Travel + Leisure Co (TNL) Risk Analysis

Declines in or disruptions to the travel industry including in regions and locations where we have a significant number of resorts have in the past adversely impacted us and any future declines or disruptions are also likely to adversely impact us. Risks affecting the travel industry can be localized events or global in nature and may adversely impact decisions by consumers to use and consume travel services and products, including economic factors such as economic slowdown and recession; increased cost of living and reduced discretionary income (including due to recent and potential future inflationary pressures and higher borrowing costs) and potential for increased unemployment rates; terrorist incidents and threats and associated heightened travel security measures; acts of gun violence or threats thereof; war, other hostilities and political and regional strife (including the risk that the current conflict between Ukraine and Russia or the conflicts in the Middle East expand in a manner that significantly impacts our business and operations); extreme weather conditions and natural disasters; the associated economic disruption due to concerns with high rates of infection, pandemics, contagious diseases or health epidemics, such as occurred during the COVID-19 pandemic, and the related increased governmental regulations or restrictions on and recommendations and warnings against travel in certain regions; lengthy power outages; increased pricing, financial instability and capacity constraints of air carriers; airline job actions and strikes; and potential for increases in gasoline and other fuel prices such as experienced in 2022. Extreme weather conditions and natural disasters, whether resulting from climate change or other factors, such as increased frequency and severity of hurricanes, storms and floods, coastal erosion and flooding due to higher sea levels, increased temperatures, increased wildfires, tornadoes, earthquakes, typhoons, tsunamis, drought, volcanic eruptions and other factors, have in the past adversely impacted, and in the future will likely continue to adversely impact, the accessibility or desirability of travel to certain locations, including those areas where we or our affiliated resort owners have existing properties or may develop resort properties in the future. Additionally, increased regulations related to climate change could have an adverse impact on the leisure travel industry generally. Further, Travel + Leisure Co. develops and manages resort properties and provides our exchange and travel club members access to resort properties throughout the world, a portion of which are in areas with greater exposure to the adverse effects of severe weather events and other natural disasters due to their location in coastal areas or states where wildfires are common or have increased in frequency, which could cause such resorts to suffer greater adverse effects from those events than the leisure travel industry faces in general. Based upon insurable property values as of December 31, 2024, 36% of our managed properties are located in Tier I windstorm exposure areas, 22% are located in high-risk wildfire-prone states, and 20% are located in areas with a high level of flood risk. In addition, based on the water risk assessment we conducted in 2024, we identified 59 managed resorts in high or extremely high water-stressed locations. Properties in these areas have in the past closed, and may in the future close, due to such extreme weather events and such closures have been, and in the future may be, extended for prolonged periods following such weather events while major damage is remedied and/or major renovations are undertaken and completed, whether to the resort properties themselves or to the surrounding infrastructure which supports such areas. Concern with climate change or increased extreme weather events may also impact customer preferences for future timeshare purchases, including potential decreased customer preference for geographic areas that may be viewed as subject to increased risk of extreme weather events. Natural disasters, such as the recent severe wildfires in California and the hurricanes in Florida, have increasingly caused substantial and, in certain instances, unprecedented property damage which will likely materially impact property insurance markets. Coverage and insurance rates may materially impact resort ownership unit maintenance fees to timeshare owners which could potentially make vacation ownership less attractive to some consumers. The particular geographic areas exposed to these extreme weather events and other natural disasters have increased in recent years to areas which had not historically been subject to such extreme conditions, including areas which we and our affiliated resort owners own or manage resort properties and, in the future, expect to develop additional or expanded resort properties. Any of the foregoing disruptions would also likely adversely affect our affiliated resorts, our RCI affiliates and other developers of vacation ownership resorts and timeshare property owner associations in the impacted location(s), and our travel clubs, thereby impacting our operations and financial results.

Negative public perception regarding our industry resulting from, among other things, consumer complaints regarding sales and marketing practices, consumer financing arrangements, and restrictions on exit related to our products, as well as negative comments or messaging on social media, could result in increased regulatory scrutiny and negative customer and public perceptions of us and one or more of our brands, which could result in significant reputational damage, more onerous laws, regulations, guidelines and enforcement interpretations in jurisdictions in which we operate. These actions may lead to operational delays or restrictions, as well as increased operating costs, regulatory burdens and risk of litigation, and decrease customers' willingness to buy from us or to use our travel clubs or vacation exchange platforms.

