Fidelis Insurance Holdings Ltd. (FIHL) Risk Factors

As a newly listed public company that qualifies as a foreign private issuer, we expect to incur significant legal, accounting, and other expenses that we did not incur as a private company, including costs resulting from public company reporting obligations under the Securities Act of 1933, as amended (the "Securities Act"), the Securities Exchange Act of 1934, as amended (the "Exchange Act"), and regulations regarding corporate governance practices. The Sarbanes-Oxley Act, the Dodd-Frank Wall Street Reform and Consumer Protection Act, the rules of the SEC, the listing requirements of NYSE, and other applicable securities rules and regulations impose various requirements on public companies, including establishment and maintenance of effective disclosure and financial controls and corporate governance practices. We have hired additional accounting, finance, and other personnel in advance of and following our becoming listed on the NYSE as part of our efforts to comply with the requirements of being a public company. Our management and other personnel will need to devote a substantial amount of time towards maintaining compliance with these requirements. These requirements will increase our legal and financial compliance costs and will make some activities more time-consuming and costly. For example, these reporting requirements, rules and regulations, coupled with the increase in potential litigation exposure associated with being a public company, could also make it more difficult for us to attract and retain qualified persons to serve on the board of directors of FIHL (the "Board") or board committees or to serve as senior managers, or to obtain certain types of insurance, including directors' and officers' insurance, on acceptable terms. As of the date of this report, we are evaluating these rules and regulations and cannot predict or estimate the amount of additional costs we may incur or the timing of such costs. These rules and regulations are often subject to varying interpretations, in many cases due to their lack of specificity, and, as a result, their application in practice may evolve over time as new guidance is provided by regulatory and governing bodies. This could result in continuing uncertainty regarding compliance matters and higher costs necessitated by ongoing revisions to disclosure and governance practices. We cannot predict or estimate the amount of additional costs we may incur as a result of becoming a public company or the timing of such costs. Any changes we make to comply with these obligations may not be sufficient to allow us to satisfy our obligations as a public company on a timely basis, or at all. Pursuant to Sarbanes-Oxley Act Section 404, we will be required to furnish a report by our management on, among other things, our internal control over financial reporting beginning with our second filing of an Annual Report on Form 20-F with the SEC for the fiscal year ending December 31, 2024. In order to maintain effective internal controls, we will need additional financial personnel, systems and resources. To achieve compliance with Sarbanes-Oxley Act Section 404 within the prescribed period, we will be engaged in a process to document and evaluate our internal control over financial reporting, which is both costly and challenging. In this regard, we will need to continue to dedicate internal resources, engage outside consultants, adopt and implement a detailed work plan to assess and document the adequacy of internal control over financial reporting, continue steps to improve control processes as appropriate, validate through testing that controls are functioning as documented, and implement a continuous reporting and improvement process for internal control over financial reporting. Despite our efforts, there is a risk that we will not be able to conclude, within the prescribed time frame or at all, that our internal control over financial reporting is effective as required by Sarbanes-Oxley Act Section 404. If we identify one or more material weaknesses, it could result in an adverse reaction in the financial markets due to a loss of confidence in the reliability of our financial statements. Furthermore, if we identity material weakness in our internal control over financial reporting in the future, we may not detect errors on a timely basis and our financial statements may be materially misstated. We or our independent registered public accounting firm may not be able to conclude on an ongoing basis that we have effective internal control over financial reporting, which could harm our operating results, cause investors to lose confidence in our reported financial information and cause the trading price of our shares to fall. In addition, as a public company we are required to file accurate and timely reports with the SEC under the Exchange Act. Any failure to report our financial results on an accurate and timely basis could result in sanctions, lawsuits, delisting of our shares from NYSE or other adverse consequences that would materially harm our business and reputation.

A change in law relating to certain perils for which the Group writes insurance or reinsurance may have a significant impact on the Group's ability to respond to certain events, including the manner and time frame for processing claims, the development of claim severity or the interpretation of the underlying policies. For example, in response to several wildfire events affecting California homeowners, the state has enacted new insurance consumer protection laws for California policyholders that took effect on January 1, 2019 and require insurers to afford certain policy protections to California insureds for future wildfire events. Such changes in law and practice in response to the recent wildfire events, as well as other changes in law and practice relating to other perils for which the Group writes insurance or reinsurance, may have a material adverse effect on the Group's business, prospects, financial condition or results of operations.

