Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - CFR

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A. Risk Factors and the section captioned “Forward-Looking Statements and Factors that Could Affect Future Results” in Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations of this report and other cautionary statements set forth elsewhere in this report.
The Corporation
Cullen/Frost Bankers, Inc., a Texas business corporation incorporated in 1977, is a financial holding company and a bank holding company headquartered in San Antonio, Texas that provides, through its subsidiaries, a broad array of products and services throughout numerous Texas markets. The terms “Cullen/Frost,” “the Corporation,” “we,” “us” and “our” mean Cullen/Frost Bankers, Inc. and its subsidiaries, when appropriate. We offer commercial and consumer banking services, as well as trust and investment management, insurance, brokerage, mutual funds, leasing, treasury management, capital markets advisory and item processing services. At December 31, 2025, Cullen/Frost had consolidated total assets of $53.0 billion and was one of the largest independent bank holding companies headquartered in the State of Texas.
Our philosophy is to grow and prosper, building long-term relationships based on top quality service, high ethical standards, and safe, sound assets. We operate as a locally-oriented, community-based financial services organization, augmented by experienced, centralized support in select critical areas. Our local market orientation is reflected in our regional management and regional advisory boards, which are comprised of local business persons, professionals and other community representatives that assist our regional management in responding to local banking needs. Despite this local market, community-based focus, we offer many of the products available at much larger money-center financial institutions.
We serve a wide variety of industries including, among others, energy, manufacturing, services, construction, retail, telecommunications, healthcare, military and transportation. Our customer base is similarly diverse. We are not dependent upon any single industry or customer.
Our operating objectives include expansion, diversification within our markets, growth of our fee-based income, and growth internally and, to a lesser extent, through acquisitions of financial institutions, branches and financial services businesses. While we are currently focused on organic growth, we may seek merger or acquisition partners that are culturally similar and have experienced management and possess either significant market presence or have potential for improved profitability through financial management, economies of scale and expanded services. From time to time, we evaluate merger and acquisition opportunities and conduct due diligence activities related to possible transactions with other financial institutions and financial services companies. As a result, merger or acquisition discussions and, in some cases, negotiations may take place and future mergers or acquisitions involving cash, debt or equity securities may occur. Acquisitions typically involve the payment of a premium over book and market values, and, therefore, some dilution of our tangible book value and net income per common share may occur in connection with any future transaction. Our ability to engage in certain merger or acquisition transactions, whether or not any regulatory approval is required, will be dependent upon our bank regulators’ views at the time as to the capital levels, quality of management and our overall condition and their assessment of a variety of other factors. Certain merger or acquisition transactions, including those involving the acquisition of a depository institution or the assumption of the deposits of any depository institution, require formal approval from various bank regulatory authorities, which will be subject to a variety of factors and considerations.
Although Cullen/Frost is a corporate entity, legally separate and distinct from its affiliates, bank holding companies such as Cullen/Frost are required to act as a source of financial strength for their subsidiary banks. The principal source of Cullen/Frost’s income is dividends from its subsidiaries. There are certain regulatory restrictions on the extent to which these subsidiaries can pay dividends or otherwise supply funds to Cullen/Frost. See the section captioned “Supervision and Regulation” elsewhere in this item for further discussion of these matters.
Cullen/Frost’s executive offices are located at 111 W. Houston Street, San Antonio, Texas 78205, and its telephone number is (210) 220-4011.
4
Subsidiaries of Cullen/Frost
Frost Bank
Frost Bank, the principal operating subsidiary and sole banking subsidiary of Cullen/Frost, is a Texas-chartered bank primarily engaged in the business of commercial and consumer banking through approximately 204 financial centers across Texas in the Austin, Dallas, Fort Worth, Gulf Coast, Houston, Permian Basin, and San Antonio regions. Frost Bank also operates approximately 1,760 automated-teller machines (“ATMs”) throughout the State of Texas, the majority of which are operated in connection with branding and licensing agreements with various retailers. Frost Bank was originally chartered as a national banking association in 1899, but its origin can be traced to a mercantile partnership organized in 1868. At December 31, 2025, Frost Bank had consolidated total assets of $53.1 billion and total deposits of $43.3 billion and was one of the largest commercial banks headquartered in the State of Texas.
Significant services offered by Frost Bank include:
Commercial Banking. Frost Bank provides commercial banking services to corporations and other business customers. Deposit products consist of traditional business checking and savings accounts, which Frost Bank offers through its traditional branches and on-line banking platforms. Loans are made for a wide variety of general corporate purposes, including financing for industrial and commercial properties and to a lesser extent, financing for interim construction related to industrial and commercial properties, financing for equipment, inventories and accounts receivable, and acquisition financing. We also originate commercial leases. We also originate commercial leases and offer treasury management services.
Treasury Management Services. Frost Bank offers a full suite of treasury management services designed to help businesses optimize their cash flow, manage liquidity, and streamline their financial operations. Frost Bank offers Frost Connect, a secure digital banking platform designed to help customers manage their banking needs online including account management, fund transfers, bill payments, mobile check deposits, and access to financial tools and resources. Frost Connect includes additional features for businesses such as payroll services, cash management, and detailed financial reporting.
Merchant Services. Frost Bank provides merchant services through its integrated point-of-sale systems designed to provide businesses with efficient and secure solutions for processing transactions at the point of sale. Frost Bank also offers business bank debit and credit cards to make business purchases.
Correspondent Banking. Frost Bank acts as correspondent for approximately 178 financial institutions, which are primarily banks in Texas. These banks maintain deposits with Frost Bank, which offers them a full range of services including check clearing, transfer of funds, fixed income security services, and securities custody and clearance services.
Capital Markets Division. Frost Bank’s Capital Markets Division supports the transaction needs of fixed-income institutional investors. Services include sales and trading, new issue underwriting, money market trading, advisory services and securities safekeeping and clearance. Frost Bank's Capital Markets department also provides financial services designed to support government entities, non-profit organizations, and other public sector customers. Services include traditional banking, investment and insurance services as well as services designed to help facilitate funding, manage debt, and optimize financial operations for public projects and initiatives, among other things.
