Risk Factors - MCO

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

$MCO Risk Factor changes from 00/02/15/23/2023 to 00/02/14/25/2025

ITEM 1A.

RISK FACTORSPlease carefully consider the following discussion of significant factors, events and uncertainties that make an investment in the Company’s securities risky and provide important information for the understanding of the “forward-looking” statements discussed in Item 7 of this Form 10-K and elsewhere. RISK FACTORSPlease carefully consider the following discussion of significant factors, events and uncertainties that make an investment in the Company’s securities risky and provide important information for the understanding of the “forward-looking” statements discussed in Item 7 of this Form 10-K and elsewhere.

These risk factors should be read in conjunction with the other information in this annual report on Form 10-K.The events and consequences discussed in these risk factors could, in circumstances the Company may not be able to accurately predict, recognize, or control, have a material adverse effect on Moody’s business, financial condition, operating results (including components of the Company’s financial results such as sales and profits), cash flows and stock price. These risk factors do not identify all risks that Moody’s faces. The Company could also be affected by factors, events, or uncertainties that are not presently known to the Company or that the Company currently does not consider to present significant risks.

In addition to the effects of general economic conditions, including inflation and related monetary policy actions in response to inflation, changes in international conditions, including the impact of ongoing or new developments in the Russia-Ukraine military conflict and the military conflict in the Middle East, and resulting global disruptions on our business and operations discussed in Item 7 of this Form 10-K and in the risk factors below, additional or unforeseen effects from the global economic climate may give rise to or amplify many of these risks discussed below. In addition to the effects of general economic conditions, including inflation and related monetary policy actions in response to inflation, and resulting global disruptions on our business and operations discussed in Item 7 of this Form 10-K and in the risk factors below, additional or unforeseen effects from the global economic climate may give rise to or amplify many of these risks discussed below. A. Legal and Regulatory RisksMoody’s Faces Risks Related to Laws and Regulations that Affect the Financial Industry, Including the Credit Rating Industry, Moody's Businesses and Moody’s Customers.Moody’s is subject to extensive regulation by federal, state and local authorities in the U.S. and by foreign jurisdictions. and in foreign jurisdictions. These regulations, the most important of which are discussed in further detail below, are complex, continually evolving and have tended to become more stringent over time. Additionally, changes in the Presidential administration, changes in Congress, and recent judicial actions may increase the uncertainty with regard to potential changes in these laws and regulations and the enforcement of any new or existing legislation or directives by government authorities.

See “Regulation” in Part I, Item 1 of this annual report on Form 10-K for more information.Further, speculation concerning the impact of legislative and regulatory initiatives, including initiatives related to the emerging technology of AI systems, operational resilience, data privacy and climate-related risks, among others, that our products and services incorporate, and the increased uncertainty over potential liability and adverse legal or judicial determinations may negatively affect Moody's stock price, affect demand for our products and services, increase our costs of operations and impact our future business plans. Further, the Company's compliance and efforts to reduce the risk of fines, penalties or other sanctions can result in significant expenses. The Company’s compliance and efforts to mitigate the risk of fines, penalties or other sanctions can result in significant expenses. Legal proceedings that are increasingly lengthy can result in uncertainty over and exposure to liability. MOODY'S 2024 10-K 23Table of ContentsMoody's Investors Service. MIS operates in a highly regulated industry. The current U.S. laws and regulations relating to MIS, including the Reform Act and the Dodd-Frank Act:–seek to encourage, and may result in, increased competition among CRAs and in the credit rating business;–may result in alternatives to credit ratings, changes in the pricing of credit ratings, and/or diminished intellectual property protection relating to credit ratings and related research produced by MIS;–restrict the use of information in the development or maintenance of credit ratings;–increase regulatory oversight of the credit markets and CRA operations;–provide the SEC with direct jurisdiction over CRAs that seek NRSRO status, and grant authority to the SEC to inspect the operations of CRAs; and–provide for enhanced oversight standards and specialized pleading standards, which may result in increases in the number of legal proceedings claiming liability for losses suffered by investors on rated securities and aggregate legal defense costs.In addition to the extensive and evolving U.S. laws and regulations governing the credit rating industry, foreign jurisdictions have taken measures to regulate CRAs and the markets for credit ratings that significantly impact the operations and the markets for the Company's ratings-related products and services. In particular, the EU has adopted a common regulatory framework for CRAs operating in the EU, continues to monitor the credit rating industry and analyze approaches that may strengthen existing regulation. In particular, the EU has adopted a common regulatory framework for CRAs operating in the EU and continues to monitor the credit rating industry and analyze approaches that may strengthen existing regulation. The U.K. also has adopted a regulatory framework for CRAs that is based on the EU version. Credit ratings emanating from outside the EU are subject to ESMA's oversight if they are endorsed into the EU, and ratings endorsed into the U. Credit ratings emanating from outside the EU are subject to ESMA’s oversight if they are endorsed into the EU. K. are similarly subject to oversight of the FCA. Additionally, other foreign jurisdictions, such as Australia and Hong Kong and China, have taken measures to increase regulation of CRAs and markets for credit ratings. Additionally, other foreign jurisdictions have taken measures to increase regulation of CRAs and markets for credit ratings. A failure to comply with these procedural and substantive requirements also exposes MIS to the risk of regulatory enforcement action which could result in financial penalties or, in serious cases, affect its ability to conduct credit rating activities in certain jurisdictions. A failure to comply with these procedural and substantive requirements also exposes MIS Hong Kong to the risk of regulatory enforcement action which could result in financial penalties or, in serious cases, affect its ability to conduct credit rating activities in Hong Kong. For example:–MIS is subject to formal regulation and periodic or other inspections in the EU and other foreign jurisdictions, such as, but not limited to, the U.K., Australia, Singapore, Japan, and Hong Kong, where it operates through registered subsidiaries.–In the EU and the U.K., applicable rules include procedural requirements with respect to credit ratings of sovereign issuers, liability for intentional or grossly negligent failure to abide by applicable regulations, mandatory analyst rotation requirements, and restrictions on CRAs or their shareholders if certain ownership thresholds are crossed., applicable rules include procedural requirements with respect to credit ratings of sovereign issuers, liability for intentional or grossly negligent failure to abide by applicable regulations, mandatory rotation requirements of CRAs hired by issuers of securities for credit ratings of resecuritizations, and restrictions on CRAs or their shareholders if certain ownership thresholds are crossed. Additional procedural and substantive requirements include conditions for the issuance of credit ratings, rules regarding the organization of CRAs, restrictions on activities deemed to create a conflict of interest, including requirements that fees be based on costs and non-discriminatory, special requirements for credit ratings of structured finance instruments.–In Hong Kong, applicable rules include liability for the intentional or negligent dissemination of false and misleading information and procedural requirements for the notification of certain matters to regulators. –In Hong Kong, applicable rules include liability for the intentional or negligent dissemination of false and misleading information and procedural requirements for the notification of certain matters to regulators. In addition, MIS Hong Kong is subject to a code of conduct applicable to CRAs that imposes procedural and substantive requirements on the preparation and issuance of credit ratings, restrictions on activities deemed to create a conflict of interest including the disclosure of its compensation arrangements with rated entities and special requirements for credit ratings of structured finance instruments.–In China, while MIS is not a licensed CRA, it does issue global credit ratings on Chinese issuers from offices outside of China. –In China, while MIS is not a licensed CRA, it does issue global credit ratings on Chinese issuers from offices outside of China. In addition, the Company holds a 30% investment in CCXI, a domestic CRA licensed in China. China has laws applicable to domestic CRAs as well as foreign investment in such entities and entities in general (including national security review). –In Australia, unless an exemption applies, CRAs are required to hold an Australian financial services license (AFSL) if they carry on a business of providing credit ratings in Australia. MIS Australia holds an AFSL authorizing it to provide general advice to wholesale clients only by issuing a credit rating. It is therefore required to comply with obligations as an AFSL holder including the requirement to provide financial services efficiently, honestly, and fairly, to manage conflicts of interest, and to comply with the conditions of its AFSL (which conditions include specific conditions about credit ratings).Future laws and regulations could extend to products and services not currently regulated. Future laws and regulations could extend to products and services not currently regulated. These regulations could:–affect the need for debt securities to be rated;–expand supervisory remits to include credit ratings issued outside the home jurisdiction;–increase the level of competition for credit ratings, including the distribution of credit ratings;–establish criteria for credit ratings or limit the entities authorized to provide credit ratings;–restrict the collection, use, accuracy, correction and sharing of information by CRAs; or–regulate pricing (for example to require fees that are based on costs and are non-discriminatory) on products and services provided by MA such as those products that incorporate credit ratings and research originated by MIS. These regulations could: (i) affect the need for debt securities to be rated, (ii) expand supervisory remits to include credit ratings issued outside the home jurisdiction and used for regulatory purposes, (iii) increase the level of competition in the market for credit ratings, (iv) establish criteria for credit ratings or limit the entities authorized to provide credit ratings, (v) restrict the collection, use, accuracy, correction and sharing of personal information by CRAs, or (vi) regulate pricing (for example to require fees that are based on costs and are non-discriminatory) on products and services provided by MA such as those products that incorporate credit ratings and research originated by MIS. In turn, such developments may affect MIS’s communications with issuers as part of the rating assignment process, alter the manner in which MIS’s credit ratings are developed, assigned and communicated, affect the manner in which MIS or its customers or users of credit ratings operate, impact the demand for MIS’s credit ratings or alter the economics of the credit ratings business, including by restricting or mandating business models for CRAs. For example, new laws and regulations may affect MIS’s communications with issuers as part of the rating assignment process, alter the manner in which MIS’s credit ratings are developed, assigned and communicated, affect the manner in which MIS or its customers or users of credit ratings operate, impact the demand for MIS’s credit ratings and alter the economics of the credit ratings business, including by restricting or mandating business models for CRAs. It is difficult to accurately assess the future impact of legislative 24 MOODY'S 2024 10-KTable of Contentsand regulatory requirements on MIS’s business and its customers’ businesses. If these laws and regulations, and any future rulemaking or court rulings, reduce demand for credit ratings or increase costs, MIS may