In general, a non-U.S. corporation will be a PFIC during a given year if (i) 75% or more of its gross income constitutes "passive income" (the "75% test") or (ii) 50% or more of its assets produce (or are held for the production of) passive income (the "50% test"). If FIHL were characterized as a PFIC during a given year, each U.S. Holder would be subject to a penalty tax at the time of the taxable disposition at a gain of, or receipt of, an "excess distribution" with respect to, their shares, unless such person is a 10% U.S. Shareholder (as defined below) subject to tax under the CFC rules or such person made a "qualified electing fund" ("QEF") election or, if the common shares are treated as "marketable stock" in such year, such person made a mark-to-market election. In addition, if FIHL were considered a PFIC, upon the death of any U.S. individual owning shares such individual's heirs or estate would not be entitled to a "step-up" in the basis of the shares that might otherwise be available under U.S. federal income tax laws. In addition, a distribution paid by FIHL to U.S. Holders that is characterized as a dividend and is not characterized as an excess distribution would not be eligible for reduced rates of tax as qualified dividend income if FIHL were considered a PFIC in the taxable year in which such dividend is paid or in the preceding taxable year. A U.S. Person that is a shareholder in a PFIC may also be subject to additional information reporting requirements, including the filing of an IRS Form 8621. For the above purposes, passive income generally includes interest, dividends, annuities and other investment income. The PFIC rules provide that income derived in the active conduct of an insurance business by a qualifying insurance corporation is not treated as passive income (the "insurance income exception"). The PFIC provisions also contain a look-through rule under which a foreign corporation will be treated, for purposes of determining whether it is a PFIC, as if it "received directly its proportionate share of the income…" and as if it "held its proportionate share of the assets…" of any other corporation in which it owns at least 25% of the value of the stock (the "look-through rule"). Under the look-through rule, FIHL should be deemed to own its proportionate share of the assets and to have received its proportionate share of the income of its non-U.S. insurance subsidiaries for purposes of the 75% test and the 50% test. However, the 2017 Act limits the insurance income exception to a non-U.S. insurance company that is a qualifying insurance corporation that would be taxable as an insurance company if it were a U.S. corporation and maintains insurance liabilities of more than 25% of such company's assets for a taxable year (the "25% Test") (or maintains insurance liabilities that at least equal or exceed 10% of its assets, is predominantly engaged in an insurance business and satisfies a facts-and-circumstances test that requires a showing that the failure to exceed the 25% threshold is due to runoff-related or rating-related circumstances (the "10% Test," together with the 25% Test, the "Reserve Test")). The Group believes that FIBL has met this Reserve Test and will continue to do so in the foreseeable future, in which case FIHL would not be expected to be a PFIC, although no assurance may be given that FIBL will satisfy the Reserve Test in future years. Further, the Treasury Department recently issued final and proposed regulations intended to clarify the application of the insurance income exception to the classification of a non-U.S. insurer as a PFIC and provide guidance on a range of issues relating to PFICs, including the application of the look-through rule, the treatment of income and assets of certain U.S. insurance subsidiaries for purposes of the look-through rule and the extension of the look-through rule to 25%-or-more-owned partnerships (the "2020 Regulations"). The 2020 Regulations define insurance liabilities for purposes of the Reserve Test, and tighten the Reserve Test as well as place a statutory cap on insurance liabilities, and provide guidance on the runoff-related and rating-related circumstances for purposes of the 10% Test. The 2020 Regulations, which set forth in proposed form certain requirements that must be met to satisfy the "active conduct of an insurance business" test, also propose that a non-U.S. insurer with no or a nominal number of employees that relies exclusively or almost exclusively upon independent contractors (other than related entities) to perform its core functions will not be treated as engaged in the active conduct of an insurance business. Further, for purposes of applying the 10% Test, the 2020 Regulations: (i) generally limit the rating-related circumstances exception to a non-U.S. corporation: (a) if more than half of such corporation's net written premiums for the applicable period are derived from insuring catastrophic risk, or (b) providing certain other insurance coverage that the Group is not expected to engage in, and (ii) reduce a corporation's insurance liabilities by the amount of any reinsurance recoverable relating to such liability. The Group believes that, based on the implementation of its business plan and the application of the look-through rule and the exceptions set out under Section 1297 of the Code, none of the income and assets of FIBL should be treated as passive pursuant to the 10% Test, and thus FIHL should not be characterized as a PFIC under current law for the current taxable year or for foreseeable future years to the extent a shareholder makes an election to apply the 10% Test, but because of the legal uncertainties as well as factual uncertainties with respect to the Group's planned operations, there is a risk that FIHL will be characterized as a PFIC for U.S. federal income tax purposes. In addition, because of the legal uncertainties relating to how the 2020 Regulations will be interpreted and the form in which the proposed 2020 Regulations may be finalized, no assurance can be given that FIHL will not qualify as a PFIC under final IRS guidance or any future regulatory proposal or interpretation that may be subsequently introduced and promulgated. If FIHL is considered a PFIC, it could have material adverse tax consequences for an investor that is subject to U.S. federal income taxation. Prospective investors should consult their tax advisors as to the effects of the PFIC rules. As noted above, the 10% Test will only apply if a U.S. Holder makes a valid election. A U.S. Holder seeking to elect the application of the 10% Test FIBL may do so if the Group provides the holder with, or otherwise makes publicly available, a statement or other disclosure that FIBL meet the requirements of the 10% Test (and contains certain other relevant information). The Group intends to either provide each U.S. investor with such a statement or otherwise make such a statement publicly available. A U.S. Holder may generally make an election to apply the 10% Test by completing a Form 8621 and attaching it to its original or amended U.S. federal income tax return for the taxable year to which the election relates. Investors owning a de minimis amount of FIHL stock may be deemed to have made the election automatically. U.S. Holders are urged to consult their tax advisors regarding electing to apply the 10% Test to FIBL. U.S. Holders are also urged to consult with their tax advisors and to consider making a "protective" QEF election with respect to FIHL and each of FIHL's non-U.S. subsidiaries to preserve the possibility of making a retroactive QEF election. If the Group determines that FIHL is a PFIC, the Group intends to use commercially reasonable efforts to provide the information necessary to make a QEF election for FIHL and each non-U.S. subsidiary of FIHL that is a PFIC. A U.S. Person that makes a QEF election with respect to a PFIC is currently taxable on its pro rata share of the ordinary earnings and net capital gain of such company during the years it is a PFIC (at ordinary income and capital gain rates, respectively), regardless of whether or not distributions were received. In addition, any of the PFIC's losses for a taxable year will not be available to U.S. Persons and may not be carried back or forward in computing the PFIC's ordinary earnings and net capital gain in other taxable years. U.S. Holders are also urged to consult with their tax advisors regarding the availability and consequences of making a mark-to-market election with respect to FIHL, although there can be no assurance that such election will be available, and such election likely would not be available for any subsidiary of FIHL also treated as a PFIC. In general, if a U.S. Holder were to make a timely and effective mark-to-market election, such holder would include as ordinary income each year the excess, if any, of the fair market value of the holder's common shares at the end of the taxable year over its adjusted basis in the common shares. Any gain recognized by such holder on the sale or other disposition of the common shares would be ordinary income, and any loss would be an ordinary loss to the extent of the net amount of previously included income as a result of the mark-to-market election and, thereafter, a capital loss. U.S. Holders considering a mark-to-market election for FIHL should consult with their tax advisors regarding making a QEF election for any non-U.S. subsidiary of FIHL treated as a PFIC.