Our business is regulated by federal, state and local governments in the countries in which we operate. In addition, U.S. and international, federal, state and local regulators may enact new laws and regulations that may reduce our revenues, cause our expenses to increase or require us to modify our business practices substantially. We are, and may be in the future, subject to regulatory inquiries and investigations from time to time arising under laws and regulations applicable to our business, including, among others, those governing timeshare (including required government registrations), consumer financings and other lending, information security, data protection and privacy, credit card and payment card security standards, marketing, sales, consumer protection and advertising, unfair and deceptive trade practices, fraud, bribery and corruption, telemarketing (including do-not-call and call-recording regulations), licensing, labor, employment, anti-discrimination, health care, health and safety, accessibility, immigration, gaming, environmental (including climate change) and remediation, intellectual property, securities, stock exchange listing, accounting, tax and regulations applicable under the Dodd-Frank Act, Office of Foreign Asset Control, Americans with Disabilities Act, the Sherman Act, and the Foreign Corrupt Practices Act and local equivalents in international jurisdictions (including the United Kingdom Bribery Act). As a result, we may be subject to actions, fines, civil and/or criminal penalties, injunctions and potential criminal prosecution. In the past, when we have been subjected to regulatory inquiries or investigations, the amount of the fines involved were not material to our business, financial condition or results of operations. However, future fines, penalties or other remedies that regulators might seek to impose could materially adversely affect our business, financial condition or results of operations.

We are subject to taxation at the federal, state and local levels in the U.S., and various other countries and jurisdictions. Our future effective tax rate and future cash flows could be affected by changes in the composition of earnings in jurisdictions with differing tax rates, changes in statutory rates and other legislative changes, changes in the valuation of our deferred tax assets and liabilities, changes in determinations regarding the jurisdictions in which we are subject to tax, and our ability to repatriate earnings from foreign jurisdictions. From time to time, U.S. federal, state and local, and foreign governments make substantive changes to tax rules and their application. For example, effective beginning for the 2023 tax year, the Inflation Reduction Act of 2022 made changes to the U.S. corporate income tax system, including a 15% minimum tax on adjusted financial statement income for certain large corporations and a 1% excise tax on share repurchases. We currently are not subject to the 15%minimum tax, but we will continue to monitor as this could change. Further changes to the tax laws may be contemplated both in the U.S. and certain other countries, which could result in materially higher corporate taxes than would be incurred under existing tax law and could otherwise adversely affect our financial condition or results of operations. The international tax environment remains highly uncertain and increasingly complex as evidenced by initiatives put forth by the Organization for Economic Co-operation and Development ("OECD"), which includes the introduction of a global minimum tax at a rate of 15% under the OECD's Pillar Two rules. A number of countries around the world have enacted or are in the process of enacting legislation implementing OECD's Pillar Two rules. As of December 31, 2024, based on the countries in which we do business that have enacted legislation effective January 1, 2024, the impact of these rules to our financial statements was not material. For the rules effective January 1, 2025, we do expect the impact to increase our effective tax rate but overall the rules are not expected to have a material impact on our financial statements. This may change as other countries enact similar legislation and further guidance is released. We continue to closely monitor regulatory developments to assess potential impacts. The OECD may continue to release guidance, and enacting legislation may continue to be implemented, that could impact our assessment as to the impact of Pillar Two on our consolidated financial statements and operations. We are subject to ongoing and periodic tax audits and disputes in U.S. federal and various state, local, and foreign jurisdictions. An unfavorable outcome from any tax audit could result in higher tax costs, penalties and interest, thereby adversely affecting our financial condition or results of operations.