be unable to pass such costs through to customers.If these laws and regulations, and any future rulemaking or court rulings, reduce demand for credit ratings or increase costs, Moody’s may be unable to pass such costs through to customers. Additionally, legislative and regulatory initiatives that apply to CRAs and credit markets generally may affect Moody’s in a disproportionate manner. Although these legislative and regulatory initiatives apply to CRAs and credit markets generally, they may affect Moody’s in a disproportionate manner. Each of these developments increase the costs and legal risk associated with the issuance of credit ratings and can have a material adverse effect on Moody’s operations, profitability and competitiveness, the demand for credit ratings and the manner in which such ratings are utilized. Moody's Analytics. Certain of MA’s subscription products contain credit ratings data and related research produced by MIS, and often are used by MA customers for regulatory compliance purposes, including determination of capital charges and regulatory reporting.Regulations concerning the issuance of credit ratings and the activities of CRAs, including the dissemination of ratings data, are likely to continue to be considered in the future, including, for example, provisions regarding fair and reasonable availability of ratings data, the terms and conditions associated with such data feeds, remuneration for data and the nature of the information to be included in credit opinions. Other laws, regulations and rules are being considered or are likely to be considered in the future may impact MA products and services, for example, by requiring certain information to be provided free of charge. MA’s other products and services, in particular its offering of products and services relating to sanctions, KYC and financial crime, are potentially subject to various laws and regulations affecting the collection, processing and sale of data-driven solutions. These laws and regulations generally are designed to protect information relating to individuals and small businesses, including information used for consumer credit reporting purposes, the data rights of individuals, and to prevent the unauthorized collection, access to and use of personal or confidential information available in the marketplace and prohibit certain deceptive and unfair acts. Additionally, refer to the risk factor entitled “The Company Is Exposed to Risks Related to Protection of Confidential and Personal Information.”New laws and regulations are likely to be enacted and existing laws and regulations may change or be interpreted and applied differently over time and from jurisdiction to jurisdiction, and it is possible they will be interpreted and applied in ways that will materially and adversely affect our business. As a result of current and future laws and regulations, our customers’ and other third parties’ use of our products and services, as well as our use of information supplied by our suppliers and other third parties, can lead to regulatory inquiries or actions or related private litigation against us. Changes in the applicability of laws and regulations could require MA to modify its data processing practices and policies and restrict or dictate how MA collects, maintains, combines and disseminates information, which could have a material adverse effect on Moody’s business, financial condition or results of operations. In the future, the Company may be subject to significant additional expense to ensure continued compliance with laws and regulations applicable to MA and to investigate, defend or remedy actual or alleged violations. Additionally, refer to the risk factor entitled “The Company Is Exposed to Risks Related to Protection of Confidential and Personal Information.”Further, MA’s bank and financial services customers are subject to additional regulatory oversight. For example:–U.S. banking regulators, including the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System and the Consumer Financial Protection Bureau, as well as many state agencies, have issued guidance to insured depository institutions and other providers of financial services on assessing and managing risks associated with third-party relationships, which include all business arrangements between a financial services provider and another entity, by contract or otherwise, and generally requires banks and financial services providers to exercise comprehensive oversight throughout each phase of a bank or financial service provider’s business arrangement with third-party service providers, and instructs banks and financial service providers to adopt risk management processes commensurate with the level of risk and complexity of their third-party relationships. This guidance requires more rigorous oversight of third-party relationships that involve certain "critical activities."–Regulators in Europe and other foreign markets in which MA is active have issued guidance similar to that issued in the U.S. relating to financial institutions' assessment and management of risks associated with third-party relationships. For example, in December 2022, the EU adopted DORA, which will apply from early 2025 and will require EU financial institutions to have a comprehensive governance and control framework of the management of information and communications technology risks, including risks relating to third-party providers of technology and data such as MA. In light of this, MA’s existing or potential bank and financial services customers subject to this guidance have sought to and may further revise their third-party risk management policies and processes and the terms on which they do business with MA.–In China, MA is licensed to provide subscriptions to credit research and ratings data and other information relevant to the financial markets. China has laws applicable to Moody’s that are broadly crafted, and the implementation, interpretation and enforcement of such laws are subject to the broad discretion of Chinese regulators, which could affect the Company’s ability to conduct business in China.The EU AI Act has introduced a risk-based framework for regulating AI systems which applies different obligations to various actors in the AI supply chain. These rules apply to, among others, product manufacturers incorporating AI systems into regulated products sold into the EU as well as to providers whose AI systems or their outputs are made available in the EU. This Act will increase costs to MA including cost of establishing processes and procedures around applicability and implementation of the Act’s requirements for MA products and services. MA also faces a risk of cost of penalties or fines due to noncompliance.MOODY'S 2024 10-K 25Table of ContentsLegal and regulatory developments can result in delayed or reduced sales to MA’s customers, adversely affect MA’s relationship with such customers, increase the costs of doing business with such customers and/or result in MA assuming greater financial and legal risk under its agreements with such customers.The Company Faces Exposure to Litigation and Government Regulatory Proceedings, Investigations and Inquiries (Including Competition Market Studies) Related to Rating Opinions and Other Business Practices.The Company Faces Exposure to Litigation and Government Regulatory Proceedings, Investigations and Inquiries Related to Rating Opinions and Other Business Practices. Moody’s faces exposure to litigation and government and regulatory proceedings, investigations and inquiries (including market studies) related to MIS’s ratings actions, as well as other business practices and products within both MIS and MA.Moody’s faces exposure to litigation and government and regulatory proceedings, investigations and inquiries related to MIS’s ratings actions, as well as other business practices and products within both MIS and MA. When the market value of credit-dependent instruments has declined or defaults have occurred, whether as a result of difficult economic times, rapid changes in interest rates, decreased liquidity, turbulent markets or otherwise, the number of investigations and legal proceedings that Moody’s has faced has increased significantly. When the market value of credit-dependent instruments has declined or defaults have occurred, whether as a result of difficult economic times, turbulent markets or otherwise, the number of investigations and legal proceedings that Moody’s has faced has increased significantly. Parties who invest in securities rated by MIS or issued by MIS-rated entities have pursued claims against MIS or Moody’s for losses they faced in their portfolios. Parties who invest in securities rated by MIS have pursued claims against MIS or Moody’s for losses they faced in their portfolios. For instance, Moody’s faced numerous class action lawsuits and other litigation, government investigations and inquiries (including market studies) concerning events linked to the U. For instance, Moody’s faced numerous class action lawsuits and other litigation, government investigations and inquiries concerning events linked to the U. S. subprime residential mortgage sector and broader deterioration in the credit markets during and after the financial crisis of 2007-2008. subprime residential mortgage sector and broader deterioration in the credit markets during the financial crisis of 2007-2008. Evolving and/or inconsistent expectations regarding climate-risk and other sustainability disclosures and reporting could also result in increased regulatory scrutiny and new regulatory actions at a corporate and business unit level. MA’s offering of products and services relating to sanctions, KYC and financial crime may result in increased regulatory scrutiny and could expose the Company to increased risk of litigation from data subjects and other third-parties, including due to potential inaccuracies in the products and services we offer, as well as regulatory recordkeeping requirements associated with our services. Additionally, as Moody’s develops its Gen AI product offerings and/or increases its use of Gen AI, the Company may face increased regulatory scrutiny and exposure to increased litigation. Legal proceedings and regulatory inquiries and investigations impose additional expenses on the Company and require the attention of senior management to an extent that may significantly reduce their ability to devote time to addressing other business issues, and any of these proceedings, investigations or inquiries (including market studies) could ultimately result in adverse judgments, damages, fines, penalties or activity restrictions. All of these evolving compliance and operational requirements have required changes to certain business practices, thereby increasing costs, requiring significant management time and attention, and subjecting the Company to negative publicity, as well as remedies that may harm its business, including fines, modified demands or orders, the cessation of existing business practices, and exposure to litigation, regulatory actions, sanctions or other statutory penalties. Risks relating to legal proceedings are heightened in foreign jurisdictions that lack the legal protections or liability standards comparable to those that exist in the U.S. In addition, new laws and regulations have been and may continue to be enacted that establish lower liability standards, shift the burden of proof or relax pleading requirements, thereby increasing the risk of successful litigations in the U.S. and in foreign jurisdictions. These litigation risks are often difficult to assess or quantify. Moody’s may not have adequate insurance or reserves to cover these risks, and the existence and magnitude of these risks often remain unknown for substantial periods of time. Furthermore, when Moody’s is unable to achieve dismissals at an early stage and litigation matters proceed to trial, the aggregate legal defense costs incurred by Moody’s increase substantially, as does the risk of an adverse outcome.Additionally, as litigation or the process to resolve pending matters progress, Moody’s will continue to review the latest information available and may change its accounting estimates, which could require Moody’s to record or increase liabilities in the consolidated financial statements in future periods.Additionally, as litigation or the process to resolve pending matters progresses, Moody’s will continue to review the latest information available and may change its accounting estimates, which could require Moody’s to record or increase liabilities in the consolidated financial statements in future periods. See Note 21 to the consolidated financial statements for more information regarding ongoing investigations and civil litigation that the Company currently faces. Due to the potential number of these proceedings and the significant amount of damages that could be sought, there is a risk that Moody’s will be subject to judgments, settlements, fines, penalties or other adverse results that have a material adverse effect on its business, operating results and financial condition. Due to the number of these proceedings and the significant amount of damages sought, there is a risk that Moody’s will be subject to judgments, settlements, fines, penalties or other adverse results that have a material adverse effect on its business, operating results and financial