The purpose of a business and the way in which it operates in achieving its objectives, including in relation to ESG matters, are a material consideration for the Group's key stakeholders in achieving their own ESG objectives and aims. The Group has seen increased focus and scrutiny on ESG-related matters from its key stakeholders, such as its institutional investors, policyholders, employees and suppliers, as well as policymakers, regulators, rating agencies, industry organizations and local communities, which could lead to a change in approach to ESG for the Group and in the general (re)insurance industry as a whole. ESG-related initiatives, trends and risks may directly or indirectly impact the Group's business and the achievement of the Group's business plan and consequently those of its key stakeholders. A failure to transparently and consistently implement an ESG strategy, in its key markets and across operational, underwriting and investment activities, may adversely impact the Group's business plan, financial results and reputation of the Group and may negatively impact relationships with the Group's stakeholders, all of whom have expectations, concerns and aims related to ESG matters which may differ from the Group's.

The Group's future success in relation to its Outsourced MGU Underwriting Plan depends to a significant extent on the efforts of senior management and key personnel employed by Fidelis MGU to implement its business strategy. The majority of senior employees of the Group prior to January 2023, including Mr. Brindle, are now employed by Fidelis MGU. There can be no assurance, however, that such key personnel will remain employed by Fidelis MGU. There are only a limited number of available and qualified executives with substantial experience in the (re)insurance industry and the procurement of new employees could be hindered by factors outside of the Group's control. Accordingly, Fidelis MGU's loss of the services of one or more of the members of their respective senior management team or other key personnel could significantly and negatively affect its ability to execute the relevant Outsourced MGU Underwriting Plan, which could, in turn, have a material adverse effect on the Group's business and results of operations. Although Fidelis MGU has executed employment agreements with respective key personnel, such executives and other senior management are free to resign from their roles, in accordance with the notice and non-compete provisions as set out in their respective employment agreements. If any member of management or other key employee dies or becomes incapacitated, or leaves Fidelis MGU to pursue employment opportunities elsewhere, they would be responsible for locating an adequate replacement for such individual and for bearing any related cost. To the extent that Fidelis MGU is unable to locate an adequate replacement or is unable to do so within a reasonable period of time, the Group's business may be significantly and negatively affected.

The distribution model for the Group's products is built on long-term relationships with quality clients and respect for the core broker distribution model. The Group and its agents, such as Fidelis MGU, are therefore dependent upon brokers and other intermediaries to distribute products. Brokers and certain other intermediaries are independent and therefore no broker or such other intermediary is committed to recommend or sell the products of the Group. Accordingly, these relationships with brokers and other intermediaries distributing its products are important. A broker assesses which insurance companies are suitable for it and its customers by considering, among other things, the security of claims payment and service, and prospects for future investment returns in the light of a company's product offering, personnel, past investment performance, financial strength and perceived stability, ratings and the quality of the service provided to the broker and its customer. Larger insurers and reinsurers may have more commercial influence with certain insurance and reinsurance brokers, either generally or in certain underwriting lines. A broker then determines which products are most suitable by considering, among other things, product features and price. An unsatisfactory assessment of the Group and its products based on any of these factors could result in the Group generally, or in particular certain of its products, not being actively marketed by brokers to their customers. Failure to maintain a positive relationship with its brokers and competitive distribution network could result in a loss of market share or a reduction of the Group's premium volumes or an increase in policy lapses and withdrawals, which could result in reduced fee and premium income, and, in turn, have a material adverse effect on the Group's business, prospects, financial condition or results of operations.

