Morningstar, Inc.
=== Risks Related to Our Information Technology and Security ===

'''''We could face significant reputational and financial consequences relating to cybersecurity and the protection of confidential information, including personal information about individuals.'''''

Our business requires that we securely collect, process, store, and transmit confidential information, including personal information, relating to our operations, customers, employees, and other third parties. We continuously invest in systems, processes, controls, and other security measures to guard against the risk of improper access to or release of such information. However, these measures do not guarantee absolute security, and improper access to or release of confidential information may still occur through employee error or malfeasance, system error, other inadvertent release, failure to properly purge and protect data, or cyberattack. We may suffer malicious attacks by individuals or groups (including those sponsored by nation-states, terrorist organizations, or global corporations) seeking to attack our products and services or penetrate our network infrastructure to gain access to intellectual property, confidential or personal information, or to facilitate distributed denial of service attacks. While we have dedicated resources responsible for maintaining appropriate levels of cybersecurity and implemented systems and processes intended to help identify cyberattacks and protect and remediate our network infrastructure, these attacks have become increasingly frequent, sophisticated, and difficult to detect. Even if we are not directly impacted by an attack, time and effort must be spent confirming our status and communicating internally and with other stakeholders.
Our measures may not be adequate for all eventualities and may be vulnerable to circumvention of security systems, denial of service attacks or other cyberattacks, hacking, “phishing” attacks, computer viruses, ransomware or malware, employee or insider error, employee or vendor malfeasance, social engineering, physical breaches or other malicious actions. Furthermore, these security measures are less effective in situations where employees are utilizing personal devices and home networks while working remotely. We may also be impacted by a cyberattack targeting one of our vendors or within our technology supply chain or infrastructure. Security breaches at government agencies and other companies have led to enhanced government and regulatory scrutiny of the measures taken by companies to protect against cyberattacks and may in the future result in heightened cybersecurity requirements, including additional regulatory expectations for oversight of customers, vendors, and service providers. These risks may be heightened as we offer employees flexibility to work more frequently from remote work environments, and our dependency on certain service providers, such as video conferencing and web conferencing services, has significantly increased. Our information technology systems interact with those of customers, vendors, and service providers and collect an increasing amount of data as we expand our product and service offerings. As a result, inadequacies of our customers’ security technologies and practices introduce additional risk and cost of monitoring, and may only be detected after a security breach has occurred.
Any failure to safeguard confidential information or any material cybersecurity failures or incidents in our systems (or the systems of a customer, vendor, or service provider which stores or processes confidential information for which we are responsible) could cause us to experience reputational harm, loss of customers, regulatory actions, sanctions or other statutory penalties, litigation, or financial losses and increased expenses related to addressing or mitigating the risks associated with any such material failures or incidents. In addition to the risks above related to general confidential information, we may also be subject to specific obligations relating to personal information and personal financial information. Our products and websites in certain cases collect, store, process, and transmit personal information about an individual, including personally identifiable information and personal financial information such as portfolio holdings, account numbers, and credit card information. Our business also operates across national borders and routinely moves personal information from one jurisdiction to another. Regulators and political leaders in various countries are increasingly interested in restricting cross-border data transfers that they perceive as problematic. We and our customers are often subject to federal, state, and foreign laws relating to privacy, cybersecurity, and data protection. The scope of the laws that may be applicable is often uncertain and required practices may be inconsistent with laws of other jurisdictions. Consequently, our business is subject to a variety of continuously evolving and possibly conflicting regulations and customer requirements. Our compliance with these changing and increasingly burdensome regulations and requirements may cause us to incur substantial costs or require us to change our business practices which may impact financial results. 
If we fail to comply with these regulations or requirements, we may be exposed to litigation expenses and possible significant liability, fees, or fines. For example, in the EU, noncompliance with the General Data Protection Regulation (GDPR) requirements could result in penalties of up to 4% of worldwide revenues. One of Morningstar’s core strengths is the ability to collect data and enrich it with data from another part of the business to provide valuable information and insights to investors. As data is accessible across our products, consistent data privacy practices and disclosure become more important and challenging. Failure to comply with our public statements or to adequately disclose our privacy or data protection practices could result in costly investigations by governmental authorities, litigation, and fines as well as reputational damage and customer loss. We also from time to time acquire other companies that collect and process personal information. While we perform extensive due diligence on the technology systems and practices of these companies, there can be no assurance that such companies have not suffered data breaches or system intrusions prior to or continuing after our acquisition for which we may be liable. Acquired businesses may not have invested as heavily in such security measures or data privacy controls and they introduce additional cybersecurity and data privacy risk as their systems are integrated with ours. While we maintain insurance coverage that is intended to address certain aspects of cybersecurity and data protection risks, such coverage may not be sufficient to cover all or the majority of the costs, losses, or types of claims. Our insurance coverage would not extend to any reputational damage, loss of customers, or required improvements to our systems.

'''''Failing to respond to technological change, keep pace with new technology developments, or adopt a successful technology strategy may negatively affect our competitive position and business results.'''''