Global Trade Services. Frost Bank provides global trade services designed to support businesses engaged in international trade by providing a range of financial products and services designed to help facilitate cross-border transactions, manage risks, and optimize cash flow. Services include foreign exchange, online global trade services, and trade services, such as standby letters of credit, import/export letters of credit, demand guarantees, and documentary collections, among other things.
Consumer Services. Frost Bank provides a full range of consumer banking services that are designed to meet the financial needs of individual customers, providing a range of products and services including a full suite of traditional deposit products, including various types of checking, savings, money market and certificate of deposit accounts; safe deposit facilities; online and mobile banking; drive-in and night deposit services; ATM’s; and consumer lending products, including home equity lines of credit, home equity loans, home improvement loans, 1-4 family residential mortgages, overdraft facilities, and other consumer loans.
5
International Banking. Frost Bank provides international banking services to customers residing in or dealing with businesses located in Mexico. These services consist of accepting deposits (only payable in the U.S. in U.S. dollars), making loans (generally only in U.S. dollars), issuing letters of credit, handling foreign collections, transmitting funds, and to a limited extent, dealing in foreign exchange.
Trust Services. Frost Bank provides a wide range of trust, investment, agency and custodial services for individual and corporate customers. These services include the administration of estates and personal trusts, as well as the management of investment accounts for individuals, employee benefit plans and charitable foundations. At December 31, 2025, the estimated fair value of trust assets was $51.0 billion, including managed assets of $26.7 billion and custody assets of $24.3 billion. At December 31, 2024, the estimated fair value of trust assets was $51.4 billion, including managed assets of $26.2 billion and custody assets of $25.2 billion.
Frost Insurance Agency, Inc.
Frost Insurance Agency (“FIA”) is a wholly owned subsidiary of Frost Bank. FIA provides a broad range of insurance products and services to both business and consumer customers. Products and services include property and casualty insurance and employee benefits plans for businesses, among other things. FIA also arranges for life, disability, long-term care, property and real estate, automobile, and valuables insurance for individuals.
Frost Brokerage Services, Inc.
Frost Brokerage Services, Inc. (“FBS”) is a wholly owned subsidiary of Frost Bank that provides brokerage services and performs other transactions or operations related to the sale and purchase of securities of all types. (“FBS”) is a wholly-owned subsidiary of Frost Bank that provides brokerage services and performs other transactions or operations related to the sale and purchase of securities of all types. FBS is registered as a fully disclosed introducing broker-dealer under the Securities Exchange Act of 1934 and, as such, does not hold any customer accounts or maintain custody of customer assets.
Frost Investment Advisors, LLC
Frost Investment Advisors, LLC is a registered investment advisor and a wholly owned subsidiary of Frost Bank that provides investment management services to Frost-managed mutual funds, institutions and individuals.
Frost Investment Services, LLC
Frost Investment Services, LLC is a registered investment advisor and a wholly owned subsidiary of Frost Bank that provides investment management services to individuals.
Tri–Frost Corporation
Tri-Frost Corporation is a wholly owned subsidiary of Frost Bank that primarily holds securities and receives cash flows related to principal and interest on the securities until such time that the securities mature.
Cullen/Frost Capital Trust II
Cullen/Frost Capital Trust II (“Trust II”) is a Delaware statutory business trust formed in 2004 for the purpose of issuing $120.0 million in trust preferred securities and lending the proceeds to Cullen/Frost. Cullen/Frost guarantees, on a limited basis, payments of distributions on the trust preferred securities and payments on redemption of the trust preferred securities. Trust II is a variable interest entity for which we are not the primary beneficiary. As such, the accounts of Trust II are not included in our consolidated financial statements. See our accounting policy related to consolidation in Note 1 - Summary of Significant Accounting Policies in the notes to consolidated financial statements included in Item 8. Financial Statements and Supplementary Data elsewhere in this report.
Although the accounts of Trust II are not included in our consolidated financial statements, the $120.0 million in trust preferred securities issued by Trust II are included in the regulatory capital of Cullen/Frost during the reported periods. See the section captioned “Supervision and Regulation - Capital Requirements” for a discussion of the regulatory capital treatment of our trust preferred securities.
Other Subsidiaries
Cullen/Frost has various other subsidiaries that are not significant to the consolidated entity.

6
Operating Segments
Our operations are managed along two reportable operating segments consisting of Banking and Frost Wealth Advisors. See the sections captioned “Results of Segment Operations” in Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations and Note 17 - Operating Segments in the notes to consolidated financial statements included in Item 8. Financial Statements and Supplementary Data elsewhere in this report.
Competition
There is significant competition among commercial banks in our market areas. In addition, we also compete with other providers of financial services, such as savings and loan associations, credit unions, consumer finance companies, securities firms, private equity and debt funds, insurance companies, insurance agencies, commercial finance and leasing companies, full service brokerage firms, discount brokerage firms, and financial/wealth technology (“fintech/wealthtech”) firms. Some of our competitors have greater resources and, as such, may have higher lending limits and may offer other services that are not provided by us. We generally compete on the basis of customer service and responsiveness to customer needs, available loan and deposit products, the rates of interest charged on loans, the rates of interest paid for funds, and the availability and pricing of trust, brokerage and insurance services. For further discussion, see the section captioned “We Operate In A Highly Competitive Industry and Market Area” in Item 1A. Risk Factors.
Supervision and Regulation
Cullen/Frost, Frost Bank and most of its non-banking subsidiaries are subject to extensive regulation under federal and state laws. The regulatory framework is intended primarily for the protection of depositors, federal deposit insurance funds and the banking system as a whole and not for the protection of shareholders and creditors.
Significant elements of the laws and regulations applicable to Cullen/Frost and its subsidiaries are described below. The description is qualified in its entirety by reference to the full text of the statutes, regulations and policies that are described. Also, such statutes, regulations and policies are continually under review by Congress and state legislatures and federal and state regulatory agencies. A change in statutes, regulations or regulatory policies applicable to Cullen/Frost and its subsidiaries could have a material effect on our business, financial condition or our results of operations.
