American Water (AWK) Risk Factors

Our internal controls, accounting policies and practices and internal information systems are designed to enable us to capture and process transactions and information in a timely and accurate manner in compliance with GAAP, taxation requirements, federal securities laws and regulations and other laws and regulations applicable to us. We have also implemented corporate governance, internal control and accounting policies and procedures in connection with the Sarbanes-Oxley Act of 2002 (the "Sarbanes-Oxley Act") and relevant SEC rules, as well as other applicable regulations. Management is also responsible for establishing and maintaining internal control over financial reporting and disclosure controls and procedures and is required to assess annually the effectiveness of these controls. While we believe these controls, policies, practices and systems are adequate to verify data integrity, unanticipated or unauthorized actions of employees or temporary lapses in internal controls due to shortfalls in oversight or resource constraints could lead to undetected errors that could result in the disallowance of cost recovery and non-compliant disclosure and reporting. The consequences of these events could have a negative impact on our results of operations, cash flows and financial condition. The inability of management to certify as to the effectiveness of these controls due to the identification of one or more material weaknesses in these controls could also harm our reputation, increase financing costs or adversely affect our ability to access the capital markets.

In June 2023, AWCC issued $1,035.0 million aggregate principal amount of its 3.625% Exchangeable Senior Notes due 2026 (the "Notes"). See Note 11-Long-Term Debt in the Notes to the Consolidated Financial Statements for a description of the Notes. In the event the conditional exchange feature of the Notes is triggered and one or more holders elect to exchange their Notes, AWCC would be required to settle any exchanged principal through the payment of cash, which could adversely affect our liquidity. In addition, in that case, even if holders do not elect to exchange their Notes, we would be required under applicable accounting rules to reclassify all or a portion of the outstanding principal of the Notes as a current rather than long-term liability, which would result in a material reduction of our net working capital. If AWCC elects to settle the portion, if any, of an exchange obligation in excess of the aggregate principal amount of the Notes being exchanged in shares of parent company common stock or a combination of cash and shares of such common stock, any sales in the public market of the common stock deliverable upon such exchange could adversely affect prevailing market prices of parent company common stock. In addition, the existence of the Notes may encourage short selling by market participants because the exchange of the Notes could be used to satisfy short positions, and any anticipated exchange of the Notes for shares of such common stock could depress the price of such common stock.

An important element of our growth strategy is the acquisition and optimization of water and wastewater systems to broaden our current, and move into new, service areas. We may not be able to acquire other systems or businesses if we cannot identify suitable acquisition opportunities or reach mutually agreeable terms with acquisition candidates, and whether or not any particular acquisition is successfully completed, these activities are expensive and time consuming and are subject to the availability of capital and personnel resources to complete such acquisitions. As consolidation activity increases in the water and wastewater industries and competition from other regulated utilities, governmental entities and other strategic and financial buyers continues to increase, the prices for suitable acquisition candidates may increase and our ability to expand through acquisitions may otherwise be limited. The negotiation and execution of potential acquisitions as well as the integration of acquired systems or businesses with our existing operations could require us to incur significant costs and cause diversion of our management's time and resources. Future acquisitions by us could result in, among other things: - unanticipated capital expenditures;- unanticipated acquisition-related expenses;- incurrence or assumption of debt, contingent liabilities and environmental liabilities and obligations, including liabilities that were unknown or undisclosed at the time of acquisition;- failure to recover acquisition adjustments or premiums due to unfavorable decisions by PUCs and other governmental authorities;- failure to maintain effective internal control over financial reporting;- recording goodwill and other intangible assets at values that ultimately may be subject to impairment charges;- fluctuations in quarterly and/or annual results;- failure to realize anticipated or perceived benefits and synergies, such as desired return on equity or profitability, cost savings and revenue enhancements; and - difficulties in integrating or assimilating acquired systems' operations, personnel, benefits, services and systems and water quality, cybersecurity and infrastructure protection measures. Some or all of these items could have a material adverse effect on our business. In addition, state laws on acquisition treatment or PUC interpretation thereof may affect our ability to recover costs associated with our investments in newly-acquired water and wastewater systems and any difficulties we encounter in the negotiation, execution or integration process could have a material adverse impact on our results of operations, reduce our net income and profitability or adversely affect our internal control over financial reporting.