condition. The Company Is Exposed to Risks Related to Its Compliance and Risk Management Programs.Moody’s operates in a number of countries, and as a result the Company is required to comply with and quickly adapt to numerous international and U.S. federal, state and local laws and regulations. The Company’s ability to comply with applicable laws and regulations, including anti-corruption, antitrust, economic and trade sanctions, and securities trading laws, the Reform Act, the Dodd-Frank Act and regulations thereunder, is largely dependent on its establishment and maintenance of compliance, review and reporting systems, as well as its ability to attract and retain qualified compliance and risk management personnel. The Company’s ability to comply with applicable laws and regulations, including anti-corruption, antitrust and securities trading laws, is largely dependent on its establishment and maintenance of compliance, review and reporting systems, as well as its ability to attract and retain qualified compliance and risk management personnel. Moody’s policies and procedures to identify, evaluate and manage the Company’s risks, including risks resulting from acquisitions and from Gen AI developments (such as maintaining the quality and integrity of data of Gen AI product offerings), may not be fully effective, and Moody’s employees or agents may engage in misconduct, fraud or other errors. Moody’s policies and procedures to identify, evaluate and manage the Company’s risks, including risks resulting from acquisitions, may not be fully effective, and Moody’s employees or agents may engage in misconduct, fraud or other errors. It is not always possible to deter such errors, and the precautions the Company takes to prevent and detect this activity may not be effective in all cases. If Moody’s employees violate its policies or if the Company’s risk management methods are not effective, the Company may be subject to criminal and civil liability, the suspension of the Company’s employees, fines, penalties, regulatory sanctions, injunctive relief, exclusion from certain markets or other penalties, and may suffer harm to its reputation, financial condition and operating results.Moody’s Faces Risks Related to Protecting Its Intellectual Property Rights.Moody’s considers many aspects of its products and services to be proprietary. Failure to protect the Company’s intellectual property adequately could harm its reputation and affect the Company’s ability to compete effectively. Businesses the Company acquires also involve intellectual property portfolios, which increase the challenges the Company faces in protecting its strategic advantage. In addition, the Company’s operating results can be adversely affected by inadequate or changing legal and technological protections for intellectual property and proprietary rights in some jurisdictions and markets, including if and how rights in these markets evolve to address unauthorized or unintended use of intellectual property from new technologies like Gen AI. In addition, the Company’s operating results can be adversely affected by inadequate or changing legal and technological protections for intellectual property and proprietary rights in some jurisdictions and markets. The lack of strong legal and technological intellectual property protections in foreign jurisdictions in which we operate may increase our vulnerability and may pose risks to our business. From time to time, laws are passed that require publication of certain information, in some cases at no cost, that the Company considers to be its intellectual property and that it currently sells or licenses for a fee, which could result in lost revenue.26 MOODY'S 2024 10-KTable of ContentsUnauthorized third parties may also try to obtain and use technology or other information that the Company regards as proprietary. It is also possible that Moody’s competitors or other entities could obtain patents or other intellectual property rights related to the types of products and services that Moody’s offers, and attempt to require Moody’s to stop developing or marketing the products or services, to modify or redesign the products or services to avoid infringing, or to obtain licenses from the holders of the intellectual property in order to continue developing and marketing the products and services. It is also possible that Moody’s competitors or other entities could obtain patents related to the types of products and services that Moody’s offers, and attempt to require Moody’s to stop developing or marketing the products or services, to modify or redesign the products or services to avoid infringing, or to obtain licenses from the holders of the patents in order to continue developing and marketing the products and services. Even if Moody’s attempts to assert or protect its intellectual property rights through litigation, it may require considerable cost, time and resources to do so, and there is no guarantee that the Company will be successful. The Company’s ability to establish, maintain and protect its intellectual property and proprietary rights against theft, misappropriation or infringement could be materially and adversely affected by insufficient and/or changing proprietary rights and intellectual property legal protections in some jurisdictions and markets. These risks, and the cost, time and resources needed to address them, may increase as the Company’s business grows and its profile rises in countries with intellectual property regimes that are less protective than the rules and regulations applied in the United States.Moody’s Faces Risks Related to Tax Matters, Including Changes in Tax Rates or Tax Rules.As a global company, Moody’s is subject to taxation in the United States and various other countries and jurisdictions. As a result, our effective tax rate is determined based on the taxable income and applicable tax rates in the various jurisdictions in which the Company operates. Moody’s future tax rates could be affected by changes in the composition of earnings in countries or states with differing tax rates or other factors, including by increased earnings in jurisdictions where Moody’s faces higher tax rates, losses incurred in jurisdictions for which Moody’s is not able to realize the related tax benefit, or changes in foreign currency exchange rates. Changes in the tax, accounting and other laws, treaties, regulations, policies and administrative practices, or changes to their interpretation or enforcement, including changes applicable to multinational corporations such as the Base Erosion Profit Shifting and the global minimum tax rate initiatives being led by the OECD, which requires companies to disclose more information to tax authorities on operations around the world, and the EU’s state aid rulings, could have a material adverse effect on the Company’s effective tax rate, results of operations and financial condition and may lead to greater audit scrutiny of profits earned in various countries. Changes in the tax, accounting and other laws, treaties, regulations, policies and administrative practices, or changes to their interpretation or enforcement, including changes applicable to multinational corporations such as the Base Erosion Profit Shifting and the global minimum tax rate initiatives being led by the Organization for Economic Co-operation and Development, which requires companies to disclose more information to tax authorities on operations around the world, and the European Union’s state aid rulings, could have a material adverse effect on the Company’s effective tax rate, results of operations and financial condition and may lead to greater audit scrutiny of profits earned in various countries. In addition, Moody’s is subject to regular examination of its income tax returns by the IRS and other tax authorities around the world.In addition, Moody’s is subject to regular examination of its income tax returns by the Internal Revenue Service and other tax authorities around the world. Moody’s regularly assesses the likelihood of favorable or unfavorable outcomes resulting from these examinations to determine the adequacy of its provision for income taxes, including unrecognized tax benefits; however, developments in an audit or litigation could materially and adversely affect the Company. Although the Company believes its tax estimates and accruals are reasonable, there can be no assurance that any final determination will not be materially different than the treatment reflected in its income tax provisions, accruals and unrecognized tax benefits, which could materially and adversely affect the Company’s business, operating results, cash flows and financial condition.During 2023, multiple foreign jurisdictions in which the Company operates have enacted legislation to adopt a minimum tax rate described in the GloBE or Pillar II, tax model rules issued by the OECD. A minimum ETR of 15% would apply to multinational companies with consolidated revenue above €750 million with an effective date beginning in 2024. Under the GloBE rules, a company would be required to determine a combined ETR for all entities located in a jurisdiction. If the jurisdictional tax rate is less than 15%, an additional tax will be due to bring the jurisdictional effective tax rate up to 15%. While the Pillar II minimum tax requirement is not currently anticipated to have a material impact on the Company’s results of operations or financial position, management is evaluating and will continue to monitor the potential impact of the Pillar II global minimum tax proposals on our consolidated financial statements and related disclosures.B. Risks Related to our Business The Company is Exposed to Legal, Economic, Operational and Regulatory Risks of Operating in Multiple Jurisdictions.Moody’s conducts operations in various countries outside the U.S. and derives a significant portion of its revenue from foreign sources. Changes in the economic condition of the various foreign economies in which the Company operates have an impact on the Company’s business. For example, economic uncertainty in the Eurozone or elsewhere, including, but not limited to, in Latin America, China or the Middle East, affects the number of securities offerings undertaken within those particular areas. For example, economic uncertainty in the Eurozone or elsewhere, including, but not limited to, in Latin America or China, affects the number of securities offerings undertaken within those particular areas. In addition to the risks addressed elsewhere in this section, operations abroad expose Moody’s to a number of legal, economic and regulatory risks such as:–economic and geopolitical events and market conditions, such as the Russia-Ukraine military conflict and the military conflict in the Middle East, including the effect of these events and conditions on customers, customer retention and demands for our products and services;–fluctuations in interest rates and credit spreads, and exposure to exchange rate movements between foreign currencies and USD;–restrictions on the ability to convert local currency into USD and the costs, including the tax impact, of repatriating cash held by entities outside the U. In addition to the risks addressed elsewhere in this section, operations abroad expose Moody’s to a number of legal, economic and regulatory risks such as:–economic and geopolitical market conditions, including the effect of these conditions on customers and customer retention;–exposure to exchange rate movements between foreign currencies and USD;–restrictions on the ability to convert local currency into USD and the costs, including the tax impact, of repatriating cash held by entities outside the U. S.;–U.S. laws affecting overseas operations, including domestic and foreign export and import restrictions, tariffs and other trade barriers and restrictions, such as those related to the U.S.’s relationship with China and embargoes and sanctions laws with respect to Russia, including the Russia-Ukraine military conflict. For example, U.S. economic sanctions have increasingly targeted Chinese persons. In response, China issued a blocking statute that establishes a framework for limiting the effect of foreign sanctions on Chinese persons. Blocking statutes typically create conflicts of law. An entity that is subject to conflicting MOODY'S 2024 10-K 27Table of Contentslaws in multiple jurisdictions may need to determine a means to comply with such laws. An entity that is subject to conflicting laws in multiple jurisdictions may need to determine a means to comply with such laws. Such conflicts could eventually affect the ability of entities to adhere to applicable laws or continue to operate in certain jurisdictions;–differing and potentially conflicting legal or civil liability, compliance and regulatory standards;–current and future regulations relating to the imposition of mandatory rotation requirements on CRAs hired by issuers of securities;–uncertain, evolving and new laws and regulations, including those applicable to the financial services industries, such as the EU’s implementation of DORA in January 2025, and to the protection of intellectual property and to the emergence of LLMs in the context of Gen AI and other technologies, such as the EU AI Act, including the effect of these laws and regulations on our customers and on the products and services that we offer;–uncertainty regarding the