Baldwin Insurance Group (BWIN) Risk Factors

Our commission income (including profit-sharing contingent commissions and override commissions) can vary quarterly or annually due to the timing of policy renewals and the net effect of new and lost business production. We do not control the factors that cause these variations. Specifically, Clients' demand for insurance products can influence the timing of renewals, new business and lost business (which includes policies that are not renewed and cancellations). In addition, we rely on our Insurance Company Partners for the payment of certain commissions. Quarterly and annual fluctuations in commissions and fees based on increases and decreases associated with the timing of new business, policy renewals and payments from our Insurance Company Partners may adversely affect our financial condition, results of operations and cash flows. Profit-sharing contingent commissions are special revenue-sharing override commissions paid by our Insurance Company Partners based on the attainment of certain metrics such as the profitability, volume or growth of the business placed with such companies generally during the prior year. These are not guaranteed payments and our Insurance Company Partners may change the calculations or potentially elect to stop paying them at all on an annual basis. Over the last two years contingent commissions generally have been in the range of 7.0% to 9.0% of the year's total core commissions and fees. Increases in loss ratios experienced by our Insurance Company Partners will result in a decreased profit to them and may result in decreases in payments of contingent or profit-sharing commissions to us. Due to, among other things, potentially poor macroeconomic conditions, the inherent uncertainty of loss in our Clients' industries and changes in underwriting criteria (including profitability, volume or growth thresholds), due in part to the high loss ratios experienced by our Insurance Company Partners, we cannot predict the payment of these profit-sharing contingent commissions. Further, we have no control over the ability of our Insurance Company Partners to estimate loss reserves, which affects our ability to make profit-sharing calculations. Override commissions are paid by our Insurance Company Partners based on the attainment of certain metrics such as the profitability, volume or growth of the business that we place with them and are generally paid over the course of the year or in the beginning of the following year. Because profit-sharing contingent commissions and override commissions materially affect our commissions and fees, any decrease in their payment to us could adversely affect our results of operations, profitability and our financial condition. See "-Our business had historically been highly concentrated in the Southeastern United States. While we still maintain a concentration in the Southeastern United States, our rapid growth has resulted in our having several regional concentrations of our business, such that adverse economic conditions, natural disasters, loss trends or regulatory changes in one of these regions could adversely affect our financial condition."

We have significant insurance agency and brokerage operations, and are subject to claims and litigation in the ordinary course of business resulting from alleged and actual E&O in placing insurance and rendering coverage advice. In addition, many of our Colleagues regularly interact with Clients and prospective Clients in the field, which increases the risks of property and casualty claims arising from such interactions. Further, many of our office locations are in jurisdictions (such as California, Texas and Florida) that see higher incidents of climate events (such as hurricanes, other aggressive weather patterns and earthquakes). Dealing with any of these activities can involve the expenditure of substantial amounts of money. Since E&O claims against us may allege our liability for all or part of the amounts in question, claimants may seek large damage awards. These claims can involve significant defense costs. E&O could include failure to, whether negligently or intentionally, place coverage on behalf of Clients, provide our Insurance Company Partners with complete and accurate information relating to the risks being insured or appropriately apply funds that we hold on a fiduciary basis. It is not always possible to prevent or detect E&O and other types of claims, and the precautions we take may not be effective in all cases. We have E&O insurance coverage to protect against the risk of liability resulting from our alleged and actual E&O. We also maintain a variety of other property and casualty policies of insurance providing varying degrees of protection against loss and damage to our property and liability for certain conduct of our Colleagues. Prices for these policies of insurance and the scope and limits of the coverage terms available depend on our claims history as well as market conditions that are outside of our control. While we endeavor to purchase coverage that is appropriate to our assessment of our risk, we are unable to predict with certainty the frequency, nature or magnitude of claims for direct or consequential damages or whether our policies of insurance will cover such claims. In establishing liabilities for claims, we utilize case level reviews by outside counsel and an internal analysis to estimate potential losses. The liability is reviewed annually and adjusted as developments warrant. Given the unpredictability of E&O and other claims and of litigation that could flow from them, it is possible that an adverse outcome in a particular matter could have a material adverse effect on our results of operations, financial condition or cash flow in a given quarterly or annual period.