As is customary with underwriting agents and distributing brokers, the Group will generally pay all of the amounts owed on claims under its insurance and reinsurance contracts first to the applicable underwriting agent, such as Fidelis MGU, who will then pass on the payment to the various brokers or other intermediaries, and these brokers or other intermediaries (as applicable) will, in turn, pay these amounts over to the clients that have purchased insurance or reinsurance from the Group. If an underwriting agent, a broker or other intermediary fails to make its relevant payment, it is possible that the Group will be liable to the client for the deficiency because of local laws or contractual obligations. Likewise, in certain jurisdictions, when the insured or ceding insurer pays premiums for these policies to brokers or other intermediaries for payment over to the Group, these premiums might be considered to have been paid and the insured or ceding insurer will no longer be liable to the Group for those amounts, whether or not the Group actually receives the premiums "up the chain" from its agent, a broker or other intermediary. Consequently, the Group assumes a high degree of credit risk associated with brokers and other intermediaries, including in relation to any sub-delegation, around the world with respect to most of its insurance and reinsurance business, its inwards premium receivable from insureds and cedants, and on any amounts recoverable in relation to subrogation and salvage and from reinsurers. Furthermore, the concentration of the Group's business in a small number of key brokers may subject it to reduced premium income. Loss of all or a substantial portion of the business provided by one or more of the Group's key (re)insurance brokers could result in reduced premium income, which, in turn, could have a material adverse effect on the Group's business, prospects, financial condition or results of operations.

Steps taken by governments throughout the world in response to the recent economic and geopolitical climate, expansionary monetary policies and other factors have led to an inflationary environment. In operating our business, we are experiencing the effects of inflation, including increased labor and construction costs. Furthermore, the Group's operations, like those of other insurers and reinsurers, are susceptible to the effects of inflation because premiums are established before the ultimate amounts of losses and loss adjustment expenses are known. Although the Group considers the potential effects of inflation when setting premium rates, premiums may not fully offset the effects of inflation and thereby essentially result in underpricing the risks insured and reinsured by the Group. Loss reserves include assumptions about future payments for settlement of claims and claims-handling expenses, such as the value of replacing property, associated labor costs for the property business the Group writes, and litigation costs. To the extent inflation causes costs to increase above loss reserves established for claims, the Group will be required to increase loss reserves with a corresponding reduction in net income in the period in which the deficiency is identified, which could have a material adverse effect on the Group's business, prospects, financial condition or results of operations. Unanticipated higher inflation could also lead to higher interest rates, which would negatively impact the value of the Group's fixed maturity securities and potentially other investments. For example, inflation could affect the returns on fixed maturity securities, which may deliver diminished real returns in inflationary environments.

The Group underwrites a broadly diversified insurance and reinsurance portfolio across a wide range of risk classes that the Group and members of Fidelis MGU's management have successfully underwritten in the past, including property, energy, marine, aviation, political risk, credit and surety and various others, as well as whole account quota shares. There can be no assurance that the Group will not suffer losses from one or more catastrophic events in any one given geographic zone due to several factors, including the inherent uncertainties in estimating the frequency and severity of such events, potential inaccuracies and inadequacies in the data provided by clients and brokers, the limitations and inaccuracies of modeling techniques, the limitations of historical data used to estimate future losses or as a result of a decision to change the percentage of the shareholders' equity exposed to a single modeled catastrophic event. The Group's estimated probable maximum loss is determined through the use of modeling techniques, but such estimate does not represent the Group's total potential loss for such exposures. Catastrophe modeling is a relatively new discipline that utilizes a mix of historical data, scientific theory and mathematical methods. There is considerable uncertainty in the data and parameter inputs for (re)insurance industry catastrophe models. In that regard, there is no universal standard in the preparation of insured data for use in the models and the running of modeling software. The accuracy of the models depends heavily on the availability of detailed insured loss data from actual large catastrophes. Due to the limited number of events and the fact that no two events are precisely the same, there is significant potential for substantial differences between the modeled loss estimate and actual Group experience for a single large catastrophic event. This potential difference could be even greater for perils without recent loss experience, including natural catastrophe risks such as U.S. earthquakes, or less developed modeled annual severity, such as European windstorms, as well as man-made risks, such as cyber-attacks. Cyber is an example of a peril in respect of which modeling is not yet very well developed. In addition, even though wildfires in California and along the western coast of the United States have increased in frequency over recent years, the wildfire models are not as well developed as those for peak insured risks. The Group uses Fidelis MGU's catastrophe modeling, which in turn uses third party estimates of industry insured exposures. There could be significant variation between the Group's actual losses and those of the industry following a catastrophic event. In addition, actual losses may increase if the Group has reinsured some or all of its exposures and its reinsurers fail to meet their obligations or the reinsurance protections purchased are exhausted or are otherwise unavailable. The Group has direct and indirect exposure to substantial insured losses resulting from catastrophic events. The Group is exposed to natural catastrophes such as hurricanes, earthquakes, typhoons, floods, sea surges, fire, convective storms and other severe weather patterns occurring in one or more of the countries in which the Group operates or globally, as well as to human-instigated catastrophic events of terrorism, cyber-attack, war or nuclear-related events and to systemic events such as a global economic crisis. The Group is also exposed to perils that are highly influenced by a combination of natural processes and man-made factors, such as epidemics and pandemics. The predictability, severity, frequency and post-event estimation of such varied events are extremely difficult to assess, under existing models or otherwise. In addition, the Group (including via Fidelis MGU) only utilizes industry catastrophe modeling in relation to natural catastrophes and, therefore, the Group's exposure to human-instigated catastrophic events is less well modeled and may be subject to greater uncertainty. Any failures or limitations of models or incorrect estimations by the Group or by Fidelis MGU, on behalf of the Group, could have a material adverse effect on the Group's business, prospects, financial condition or results of operations.