Regulatory Agencies
Cullen/Frost is a legal entity separate and distinct from Frost Bank and its other subsidiaries. As a financial holding company and a bank holding company, Cullen/Frost is regulated under the Bank Holding Company Act of 1956, as amended (“BHC Act”), and it and its subsidiaries are subject to inspection, examination and supervision by the Federal Reserve Board. The BHC Act provides generally for “umbrella” regulation of financial holding companies such as Cullen/Frost by the Federal Reserve Board, and for functional regulation of banking activities by bank regulators, securities activities by securities regulators, and insurance activities by insurance regulators. Cullen/Frost is also under the jurisdiction of the Securities and Exchange Commission (“SEC”) and is subject to the disclosure and regulatory requirements of the Securities Act of 1933, as amended, and the Securities Exchange Act of 1934, as amended, as administered by the SEC. Cullen/Frost’s common stock is listed on the New York Stock Exchange (“NYSE”) under the trading symbol “CFR” and our Depositary Shares, each representing a 1/40th interest in a share of our 4.450% Non-Cumulative Perpetual Preferred Stock, Series B, is listed on the NYSE under the trading symbol “CFR PrB.” Accordingly, Cullen/Frost is also subject to the rules of the NYSE for listed companies.
Frost Bank is a Texas state chartered bank and a member of the Federal Reserve System. Accordingly, the Texas Department of Banking and the Federal Reserve Board are the primary regulators of Frost Bank. Deposits at Frost Bank are insured by the Federal Deposit Insurance Corporation (“FDIC”) up to applicable limits.
All member banks of the Federal Reserve System, including Frost Bank, are required to hold stock in the Federal Reserve System's Reserve Banks in an amount equal to six percent of their capital stock and surplus (half paid to acquire the stock with the remainder held as a cash reserve). Member banks do not have any control over the Federal Reserve System as a result of owning the stock and the stock cannot be sold or traded. The annual dividend rate for larger member banks, including Frost Bank, is tied to 10-year U.S. Treasuries with the maximum dividend rate
7
capped at six percent. The total amount of stock dividends that Frost Bank received from the Federal Reserve totaled $1.5 million in 2025, $1.5 million in 2024 and $1.4 million in 2023.
Most of our non-bank subsidiaries also are subject to regulation by the Federal Reserve Board and other federal and state agencies. Frost Brokerage Services, Inc. is regulated by the SEC, the Financial Industry Regulatory Authority (“FINRA”) and state securities regulators. Frost Investment Advisors, LLC and Frost Investment Services, LLC are subject to the disclosure and regulatory requirements of the Investment Advisors Act of 1940, as administered by the SEC. Our insurance subsidiary is subject to regulation by applicable state insurance regulatory agencies. Other non-bank subsidiaries are subject to both federal and state laws and regulations. Frost Bank and its affiliates are also subject to supervision, regulation, examination and enforcement by the Consumer Financial Protection Bureau (“CFPB”) and state regulators with respect to consumer protection laws and regulations. Frost Bank and its affiliates are also subject to supervision, regulation, examination and enforcement by the Consumer Financial Protection Bureau (“CFPB”) with respect to consumer protection laws and regulations.
Bank Holding Company Activities
In general, the BHC Act limits the business of bank holding companies to banking, managing or controlling banks and other activities that the Federal Reserve Board has determined to be so closely related to banking as to be a proper incident thereto. In addition, bank holding companies that qualify and elect to be financial holding companies may engage in any activity, or acquire and retain the shares of a company engaged in any activity, that is either (i) financial in nature or incidental to such financial activity (as determined by the Federal Reserve Board in consultation with the Secretary of the Treasury) or (ii) complementary to a financial activity and does not pose a substantial risk to the safety and soundness of depository institutions or the financial system generally (as solely determined by the Federal Reserve Board), without prior approval of the Federal Reserve Board. Activities that are financial in nature include securities underwriting and dealing, insurance underwriting and making merchant banking investments, among others. Activities that are 7Table of Contentsfinancial in nature include securities underwriting and dealing, insurance underwriting and making merchant banking investments, among others.
To maintain financial holding company status, a financial holding company and all of its depository institution subsidiaries must be “well capitalized” and “well managed.” A depository institution subsidiary is considered to be “well capitalized” if it satisfies the requirements for this status discussed in the section captioned “Prompt Corrective Action,” elsewhere in this item. A depository institution subsidiary is considered “well managed” if it received a composite rating and management rating of at least “satisfactory” in its most recent examination. A financial holding company’s status will also depend upon it maintaining its status as “well capitalized” and “well managed” under applicable Federal Reserve Board regulations. If a financial holding company ceases to meet these capital and management requirements, the BHC Act, and the Federal Reserve Board’s regulations provide that the financial holding company must enter into a confidential agreement with the Federal Reserve Board to comply with all applicable capital and management requirements. Until the financial holding company returns to compliance, the Federal Reserve Board may impose limitations or conditions on the conduct of its activities, and the company may not commence any of the broader financial activities permissible for financial holding companies or acquire a company engaged in such financial activities without prior approval of the Federal Reserve Board. If the company does not return to compliance within 180 days, the Federal Reserve Board may require divestiture of the holding company’s depository institutions. Bank holding companies and banks must also be both well capitalized and well managed in order to acquire banks located outside their home state.
In order for a financial holding company to commence any new activity permitted by the BHC Act or to acquire a company engaged in any new activity permitted by the BHC Act, each insured depository institution subsidiary of the financial holding company must have received a rating of at least “satisfactory” in its most recent Community Reinvestment Act “CRA” performance evaluation. See the section captioned “Community Reinvestment Act” elsewhere in this item.
The Federal Reserve Board has the power to order any bank holding company or its subsidiaries to terminate any activity or to terminate its ownership or control of any subsidiary when the Federal Reserve Board has reasonable grounds to believe that continuation of such activity or such ownership or control constitutes a serious risk to the financial soundness, safety or stability of any bank subsidiary of the bank holding company.
