect client information, trustworthiness, business practices, financial condition and other subjective qualities such as ethics, culture and values. Our success is also dependent on maintaining a good reputation with existing and potential employees, investors, regulators and the communities in which we operate. Negative perceptions or publicity regarding these matters, including our association with clients or business partners with damaged reputations, or from actual or alleged conduct by us or our employees, including corruption or bribery allegations (for example, those in connection with the previously-disclosed investigation of our business in Ecuador) or cybersecurity incidents (for example, as disclosed in previous filings, we experienced a ransomware attack in 2020) could damage our reputation. Negative publicity resulting from one of our marketing partnerships (for example, with a sports team or league) could damage our brand and/or our reputation. Our reputation could also be harmed by negative perceptions or publicity regarding sustainability or ESG matters, including concerns with environmental, climate change, workforce diversity, political spending, pay equity, harassment, racial justice, cybersecurity and data privacy matters, as well as backlash against sustainability or ESG initiatives generally. Negative publicity may be posted on social media or other Internet forums, whether or not true, and the speed and pervasiveness with which information can be disseminated through these channels, in particular social media, may magnify the risks noted above. Any resulting erosion of trust and confidence could make it difficult for us to attract and retain clients, employees or investors; result in lower ESG ratings, exclusion of our stock from ESG-oriented indices, and reduced demand for our stock from ESG-focused investment funds; increase our cost of borrowing; or harm our relationships with regulators and the communities in which we operate. Any of these matters could have a material adverse effect on our business, financial condition and results of operations. As we venture into new jurisdictions and markets globally, negative reputational events (whether arising from regulatory matters or otherwise) may have a disproportionate impact in locations or markets where our employee and client presence is limited. Any negative publicity could potentially hinder our growth prospects in such locations or markets. See below for additional risk factors regarding climate change and ESG initiatives and disclosures.