The impact of any future revisions or changes in interpretations of existing regulations or the adoption of new laws and regulations applicable to our Regulated Businesses is uncertain. Changes in laws or regulations, the imposition of additional laws and regulations, changes in enforcement practices of regulators, government policies or court decisions can materially affect our operations, results of operations and cash flows. Certain of the individuals who serve as regulators are elected or political appointees. Therefore, elections which result in a change of political administration or new appointments may also result in changes of the individuals who serve as regulators and changes in the policies of the regulatory agencies that they serve. New laws or regulations, new interpretations of existing laws or regulations, changes in agency policy, including those made in response to shifts in public opinion, or conditions imposed during the regulatory hearing process could have the following consequences, among others: - making it more difficult for us to increase our rates and, as a consequence, to recover our costs or earn our expected rates of return;- changing the determination of the costs, or the amount of costs, that would be considered recoverable in rate cases and other regulatory proceedings;- restricting our ability to terminate our services to customers who owe us money for services previously provided or limiting our bill collection efforts;- requiring us to provide water or wastewater services at reduced rates to certain customers;- limiting or restricting our ability to acquire water or wastewater systems, purchase or dispose of assets, or issue long-term debt or equity, or making it less cost-effective for us to do so;- negatively impacting, among other things: (i) tax rates or positions or the deductibility of expenses under federal or state tax laws, (ii) the availability or amount of, or our ability to comply with the terms and conditions of, tax credits or tax abatement benefit, (iii) the amount of taxes owed or paid, including as a result of the Corporate Alternative Minimum Tax provisions, (iv) the timing of tax effects on rates or (v) the ability to utilize our net operating loss carryforwards;- increasing the associated costs of, and/or of difficulty complying with, environmental, health, safety, consumer privacy, water quality, and water quality accountability laws and regulations to which our operations are subject;- changing or placing additional limitations on change in control requirements relating to any concentration of ownership of our common stock;- making it easier for governmental entities to convert our assets to public ownership via condemnation, eminent domain or other similar process, or for governmental agencies or private plaintiffs to assess liability against us for damages under these or similar processes;- increasing the costs and/or difficulty of complying with proposed changes to federal contractor affirmative action audits;- placing limitations, prohibitions or other requirements with respect to the sharing of information and participation in transactions by or between a regulated subsidiary and us or our other affiliates, including Service Company and any of our other subsidiaries;- restricting or prohibiting our extraction of water from rivers, streams, reservoirs or aquifers; and - revoking or altering the terms of a CPCN issued to us by a state PUC or other governmental authority.

Laws and regulations are changing and increasing rapidly with respect to data and consumer privacy, security and protection. We are subject to an increasing number of complex and continually evolving data and consumer privacy, security and protection laws and regulations administered by various federal, state and local governments, including, for example, the California Privacy Rights Act, together with its amendments and implementing regulations, the Virginia Consumer Data Protection Act and the Cyber Incident Reporting for Critical Infrastructure Act of 2022. New laws and regulations may require us to disclose incidents to authorities, regulators and/or the public, when we otherwise may not have been required to disclose such incidents under previous laws and regulations, and such disclosures could negatively and materially impact our reputation, customers, employees, suppliers and other third parties. Federal and state governments have also adopted or are proposing other limitations on, or requirements regarding, the collection, distribution, use, security and storage of personally identifiable information. In addition, the Federal Trade Commission and state attorneys general are applying federal and state consumer protection laws to impose standards on the collection, use and dissemination of data. Moreover, we expect that current laws, regulations and industry standards concerning privacy, data protection and information security in the United States will continue to evolve and increase, and we cannot determine the impact that compliance with such future laws, regulations or standards will have on us or on our business. Any failure or perceived failure by us to comply with current or future federal, state, or local data or consumer privacy or security laws, regulations, policies, guidance, industry standards, or legal obligations, or any incident resulting in unauthorized access to, or the acquisition, release, or transfer of, personally identifiable information or other data relating to our customers, employees and others, may result in private or governmental enforcement actions, litigation or other claims against us, fines and penalties, or adverse perception or publicity about us and our businesses. These events could also require us to change our business practices, and the events or such changes may result in significant diversions of resources, distract management and divert the focus and attention of our security and technical personnel from other critical activities. Any of the foregoing consequences could have a material adverse effect on our business, reputation, financial condition, results of operations, cash flows and liquidity.