future relationship and increasing tensions between the U.S. and China, which may result in further restrictions or actions by the U.S. government with respect to doing business in China and/or by the Chinese government with respect to business conducted by foreign entities in China;–the possibility of nationalization, expropriation, price controls and other restrictive governmental actions;–competition with CRAs that have greater familiarity, longer operating histories and/or support from local governments or other institutions;–uncertainties in obtaining reliable data and creating products and services relevant to particular geographic markets;–reduced protection for intellectual property rights;–longer payment cycles and possible problems in collecting receivables;–differing accounting principles and standards;–difficulties in staffing and managing foreign operations;–difficulties and delays in translating documentation into foreign languages; –potentially adverse tax consequences; and –complexities of compliance with employment laws, various proposed and enacted data privacy laws, and cybersecurity rules in numerous jurisdictions. government with respect to doing business in China and/or by the Chinese government with respect to business conducted by foreign entities in China;–the possibility of nationalization, expropriation, price controls and other restrictive governmental actions;–competition with CRAs that have greater familiarity, longer operating histories and/or support from local governments or other institutions;–uncertainties in obtaining data and creating products and services relevant to particular geographic markets;–reduced protection for intellectual property rights;–longer payment cycles and possible problems in collecting receivables;–differing accounting principles and standards;–difficulties in staffing and managing foreign operations;–difficulties and delays in translating documentation into foreign languages; –potentially adverse tax consequences; and –complexities of compliance with employment laws and new data and cybersecurity rules in numerous jurisdictions. Additionally, Moody’s is subject to complex U.S., foreign and other local laws and regulations that are applicable to its operations abroad, such as laws and regulations governing economic and trade sanctions, tariffs, embargoes, and anti-corruption including the Foreign Corrupt Practices Act of 1977, the U.K. Bribery Act of 2010 and other similar local laws. The internal controls, policies and procedures and employee training and compliance programs to deter prohibited practices the Company has implemented may not be effective in preventing employees, contractors or agents from violating or circumventing such internal policies or from material violations of applicable laws and regulations. Any determination or allegations, even if unfounded, that the Company has violated sanctions, anti-bribery or anti-corruption laws could have a material adverse effect on Moody’s business, operating results and financial condition. Compliance with international and U.S. laws and regulations that apply to the Company’s international operations increases the cost of doing business in foreign jurisdictions. Violations of such laws and regulations may result in severe fines and penalties, criminal sanctions, administrative remedies and restrictions on business conduct and could have a material adverse effect on Moody’s reputation, its ability to attract and retain employees, its business, operating results and financial condition. Violations of such laws and regulations may result in severe fines and penalties, criminal sanctions, administrative remedies, and restrictions on business conduct and could have a material adverse effect on Moody’s reputation, its ability to attract and retain employees, its business, operating results and financial condition. Moody’s Operations are Exposed to Risks from Infrastructure Malfunctions or Failures.Moody’s ability to conduct business may be materially and adversely impacted by a disruption in the infrastructure that supports its businesses and the communities in which Moody’s is located, including: (i) New York City, the location of Moody’s headquarters, (ii) major cities worldwide in which Moody’s has offices, and (iii) locations that may be affected by the Russia-Ukraine military conflict and the military conflict in the Middle East.Moody’s ability to conduct business may be materially and adversely impacted by a disruption in the infrastructure that supports its businesses and the communities in which Moody’s is located, including: (i) New York City, the location of Moody’s headquarters, (ii) major cities worldwide in which Moody’s has offices, (iii) locations in Europe that may be affected by the conflict in Russia/Ukraine; and (iv) locations in China used for certain Moody’s work. This may include a disruption involving physical or technological infrastructure (whether or not controlled by the Company), including the Company’s electronic delivery systems, the Company's data center facilities, or the Internet, used by the Company or third parties with or through whom Moody’s conducts business. Many of the Company’s products and services are delivered electronically and the Company’s customers depend on the Company’s ability to receive, store, process, transmit and otherwise rapidly handle very substantial quantities of data and transactions on computer-based networks. Some of Moody’s operations require complex processes and the Company’s extensive controls to reduce the risk of error inherent in our operations cannot eliminate such risk completely. To the extent the Company grows through acquisitions, newly acquired businesses may not have invested in technological infrastructure and disaster recovery to the same extent as Moody's has. To the extent the Company grows through acquisitions, newly acquired businesses may not have invested in technological infrastructure and disaster recovery to the same extent as Moody's has. As their systems are integrated into Moody's, a vulnerability could be introduced, which could impact platforms across the Company. The Company’s customers also depend on the continued capacity, reliability and security of the Company’s telecommunications, data centers, networks and other electronic delivery systems, including its websites and connections to the Internet. The Company’s employees also depend on these systems for internal use. Any significant failure, compromise, cyber-breach, interruption or a significant slowdown of operations of the Company’s infrastructure, whether due to human error, capacity constraints, hardware failure or defect, weather (including climate-related risks), natural disasters, fire, power loss, telecommunication failures, break-ins, 28 MOODY'S 2024 10-KTable of Contentssabotage, intentional acts of vandalism, acts of terrorism, political unrest, pandemic, war or otherwise, may impair the Company’s ability to deliver its products and services. Any significant failure, compromise, cyber-breach, interruption or a significant slowdown of operations of the Company’s infrastructure, whether due to human error, capacity constraints, hardware failure or defect, weather (including climate change), natural disasters, fire, power loss, telecommunication failures, break-ins, sabotage, intentional acts of vandalism, acts of terrorism, political unrest, pandemic (including the COVID-19 pandemic), war or otherwise, may impair the Company’s ability to deliver its products and services. Moody’s efforts to secure and plan for potential disruptions of its major operating systems may not be successful. The Company also relies on third-party providers, including, increasingly, cloud-based service providers, to provide certain essential services. The Company relies on third-party providers, including, increasingly, cloud-based service providers, to provide certain essential services. While the Company believes that such providers are generally reliable, the Company has limited control over the performance of such providers. While the Company believes that such providers are reliable, the Company has limited control over the performance of such providers. To the extent any of the Company’s third-party providers ceases to provide these services in an efficient, cost-effective manner or fails to adequately expand its services to meet the Company’s needs and the needs of the Company’s customers, the Company could experience lower revenues and higher costs. To the extent any of the Company’s third-party providers ceases to provide these services in an efficient, cost-effective manner or fails to adequately expand its services to meet the Company’s needs and the needs of the Company’s customers, the Company could MOODY'S 2022 10-K 27Table of Contentsexperience lower revenues and higher costs. Additionally, refer to the risk factor entitled “The Company Is Dependent on the Use of Third-Party Software, Data, Hosted Solutions, Data Centers, Cloud and Network Infrastructure (Together, the “Third-Party Technology”), and Any Reduction in Third-Party Product Quality or Service Offerings, Could Have a Material Adverse Effect on the Company’s Business, Financial Condition or Results of Operations.MOODY'S 2022 10-K 31Table of ContentsThe Company Is Dependent on the Use of Third-Party Software, Data, Hosted Solutions, Data Centers, Cloud and Network Infrastructure (Together, “Third Party Technology”), and Any Reduction in Third-Party Product Quality or Service Offerings, Could Have a Material Adverse Effect on the Company’s Business, Financial Condition or Results of Operations. ”Additionally, although the Company maintains processes to prevent, detect and recover from a disruption, the Company also does not have fully redundant systems for most of its smaller office locations and low-risk systems, and its disaster recovery plan does not include restoration of non-essential services. Additionally, although the Company maintains processes to prevent, detect and recover from a disruption, the Company also does not have fully redundant systems for most of its smaller office locations and low-risk systems, and its disaster recovery plan does not include restoration of non-essential services. If a disruption occurs in one of Moody’s locations or systems and its personnel in those locations or those who rely on such systems are unable to utilize other systems or communicate with or travel to other locations, such persons’ ability to service and interact with Moody’s customers will suffer. The Company cannot predict with certainty all of the adverse effects that could result from the Company’s failure, or the failure of a third party, to efficiently address and resolve these delays and interruptions. A disruption to Moody’s operations or infrastructure may have a material adverse effect on its reputation, business, operating results and financial condition.The Economics of the Company’s Business is Dependent on the Volume of Debt Securities Issued in Domestic and/or Global Capital Markets. Recent Financial Market Conditions, Including Decreased Asset Levels and Flows into Investment Vehicles, Increases in Interest Rates and Other Volatility Has Had, and May Continue to Have, a Material Adverse Impact on the Volume of Debt Securities Issued.Moody’s business is impacted by general economic conditions and volatility in world financial markets. Furthermore, issuers of debt securities have increasingly elected to issue securities without ratings or securities which are rated or evaluated by non-traditional parties such as financial advisors, rather than traditional CRAs, such as MIS. Companies are also increasingly accessing alternative sources of financing, such as loans and debt financing from non-bank lenders that do not involve a CRA-issued credit rating. A majority of Moody’s credit-rating-based revenue is transaction-based, and therefore it is especially dependent on the number and dollar volume of debt securities issued in the capital markets. Conditions that reduce issuers’ ability or willingness to issue debt securities, such as interest rate and market volatility, declining growth, currency devaluations, changes in laws (including tax-related laws) or other adverse economic trends, reduce the number and dollar-equivalent volume of debt issuances for which MIS provides ratings services and thereby adversely affect the fees Moody’s earns in its ratings business. Conditions that reduce issuers’ ability or willingness to issue debt securities, such as market volatility, declining growth, currency devaluations, changes in laws (including tax-related laws) or other adverse economic trends, reduce the number and dollar-equivalent volume of debt issuances for which Moody’s provides ratings services and thereby adversely affect the fees Moody’s earns in its ratings business. Current market, economic and government factors could negatively impact the volume of debt securities issued in global capital markets and the demand for credit ratings, which is materially and adversely affect the Company’s business, operating results and financial condition.Current market, economic and government factors are negatively impacting the volume of debt securities issued in global capital markets and the demand for credit ratings, which is materially and adversely affecting the Company’s business, operating results and financial condition. These factors