As a global insurance and reinsurance company, the Group is affected by the monetary policies of the U.S. Federal Reserve Board, The Bank of England, the European Central Bank and other central banks around the world. Following the financial crisis of 2007 and 2008, and as a result of the COVID-19 pandemic, these central banks took a number of actions to spur economic activity such as keeping interest rates low and enacting quantitative easing. More recently, these central banks have implemented monetary tightening policies, increasing interest rates in an effort to control and reduce inflation. Unconventional monetary policy from the major central banks, the reversal of such policies, the shift to monetary tightening policies and the impact on global economic growth remain key uncertainties for markets and the Group's business. For example, in one of the Group's key markets for its products, the U.S. debt ceiling and budget deficit concerns continue to present the possibility of credit-rating actions, economic slowdowns, or a recession for the U.S. The impact of any negative action regarding the U.S. government's sovereign credit rating could adversely affect the U.S. and global financial markets and economic conditions. In addition, policies that may be pursued by the then current White House administration and the legislation that may be introduced by the U.S. Congress and Senate, could result in market volatility in the short term. These developments could cause more volatility in interest rates and borrowing costs, which may negatively impact the Group's ability to access the debt markets on favorable terms. Continued adverse economic conditions could have a material adverse effect on the Group's business, financial condition and results of operations. These and any future developments and reactions of the credit markets toward these developments could cause interest rates and borrowing costs to rise, which may negatively impact the Group's ability to obtain debt financing on favorable terms. Although the Federal Reserve has increased interest rates in recent years, it may change its monetary policy at any time, including in response to economic conditions. The Federal Reserve previously cut interest rates in 2019 and 2020, which then remained relatively low throughout 2020 and most of 2021, to stimulate the economy and address the COVID-19 pandemic. However, the U.S. economy commenced showings signs of potential recovery due to the fiscal package and government stimulus plans introduced by the Biden administration as well as the Federal Reserve's continued engagement in quantitative easing. The Federal Reserve has increased the target interest rates throughout 2022 and 2023. If the Federal Reserve raises interest rates, or if interest rates otherwise rise, the Group may be exposed to unrealized losses on its fixed maturity securities. Similarly, The Bank of England's Monetary Policy Committee increased rates throughout 2022 and 2023. Since August 3, 2023 and as of the Bank of England's latest decision on December 13, 2023, the bank rate has been maintained at 5.25%. Several other central banks, including the European Central Bank, increased benchmark interest rates and signaled their intention to continue to do so citing, among other factors, the high inflationary environment. Interest rates are influenced by matters other than the Federal Reserve's monetary policy, for example, economic indicators and outlook (unemployment data, GDP growth and consumer spending), global economic conditions and central bank communication. Volatility across these factors in the U.S., the U.K. and other key markets for the Group mean that it may be impossible to reasonably predict the course of action the Federal Reserve may take in relation to changing the federal funds rate, and interest rates may increase even if monetary policy does not change. Changes in Federal Reserve policy may also impact the overall liquidity and efficiency of fixed maturity markets. The Federal Reserve has also started to unwind the quantitative easing measures enacted to combat the effects of the COVID-19 pandemic including a reduction in the amount of assets it holds on its balance sheet. As this quantitative easing is withdrawn, financial markets may react negatively and fixed maturity market liquidity may decline, leading to heightened volatility in fixed maturity investment prices and difficulty in transacting at indicated market values. The Group's exposure to interest rate risk relates primarily to the changes in market price and cash flow variability of fixed maturity instruments that are associated with changes in interest rates. The Group's investment portfolio contains interest rate sensitive instruments, such as fixed maturity securities which have been, and will likely continue to be, affected by changes in interest rates from central bank monetary policies, domestic and international economic and political conditions, levels of inflation and other factors beyond the Group's control. The Group's fixed maturity portfolio also includes asset classes such as asset-backed securities and investment-grade emerging market debt, which are riskier in nature than some of the Group's other fixed maturity instruments and could adversely impact the Group's investment portfolio. Interest rates are highly sensitive to many factors, including governmental monetary policies, inflation, domestic and international economic and political conditions and other factors beyond the Group's control and fluctuations could materially and adversely affect the Group's business, financial condition and results of operations. Steps that may be taken by central banks to raise interest rates in the future to combat higher inflation than the Group, or the wider market, had anticipated could, in turn, lead to unrealized losses on the Group's investments. Changes in the level of inflation could also result in an increased level of uncertainty in the estimation of loss reserves for the Group's lines of business with a longer tenor. Such changes in inflation will have the largest impact on the Group's fixed maturity portfolio, which, as of the date of this report, has a duration of around two years. As a result of the above factors, the Group's business, financial condition, liquidity or operating results could be adversely affected.