We believe innovation in the financial technology landscape continues to accelerate. Developments in technology are fundamentally changing the ways investors, financial intermediaries, and other market participants access data and content. Examples include the shift from local network computing to cloud-based systems, the proliferation of wireless mobile devices, rapid acceleration in the use of social media platforms, the dissemination of data through application programming interfaces that permit real-time updating rather than raw data feeds, the proliferation of machine learning and other artificial intelligence technologies, and the adoption of distributed ledger or “blockchain” technologies. These technological developments can render our existing products less competitive, obsolete or unmarketable. As a result, our future success will continue to depend upon our ability to identify and develop new products and enhancements that address the future needs of our target markets and to deliver them in ways that support our customers’ business models. As our customers further automate their business processes, their need for our products may change and the technological flexibility and interoperability of our systems may become more important. For example, the pandemic accelerated advisor and client demand for digital, friction-free technology and experiences with our turnkey asset management platform, shining a light on dated, legacy operational workflows. In addition, there has been an increasing focus on technology not merely supplying additional tools for users, but also offering solutions to specific client problems.
We have a myriad of potential technology investments across our product lines and need to prioritize scarce technology resources to focus on products that best meet the needs and priorities of our customers. Our software development process is based on frequently rolling out new features so that we can quickly incorporate user feedback. However, at times adoption of new features or enhanced versions, for example of some of our workplace solutions products, is slowed by the significant client investment required for more advanced use cases. While some changes in technology may offer opportunities for Morningstar, we cannot guarantee that we will successfully adapt our product offerings to meet evolving customer needs or that the transition to such new offerings will be seamless. If we fail to develop and implement new technology rapidly enough, we may sacrifice new business opportunities or renewals from existing customers. We may also incur additional operating expense if major software projects take longer than anticipated or if clients decline to migrate to new systems and we must support multiple platforms over an extended period of time. Our competitive position depends on our execution speed and we regularly face new competitors from venture capital funded fintech firms that may be significantly more focused or nimble. Our technology is also heavily dependent on the quality and comprehensiveness of our data and our ability to successfully build analytics, research, and other intellectual property around that data. For example, in order to provide the personalized holistic advice that clients value, we need to collect, organize, and protect large, non-homogenous datasets and synthesize and effectively analyze the insights offered by this data. We are investing significant resources in consolidating our various data assets and improving their usability and deliverability across our platform of products. 
Our competitive position and business results may suffer if we fail to realize the value and potential of our data assets. Finally, we rely on technology for our own internal business operations and must continually evaluate these tools to ensure they are sufficient for our expanding needs. If we are unable to develop or purchase technology to support our finance, legal, compliance, audit, human resources, and other corporate teams, these functions may operate inefficiently, at higher cost, or with greater risks than is necessary.

'''''We could face liability for the information and data we collect, store, use, create, and distribute or the reports and other documents we publish or that are produced by our software products.'''''

We may be subject to claims for securities law violations, defamation (including libel and slander), negligence, or other claims relating to the information we publish, including our research and credit ratings. For example, investors may take legal action against us if they rely on published information that contains an error, or a company may claim that we have made a defamatory statement about it or its employees. In addition, in our credit ratings business, we have access to significant amounts of material nonpublic information on issuers of securities, the inadvertent disclosure of which, or the misappropriation by employees or others, could expose us to various liabilities under securities and other laws. Less significant errors could still require us to remove ratings, research, or data temporarily which could diminish the perceived value of the product or cause us to be deficient in our service-level agreements with clients that require us to meet certain obligations for delivering time-sensitive, up-to-date data and information. Some of our products support the investment processes or the client account reporting practices and other activities of our clients who manage significant assets of other parties.
Use of our products as part of such activities creates the risk that clients, or the parties whose assets are managed by our clients, may pursue claims against us for losses that may have some connection to our products, and we may be subject to investigation of our products and their use by government regulators who regulate the business of our clients. In the case of software products, even though most of our contracts for such products contain limitations of our liability in such cases, we may be required to make such clients or their customers whole for any losses in order to maintain our business relationships. We could also be subject to claims based on the content that is accessible from our website through links to other websites. We rely on a variety of outside parties as the original sources for the information we use in our published data. These sources include securities exchanges, fund companies, hedge funds, transfer agents, issuers, and other data providers. We also incorporate data from a variety of third-party sources for many of our products including PitchBook. Accordingly, in addition to possible exposure for publishing incorrect information that results directly from our own errors, we could face liability based on inaccurate data provided to us by others. For example, our Sustainalytics business is reliant on self-reported information for some of its issuer focused ESG ratings and analysis. We also face the risk that a significant data source terminates its distribution of the data to us, which could impact our products, research, or other calculations that utilize that information. We could be subject to claims by providers of data and information we compile from websites and other sources that we have improperly obtained that data in violation of the source’s copyrights or terms of use. 
We could also be subject to claims from third parties, such as securities exchanges from which we license and redistribute data and information, that we have used or redistributed the data or information in ways not permitted by our license rights or that we have inadequately permissioned our clients to use such data. The agreements with such exchanges and other data providers give them extensive data use audit rights, and such audits can be expensive and time consuming and potentially result in substantial fines. We could also be subject to claims from regulators that we have mishandled private ratings or nonpublic data and information, in particular in our credit ratings business. These regulatory bodies have audit rights regarding our data use which could have similar adverse consequences in terms of time, expense, or fines. Defending claims based on the information we publish could be expensive and time-consuming and could adversely impact our business, operating results, and financial condition. Finally, our global business regularly seeks to optimize our data storage in order to improve information accuracy and streamline the technology, which supports our business operations. These efforts are constrained by data privacy legislation, such as GDPR, which defines standards for storage, transfer, and use of certain personal information from and about individuals. Legislation aimed at protecting material nonpublic information or mitigating potential conflicts of interest further defines how certain information can be accessed and retained which may result in less efficient or higher cost technological processes and infrastructure.