include increases in or uncertainty around interest rates (as well as related monetary policy by governments in the response to factors such as inflation, inflationary pressures, increases or volatility in mortgage rates, widening credit spreads, regulatory and political developments (including the change in the U.S. Presidential administration and uncertainty in various jurisdictions where Moody's operates), difficult economic conditions, growth in the use of alternative sources of credit, and defaults by significant issuers. Further declines or other changes in the markets for debt securities may materially and adversely affect the Company’s business, operating results, financial condition, cash flows and prospects.Moody’s initiatives to reduce costs to counteract a decline in its business may not be sufficient.Moody’s initiatives to reduce costs to counteract a decline in its business, including the 2022 - 2023 Geolocation Restructuring Program, may not be sufficient. Cost reductions may be difficult or impossible to obtain in the short term, due in part to rent, technology, compliance, compensation and other fixed costs associated with some of the Company’s operations as well as the need to monitor outstanding ratings. Cost reductions, including those associated with this program, may be difficult or impossible to obtain in the short term, due in part to rent, technology, compliance, compensation and other fixed costs associated with some of the Company’s operations as well as the need to monitor outstanding ratings. Further, cost-reduction initiatives, including those under-taken to date, could make it difficult for the Company to rapidly expand operations in order to accommodate any unexpected increase in the demand for ratings. Further volatility in the financial markets, including decreases in the volumes of debt securities, increases in interest rates, and fluctuations in credit spreads, may have a material adverse effect on the business, operating results and financial condition, which the Company may not be able to successfully offset with cost reductions. Further volatility in the financial markets, including continued decreases in the volumes of debt securities and increases in interest rates, may have a material adverse effect on the business, operating results and financial condition, which the Company may not be able to successfully offset with cost reductions. The Introduction of Competing Products, Technologies or Services by Other Companies Can Negatively Impact the Nature and Economics of the Company’s Business.The markets for credit ratings, research, credit risk management services, business intelligence and analytical services are highly competitive and characterized by rapid technological change, including change based on our Gen AI offerings, disruption by the Gen AI offerings of others, changes in customer and investor demands, and evolving regulatory requirements, industry standards and market preferences.The markets for credit ratings, research, credit risk management services, business intelligence and analytical services are highly competitive and characterized by rapid technological change, changes in customer and investor demands, and evolving regulatory requirements, industry standards and market preferences. The ability to develop and successfully launch and maintain innovative products, technologies and services that anticipate customers’ and investors’ changing requirements and utilize emerging technological trends in a timely and cost-effective manner is a key factor in maintaining a competitive market position. Moody’s competitors include both established companies with significant financial resources, brand recognition, market experience and technological expertise, and smaller companies which may be more agile and better poised to quickly adopt new or emerging technologies or respond to customer requirements. Moody’s competitors include both established companies with significant financial resources, brand recognition, market experience and technological expertise, and smaller companies which may be better poised to quickly adopt new or emerging technologies or respond to customer requirements. Competitors may develop quantitative methodologies or related services, including services based on Gen AI, for assessing credit risk that customers and market participants may deem preferable, more cost-effective or more valuable than the credit risk assessment methods currently employed by Moody’s, or may position, price or market their products in manners that differ from those utilized by Moody’s. Competitors may develop quantitative methodologies or related services for assessing credit risk that customers and market participants may deem preferable, more cost-effective or more valuable than the credit risk assessment methods currently employed by Moody’s, or may position, price or market their products in manners that differ from those utilized by Moody’s. The increased presence of Gen AI in the market could also lead to increased expectations from customers and market participants that higher quality information will be delivered on advanced timelines. Moody’s also MOODY'S 2024 10-K 29Table of Contentscompetes indirectly against consulting firms and technology and information providers, some of whom are also suppliers to Moody’s; these indirect competitors could in the future choose to compete directly with Moody’s, cease doing business with Moody’s or change the terms under which they do business with Moody’s in a way that could negatively impact our business. Moody’s also competes indirectly against consulting firms and technology and information providers, some of whom are also suppliers to Moody’s; these indirect competitors could in the future choose to compete directly with Moody’s, cease doing business with Moody’s or change the terms under which they do business with Moody’s in a way that could negatively impact our business. In addition, customers or others may develop alternative, proprietary systems for assessing risk, including credit and climate risk. Such developments could affect demand for Moody’s products and services and its growth prospects. Further, the increased availability in recent years of free or relatively inexpensive information, online and through the use of Gen AI, may reduce the demand for Moody’s products and services. Further, the increased availability in recent years of free or relatively inexpensive internet information may reduce the demand for Moody’s products and services. Moody’s growth prospects and operating margins also could be adversely affected by Moody’s failure to make necessary or optimal capital infrastructure expenditures and improvements and the inability of its information technologies to provide adequate capacity and capabilities to meet increased demands of producing quality ratings and research products at levels achieved by competitors. Moody’s growth prospects also could be adversely affected by Moody’s failure to make necessary or optimal capital infrastructure expenditures and improvements and the inability of its information technologies to provide adequate capacity and capabilities to meet increased demands of producing quality ratings and research products at levels achieved by competitors. Any inability of Moody’s to compete successfully may have a material adverse effect on its business, operating results and financial condition.The Company Faces Increased Pricing Pressure from Competitors and/or Customers.There is price competition in the credit rating, research, and credit risk management segments, as well as in the segment for research, business intelligence and analytical services offered by MA.There is price competition in the credit rating, research, and credit risk management markets, as well as in the market for research, business intelligence and analytical services offered by MA. Moody’s faces competition globally from other CRAs and from investment banks and brokerage firms that offer credit opinions in research, as well as from in-house research operations. Competition for customers and market share has spurred more aggressive tactics by some competitors in areas such as pricing and services, as well as increased competition from non-NRSROs that evaluate debt risk for issuers or investors. In addition, the emergence of Gen AI and other technologies may further intensify these pressures, as the Company's competitors may use these tools to deliver solutions at lower prices, or these tools may be used in a way that significantly increases access to publicly available information. At the same time, a challenging business environment and consolidation among both competitors and customers, particularly those involved in structured finance products and commercial real estate, and other factors affecting demand may enhance the market power of competitors and reduce the Company’s customer base. Recent weak economic growth has intensified competitive pricing pressures, which may result in customers’ use of free or lower-cost information that is increasingly becoming available from alternative sources or their development of alternative, proprietary systems for assessing credit risk that replace the products currently purchased from Moody’s. Recent weak economic growth has intensified competitive pricing pressures, which may result in customers’ use of free or lower-cost information that is available from alternative sources or their development of alternative, proprietary systems for assessing credit risk that replace the products currently purchased from Moody’s. While Moody’s seeks to compete primarily on the basis of the quality of its products and services, it can lose market share when its pricing is not sufficiently competitive. In addition, the Reform Act was designed to encourage competition among rating agencies. The formation of additional NRSROs may increase pricing and competitive pressures. Furthermore, in some of the countries in which Moody’s operates, governments may provide financial or other support to local rating agencies. Any inability of Moody’s to compete successfully with respect to the pricing of its products and services will have a material adverse impact on its business, operating results and financial condition.The Company Is Exposed to Reputation and Credibility Concerns.Moody’s reputation and the strength of its brand are key competitive strengths. To the extent that the credit rating business as a whole or Moody's, relative to its competitors, suffers a loss in credibility, Moody’s business will be significantly impacted. To the extent that the rating agency business as a whole or Moody's, relative to its competitors, suffers a loss in credibility, Moody’s business will be significantly impacted. Factors that may have already affected credibility and could potentially continue to have an impact in this regard include the appearance of conflicts of interest, the performance of securities relative to the ratings assigned to such securities, the timing and nature of changes in ratings and rating methodologies, a major compliance failure, negative perceptions or publicity and increased criticism by users of ratings, regulators and legislative bodies, including as to the ratings process, or the Company’s recent sustainability strategies and our incorporation of climate- and other sustainability-related risks in the Company's rating process, and intentional, poor representation of our products and services by our partners or agents, manipulation of our products and services by third parties, or unintentional misrepresentations of Moody’s products and services in advertising materials, public relations information, social media or other external communications. Factors that may have already affected credibility and could potentially continue to have an impact in this regard include the appearance of a conflict of interest, the performance of securities relative to the rating assigned to such securities, the timing and nature of changes in ratings, a major compliance failure, negative perceptions or publicity and increased criticism by users of ratings, regulators and legislative bodies, including as to the ratings process, including as to the Company’s recent ESG initiatives, and its implementation with respect to one or more securities and intentional, poor representation of our products and services by our partners or agents, manipulation of our products and services by third parties, or unintentional misrepresentations of Moody’s products and services in advertising materials, public relations information, social media or other external communications. Operational errors, including calculation or methodological errors, or errors in software or data, whether by Moody’s or a Moody’s competitor, could also harm the reputation of the Company or the industries in which the Company operates. Additionally, as Moody's develops its Gen AI product offerings, the Company may incur risks or challenges in its adoption, such as falling behind market expectations for the performance and cost savings related to these offerings, as well as for Moody's perceived expertise regarding these offerings, that could lead to reputational harm. Damage to reputation and credibility could have a material adverse impact on Moody’s business, operating results and financial condition, as well as on the Company’s ability to find suitable candidates for