The Group's business is subject to cybersecurity, privacy and data protection laws, regulations, rules, standards and contractual obligations in the jurisdictions in which we operate, which can increase the cost of doing business, compliance risks and potential liability. These cybersecurity, privacy and data protection laws, regulations, rules, standards and contractual obligations in the United States and other jurisdictions in which we operate are complex and evolving, and legislators and regulators are increasingly focused on these issues. Ensuring that our collection, use, transfer, storage and other processing of personal information complies with such requirements can increase operating costs, impact the development of new products or services, and reduce operational efficiency. Since May 25, 2018, the European General Data Protection Regulation (the "E.U. GDPR") has been directly applicable in all E.U. member states. The U.K.'s General Data Protection Regulation and Data Protection Act 2018 (collectively, the "U.K. GDPR") is the retained E.U. law version of E.U. GDPR (the U.K. GDPR and the E.U. GDPR collectively, the "GDPR"). The Group is subject to the GDPR when offering goods and services to E.U. and/or U.K.-based data subjects, as applicable (regardless of whether through Group companies in the E.U. and/or the U.K.). The GDPR imposes comprehensive data privacy compliance obligations in relation to our collection, processing, sharing, disclosure, transfer and other use of data relating to an identifiable living individual or "personal data," as applicable, including: the obligation to appoint data protection officers in certain circumstances; new rights for individuals to be "forgotten" and rights to data portability; the principle of accountability; and the obligation to make public notification of significant data breaches. The GDPR also retains and adds to existing requirements, including restrictions on transfers of personal data outside of the EEA/U.K., as applicable, and the requirement to include specific data protection provisions in agreements with data processors. The GDPR also regulates cross-border transfers of personal data out of the EEA and the U.K. Recent legal developments in Europe have created complexity and uncertainty regarding such transfers, in particular in relation to transfers to the United States. On July 16, 2020, the Court of Justice of the European Union (the "CJEU") invalidated the E.U.-U.S. Privacy Shield Framework, or Privacy Shield, under which personal data could be transferred from the EEA (and the U.K.) to relevant self-certified U.S. entities. The CJEU further noted that reliance on the standard contractual clauses ("SCCs") (a standard form of contract approved by the European Commission as an adequate personal data transfer mechanism and potential alternative to the Privacy Shield) alone may not necessarily be sufficient in all circumstances and that transfers must be assessed on a case-by-case basis. Subsequent European court and regulator decisions have taken a restrictive approach to international data transfers. In July 2023, the European Commission adopted an adequacy decision concluding the new E.U.-U.S. data privacy framework (the "E.U.-U.S. DPF") constitutes a lawful data transfer mechanism under E.U. law for participating U.S. entities; however, the E.U.-U.S. DPF may be in flux as such adequacy decision has been challenged, and is likely to face additional challenges at the CJEU. Moreover, although as of the date of this report the U.K. has an adequacy decision from the European Commission, such that SCCs are not required for the transfer of personal data from the EEA to the U.K., that decision will sunset in June 2025 unless extended and it may be revoked in the future by the European Commission if the U.K. data protection regime is reformed in ways that deviate substantially from the GDPR. Adding further complexity for international data flows, in March 2022, the U.K. adopted its own International Data Transfer Agreement for transfers of personal data out of the U.K. to so-called third countries, as well as an international data transfer addendum that can be used with the SCCs for the same purpose. In addition, in June 2023, the U.S. and U.K. announced a commitment in principle to establish a "data bridge" to extend the E.U.-U.S. DPF to the flow of U.K. personal data under the U.K. GDPR to participating entities in the U.S. Such data bridge could not only be challenged but also may be affected by any challenges to the E.U.-U.S. DPF. As the enforcement landscape further develops, and supervisory authorities issue further guidance on-and revised standard contractual clauses for-international data transfers, we could suffer additional costs, complaints and/or regulatory investigations or fines; we may have to stop using certain tools and vendors and make other operational changes (whether infrastructural, procedural or personnel) which could otherwise affect the manner in which we provide our services, and could adversely affect our business, operations and financial condition. The E.U. has also proposed legislation (including the E.U. Data Act) that would regulate non-personal data and establish new cybersecurity standards, and other countries, including the U.K., may similarly do so in the future. If we are otherwise unable to transfer data, including personal data, between and among countries and regions in which we operate, it could affect the manner in which we provide our products and services, the geographical location or segregation of our relevant systems and operations, and could adversely affect our financial results. While we have implemented certain controls and procedures designed to comply with the requirements of the GDPR, U.K. GDPR and the cybersecurity, privacy and data protection laws of other jurisdictions in which we operate, such procedures and controls may not be effective in ensuring compliance or preventing unauthorized transfers of personal data. We are also subject to evolving E.U. and U.K. privacy laws on cookies, tracking technologies and e-marketing. Recent European court and regulator decisions are driving increased attention to cookies and similar tracking technologies. In the E.U. and U.K., informed consent is required for the placement of certain cookies or similar tracking technologies on an individual's device and for direct electronic marketing. Consent is tightly defined and includes a prohibition on pre-checked consents and a requirement to obtain separate consents for each type of cookie or similar technology. If the trend of increasing enforcement by regulators of the strict approach to opt-in consent for all but essential use cases, as seen in recent guidance and decisions continues, this could lead to substantial costs, require significant systems changes, limit the effectiveness of our marketing activities, divert the attention of our technology personnel, adversely affect our margins, and subject us to additional liabilities. In light of the complex and evolving nature of E.U., E.U. member state and U.K. privacy laws on cookies and tracking technologies, there can be no assurances that we will be successful in our efforts to comply with such laws; violations of such laws could result in regulatory investigations, fines, orders to cease/ change our use of such technologies, as well as civil claims including class