Many factors influence our reputation and the value of our brands, including the perception held by our customers and other key stakeholders and the communities in which we do business. Our business faces increasing scrutiny related to environmental, social and governance activities and risk of damage to our reputation and the value of our brands if we fail to act responsibly or comply with regulatory requirements in a number of areas, such as business ethics and compliance, safety and security, responsible tourism, public health, environmental stewardship and sustainability, supply chain management, climate change, diversity, human rights and modern slavery, philanthropy and support for local communities. We have publicly stated our goals related to environmental sustainability, which include reducing our water intensity and GHG emissions (Scope 1 + Scope 2) and increasing our renewable energy consumption at our owned, managed, and leased assets. In part, we must work through applicable property owners' associations that we do not control to achieve these goals. We may also take additional actions related to climate change and environmental sustainability voluntarily or in response to increased regulations in the future that would materially increase the costs to develop and operate our resorts, which could have an adverse impact on our profitability even though such actions may be necessary to increase the long-term sustainability of our business. We also must continue to develop appropriate internal and disclosure controls designed such that our disclosed achievements against our environmental goals are accurately reported. Current and future international operations expose us to additional challenges and risks that may not be inherent in operating solely in the U.S. due to different social or cultural norms and practices that are not customary in the U.S., geographical distance and language barriers, including our ability to sell products and services, enforce intellectual property rights and staff and manage operations.

In connection with our business, we and our service providers collect and retain large volumes of certain types of personal and proprietary information pertaining to our customers, shareholders, and employees. Such information includes, but is not limited to, large volumes of customer credit and payment card information, customer travel documents, other identification documents, account numbers, and other personally identifiable information. We are subject to attack by cyber-criminals (including nation state-sponsored or nation state-supported organizations, terrorist organizations, criminal enterprises and other actors) operating on a global basis attempting to gain access to such information as well as our source code information, and the integrity and protection of that customer, shareholder, and employee data and proprietary information is critical to us. While we maintain what we believe are reasonable security controls over personal and proprietary information (including the personal information of customers, shareholders, and employees), and our information technology staff regularly assesses and identifies vulnerabilities in our information technology and cybersecurity systems and controls, breaches of or breakdowns in our systems that result in the theft, loss, access to, fraudulent use or other unauthorized release of personal, confidential or other proprietary information, source code information, or other data have occurred in the past and may occur in the future. While we have sought and will continue to seek to appropriately address and remedy these vulnerabilities as they are identified, we cannot assure you that all such vulnerabilities will be adequately or timely remediated to prevent unauthorized access to our information technology systems in the future. In addition, any such cyber-attacks could persist for an extended period of time without detection, which could likely have a material adverse effect on our brands, reputation, customer confidence in us, business, financial condition and results of operations, as well as subject us to significant regulatory actions and fines, litigation, losses, third-party damages and other liabilities. Such a breach or a breakdown could also materially increase our costs to protect such information and to protect and insure against such risks. Our and our third-party service providers' vulnerability to attack exists in relation to known and unknown threats. As a consequence, the security measures we deploy are not perfect or impenetrable, and we may likely be unable to anticipate or prevent all unauthorized access attempts made on our systems or those of our third-party service providers. Data breaches and other serious cyber incidents have increased globally, along with the sophistication of the methods and techniques of the intrusions and complexity of the attacks, including use of viruses, ransomware and other malicious software, phishing and other ever-evolving efforts to discover and exploit any design flaws, bugs or other security vulnerabilities. Continued geopolitical turmoil (including the ongoing conflict between Russia and Ukraine and the ongoing conflicts in the Middle East) has heightened the risk of cyber-attacks. We have experienced and likely will continue to experience, such cyber-attacks. Further, because methods used by third-party actors to obtain unauthorized access to or interference with information systems are ever-evolving, they may not be identified until long after they are used against a target and, as a result, our cybersecurity measures then in place may be inadequate in preventing any such intrusion or in identifying or assessing the breadth or significance of any such intrusion. Also, the same cybersecurity threats exist for the third parties with whom we interact (such as parties providing us software or services) or share information, and cyber-attacks on third parties with which we interact or which possess, use or have access to our customer, and other information have in the past adversely impacted us in the same way as a direct cyber-attack on us. Additionally, we currently have a hybrid work environment in which many corporate associates work both in the office and remotely on an ongoing basis. The increase in the number of our associates working remotely has increased certain risks to our business, including increased demand on our information technology resources and systems, and greater potential for phishing and other cybersecurity attacks. While to date no such cyber-attacks have had, individually or in the aggregate, any known material adverse impact on our operations or financial results, we cannot guarantee that cyber-attacks have not gone generally undetected or without general recognition of magnitude or will not continue to occur in the future, any of which could materially adversely affect our brands, reputation, consumer confidence in us, costs, and profitability. Our information technology infrastructure (including our, and our third-party service providers', information systems and legacy proprietary online reservation and management systems) has been and will likely continue to be vulnerable to system failures such as server malfunction or software or hardware failures, computer hacking, phishing attacks, user error, cyber-terrorism, loss of data, computer viruses, ransomware and malware installation, and other intentional or unintentional interference, negligence, fraud, misuse and other unauthorized attempts to access or interfere with these systems and our personal and proprietary information. In addition, as we continue to transition from our legacy systems to new, cloud-based technologies and other technology systems, we will likely continue to face issues that may negatively impact customers, other individuals and third parties. In addition, as we pursue new initiatives that are designed to improve our operations and cost structure, the expansion and implementation of new technologies and systems (including our increasing use, and the likely increasing use by our third-party service providers, of artificial intelligence ("AI") technologies) carries significant potential risks, including failure to operate as designed, potential loss of or corruption of information, changes in security processes, implementation delays, and disruption of operations. The increased scope and complexity of our information technology infrastructure and systems could contribute to the risk of future material security breaches or breakdowns, any of which could have a material adverse impact on our business, brands, reputation, and results of operations. Further, if we fail to fully assess, identify and address all cybersecurity risks associated with acquisitions (such as our recent acquisition of Accor Vacation Club) or fail successfully to integrate all information technology systems of such acquired businesses into and with our existing technology framework and cybersecurity controls, we would become increasingly vulnerable to all of the above risks. Additionally, we are subject to federal, state, and international laws and regulations relating to the collection, use, retention, security and transfer of personally identifiable information and individual payment data. The information, security and privacy requirements imposed by such laws and regulations are constantly evolving and are becoming increasingly demanding in the U.S., both at the federal and state levels, and in other jurisdictions where we operate. Aspects of these laws and regulations, as well as their enforcement, remain unclear, and foreign laws and regulations are often more restrictive or burdensome than those in the U.S. Moreover, we have incurred and will likely continue to incur significant costs relating to compliance with these laws and regulations, including costs related to updating certain business practices and systems. Further, any changes to laws or regulations, including new restrictions or requirements applicable to our business, or an increase in enforcement of existing laws and regulations, such as restricting use or sharing of consumer data, including for marketing or advertising or limiting the use of, limiting our ability to provide certain consumer data to our customers, or otherwise regulating artificial intelligence ("AI") and machine learning (including the use of algorithms and automated processing), could expose us to additional costs and liability. In addition, should we violate or not comply with any applicable laws, regulations, contractual requirements relating to data security and privacy, such as the recently adopted SEC rules requiring public companies to disclose material cybersecurity incidents to which they become subject on a Current Report on Form 8-K, or with our own privacy and security policies, either intentionally or unintentionally, or through the acts of intermediaries, it could have a material adverse effect on our brands, marketing, reputation, business, financial condition, and results of operations, as well as subject us to significant fines, litigation, losses, third-party damages and other liabilities.