acquisition.Our reputation or business could be negatively impacted by ESG matters and our reporting of such mattersOver the past several years, both in the United States and internationally, regulators, certain investors and other stakeholders have focused on various environmental, social policy, human rights, and other sustainability matters. We communicate certain sustainability initiatives, goals and commitments (including with respect to environmental matters, social matters and other matters), in our various public disclosures, Task Force on Climate-related Financial Disclosures Report, on our website, in our filings with the SEC and elsewhere. These goals or commitments could be challenging to achieve and costly to implement, and could result in scrutiny, criticism or claims from certain stakeholders, including governmental authorities, regulators, shareholders and customers that could negatively impact our business or reputation. Furthermore, MIS incorporates climate and other sustainability-related risks in its rating process, which also could cause reputational risk or could lead to litigation. The Company could fail to achieve, or be perceived to fail to achieve, our net zero 2040 commitment or other sustainability-related initiatives, goals or commitments. Furthermore, we could be criticized for the timing, scope or nature of these initiatives, goals or commitments, or for any changes to them. To the extent that our required and voluntary disclosures about such sustainability matters increase, we could be criticized for the accuracy, sufficiency or completeness of such disclosures. We could be subject to litigation or regulatory enforcement actions regarding the accuracy, sufficiency or completeness of our sustainability-related 30 MOODY'S 2024 10-KTable of Contentsdisclosures. Our actual or perceived failure to achieve our sustainability-related initiatives, goals or commitments could negatively impact our reputation or otherwise materially harm our business.Moody’s Is Exposed to Risks Related to Loss of Skilled Employees and Related Compensation Cost Pressures.Moody’s success depends upon its ability to recruit, retain and motivate highly skilled, experienced professionals, including financial analysts, data scientists and software engineers.Moody’s success depends upon its ability to recruit, retain and motivate highly skilled, experienced professionals, including financial analysts. Competition for skilled individuals in the financial services and technology industries is intense, and Moody’s ability to attract high quality employees could be impaired if it is unable to offer competitive compensation and other incentives or if the regulatory environment mandates restrictions on or disclosures about individual employees that would not be necessary in competing industries. Competition for skilled individuals in the financial services industry is intense, and Moody’s ability to attract high quality employees could be impaired if it is unable to offer competitive compensation and other incentives or if the regulatory environment mandates restrictions on or disclosures about individual employees that would not be necessary in competing industries. Rising expenses including wage inflation, and global labor shortages could adversely affect Moody’s ability to attract and retain high-quality employees. As greater focus has been placed on executive compensation at public companies, in the future, Moody’s may be required to alter its compensation practices in ways that adversely affect its ability to attract and retain talented employees. Investment banks, investors and competitors may seek to attract analyst talent by providing more favorable working conditions or offering significantly more attractive compensation packages than Moody’s. Moody’s also may not be able to identify and hire the appropriate qualified employees in some markets outside the U.S. with the required experience or skills to perform sophisticated credit analysis. We could also fail to effectively respond to evolving perceptions and goals of those in our workforce or whom we might seek to hire, including with respect to flexible or remote working arrangements or other matters. We could also fail to effectively respond to evolving perceptions and goals of those in our workforce or whom we might seek to hire, including in response to changes brought on by the COVID-19 pandemic, with respect to flexible working or other matters. Also, the emergence and adoption Gen AI technologies has required and will continue to require upskilling and additional training of Moody's employees, making retention and training increasingly important. There is a risk that even when the Company invests significant resources in attempting to attract, train and retain qualified personnel, it will not succeed in its efforts, and its business could be harmed. Further, employee expectations in areas such as ESG have been evolving. A failure to adequately meet employee expectations may result in an inability to attract and retain talented employees.Moody’s is highly dependent on the continued services of Robert Fauber, the Company's President and Chief Executive Officer, and other senior officers and key employees.Moody’s is highly dependent on the continued services of Robert Fauber, the President and Chief Executive Officer, and other senior officers and key employees. The loss of the services of skilled personnel for any reason and Moody’s inability to replace them with suitable candidates quickly or at all, as well as any negative market perception resulting from such loss, could have a material adverse effect on Moody’s business, operating results and financial condition.Moody’s Acquisitions, Dispositions and Other Strategic Transactions or Investments May Not Produce Anticipated Results Exposing the Company to Future Significant Impairment Charges Relating to Its Goodwill, Intangible Assets or Property and Equipment.MOODY'S 2022 10-K 29Table of ContentsMoody’s Acquisitions, Dispositions and Other Strategic Transactions or Investments May Not Produce Anticipated Results Exposing the Company to Future Significant Impairment Charges Relating to Its Goodwill, Intangible Assets or Property and Equipment. Moody’s regularly evaluates and enters into acquisitions, dispositions or other strategic transactions and investments to strengthen its business and grow the Company. Such transactions and investments present significant challenges and risks. The Company faces intense competition for acquisition targets, especially in light of industry consolidation, which may affect Moody’s ability to complete such transactions on favorable terms or at all. Additionally, the Company makes significant investments in technology, including software for internal use, which can be expensive, time-intensive and complex to develop and implement. The anticipated growth, synergies and other strategic objectives of completed transactions may not be fully realized, and a variety of factors may adversely affect any anticipated benefits from such transactions. Any strategic transaction involves a number of risks, including unanticipated challenges regarding integration of operations, technologies and new employees; the existence of liabilities or contingencies not disclosed to or otherwise known by the Company prior to closing a transaction; unexpected regulatory and operating difficulties and expenditures; scrutiny from competition and antitrust authorities; failure to retain key personnel of the acquired business; future developments that impair the value of purchased goodwill or intangible assets; diversion of management’s focus from other business operations; failure to implement or remediate controls, procedures and policies appropriate for a larger public company at acquired companies that prior to the acquisition lacked such controls, procedures and policies; disputes or litigation arising out of acquisitions or dispositions; challenges retaining the customers of the acquired business; coordination of product, sales, marketing and program and systems management functions; integration of employees from the acquired business into Moody’s organization; integration of the acquired business’s accounting, information technology, human resources, legal and other administrative systems with Moody’s; risks that acquired systems expose us to cybersecurity risks; and for foreign transactions, additional risks related to the integration of operations across different cultures and languages, and the economic, political and regulatory risks associated with specific countries. The anticipated benefits from an acquisition or other strategic transaction or investment may not be realized fully, or may take longer to realize than expected. As a result, the failure of acquisitions, dispositions and other strategic transactions and investments to perform as expected may have a material adverse effect on Moody’s business, operating results and financial condition.At December 31, 2024, Moody’s had $5,994 million of goodwill and $1,890 million of intangible assets on its balance sheet.At December 31, 2022, Moody’s had $5,839 million of goodwill and $2,210 million of intangible assets on its balance sheet. Approximately 94% of the goodwill and intangible assets reside in the MA business and are allocated to the two reporting units within MA. Approximately 94% of the goodwill and intangible assets reside in the MA business, including those related to Bureau van Dijk and RMS, and are allocated to the two reporting units within MA. The remaining 6% of goodwill and intangible assets reside in MIS and primarily relate to ICRA. Failure to achieve business objectives and financial projections in any of these reporting units could result in a significant asset impairment charge, which would result in a non-cash charge to operating expenses. Goodwill and intangible assets are tested for impairment on an annual basis and also when events or changes in circumstances indicate that impairment may have occurred. Determining whether an impairment of goodwill exists can be especially difficult in periods of market or economic uncertainty and turmoil, and requires significant management estimates and judgment. In addition, the potential for goodwill impairment is increased during periods of economic uncertainty. An asset impairment charge could have a material adverse effect on Moody’s business, operating results and financial condition.MOODY'S 2024 10-K 31Table of ContentsOur business could be negatively impacted by climate change.MOODY'S 2022 10-K 23Table of ContentsMoody’s Faces Risks Related to Financial Reforms Outside the U. As a global company, our employees and offices are subject to risks related to the impact of climate change. We have offices in locations that are vulnerable to the effects of climate change and extreme weather. In addition, continued reliable energy sources are critical for business continuity globally and those sources too can be impacted by extreme weather. In addition, continued reliable energy sources are critical for business continuity globally and those sources too can be impacted by extreme weather. The frequency and impact of extreme weather events on critical infrastructure has the potential to disrupt the Company’s ongoing operations, as well as the operations of our vendors and customers, and may result in losses and additional costs to maintain or resume operations. The frequency and impact of extreme weather events on critical infrastructure has the potential to disrupt the Company’s ongoing operations, as well as the operations of our vendors and customers, and may result in losses and additional costs to maintain or resume operations. C. Technology RisksThe Company Is Exposed to Risks Related to Cybersecurity and Protection of Confidential Information. Technology RisksThe Company Is Exposed to Risks Related to Cybersecurity and Protection of Confidential Information. The Company’s operations rely on the secure processing, storage and transmission of confidential, sensitive, proprietary and other types of information.The Company’s operations rely on the secure processing, storage and transmission of confidential, sensitive, proprietary and other types of information relating to its business operations and confidential and sensitive information about its customers and employees in the Company’s computer systems and networks, and in those of its third party vendors. Such information relates to its business operations and confidential and sensitive information about its customers and employees in the Company’s computer systems and networks, and in those of its third-party vendors. The Company also often has access to MNPI and other confidential information concerning its customers, including public and private companies, sovereigns, and other third parties, and their customers, suppliers or transaction counterparties. Unauthorized disclosure of the foregoing information could cause our customers to lose faith in our ability to protect their confidential information, affecting the trading of their securities, damage their reputations or competitive positions and therefore cause customers to cease doing business with us, and potentially expose us to risk of litigation.The risks the Company faces range from cyber-attacks common to most industries, to more advanced threats that target the Company because of its prominence in the global