As owners and operators of critical infrastructure, we face a heightened risk of physical and cyber attacks from internal or external sources. Our water and wastewater systems may be vulnerable to disability or failures as a result of physical or cyber attacks, acts of war or terrorism, vandalism and other causes. Our operational and information technology systems are also vulnerable to unauthorized external or internal access, due to hacking, viruses, social engineering attacks, acts of violence, war or terrorism, and other causes. Unauthorized access to confidential information located or stored on these systems could negatively and materially impact our reputation, customers, employees, suppliers and other third parties. Such unauthorized access could be caused through, among other causes, failure to follow established policies and procedures on the part of our employees, agents, vendors, suppliers, contractors or other third parties. Further, third parties, including vendors, suppliers and contractors, who perform certain services for us or administer and maintain our networks and sensitive information, could also be targets of cyber attacks and unauthorized access to their operational or information technology systems, and any cyber incident affecting our third-party business partners could significantly disrupt our operations. By way of example, on October 7, 2024, we disclosed that, on October 3, 2024, we identified unauthorized activity within our information technology computer networks and systems, which we determined to be the result of a cybersecurity incident. See Part I, Item 2-Management's Discussion and Analysis of Financial Condition and Results of Operations-Other Matters-Cybersecurity Incident for more information regarding this incident. While we believe that we have appropriate security measures and safeguards to protect our operational and information technology systems, the recent cybersecurity incident that we experienced demonstrated that those protections alone may not prevent a cyber attack, and we cannot guarantee that such protections will be completely successful in preventing or mitigating a future cyber attack. Although the Company is unable to predict the full impact of this incident, the Company does not expect that the incident will have a material effect on the Company or its financial condition or results of operations. An understanding of the full scope, nature and impact of this incident remains subject to our ongoing investigation. The Company remains subject to various risks due to this incident, including those related to the adequacy of processes during the period of disruption, diversion of management's attention, and litigation and regulatory scrutiny, including from putative class action lawsuits that have been filed in connection with the recent incident. Cybersecurity events could cause our operations to be disrupted, property to be damaged, and customer and other confidential information to be lost or stolen; we could experience substantial loss of revenues, response costs and other financial loss; we would likely suffer a loss or redirection of management time, attention and resources from our regular business operations; we may be subject to increased regulatory requirements; we would likely experience litigation and other claims against us; and we may suffer damage to our reputation, any of which could have a negative impact on our business, financial condition, results of operations and cash flows. Applicable laws and regulations or contracts may require us to report cybersecurity events or breaches of securely maintained confidential data, which may cause us to incur costs related to legal claims or proceedings and regulatory fines or penalties. These types of events, and their resulting impacts, either to our facilities or assets, those of third parties, or the industry in general, may also cause us to incur additional security and insurance related costs. In addition, in the ordinary course of business, we collect and retain sensitive information, including personally identifiable information, about our customers and employees. In many cases, we outsource administration of certain functions to vendors that have been and will continue to be targets of cyber attacks. Any theft, loss or fraudulent use of customer, employee or proprietary data as a result of a cyber attack on us or a vendor, supplier, contractor or other third-party business partner could also subject us to significant litigation, liability and costs, as well as adversely impact our reputation with customers and regulators, among others. We have obtained insurance to provide coverage for a portion of the losses and damages that may result from a physical attack, cyber attack or a security breach, but such insurance is subject to a number of exclusions and may not cover the total loss or damage caused by an attack or a breach. We have incurred, and may continue to incur, certain expenses related to the cybersecurity incident, including expenses to respond to, remediate and investigate this matter. Although we maintain cybersecurity insurance, the full scope of the costs and related impacts of the recent cybersecurity incident remain subject to investigation, and thus we cannot be certain of the extent to which such coverage or third-party indemnification will cover such costs. In the future, adequate insurance may not be available at rates that we believe are reasonable, and the costs of responding to and recovering from a physical attack, cyber attack or security breach incident may not be covered by insurance or recoverable in rates.