We rely on information technologies and systems to operate our business, which involves reliance on third-party service providers and on uninterrupted operation of service facilities, including those used for our travel clubs businesses, reservation systems, payments systems, vacation exchange systems, property management, communications, procurement, member record databases, call centers, operation of our loyalty programs and administrative systems. We also maintain physical facilities to support these systems and related services. Our backup systems and disaster recovery systems, or those of our third-party service providers, may be insufficient to address or prevent breakdown of systems, loss of critical information or prolonged interruption. A natural disaster, cyberattack, disruption or other impairment in our technology capabilities and service facilities (including IT systems, data centers and backup systems, or those of our third-party service providers) could result in denial or interruption of service, significant investment in resources to restore and remedy such systems, prolonged outages and interruption, financial losses, customer claims, litigation or damage to our reputation, or otherwise harm our business and financial results. In addition, any failure of our ability to provide our reservation systems, as a result of failures related to us or our third-party providers, may deter prospective resort owners from entering into agreements with us, and may expose us to liability from other parties with whom we have contracted to provide reservation services. Similarly, any failure to keep pace with developments in technology and technology infrastructures (including continuing upgrades to our technology systems which interface with customers), which is a significant part of our business, could impair our operations, financial results and competitive position. Further, any failure to keep pace with new or innovative use of technologies (including digital technologies within the leisure travel and timeshare industry, as well as evolutionary changes in social media (including third-party social media sites) which consumers increasingly rely upon for assessments and decisions concerning travel and vacation information) could adversely impact our competitive position and future prospects. Our industry is marked by rapid technological developments and innovations (such as the use of AI and machine learning) and evolving industry standards. The development, adoption and use for AI and machine learning technologies are still in their early stages and the development of AI technologies is complex, involving technical challenges associated with achieving the desired level of accuracy, efficiency, and reliability. Developing, testing, and deploying resource-intensive AI systems may require additional investment and increase our costs and any failure of our business continuity planning as to any of these matters could have a material adverse impact on our business, brand, and financial results.