marketplace, or due to its ratings of sovereign debt and corporate issuers. The risks the Company faces range from cyber-attacks common to most industries, to more advanced threats that target the Company because of its prominence in the global marketplace, or due to its ratings of sovereign debt. The Company and its third-party service providers, including our vendors, regularly experience cyber-attacks and data breaches of varying degrees. Cyber-attacks targeting Moody’s or Moody’s vendors’ technology and systems, whether from circumvention of security systems, denial-of-service attacks, ransomware, malware, hacking, social engineering or "phishing" attacks, deepfake attacks, computer viruses, employee or insider threats, malfeasance, supply chain attacks, physical breaches, vendor email compromise, payment fraud or other cyber-attacks some of which may be carried out by state-sponsored actors, may result in unauthorized access, exfiltration, manipulation or corruption of sensitive data, material interruptions or malfunctions in the Company’s or such vendors’ web sites or systems, applications, data processing, or disruption of other business operations. Such events may compromise the confidentiality, integrity, or availability of material information held by the Company (including information about Moody’s business, employees or customers), as well as other sensitive data, including personally identifiable information, the disclosure of which could lead to identity theft. The Company's MNPI concerning customers and clients could be improperly used by authorized or unauthorized parties, including for insider trading. The Company has implemented administrative, technical, and physical measures to detect and prevent unauthorized activity, but such precautions may not be successful.As the Company has grown and acquired businesses, IT guidelines have been developed and applied within business units or inherited from legacy organizations, which can result in internal differences in the Company's approach to IT standards until acquired entities are integrated. This creates a risk of developing unintended vulnerabilities and could result in additional costs, difficulty meeting new regulatory standards, or failing to meet customer expectations. The Company may be exposed to additional threats as it migrates its data from legacy systems to cloud-based solutions, and increased dependence on third-parties to store cloud-based data subjects the Company to further cyber risks. Additionally, the Company may be exposed to additional threats as the Company migrates its data from legacy systems to cloud-based solutions, and increased dependence on third parties to store cloud-based data subjects the Company to further cyber risks. Further, many of our employees work remotely, which magnifies the importance of the integrity of our remote access security measures and may expose the Company to additional cyber risks.The Company has invested and continues to invest in risk management and information security measures in order to protect its systems and data, including employee training, disaster plans, and technical defenses. Although Moody’s devotes significant resources to maintain and regularly update such systems and processes, measures that Moody’s takes to avoid, detect, mitigate or recover from material incidents can be expensive, and may be insufficient, circumvented, or may become ineffective. Further, Moody’s relies on third-party technical subject matter experts to assist in managing its cyber security risk management processes. While Moody’s employs such third parties to assist in strengthening its cybersecurity defenses, there can be no guarantee that any action taken as advised by such third party will be adequate or sufficient to address the evolving threat landscape. Additionally, any measures that Moody’s takes in connection with such third parties to avoid, detect, mitigate or recover from material cyber security threats or incidents can be expensive, and may be insufficient, circumvented, or may become ineffective.Additionally, the cost and operational consequences of implementing, maintaining and enhancing further data or system protection measures could increase significantly to overcome increasingly intense, complex and sophisticated global cyber threats. The cost and operational consequences of implementing, maintaining and enhancing further data or system protection measures could increase significantly to overcome increasingly intense, complex, and sophisticated global cyber threats. Gen AI has contributed to an increase in the prevalence and sophistication of cyber threats, expanding the Company's exposure to disruptions. Despite the Company’s best efforts, it is not fully insulated from, and has in the past experienced, security threats and system disruptions. Although past incidents have not had a material adverse effect on the Company's operating results, there can be no assurance of a similar result in the future. Because the methods used for these systems cyberattacks are rapidly changing, the Company or its third-party vendors, despite significant focus and investment, may be unable to anticipate and/or deploy sufficient protections against such incidents. Because the methods used for these systems cyberattacks are rapidly changing, the Company, despite significant focus and investment, may be unable to anticipate/deploy sufficient protections against such incidents. Further, the extent of a particular security incident and the steps needed to investigate may not be immediately clear, and it may take a significant amount of time before such an investigation can be completed and full and reliable information about the incident, including the extent of the harm and how best to remediate it, is known. Recent well-publicized security breaches at other companies have led to enhanced government and regulatory scrutiny of the measures taken by companies to protect against cyber-attacks, and may in the future result in heightened cybersecurity compliance requirements, including additional regulatory expectations for oversight of third-party vendors and service providers. Cybersecurity incidents, including the accidental loss, inadvertent disclosure or unapproved dissemination of proprietary information or sensitive or 32 MOODY'S 2024 10-KTable of Contentsconfidential data, could cause reputational harm, loss of customers and revenue, fines, regulatory actions and scrutiny, sanctions or other statutory penalties, litigation, liability for failure to safeguard the Company’s customers’ information, or financial losses that are either not insured against or not fully covered through any insurance maintained by the Company. Cybersecurity incidents, including the accidental loss, inadvertent disclosure or unapproved dissemination of proprietary information or sensitive or confidential data, could cause reputational harm, loss of customers and revenue, fines, regulatory actions and scrutiny, sanctions or other statutory penalties, litigation, liability for failure to safeguard the Company’s customers’ information, or financial losses that are either not insured against or not fully covered through any insurance maintained by the Company. In addition, disclosure or media reports of actual or perceived security vulnerabilities to the Company’s systems or those of the Company’s third parties, even if no breach has been attempted or occurred, could lead to reputational harm, loss of customers and revenue, or increased regulatory actions oversight and scrutiny. Any of the foregoing may have a material adverse effect on Moody’s business, operating results and financial condition.The Company Is Exposed to Risks Related to Protection of Confidential and Personal InformationTo conduct its operations, the Company regularly moves data across national borders, and consequently is subject to a variety of continuously evolving and developing laws and regulations in the U.S. and abroad regarding privacy, data protection and data security, such as the Federal Trade Commission Act in the U.S., the GDPR in the EU, the GDPR in the U.K., the Cyber Security Law, the Data Security Law, and the Personal Information Protection Law in China and various other international, federal, state and local laws and regulations. The scope of the laws that may be applicable to Moody’s is often uncertain and may be conflicting, particularly with respect to foreign laws. For example, GDPR greatly increased the jurisdictional reach of European Union privacy law and added a broad array of requirements for processing personal data, including the public disclosure of significant data breaches. For example, GDPR, which became effective in May 2018, greatly increased the jurisdictional reach of European Union privacy law and added a broad array of requirements for processing personal data, including the public disclosure of significant data breaches. Failure to comply with GDPR requirements could result in penalties of up to 4% of annual worldwide revenue. Additionally, other countries have enacted or are enacting data localization laws that require data to stay within their borders. Further, laws such as the California Consumer Privacy Act of 2018 ("CCPA"), require among other things, covered companies to provide disclosures to consumers, and affords consumers the ability to opt-out of certain sales of personal information. A number of U.S. states have enacted data privacy laws, including the California Privacy Rights Act of 2020 (“CPRA”), and laws in Virginia, Colorado, Connecticut, Utah, Montana, Oregon and Texas, which became effective in 2023 and 2024. Data privacy laws have also been passed in numerous U.S. states, including Iowa, Indiana, Tennessee, Delaware, New Jersey, Kentucky, Maryland, Minnesota, Nebraska, New Hampshire and Rhode Island that will go into effect over the course of 2024, 2025 and 2026. The effects of non-compliance with the CCPA, CPRA and other similar data privacy laws are significant, and may require the Company to modify its data processing practices and policies and to incur additional costs and expenses. The effects of non-compliance with the CCPA, CPRA and other similar data privacy laws in other jurisdictions are significant, and may require the Company to modify its data processing practices and policies and to incur additional costs and expenses. All of these evolving compliance and operational requirements have required or could require in the future, changes to certain business practices, thereby increasing costs, requiring significant management time and attention, and subjecting the Company to negative publicity, as well as remedies that may harm its business, including fines, modified demands or orders, the cessation of existing business practices and exposure to litigation, regulatory actions, sanctions or other statutory penalties. All of these evolving compliance and operational requirements have required changes to certain business practices, thereby increasing costs, requiring significant management time and attention, and subjecting the Company to negative publicity, as well as remedies that may harm its business, including fines, modified demands or orders, the cessation of existing business practices, and exposure to litigation, regulatory actions, sanctions or other statutory penalties. The Company Is Dependent on the Use of Third-Party Software, Data, Hosted Solutions, Data Centers, Cloud and Network Infrastructure (Together, the “Third-Party Technology”), and Any Reduction in Third-Party Product Quality or Service Offerings, Could Have a Material Adverse Effect on the Company’s Business, Financial Condition or Results of Operations.MOODY'S 2022 10-K 31Table of ContentsThe Company Is Dependent on the Use of Third-Party Software, Data, Hosted Solutions, Data Centers, Cloud and Network Infrastructure (Together, “Third Party Technology”), and Any Reduction in Third-Party Product Quality or Service Offerings, Could Have a Material Adverse Effect on the Company’s Business, Financial Condition or Results of Operations. Moody’s relies on Third-Party Technology in connection with its product development and offerings and operations.Moody’s relies on Third Party Technology in connection with its product development and offerings and operations. The Company depends on the ability of Third-Party Technology providers to deliver and support reliable products, provide sufficient cloud computing capacity to meet demand, enhance their current products, develop new products on a timely and cost-effective basis, provide data necessary to develop and maintain its products and respond to emerging industry standards and other technological changes. The Company depends on the ability of Third Party Technology providers to deliver and support reliable products, enhance their current products, develop new products on a timely and cost-effective basis, provide data necessary to develop and maintain its products and respond to emerging industry standards and other technological changes. The Third-Party Technology Moody’s uses can become obsolete or restrictive, incompatible with future versions of the Company’s products, fail to be comprehensive or accurate, unavailable or fail to operate effectively, and Moody’s business could be adversely affected when the Company is unable to timely or effectively replace such Third-Party Technology. The Third Party Technology Moody’s