The BHC Act, the Bank Merger Act, the Texas Finance Code and other federal and state statutes regulate acquisitions of commercial banks and their parent holding companies. The BHC Act requires the prior approval of the Federal Reserve Board for the direct or indirect acquisition by a bank holding company of more than 5.0% of the voting shares of a commercial bank or its parent holding company. Under the Bank Merger Act, the prior approval of the Federal Reserve Board or other appropriate bank regulatory authority is required for a member bank to merge with another bank or purchase substantially all of the assets or assume any deposits of another bank. In reviewing
8
applications seeking approval of merger and acquisition transactions, the bank regulatory authorities will consider, among other things, the competitive effect and public benefits of the transactions, the applicant's managerial and financial resources, the capital position of the combined organization, the risks to the stability of the U.S. banking or financial system (e.g., systemic risk), the applicant’s performance record under the CRA (see the section captioned “Community Reinvestment Act” elsewhere in this item) and its compliance with law, including fair lending, fair housing and other consumer protection laws, and the effectiveness of the subject organizations in combating money laundering activities.
Dividends and Stock Repurchases
The principal source of Cullen/Frost’s liquidity is dividends from Frost Bank. The prior approval of the Federal Reserve Board is required if the total of all dividends declared by a state-chartered member bank in any calendar year would exceed the sum of the bank’s net profits for that year and its retained net profits for the preceding two calendar years, less any required transfers to surplus or to fund the retirement of preferred stock. Federal law also prohibits a state-chartered, member bank from paying dividends that would be greater than the bank’s undivided profits. Frost Bank is also subject to limitations under Texas state law regarding the level of dividends that may be paid. Under the foregoing dividend restrictions, and while maintaining its “well capitalized” status, Frost Bank could pay aggregate dividends of approximately $977.4 million to Cullen/Frost, without obtaining affirmative governmental approvals, at December 31, 2025. This amount is not necessarily indicative of amounts that may be paid or available to be paid in future periods.
In addition, Cullen/Frost and Frost Bank are subject to other regulatory policies and requirements relating to the payment of dividends, including requirements to maintain adequate capital above regulatory minimums.8Table of ContentsIn addition, Cullen/Frost and Frost Bank are subject to other regulatory policies and requirements relating to the payment of dividends, including requirements to maintain adequate capital above regulatory minimums. The appropriate federal regulatory authority is authorized to determine under certain circumstances relating to the financial condition of a bank holding company or a bank that the payment of dividends would be an unsafe or unsound practice and to prohibit payment thereof. Additionally, it is Federal Reserve policy that bank holding companies generally should pay dividends on common stock only out of net income available to common shareholders over the past year and only if the prospective rate of earnings retention appears consistent with the organization’s current and expected future capital needs, asset quality and overall financial condition. Federal Reserve policy also provides that a bank holding company should inform the Federal Reserve reasonably in advance of declaring or paying a dividend that exceeds earnings for the period for which the dividend is being paid or that could result in a material adverse change to the bank holding company’s capital structure.
In certain circumstances, Cullen/Frost’s repurchases of its common stock may be subject to a prior approval or notice requirement under other regulations, policies or supervisory expectations of the Federal Reserve Board. Any redemption or repurchase of preferred stock or subordinated debt remains subject to the prior approval of the Federal Reserve Board.
The Inflation Reduction Act of 2022 (the “IRA”) imposes a 1% excise tax on the fair market value of stock repurchased after December 31, 2022 by publicly traded U.S. corporations. With certain exceptions, the value of stock repurchased is determined net of stock issued in the year, including shares issued pursuant to compensatory arrangements.
Transactions with Affiliates
Transactions between Frost Bank and its subsidiaries, on the one hand, and Cullen/Frost or any other subsidiary, on the other hand, are regulated under federal banking law. The Federal Reserve Act imposes quantitative and qualitative requirements and collateral requirements on covered transactions by Frost Bank with, or for the benefit of, its affiliates, and generally requires those transactions to be on terms at least as favorable to Frost Bank as if the transaction were conducted with an unaffiliated third party. Covered transactions are defined by statute to include a loan or extension of credit, as well as a purchase of securities issued by an affiliate, a purchase of assets (unless otherwise exempted by the Federal Reserve Board) from the affiliate, certain derivative transactions that create a credit exposure to an affiliate, the acceptance of securities issued by the affiliate as collateral for a loan, and the issuance of a guarantee, acceptance or letter of credit on behalf of an affiliate. In general, any such transaction by Frost Bank or its subsidiaries must be limited to certain thresholds on an individual and aggregate basis and, for credit transactions with any affiliate, must be secured by designated amounts of specified collateral.

9
Federal law also limits a bank’s authority to extend credit to its directors, executive officers and 10% stockholders, as well as to entities controlled by such persons. Among other things, extensions of credit to insiders are required to be made on terms that are substantially the same as, and follow credit underwriting procedures that are not less stringent than, those prevailing for comparable transactions with unaffiliated persons. Also, the terms of such extensions of credit may not involve more than the normal risk of non-repayment or present other unfavorable features and may not exceed certain limitations on the amount of credit extended to such persons individually and in the aggregate.
Source of Strength Doctrine
Federal Reserve Board policy and federal law require bank holding companies to act as a source of financial and managerial strength to their subsidiary banks. Under this requirement, Cullen/Frost is expected to commit resources to support Frost Bank, including at times when Cullen/Frost may not be in a financial position to provide such resources. Any capital loans by a bank holding company to any of its subsidiary banks are subordinate in right of payment to depositors and to certain other indebtedness of such subsidiary banks. In the event of a bank holding company’s bankruptcy, any commitment by the bank holding company to a federal bank regulatory agency to maintain the capital of a subsidiary bank will be assumed by the bankruptcy trustee and entitled to priority of payment.
Capital Requirements
Cullen/Frost and Frost Bank are each required to comply with applicable capital adequacy standards adopted by the Federal Reserve Board (the “Basel III Capital Rules”) and codified in 12 C.F.R. Part 217. The Basel III Capital Rules define qualifying capital instruments and specify minimum amounts of capital as a percentage of assets that banking organizations are required to maintain. Under the Basel III Capital Rules, risk-based capital ratios are calculated by dividing Common Equity Tier 1 (“CET1”) capital, Tier 1 capital and total capital, respectively, by risk-weighted assets. Assets and off-balance sheet credit equivalents are assigned a risk weight based primarily on supervisory assessments of relative credit risk.