We maintain confidential, personal and proprietary information relating to our Company, our Colleagues, our Insurance Company Partners, our vendors and our actual and prospective Clients. This information could include personally identifiable information, protected health information, such as information regarding the medical history of Clients, financial information, and other categories of sensitive or protected information. We are subject to laws, rules, regulations, orders, industry standards, contractual obligations and other legal obligations relating to the collection, use, retention, security, transfer, storage, disposition and other processing of this information. These requirements may also apply to transfers of information among our affiliates, as well as to transactions we enter into with unaffiliated third-parties. Cybersecurity risks have significantly increased in recent years, in part, because of the proliferation of new technologies, the use of the internet and telecommunications technologies to exchange information and conduct transactions, and the increased sophistication and activities of computer hackers, organized crime, terrorists, and other external parties, including foreign state actors. We have in the past and may in the future be subject to cyberattacks. These cyberattacks could include computer viruses, malicious or destructive code, phishing attacks, social engineering attacks, denial of service or information, improper access by employees or third-party partners or other security breaches that have or could in the future result in the unauthorized release, gathering, monitoring, misuse, loss or destruction of our confidential, proprietary, personal, and other information concerning Colleagues, Clients, Insurance Company Partners, vendors or consumers, or otherwise materially disrupt our network access or business operations. Cybersecurity breaches, cyberattacks and other similar incidents, including, among other things, computer viruses, denial of service or information attacks, ransomware attacks, credential stuffing, social engineering, human error, fraud, unauthorized parties gaining access to our information technology systems, malware infections, phishing campaigns and vulnerability exploit attempts could disrupt the security of our internal systems and business applications or those of our vendors and impair our ability to provide services to our Clients and protect the privacy of their data. Any such incidents may also compromise confidential business information, result in intellectual property or other confidential or proprietary information being lost or stolen, including Client, Colleague or Company data, which could harm our reputation, competitive position or otherwise adversely affect our business. Cyber threats are constantly evolving, which makes it more difficult to detect cybersecurity incidents, assess their severity or impact in a timely manner, and successfully defend against them. The hybrid and remote work environment is increasing the attack surface available to criminals, as more companies and individuals work remotely and otherwise work online. Consequently, the risk of a cybersecurity incident has increased, and as cybersecurity threats evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate or remediate any information security vulnerabilities, security breaches, cyberattacks or other similar incidents. We cannot provide assurances that our preventative efforts, or those of our vendors or service providers, will be successful, and we may not be able to anticipate all security breaches, cyberattacks or other similar incidents, detect or react to such incidents in a timely manner, implement guaranteed preventive measures against such incidents, or adequately remediate any such incident. Although we maintain policies, procedures and technical safeguards designed to protect the security and privacy of confidential, personal and proprietary information, we cannot eliminate the risk of, and have in the past experienced, improper access to or disclosure of personally identifiable information and related costs to mitigate the consequences from such events. It is possible that the measures we implement, including our security controls over personal data and training of Colleagues on data security, may not prevent improper access to, disclosure of or misuse of confidential, personal or proprietary information. This could cause harm to our reputation, create legal exposure or subject us to liability under laws that protect personal data, resulting in increased costs or loss of commissions and fees. In addition, improper access to or disclosure of personal and proprietary information could occur in a target we acquire prior to the acquisition or as a result of actions taken prior to the acquisition or during the integration period. Even if we receive indemnification for such events (which may not be the cure), such events could cause harm to our reputation, create legal exposure or subject us to liability under laws that protect personal data. The occurrence of any security breach, cyberattack or other similar incident with respect to our or our vendors' systems, or our failure to make adequate or timely disclosures to the public, regulators, law enforcement agencies or affected individuals, as applicable, following any such event, could cause harm to our reputation, subject us to additional regulatory scrutiny, expose us to civil litigation, fines, damages or injunctions or subject us to liability under applicable data privacy, cybersecurity and other laws, rules and regulations, resulting in increased costs or loss of commissions and fees, any of which could have a material adverse effect on our business, financial condition and results of operations. Additionally, we cannot be certain that our insurance coverage will be adequate for cybersecurity liabilities actually incurred, that insurance will continue to be available to us on economically reasonable terms, or at all, or that our insurer will not deny coverage as to any future claim. We are subject to complex and frequently changing laws, rules and regulations in the various jurisdictions in which we operate relating to the collection, use, retention, security, transfer, storage, disposition and other processing of personal information. For example, legislators in the United States have passed new and more robust cybersecurity legislation in light of the recent broad-based cyberattacks at a number of companies. These and similar initiatives around the country could increase the cost of developing, implementing or securing our networks, tools, systems and other information technology assets and require us to allocate more resources to improved technologies, adding to our information technology and compliance costs. Ensuring that our collection, use, retention, security, transfer, storage, disposition and other processing of personal information complies with applicable laws, regulations, rules and standards regarding data privacy and cybersecurity in relevant jurisdictions can increase operating costs, impact the development of new products or services, and reduce operational efficiency. At the federal level, we are subject to, among other laws, rules and regulations, the GLBA, which requires financial institutions to, among other things, periodically disclose their privacy policies and practices relating to sharing personal information and, in some cases, enables retail customers to opt out of the sharing of certain personal information with unaffiliated third parties. The GLBA also requires financial institutions to implement an information security program that includes administrative, technical and physical safeguards to ensure the security and confidentiality of consumer records and information. We are also subject to the rules and regulations promulgated under the authority of the Federal Trade Commission, which regulates unfair or deceptive acts or practices, including with respect to data privacy and cybersecurity. Moreover, the United States Congress has recently considered, and is currently considering, various proposals for more comprehensive data privacy and cybersecurity legislation, to which we may be subject if passed. Data privacy and cybersecurity are also areas of increasing state legislative focus and we are, or may in the future become, subject to various state laws and regulations regarding data privacy and cybersecurity. For example, the California Consumer Protection Act of 2018 (the "CCPA"), which became effective on January 1, 2020, applies to for-profit businesses that conduct business in California and meet certain revenue or data collection thresholds. The CCPA gives California residents the right to, among other things, request disclosure of information collected about them and whether that information has been sold to others, request deletion of personal information (subject to certain exceptions), opt out of the sale of their personal information, and not be discriminated against for exercising these rights. The CCPA contains several exemptions, including an exemption applicable to personal information that is collected, processed, sold or disclosed pursuant to the GLBA. Further, effective in most material respects starting on January 1, 2023, the California Privacy Rights Act ("CPRA") (which was passed via a ballot initiative as part of the November 2020 election) has significantly modified the CCPA, including by expanding California residents' rights with respect to certain sensitive personal information. The CPRA also creates a new state agency which will be vested with authority to implement and enforce the CCPA and the CPRA. Other states where we do business, or may in the future do business, or from which we otherwise collect, or may in the future otherwise collect, personal information of residents have adopted or are considering adopting similar laws. For example, Virginia and Colorado have recently adopted comprehensive data privacy laws similar to the CCPA, which went into effect in January and July of 2023, respectively. In addition, laws in all 50 U.S. states generally require businesses to provide notice under certain circumstances to consumers whose personal information has been improperly accessed, disclosed or otherwise compromised as a result of a data breach. Certain state laws and regulations may be more stringent, broader in scope, or offer greater individual rights, with respect to personal information than federal or other state laws and regulations, and such laws and regulations may differ from each other, which may complicate compliance efforts and increase compliance costs. Aspects of the CCPA, the CPRA, and other federal and state laws and regulations relating to data privacy and cybersecurity, as well as their enforcement, remain unclear, and we may be required to modify our practices in an effort to comply with them. Further, while we strive to publish and prominently display privacy policies that are accurate, comprehensive, and compliant with applicable laws, regulations, rules and industry standards, we cannot ensure that our privacy policies and other statements regarding our practices will be sufficient to protect us from claims, proceedings, liability or adverse publicity relating to data privacy or cybersecurity. Although we endeavor to comply with our privacy policies, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policies and other documentation that provide promises and assurances about privacy, data protection and cybersecurity can subject us to potential federal or state action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. Any actual or perceived failure to adhere to, or successfully implement processes in response to, changing legal or regulatory requirements in this area or to comply with our privacy policies could result in legal liability, including litigation (including class actions), claims, proceedings, regulatory fines, penalties or other sanctions, governmental investigations, enforcement actions, the expenditure of substantial costs, time and other resources, damage to our reputation in the marketplace and other adverse impacts, any of which could have a material adverse effect on our business, financial condition and results of operations.