Upgrades and improvements to computer systems and networks, or the implementation of new systems, may require substantial amounts of management's time and financial resources to complete, and may also result in system or network defects or operational errors due to multiple factors, including employees' ability to effectively use the new or upgraded system. We have implemented, and will continue to implement, technology to improve our business processes and customer interactions (including, without limitation, in connection with the installation or upgrade of our enterprise resource planning systems, and to support our cybersecurity program), and have installed new, and upgraded existing, technology systems. Any technical or other difficulties in upgrading and improving existing or implementing new technology systems may increase costs beyond those anticipated and have an adverse or disruptive effect on our operations and reporting processes, including our internal control over financial reporting. We may also experience difficulties integrating current systems with new or upgraded systems, which may impact our ability to serve our customers effectively or efficiently. Although we make efforts to minimize any adverse impact on our controls, business and operations, we cannot assure that all such impacts have been or will be mitigated, and any such impacts could harm our business (individually or collectively) and have a material adverse effect on our results of operations, financial condition and cash flows.

The volume of water we sell during the warmer months, typically in the summer, is generally greater than during other months, due primarily to increased water usage for irrigation systems, swimming pools, cooling systems and other applications. Throughout the year, and particularly during typically warmer months, the volume of water sold tends to vary with temperature, rainfall levels and rainfall frequency. In the event that temperatures during the typically warmer months are cooler than normal, or if there is more rainfall than normal, the amount of water we sell may decrease and adversely affect our revenues. Two of our jurisdictions, California and Illinois, currently have revenue stability mechanisms that permit us to recover the revenues authorized in a general rate case, regardless of sales volume. Revenue stability mechanisms are designed to recognize declining sales resulting from reduced consumption, while providing an incentive for customers to use water more efficiently. In those jurisdictions that have not adopted a revenue stability mechanism, our operating results could continue to be affected by seasonality.

The issue of climate variability is receiving increasing attention nationally and worldwide. There is consensus among climate scientists that there will be worsening of weather volatility in the future associated with climate variability. Many climate variability predictions present several potential challenges to water and wastewater utilities, including us, such as: - increased frequency and duration of droughts;- increased precipitation and flooding;- increased frequency and severity of storms and other weather events;- challenges associated with changes in temperature or increases in ocean levels;- potential degradation of water quality;- decreases in available water supply and changes in water usage patterns;- increases in the number, length and severity of disruptions in service;- increased costs to repair damaged facilities; or - increased costs to reduce risks associated with the increasing frequency and severity of natural events, including to improve the resiliency and reliability of our water and wastewater treatment and conveyance facilities and systems. Because of the uncertainty of weather volatility related to climate variability, we cannot predict its potential impact on our business, financial condition, results of operations, cash flows and liquidity. Furthermore, both Federal and state laws and regulations have been enacted or proposed that seek to reduce or limit greenhouse gas emissions and require or would require additional reporting, monitoring and disclosure, and these regulations may become more pervasive or stringent in light of changing governmental agendas and priorities, although the exact nature and timing of these changes is uncertain. Although some or all potential expenditures and costs associated with the impact of climate variability and related laws and regulations on our Regulated Businesses could be recovered through rates, infrastructure replacement surcharges or other regulatory mechanisms, there can be no assurance that state PUCs would authorize rate increases to enable us to recover such expenditures and costs, in whole or in part.