We believe that our business success and future growth depends, in part, on the continued services of our senior management team, including our President and CEO, Michael D. Brown, and on our ability to successfully implement succession plans for members of our senior management team. The loss of any members of our senior management team, or the failure to identify qualified successors for such positions, could adversely affect our strategic growth and customer relationships, and impede our ability to execute our business strategies. Additionally, lack of sufficient effective leadership may lead to low morale, higher turnover, and decreased ability to execute our strategy. Also, insufficient numbers of talented associates could constrain our ability to maintain and expand our business. We compete with other companies both within and outside of our industry for talented personnel. If we cannot recruit, train, develop and retain sufficient numbers of talented associates, we could experience increased associate turnover, decreased guest satisfaction, low morale, inefficiency, or internal control failures.

We carry insurance for general liability, property, business interruption, cybersecurity, directors and officers ("D&O"), and other insurable risks with respect to our business operations. We also self-insure for certain risks up to certain monetary limits. The terms and conditions or the amounts of coverage of our insurance may not at all times be sufficient to pay or reimburse us for the amount of our liabilities, losses or replacement costs. There are risks for which we do not carry insurance for the full range of possible outcomes or at all concerning a potential loss or liability, due to the cost, availability or terms and conditions of such insurance. As a result, we may incur liabilities or losses in the operation of our business that are substantial and not sufficiently covered by the insurance we maintain, or at all, which could have a material adverse effect on our business, financial condition and results of operations. Following the significant property and casualty losses incurred by the insurance industry due to hurricanes, wildfires, cybersecurity breaches and other events, as well as market dynamics (such as those resulting from the recent rapid increase in interest rates), insurance costs have increased and may be higher (and availability may be lower) in future periods. In addition, increased storm intensity, increased wildfires and rising sea levels as well as other natural disasters, whether resulting from climate change or other factors, have increased and will likely in the future increase the cost and decrease the available coverage levels of property insurance, particularly in certain geographies which have been or may be viewed as more likely in the future to be subject to such events and natural disasters.

Our international operations are subject to numerous risks, including exposure to local economic conditions; potential adverse changes in the diplomatic relations of foreign countries with the U.S.; hostility from local populations; potential changes in the regulation of timeshare products by foreign countries, such as occurred in Australia; political instability; threats or acts of war, hostilities, or terrorism; the presence and acceptance of varying levels of business corruption in international markets and the effect of various anti-corruption and other laws; restrictions and taxes on the withdrawal of foreign investment and earnings; government policies against businesses or properties owned by non-U.S. citizens; investment restrictions or requirements; diminished ability to legally enforce our contractual rights in foreign countries; forced nationalization of assets by local, state or national governments; foreign exchange restrictions; fluctuations in foreign currency exchange rates, including negative impacts of the weakening of foreign currencies in geographic regions in which we operate relative to the U.S. dollar; our ability to, or our decision whether or not in particular instances to, hedge against foreign currency effects, and whether we are successful in any such hedging transactions; conflicts between local laws and U.S. laws including laws that impact our rights to protect our intellectual property; withholding and other taxes on remittances and other payments by subsidiaries; and changes in and application of foreign taxation structures including value added taxes. Any of these risks or any adverse outcome resulting from the financial instability or performance of foreign economies, the instability or weakening of other currencies and the related volatility on foreign exchange and interest rates, could impact our results of operations, financial position or cash flows.