We have a significant amount of accounts receivable from our Insurance Company Partners with whom we place insurance. If those Insurance Company Partners were to experience liquidity problems or other financial difficulties, we could encounter delays or defaults in payments owed to us, which could have a significant adverse impact on our financial condition and results of operations. The potential for one of our Insurance Company Partners to cease writing insurance we offer our Clients could negatively impact overall capacity in the industry, which in turn could have the effect of reduced placement of certain lines and types of insurance and reduced commissions and fees and profitability for us. Questions about one of our Insurance Company Partners' perceived stability or financial strength may contribute to such Insurance Company Partners' strategic decisions to focus on certain lines of insurance to the detriment of others. The failure of an Insurance Company Partner with whom we place insurance could result in E&O claims against us by our Clients, and the failure of our Insurance Company Partners could make the E&O insurance we rely upon cost prohibitive or unavailable, which could have a significant adverse impact on our financial condition and results of operations. In addition, if any of our Insurance Company Partners merge or if one of our large Insurance Company Partners fails or withdraws from certain geographic areas or from offering certain lines of insurance, overall risk-taking capital capacity could be negatively affected, which could reduce our ability to place certain lines of insurance and, as a result, reduce our commissions and fees and profitability. Such failures or insurance withdrawals on the part of our Insurance Company Partners could occur for any number of reasons, including large unexpected payouts related to climate events or other emerging risk areas.