The Basel III Capital Rules require Cullen/Frost and Frost Bank to maintain the following:
A minimum ratio of Common Equity Tier 1 (“CET1”) to risk-weighted assets of at least 4.5%, plus a 2.5% “capital conservation buffer” that is composed entirely of CET1 capital (resulting in a minimum ratio of CET1 to risk-weighted assets of 7.0%);
A minimum ratio of Tier 1 capital to risk-weighted assets of at least 6.0%, plus the capital conservation buffer (resulting in a minimum Tier 1 capital ratio of 8.5%);
A minimum ratio of total capital (Tier 1 capital plus Tier 2 capital) to risk-weighted assets of at least 8.0%, plus the capital conservation buffer (resulting in a minimum total capital ratio of 10.5%); and
A minimum leverage ratio of 4.0%, calculated as the ratio of Tier 1 capital to average consolidated assets as reported on consolidated financial statements (known as the “leverage ratio”).
The capital conservation buffer is designed to absorb losses during periods of economic stress. Banking institutions that fail to meet the effective minimum ratios once the capital conservation buffer is taken into account, as detailed above, will be subject to constraints on capital distributions, including dividends and share repurchases, and certain discretionary executive compensation.Banking institutions that fail to meet the effective minimum ratios once the capital conservation buffer is taken into account, as detailed above, will be subject to constraints on capital distributions, including dividends and share repurchases, and certain discretionary executive compensation. The severity of the constraints depends on the amount of the shortfall and the institution’s “eligible retained income” (that is, the greater of (i) net income for the preceding four quarters, net of distributions and associated tax effects not reflected in net income and (ii) average net income over the preceding four quarters).
The Basel III Capital Rules also provide for a number of deductions from and adjustments to CET1. As non-advanced approaches organizations under the Basel III Capital Rules, Cullen/Frost and Frost Bank are subject to rules that provide for simplified capital requirements relating to the threshold deductions. These include, for example, the requirement that certain deferred tax assets and significant investments in non-consolidated financial entities be deducted from CET1 to the extent that any one such category exceeds 25% of CET1.
In addition, under the general risk-based capital rules, the effects of accumulated other comprehensive income items included in capital were excluded for the purposes of determining regulatory capital ratios. Under the Basel III Capital Rules, the effects of certain accumulated other comprehensive income items are not excluded; however, non-advanced approaches banking organizations, including Cullen/Frost and Frost Bank, were able to make a one-time
10
permanent election to continue to exclude these items. Both Cullen/Frost and Frost Bank made this election in order to avoid significant variations in the level of capital depending upon the impact of interest rate fluctuations on the fair value of their available-for-sale securities portfolio. Under the Basel III Capital Rules, trust preferred securities no longer included in our Tier 1 capital may nonetheless be included as a component of Tier 2 capital on a permanent basis without phase-out.
In February 2019, the federal bank regulatory agencies issued a final rule (the “2019 CECL Rule”) that revised certain capital regulations to account for changes to credit loss accounting under U.S. GAAP. The 2019 CECL Rule included a transition option that allows banking organizations to phase in, over a three-year period, the day-one adverse effects of adopting a new accounting standard related to the measurement of current expected credit losses (“CECL”) on their regulatory capital ratios (three-year transition option). In March 2020, the federal bank regulatory agencies issued an interim final rule that maintains the three-year transition option of the 2019 CECL Rule and also provided banking organizations that were required under U.S. GAAP (as of January 2020) to implement CECL before the end of 2020 the option to delay for two years an estimate of the effect of CECL on regulatory capital, relative to the incurred loss methodology’s effect on regulatory capital, followed by a three-year transition period (five-year transition option). We elected to adopt the five-year transition option. This CECL transitional adjustment totaled $15.4 million at December 31, 2024, after which point the transitional period ended.
The Basel III Capital Rules prescribe a standardized approach for risk weightings that expanded the risk-weighting categories from the general risk-based capital rules to a much larger and more risk-sensitive number of categories, depending on the nature of the assets, generally ranging from 0% for U.S. government and agency securities, to 600% for certain equity exposures (and higher percentages for certain other types of interests), and resulting in higher risk weights for a variety of asset categories.
In December 2017, the Basel Committee published standards that it described as the finalization of the Basel III post-crisis regulatory reforms.10Table of ContentsIn December 2017, the Basel Committee published standards that it described as the finalization of the Basel III post-crisis regulatory reforms. Among other things, these standards revised the Basel Committee’s standardized approach for credit risk (including the recalibration of risk weights and the introduction of new capital requirements for certain “unconditionally cancellable commitments,” such as unused credit card lines of credit) and provided a new standardized approach for operational risk capital. Under the current U.S. capital rules, operational risk capital requirements and a capital floor apply only to advanced approaches banking organizations, and therefore not to Cullen/Frost or Frost Bank.
In July 2023, the federal banking regulators proposed revisions to the Basel III Capital Rules to implement the Basel Committee’s 2017 standards and make other changes to the Basel III Capital Rules. The proposal introduced revised credit risk, equity risk, operational risk, credit valuation adjustment risk and market risk requirements, among other changes, which would substantially increase the levels of required capital. Nonetheless, these revised capital requirements would not apply to us because Cullen/Frost and Frost Bank each have less than $100 billion in total consolidated assets and trading assets and liabilities below the threshold for market risk requirements. Nonetheless, these revised capital requirements would not apply to Cullen/Frost or Frost Bank because they each have less than $100 billion in total consolidated assets and trading assets and liabilities below the threshold for market risk requirements. The Federal Reserve has indicated that it expects a revised proposal will be issued in early 2026. The revised proposal is not expected to apply to us. The Federal Reserve has indicated that it expects to work with the other federal banking regulators in 2025 on a revised proposal.