actions, and reputational damage. Since we are under the supervision of relevant data protection authorities in both the EEA and the U.K., we may be fined under both the E.U. GDPR and U.K. GDPR for the same breach. Penalties for certain breaches are up to the greater of EUR 20 million/ GBP 17.5 million or 4% of our global annual turnover. In addition to fines, a breach of the GDPR may result in regulatory investigations, reputational damage, orders to cease/ change our data processing activities, enforcement notices, assessment notices for a compulsory audit and/or civil claims (including class actions). In the United States, we may also be subject to numerous federal, state and local cybersecurity, privacy and data protection laws, regulations and rules governing the collection, sharing, use, retention, disclosure, security, transfer, storage and other processing of personal information, including federal and state cybersecurity, privacy and data protection laws, data breach notification laws, and data disposal laws. For example, at the federal level, we are subject to, among other laws and regulations, the rules and regulations promulgated under the authority of the Federal Trade Commission (which has the authority to regulate and enforce against unfair or deceptive acts or practices in or affecting commerce, including acts and practices with respect to cybersecurity, privacy and data protection). In addition, in July 2023, the SEC adopted new cybersecurity rules for public companies that are subject to the reporting requirements of the Exchange Act. Under these new rules, foreign private issuers must disclose a material cybersecurity incident promptly following management's determination that the incident is material. Companies also must include enhanced cybersecurity risk assessment and management, strategy and governance disclosures, including disclosures regarding management's role in overseeing the registered company's cybersecurity risk management and compliance program, in their annual reports. Further, the United States Congress has recently considered, and, as of the date of this report, is considering, various proposals for comprehensive federal cybersecurity, privacy and data protection legislation, to which we may become subject if passed. It is anticipated that our operations in Bermuda will also become subject to data protection laws in the near future. Bermuda introduced the Personal Information Protection Act 2016 ("PIPA") in 2016 to regulate and protect the use of personal information. PIPA applies to any organization (meaning any individual, entity or public authority) that uses personal information in Bermuda where that personal information is used by automated or other means which form, or are intended to form, part of a structured filing system. Under PIPA "personal information" means any information about an identified or identifiable individual (meaning a natural person), and "use" is broadly defined to include carrying out any operation on or possessing personal information. PIPA will come into force effective January 1, 2025. To the extent that the Group uses or holds individuals' personal information in Bermuda, the Group will need to comply with the provisions of PIPA at that time. In general, an organization must adopt suitable measures and policies to give effect to its obligations and to the rights of individuals set out in PIPA, and may only use an individual's personal information where one or more of the prescribed conditions for use is met. Organizations must designate a privacy officer, and must provide individuals with a clear and easily accessible statement about its personal information practices and policies, which must include: the fact that personal information is being used; the purposes for which personal information is or might be used; the identity and types of individuals or organizations to whom personal information might be disclosed; the identity and location of the organization, including information on how to contact it about its handling of personal information; the name of the privacy officer; and the choices and means the organization provides to an individual for limiting the use of, and for accessing, rectifying, blocking, erasing and destroying, their personal information. Personal information held by an organization must be adequate, relevant and not excessive in relation to the purposes for which it is used, and must be accurate and kept up to date to the extent necessary for its use. An organization must protect personal information that it holds with appropriate and proportional safeguards against risk, including loss; unauthorized access, destruction, use, modification or disclosure; or any other misuse. Where an organization engages (by contract or otherwise) the services of a third party in connection with the use of personal information, including transfers to overseas third parties, the organization remains responsible at all times for ensuring compliance with PIPA. Oversight and enforcement of PIPA is the responsibility of Bermuda's Privacy Commissioner. The Privacy Commissioner has certain investigatory, order making and enforcement powers, including issuing formal warnings, public admonishment or disclosure for prosecution for offenses under PIPA, including corporate offenses committed with the consent or connivance of corporate officers, which could result in a fine or imprisonment. In addition, the BMA has recognized that cyber incidents can cause significant financial losses and/or reputational impacts across the insurance industry and has implemented the Insurance Sector Operational Cyber Risk Management Code of Conduct (the "Cyber Risk Code") to ensure that those operating in the Bermuda insurance sector can mitigate such risks. The Cyber Risk Code prescribes the duties, requirements, standards, procedures and principles which all insurers, insurance managers and insurance intermediaries (agents, brokers and insurance market place providers) registered under the Insurance Act must comply. The Cyber Risk Code is designed to promote the stable and secure management of information technology systems of regulated entities and requires that all registrants implement their own technology risk programs, determine what their top risks are and develop an appropriate risk response. This requires all registrants to develop a cyber-risk policy which is to be delivered pursuant to an operational cyber risk management program and appoint an appropriately qualified member of staff or outsourced resource to the role of Chief Information Security Officer. The role of the Chief Information Security Officer is to deliver the operational cyber risk management program. It is expected that the cyber risk policy will be approved by the registrant's board of directors at least annually. The BMA will assess a registrant's compliance with the Cyber Risk Code in a proportionate manner relative to the nature, scale and complexity of its business. While it is acknowledged that some registrants will use a third party to provide technology services and that they may outsource their IT resources (for example, to an insurance manager where applicable), when so outsourced, the overall responsibility for the outsourced functions will remain with the registrant's board of directors. Failure to comply with the requirements of the Cyber Risk Code will be taken into account by the