In the past, state regulators have scrutinized the manner in which insurance brokers are compensated. For example, the Attorney General of the State of New York brought charges against members of the insurance brokerage community. These actions have created uncertainty concerning longstanding methods of compensating insurance brokers. Given that the insurance brokerage industry has faced scrutiny from regulators in the past over its compensation practices, and the transparency and discourse to Clients regarding brokers' compensation, it is possible that regulators may choose to revisit the same or other practices in the future. If they do so, compliance with new regulations along with any sanctions that might be imposed for past practices deemed improper could have an adverse impact on our future results of operations and inflict significant reputational harm on our business.

While we maintain some of our critical information technology systems, we also depend on third-party service providers to provide important information technology services relating to, among other things, agency management services, sales and service support, network, device and event monitoring, cybersecurity, electronic communications and certain finance functions. If the service providers to which we outsource these functions do not perform effectively, we may not be able to achieve the expected cost savings and may have to incur additional costs to correct errors made by such service providers. Depending on the function involved, such errors may also lead to business disruption, processing inefficiencies, the loss of or damage to intellectual property through a security breach, the loss of sensitive, personal or confidential data through a security breach, or otherwise. While we and our third-party service providers have not experienced any significant disruption, failure or breach impacting our or their information technology systems, any such disruption, failure or breach could adversely affect our business, financial condition and results of operations.

Our reputation is one of our key assets. We advise our Clients on and provide services related to a wide range of subjects and our ability to attract and retain Clients depends greatly on the external perceptions of our level of service, trustworthiness, business practices, financial condition and other subjective qualities. If a Client is not satisfied with our services, it could cause us to incur additional costs and impair profitability or lose the Client relationship altogether, which may negatively impact other Clients' perception regarding us. Our success is also dependent on maintaining a good reputation with existing and potential Colleagues, investors, Insurance Company Partners, vendors, regulators and the communities in which we operate. Negative perceptions or publicity regarding these or other matters, including our association with Clients or business partners who themselves have a damaged reputation, or from actual or alleged conduct by us or our Colleagues, could damage our reputation. Any of these matters could have a material adverse effect on our business, financial condition and results of operations.

Our operations are dependent upon our ability to protect our personnel, offices, and technology infrastructure against damage from business continuity events that could have a significant disruptive effect on our operations. Should we experience a local or regional disaster or other business continuity problem, such as an earthquake, hurricane, terrorist attack, pandemic, protest or riot, security breach, power loss, telecommunications failure or other natural or man-made disaster, our continued success will depend, in part, on the availability of personnel, office facilities, and the proper functioning of computer, telecommunication and other related systems and operations. In events like these, we can experience near-term operational challenges in particular areas of our operations. We could potentially lose key executives, personnel, client data or experience material adverse interruptions to our operations or delivery of services to Clients in a disaster recovery scenario. We may experience additional disruption due to system upgrades, outages, an increase in remote work or other impacts as a result of health epidemics or pandemics. Our inability to successfully recover should we experience a disaster or other business continuity problem, could materially interrupt our business operations and cause material financial loss, loss of human capital, regulatory actions, reputational harm, damaged client relationships, or legal liability. Our insurance coverage with respect to natural disasters is limited and is subject to deductibles and coverage limits. Such coverage may not be adequate, or may not continue to be available at commercially reasonable rates and terms.