Liquidity Requirements
The Basel III liquidity framework and regulations of the Federal Reserve require that certain banks and bank holding companies measure their liquidity against specific liquidity tests. One test, referred to as the liquidity coverage ratio (“LCR”), is designed to ensure that the banking entity maintains an adequate level of unencumbered high-quality liquid assets equal to the entity’s expected net cash outflow for a 30-day time horizon (or, if greater, 25% of its expected total cash outflow) under an acute liquidity stress scenario. The other test, referred to as the net stable funding ratio (“NSFR”), is designed to promote more medium- and long-term funding of the assets and activities of banking entities over a one-year time horizon. Rules applicable to certain large banking organizations have been implemented for LCR and for NSFR; however, based on our asset size, these rules do not currently apply to Cullen/Frost and Frost Bank.
Prompt Corrective Action
The Federal Deposit Insurance Act, as amended (the “FDIA”) requires among other things, the federal banking agencies to take “prompt corrective action” in respect of depository institutions that do not meet minimum capital requirements. The FDIA includes the following five capital tiers: “well capitalized,” “adequately capitalized,” “undercapitalized,” “significantly undercapitalized” and “critically undercapitalized.”
11
A bank will be (i) “well capitalized” if the institution has a total risk-based capital ratio of 10.0% or greater, a CET1 capital ratio of 6.5% or greater, a Tier 1 risk-based capital ratio of 8.0% or greater, and a leverage ratio of 5.0% or greater, and is not subject to any order or written directive by any such regulatory authority to meet and maintain a specific capital level for any capital measure; (ii) “adequately capitalized” if the institution has a total risk-based capital ratio of 8.0% or greater, a CET1 capital ratio of 4.5% or greater, a Tier 1 risk-based capital ratio of 6.0% or greater, and a leverage ratio of 4.0% or greater and is not “well capitalized”; (iii) “undercapitalized” if the institution has a total risk-based capital ratio that is less than 8.0%, a CET1 capital ratio less than 4.5%, a Tier 1 risk-based capital ratio of less than 6.0% or a leverage ratio of less than 4.0%; (iv) “significantly undercapitalized” if the institution has a total risk-based capital ratio of less than 6.0%, a CET1 capital ratio less than 3.0%, a Tier 1 risk-based capital ratio of less than 4.0% or a leverage ratio of less than 3.0%; and (v) “critically undercapitalized” if the institution’s tangible equity is equal to or less than 2.0% of average quarterly tangible assets. An institution may be downgraded to, or deemed to be in, a capital category that is lower than indicated by its capital ratios if it is determined to be in an unsafe or unsound condition or if it receives an unsatisfactory examination rating with respect to certain matters. A bank’s capital category is determined solely for the purpose of applying prompt corrective action regulations, and the capital category may not constitute an accurate representation of the bank’s overall financial condition or prospects for other purposes.
The FDIA prohibits an insured depository institution from accepting brokered deposits or offering interest rates on any deposits significantly higher than the prevailing rate in the bank’s normal market area or nationally (depending upon where the deposits are solicited), unless it is (i) well capitalized, or (ii) adequately capitalized and receives a waiver from the FDIC.
Additionally, the FDIA generally prohibits a depository institution from making any capital distributions (including payment of a dividend) or paying any management fee to its parent holding company if the depository institution would thereafter be “undercapitalized.11Table of ContentsAdditionally, the FDIA generally prohibits a depository institution from making any capital distributions (including payment of a dividend) or paying any management fee to its parent holding company if the depository institution would thereafter be “undercapitalized. ” “Undercapitalized” institutions are subject to growth limitations and are required to submit a capital restoration plan. The agencies may not accept such a plan without determining, among other things, that the plan is based on realistic assumptions and is likely to succeed in restoring the depository institution’s capital. In addition, for a capital restoration plan to be acceptable, the depository institution’s parent holding company must guarantee that the institution will comply with such capital restoration plan. The bank holding company must also provide appropriate assurances of performance. The aggregate liability of the parent holding company is limited to the lesser of (i) an amount equal to 5.0% of the depository institution’s total assets at the time it became undercapitalized and (ii) the amount which is necessary (or would have been necessary) to bring the institution into compliance with all capital standards applicable with respect to such institution as of the time it fails to comply with the plan. If a depository institution fails to submit an acceptable plan, it is treated as if it is “significantly undercapitalized.”
“Significantly undercapitalized” depository institutions may be subject to a number of requirements and restrictions, including orders to sell sufficient voting stock to become “adequately capitalized,” requirements to reduce total assets, and cessation of receipt of deposits from correspondent banks. “Critically undercapitalized” institutions are subject to the appointment of a receiver or conservator.
The appropriate federal banking agency may, under certain circumstances, reclassify a well capitalized insured depository institution as adequately capitalized. The FDIA provides that an institution may be reclassified if the appropriate federal banking agency determines (after notice and opportunity for hearing) that the institution is in an unsafe or unsound condition or deems the institution to be engaging in an unsafe or unsound practice. The appropriate agency is also permitted to require an adequately capitalized or undercapitalized institution to comply with the supervisory provisions as if the institution were in the next lower category (but not treat a significantly undercapitalized institution as critically undercapitalized) based on supervisory information other than the capital levels of the institution.
As of December 31, 2025, Frost Bank, was “well capitalized” based on the aforementioned ratios. For further information regarding the capital ratios and leverage ratio of Cullen/Frost and Frost Bank see the discussion under the section captioned “Capital and Liquidity” included in Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations and Note 8 - Capital and Regulatory Matters in the notes to consolidated financial statements included in Item 8. Financial Statements and Supplementary Data, elsewhere in this report.
12
The prompt corrective action regulations do not apply to bank holding companies. However, the Federal Reserve Board is authorized to take appropriate action at the bank holding company level, based upon the undercapitalized status of the bank holding company’s depository institution subsidiaries.