uses can become obsolete or restrictive, incompatible with future versions of the Company’s products, fail to be comprehensive or accurate, unavailable or fail to operate effectively, and Moody’s business could be adversely affected when the Company is unable to timely or effectively replace such Third Party Technology. In addition, certain aspects of the Company’s business rely on a concentrated group of vendors, and a cybersecurity breach or event and/or an error caused by one or more of such vendors could have a significant impact on the Company’s operations, as well as the operations of the Company's customers and other Third-Party Technology. The Company also monitors its use of Third-Party Technology to comply with applicable license and other contractual requirements.The Company also monitors its use of Third Party Technology to comply with applicable license and other contractual requirements. Despite the Company’s efforts, the Company cannot ensure that such third parties will permit Moody’s use in the future, resulting in increased Third-Party Technology acquisition costs and loss of rights. In addition, the Company’s operating costs could increase if license or other usage fees for Third-Party Technology increase or the efforts to incorporate enhancements to Third-Party Technology are substantial. In addition, the Company’s operating costs could increase if license or other usage fees for Third Party Technology increase or the efforts to incorporate enhancements to Third Party Technology are substantial. Some of these third-party suppliers are also Moody’s competitors, increasing the risks noted above. In the ordinary course, third-parties, including the Company’s vendors, are subject to various forms of cyber-attacks or security incidents. In the ordinary course, our third-parties, including our vendors, are subject to various forms of cyber attacks. Vulnerabilities in our vendors' software, system or networks or failure of their safeguards, policies or procedures may cause material interruptions to Moody's or our vendors' websites, applications, or data processing, or could compromise the confidentiality or integrity of the impacted information. Additionally, the Company may be exposed to additional threats as the Company migrates its data from legacy systems to cloud-based solutions, and becomes increasingly dependent on third parties to store cloud-based data subjects. Additionally, the Company may be exposed to additional threats as the Company migrates its data from legacy systems to cloud-based solutions, and increased dependence on third parties to store cloud-based data subjects the Company to further cyber risks. To date, such attacks have not resulted in a material adverse impact to Moody’s business operations, but there can be no guarantee the Company will not experience such an impact in the future. To date, such attacks have not resulted in a material adverse impact to our business operations, but there can be no guarantee we will not experience such an impact. If any of these risks materialize, they could have a material adverse effect on the Company’s business, financial condition or results of operations. When any of these risks materialize, they could have a material adverse effect on the Company’s business, financial condition or results of operations. ITEM 1B. UNRESOLVED STAFF COMMENTSNone. UNRESOLVED STAFF COMMENTSNone. MOODY'S 2024 10-K 33Table of ContentsITEM 1C. CYBERSECURITY AND RISK MANAGEMENTGovernanceManagementThe Company maintains a dedicated internal cybersecurity team that interacts with executive management and its business units to identify, assess, manage, and respond to cybersecurity risks and incidents relating to the Company’s information systems and operations. In addition, this internal cybersecurity team is responsible for managing detection, mitigation and remediation of cybersecurity incidents. The internal cybersecurity team is managed by the CISO, who reports to the CAO, who is a member of the executive leadership team. At December 31, 2024, the Company’s internal cybersecurity team consisted of members located in various countries and time zones across the world. The team has members with experience in governance, risk management and compliance, threat monitoring, threat emulation, penetration testing and cyber incident management. Team members have both individual responsibilities and a team focus, covering areas such as network, endpoint device, and e-mail security engineering as well as operations and threat management, monitoring, and response.The Cyber Committee, chaired by the CISO, and whose members include the CTSO, CAO and Chief Risk & Resiliency Officer, as well as other members of senior management and the legal team, is responsible for identifying cybersecurity risks and threats, recommending mitigating actions to strengthen cybersecurity resilience, and meeting risk tolerance thresholds established by senior management. The Cyber Committee also validates that the Company has appropriate people, process and technology capabilities to identify, mitigate and report on cybersecurity risks to the executive leadership team and the Board of Directors. The Cyber Committee meets regularly to allow members of the internal cybersecurity team to present concerns and recommendations for decisions on preventing, identifying, mitigating, and remediating risks and threats. To the extent warranted, the Cyber Committee may additionally be convened on an ad hoc basis. The Cyber Committee makes decisions regarding the reporting of cybersecurity concerns to the executive leadership team, who escalate issues to the Board and/or the Audit Committee as necessary. In the case of incidents that arise, the Cyber Committee, under the direction of the Board and/or executive leadership team when appropriate, works to involve all appropriate personnel with the aim of resolving the incident, performing any required remediation/reporting, and taking appropriate steps to comply with applicable laws and regulations. The process that the Cyber Committee follows upon emergence of incidents is documented in the Company’s Incident Response Plan. Additionally, cybersecurity risks and the adequacy of associated mitigations are analyzed by senior leadership as part of the enterprise risk assessments that are reported to and discussed by the Board.The CISO has extensive cybersecurity knowledge and skills, gained from over 20 years’ experience working in regulated industries. The CISO holds a number of cybersecurity related certifications, including the Certified Information Systems Security Professional and Certified Information Security Manager. In addition to the CISO, the CTSO has been a close partner and advocate for cybersecurity at the Company, and is consulted or informed on all decisions or risks that affect the Company's technology systems and/or implicate cybersecurity. The CAO is responsible for overseeing the cybersecurity team at the executive leadership level. Board of Directors and Audit CommitteeThe Board provides oversight of management’s efforts to assess and manage cybersecurity risks and respond to cybersecurity incidents and threats. In addition, the Audit Committee of the Board of Directors regularly receives reports from management regarding the Company’s financial and compliance risks, including, but not limited to, risks relating to internal controls and cybersecurity risks.The Board receives regular updates from the CISO, CTSO, and CAO regarding matters related to technology and cybersecurity. The Company has protocols, as discussed below, by which certain cybersecurity concerns, incidents and threats are escalated within the Company and, where appropriate, reported in a timely manner to the Board.Risk Management and StrategyThe objective of the Company's comprehensive cybersecurity program is to assess, identify, and manage risks from cybersecurity incidents and threats. The Company's cybersecurity program leverages the NIST Framework and it incorporates training and awareness coupled with ongoing monitoring and assessment. The cybersecurity program is an important part of the Company’s enterprise risk management (ERM), with the head of the Company’s ERM program (the Chief Risk & Resiliency Officer) sitting on the Cyber Committee, and sets forth a process for escalating certain incidents to the Company’s ERM group integrated into the Company’s Incident Response Plan. As part of the cybersecurity program, the Company’s cybersecurity environment is monitored by automated tools on an ongoing basis and an internal cybersecurity team that reviews threats, alerts, and incidents. The Company’s Incident Response Plan provides governance and guidance in responding to information security incidents and is tested regularly for calibration against existing and emerging threats. The Incident Response Plan describes the process to be followed by the Cyber Committee in connection with the oversight of the cybersecurity environment and specific events that occur from time to time. The cybersecurity program undergoes periodic internal and external reviews. In addition, the Company's Internal Controls Department performs an independent assessment of the design and operating effectiveness of the Company’s network of cybersecurity controls in accordance with the NIST Framework. The results of the assessment are periodically shared with the Cyber Committee.The Company’s cybersecurity environment is also subject to routine vulnerability assessment processes. Internal and external teams, including the Cyber Committee, conduct activities such as penetration testing, red teaming, tabletop exercises and phishing drills. Results are measured and assessed for possible improvements. In addition to these ongoing efforts, the Company has a set 34 MOODY'S 2024 10-KTable of Contentsof third-party risk management tools through which it monitors for cybersecurity risks and threats associated with its third-party service providers. The Incident Response Plan includes processes that define how the Company manages and responds to such risks or threats associated with its third-party service providers.The Company contracts with reputable third parties to conduct annual external assessments of its cybersecurity program and its components. Government agencies and their contracted agents also conduct periodic reviews in certain jurisdictions where the Company operates. Insurance agents, customers and other market participants routinely assess the Company’s security posture relative to their own standards.Security Policy and RequirementsThe Company has an Information Security Policy and Information Security Standards, which, taken together, describe the standards and minimum requirements that are expected of all business and information security personnel to protect the Company’s information and technology assets. The policy provides a framework guided by security principles designed to address the confidentiality, integrity and availability of the Company’s information assets in the context of internal, external, deliberate and accidental threats, while supporting the Company’s information creation and sharing needs.The Company is subject to various privacy laws in the jurisdictions where it operates including CCPA and GDPR, as well as U.S. Federal regulation by the FTC, for certain privacy-related aspects of its business, and the Sarbanes-Oxley Act of 2002. The Company is audited in connection with requirements set forth in the Sarbanes-Oxley Act of 2002, and Moody’s Analytics obtains third-party audits in connection with the ISO 27001 certification and SOC 1 and SOC 2 attestation reports, respectively, for certain products. As previously mentioned, the Company also aligns with NIST standards in connection with information security, which it uses to evaluate its cybersecurity readiness and resilience, and is required to make various filings and comply with requirements in certain jurisdictions in which it operates.The Company’s cybersecurity program also includes an information security training and awareness program called InfoSafe for all employees. The program includes annual certification to having read and understood the Company's IT Use Policy, continuing education on phishing awareness, regular communications about cybersecurity best practices, and participation in annual events like Cybersecurity Awareness Month. Employees are expected to complete annual cybersecurity training, and compliance is monitored. The Company uses general and targeted phishing simulations to help employees better recognize and respond to potential threats. The training program is further enhanced by cybersecurity experts speaking at educational events. The Company also offers specialized training modules on emerging cybersecurity threats for its software development teams. The Company’s IT Use Policy outlines a detailed escalation process under which employees are to immediately report any suspected cybersecurity incident.The cybersecurity threat landscape is dynamic and volatile, and requires significant investment on the part of the Company in terms of talent recruitment and retention, as well as procuring and deploying the correct tools to address threats. Additional information on cybersecurity risks is discussed in Item 1A of Part I, “Risk Factors,” under the heading “Technology Risks,” which should be read in conjunction with the foregoing information..