BMA in determining whether a registrant is conducting its business in a sound and prudent manner as prescribed by the Insurance Act and may result in the BMA exercising its powers of intervention and investigation. Other than the above, continuing regulatory developments in the national laws and regulations of individual E.U. member states, the U.K. and Bermuda in relation to the processing of personal data, has increased and may continue to increase the Group's compliance obligations and has necessitated and may continue to necessitate the review and implementation of updated policies and processes relating to the Group's collection and use of personal data. Any further and/or ongoing increase in compliance obligations could also lead to increased compliance costs, which may have an adverse impact on the Group's business, prospects, financial condition or results of operations. If any person, including any of the Group's employees or those with whom the Group shares personal data, negligently disregards or intentionally breaches the Group's established controls with respect to personal data that the Group holds, the Group could be subject to significant monetary damages, regulatory enforcement actions, fines and/or criminal prosecution in one or more jurisdictions. In addition, a data breach could result in negative publicity, which could damage the Group's reputation and have an adverse effect on the Group's business, prospects, financial condition or results of operations. The Group takes seriously its obligation to comply with all relevant data privacy regulation. This includes the operation of appropriate technical controls such as encryption and multifactor authentication, as well as providing for the publication of applicable policies and procedures such as the Privacy Policy and Cookie Notice on the Group's public-facing website. The Group also operates a supplier due diligence process which includes provision for assessing the data privacy arrangements of suppliers to check that they operate appropriate controls. Moreover, the Group has an in-house legal team with knowledge of relevant privacy regulation, and which is able to engage outside counsel as necessary when expert data privacy assistance is required. While we strive to publish and prominently display privacy policies that are accurate, comprehensive, and compliant with applicable laws, regulations, rules and standards, we cannot ensure that our privacy policies and other statements regarding our practices will be sufficient to protect us from claims, proceedings, liability or adverse publicity relating to cybersecurity, privacy or data protection. The publication of our privacy policies and other documentation that provide promises and assurances about cybersecurity, privacy and data protection can subject us to potential government or legal investigation or action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. Overall, our compliance efforts are further complicated by the fact that cybersecurity, privacy and data protection laws, regulations, rules and standards around the world are rapidly evolving, may be subject to uncertain or inconsistent interpretations and enforcement, and may conflict among various jurisdictions. Such cybersecurity, privacy and data protection requirements, and new or modified requirements that may be adopted in the future, may increase our compliance costs. Any failure or perceived failure to comply with our privacy policies, or applicable cybersecurity, privacy and data protection laws, regulations, rules, standards or contractual obligations, or any compromise of security that results in unauthorized access to, or unauthorized loss, destruction, use, modification, acquisition, disclosure, release or transfer of personal information, may lead to significant fines, judgments, awards, penalties, sanctions, reputational harm, increased regulatory scrutiny, litigation, requirements to modify or cease certain operations or practices, the expenditure of substantial costs, time and other resources, proceedings or actions against us, governmental investigations, enforcement actions, or other liability. Any of the foregoing could distract our management and technical personnel, increase our costs of doing business, adversely affect the demand for our products and services, and ultimately result in the imposition of liability, any of which could have a material adverse effect on our business, financial condition and results of operations.

The availability and price of insurance and reinsurance coverage has been affected by factors such as the global economic recession, stock market performance, interest rates, high inflationary environment and the occurrence of global catastrophic events. Recent examples of the latter are Hurricanes Florence, Dorian, Michael, Laura, Sally, Ida and Ian, Typhoons Faxai, Hagibis, Jebi, Mangkhut and Trami, the U.S. Midwest derecho, Winter Storm Uri, the California wildfires in recent years and Storm Bernd, which caused widespread European floods, the COVID-19 pandemic and floods in Australia and South Africa and the 2024 Noto earthquake in Japan, as well as the ongoing Ukraine Conflict and the escalation of conflict in the Middle East. Volatility in regional and global economic growth has the potential to reduce the amount of GPW in the Group's business lines such as marine, where such volatility may result in a decline in shipbuilding projects or marine traffic and aviation lines in the event of a significant reduction in passenger volumes and departures. Within energy lines, the recent volatility in oil prices, brought around by fears of supply issues in light of the ongoing Ukraine Conflict and conflict in the Middle East, affects asset prices and may impact existing and future exploration and extraction projects, also producing broader financial distress within the energy industry. Although Russian energy exports are continuing, Western nations must explore their options and seek alternative energy sources. The Organisation for Economic Cooperation and Development (the "OECD") nations responded to the crisis by releasing more barrels from their strategic reserves, which was aimed at stabilizing the prices. There is no guarantee that these efforts will impact oil prices in any meaningful way as this unprecedented economic and political situation has not been fully modeled yet and the prices are expected to remain extremely volatile. This dynamic in the energy sector may result in increased demand for insurance, but limits (particularly in respect of business interruption) may be higher and claims may be more significant. Fluctuations in demand for insurance and reinsurance products or over- or under-supply of capacity can result in governmental intervention in the insurance and reinsurance markets, which may affect the risks which may be available for the Group to consider underwriting, or render terms and pricing unattractive. At the same time, threats of further terrorist attacks and political unrest in Europe, the Middle East, North Africa, the U.S., Australasia and Asia, and continued uncertainty arising directly and indirectly from turbulence in the global financial markets, have adversely affected general economic, market and political conditions, increasing many of the risks associated with the Group's business worldwide. See Item 3.D. Risk Factors "Risks Relating to Recent Events".