Safety and Soundness Standards
The FDIA requires the federal bank regulatory agencies to prescribe standards, by regulations or guidelines, relating to internal controls, information systems and internal audit systems, loan documentation, credit underwriting, interest rate risk exposure, asset growth, asset quality, earnings, stock valuation and compensation, fees and benefits, and such other operational and managerial standards as the agencies deem appropriate. Guidelines adopted by the federal bank regulatory agencies establish general standards relating to internal controls and information systems, internal audit systems, loan documentation, credit underwriting, interest rate exposure, asset growth and compensation, fees and benefits. In general, the guidelines require, among other things, appropriate systems and practices to identify and manage the risk and exposures specified in the guidelines. The guidelines prohibit excessive compensation as an unsafe and unsound practice and describe compensation as excessive when the amounts paid are unreasonable or disproportionate to the services performed by an executive officer, employee, director or principal stockholder. In addition, the agencies adopted regulations that authorize, but do not require, an agency to order an institution that has been given notice by an agency that it is not satisfying any of such safety and soundness standards to submit a compliance plan. If, after being so notified, an institution fails to submit an acceptable compliance plan or fails in any material respect to implement an acceptable compliance plan, the agency must issue an order directing action to correct the deficiency and may issue an order directing other actions of the types to which an undercapitalized institution is subject under the “prompt corrective action” provisions of the FDIA. See “Prompt Corrective Action” above. If an institution fails to comply with such an order, the agency may seek to enforce such order in judicial proceedings and to impose civil money penalties and cease and desist orders.
In October 2025, the FDIC and OCC issued a proposed rule that would define the term “unsafe or unsound practice” for purposes of their enforcement powers under the FDIA. The proposed definition would focus on whether the practice is likely to materially harm, or already has materially harmed, the financial condition of an institution. The Federal Reserve has not issued a similar proposal.
Deposit Insurance
Deposits at Frost Bank are insured up to applicable limits by the Deposit Insurance Fund (“DIF”) of the FDIC and Frost Bank is subject to deposit insurance assessments to maintain the DIF. Deposit insurance assessments are based on average total assets minus average tangible equity. For larger institutions, such as Frost Bank, the FDIC uses a performance score and a loss-severity score that are used to calculate an initial assessment rate. In calculating these scores, the FDIC uses a bank’s capital level and supervisory ratings and certain financial measures to assess an institution’s ability to withstand asset-related stress and funding-related stress. The FDIC has the ability to make discretionary adjustments to the total score based upon significant risk factors that are not adequately captured in the calculations.
Under the FDIA, the FDIC may terminate deposit insurance upon a finding that the institution has engaged in unsafe and unsound practices, is in an unsafe or unsound condition to continue operations, or has violated any applicable law, regulation, rule, order or condition imposed by the FDIC. In addition, the FDIC is authorized to conduct examinations of and require reporting by FDIC-insured institutions.
In October 2022, the FDIC adopted a final rule that increased the initial base deposit insurance assessment rate schedules uniformly by 2 basis points beginning with the first quarterly assessment period of 2023. The increased assessment was expected to improve the likelihood that the DIF reserve ratio would reach the statutory minimum of 1.35% by the statutory deadline prescribed under the FDIC’s amended restoration plan.
In November 2023, the FDIC issued a final rule to implement a special assessment to recover losses to the DIF incurred as a result of bank failures earlier that year and the FDIC's use of the systemic risk exception to cover certain deposits that were otherwise uninsured. The special assessment was based on estimated uninsured deposits as of December 31, 2022 (excluding the first $5.0 billion) and was assessed at a quarterly rate of 3.36 basis points, over eight quarterly assessment periods, beginning in the first quarter of 2024. As a result of this final rule, we accrued $51.5 million ($40.7 million after tax) related to this assessment in 2023. This amount was based on our estimate of the full amount of the assessment at that time. The special assessment was based on estimated uninsured deposits as of December 31, 2022 (excluding the first $5.0 billion) and was assessed at a quarterly rate of 3.36 basis points, over eight quarterly assessment periods, that began in the first quarter of 2024. In June 2024, due to the increased estimate of losses, the FDIC announced that it projects that the special assessment will be collected for an additional two quarters beyond the initial eight-quarter collection period, at a lower rate. During 2024, the FDIC increased their loss estimate related to the aforementioned bank failures. As a result, we accrued an additional $9.0 million ($7.1 million after tax) in 2024. At
13
that time, due to the increased estimate of losses, the FDIC also projected that the special assessment will be collected for an additional two quarters beyond the initial eight-quarter collection period, at a lower rate.
In December 2025, based upon the first six quarterly collections of the special assessment and anticipated collections for the seventh quarterly special assessment, the FDIC issued an interim final rule to amend the collection of the special assessment to reduce the eighth quarterly assessment rate from 3.36 basis points to 2.97 basis points. Because the cumulative amount collected through the initial eight quarter special assessment period is projected to equal the FDIC’s loss estimate, the additional two quarter extend assessment period was removed. In light this interim final rule, we reversed a total of $9.7 million ($7.7 million after tax) of our special deposit insurance assessment accrual based upon a decrease in expected future payments related to the special deposit insurance assessment. The interim final rule also requires the FDIC to provide an offset to regular quarterly deposit insurance assessments for institutions subject to the special assessment if the aggregate amount collected exceeds estimated losses following the resolution of pending litigation, and again following the termination of the receiverships. As provided for in the special assessment rule, if losses at the termination of the receiverships exceed the amount collected, the FDIC will implement a one-time final shortfall special assessment to ensure the full amount of actual losses is recovered as required by law. The extent to which any such future offsets or a future one-time shortfall special assessment will impact our future deposit insurance expense is currently uncertain. The extent to which any such additional future assessments will impact our future deposit insurance expense is currently uncertain.
Enhanced Prudential Standards
The Federal Reserve Board is required to monitor emerging risks to financial stability and enact enhanced supervision and prudential standards applicable to large bank holding companies and certain non-bank covered companies designated as systemically important by the Financial Stability Oversight Council. The Dodd-Frank Wall Street Reform and Consumer Protection Act (the “Dodd-Frank Act”) mandates that certain regulatory requirements applicable to these systemically important financial institutions be more stringent than those applicable to other financial institutions. The enhanced prudential standards rules, as amended in 2019, require bank holding companies with consolidated assets in excess of $50 billion, including Cullen/Frost, to maintain a risk committee that approves and periodically reviews its risk-management policies and oversees its risk-management framework.
Resolution Planning
The FDIC requires certain insured depository institutions (“IDIs”) with more than $50 billion in total consolidated assets to submit to the FDIC periodic plans for resolution in the event of the institution’s failure. In June 2024, the FDIC finalized amendments to the resolution planning requirements for IDIs with $50 billion or more in total assets. The amendments require IDIs with between $50 billion and $100 billion in assets, which includes Frost Bank, to submit informational filings on a three-year cycle, with an interim supplement updating key information submitted in the off years. The final rule became effective October 1, 2024. Frost Bank's initial informational filing is due on April 1, 2026.
In December 2025, the FDIC announced its intention to propose amendments to its resolution planning rule to codify content requirement exemptions and make additional changes that take into account key findings from its review of 2025 plan submissions. In light of these plans, the FDIC has suspended submission requirements for Group B IDIs, which includes Frost Bank, subsequent to any full resolution submissions scheduled to be filed on or before April 1, 2026 or July 1, 2026 until such time as the amendments to the resolution planning rules are finalized.
The Volcker Rule
The so-called Volcker Rule under the Dodd-Frank Act restricts banks and their affiliates from engaging in proprietary trading and investing in and sponsoring hedge funds and private equity funds. The Volcker Rule does not significantly impact the operations of Cullen/Frost and its subsidiaries as we do not have any significant engagement in the businesses prohibited by the Volcker Rule.
Depositor Preference
The FDIA provides that, in the event of the “liquidation or other resolution” of an insured depository institution, the claims of depositors of the institution, including the claims of the FDIC as subrogee of insured depositors, and certain claims for administrative expenses of the FDIC as a receiver, will have priority over other general unsecured claims against the institution. If an insured depository institution fails, insured and uninsured depositors, along with the FDIC, will have priority in payment ahead of unsecured, non-deposit creditors, including depositors whose
14
deposits are payable only outside of the United States and the parent bank holding company, with respect to any extensions of credit they have made to such insured depository institution.
Interchange Fees
Under the Durbin Amendment to the Dodd-Frank Act, the Federal Reserve adopted rules establishing standards for assessing whether the interchange fees that may be charged with respect to certain electronic debit transactions are “reasonable and proportional” to the costs incurred by issuers for processing such transactions.
Interchange fees, or “swipe” fees, are charges that merchants pay to us and other card-issuing banks for processing electronic payment transactions. Federal Reserve Board rules applicable to financial institutions that have assets of $10 billion or more provide that the maximum permissible interchange fee for an electronic debit transaction is the sum of 21 cents per transaction and 5 basis points multiplied by the value of the transaction. An upward adjustment of no more than 1 cent to an issuer’s debit card interchange fee is allowed if the card issuer develops and implements policies and procedures reasonably designed to achieve certain fraud-prevention standards. The Federal Reserve Board also has rules governing routing and exclusivity that require issuers to offer two unaffiliated networks for routing transactions on each debit or prepaid product. In August 2025, the U.S. District Court for the District of North Dakota ruled to vacate the Federal Reserve’s current interchange rules but simultaneously stayed its own vacatur pending appeal to the circuit court. The outcome of this litigation could significantly and adversely affect the fees banks can charge on debit card transactions.
In October 2023, the Federal Reserve issued a proposal under which the maximum permissible interchange fee for an electronic debit transaction would be the sum of 14.4 cents per transaction and 4 basis points multiplied by the value of the transaction. In October 2023, the Federal Reserve issued a proposal under which the maximum permissible interchange fee for an electronic debit transaction would be the sum of 14.4 cents per transaction and 4 basis points multiplied by the value of the transaction. Furthermore, the fraud-prevention adjustment would increase from a maximum of 1 cent to 1.3 cents per debit card transaction. The proposal would adopt an approach for future adjustments to the interchange fee cap, which would occur every other year based on issuer cost data gathered by the Federal Reserve from large debit card issuers. The comment period for this proposal ended in May 2024. The extent to which any such proposed changes in permissible interchange fees will impact our future revenues is currently uncertain.
Consumer Financial Protection
We are subject to a number of federal and state consumer protection laws that extensively govern our relationship with our customers. These laws include the Equal Credit Opportunity Act, the Fair Credit Reporting Act, the Truth in Lending Act, the Truth in Savings Act, the Electronic Fund Transfer Act, the Expedited Funds Availability Act, the Home Mortgage Disclosure Act, the Fair Housing Act, the Real Estate Settlement Procedures Act, the Fair Debt Collection Practices Act, the Service Members Civil Relief Act and these laws’ respective state-law counterparts, as well as state usury laws and laws regarding unfair and deceptive acts and practices. These and other federal laws, among other things, require disclosures of the cost of credit and terms of deposit accounts, provide substantive consumer rights, prohibit discrimination in credit transactions, regulate the use of credit report information, provide financial privacy protections, prohibit unfair, deceptive and abusive practices, restrict our ability to raise interest rates and subject us to substantial regulatory oversight. Violations of applicable consumer protection laws can result in significant potential liability from litigation brought by customers, including actual damages, restitution and attorneys’ fees. Federal bank regulators, state attorneys general and state and local consumer protection agencies may also seek to enforce consumer protection requirements and obtain these and other remedies, including regulatory sanctions, customer rescission rights, action by the state and local attorneys general in each jurisdiction in which we operate and civil money penalties. Failure to comply with consumer protection requirements may also result in our failure to obtain any required bank regulatory approval for merger or acquisition transactions we may wish to pursue or our prohibition from engaging in such transactions even if approval is not required.
The Consumer Financial Protection Bureau (“CFPB”) is a federal agency responsible for implementing, examining and enforcing compliance with federal consumer protection laws.14Table of ContentsThe Consumer Financial Protection Bureau (“CFPB”) is a federal agency responsible for implementing, examining and enforcing compliance with federal consumer protection laws. The CFPB has broad rulemaking authority for a wide range of consumer financial laws that apply to all banks, including, among other things, laws relating to fair lending and the authority to prohibit “unfair, deceptive or abusive” acts and practices. Abusive acts or practices are defined as those that materially interfere with a consumer’s ability to understand a term or condition of a consumer financial product or service or take unreasonable advantage of a consumer’s (i) lack of financial savvy, (ii) inability to self-protect in the selection or use of consumer financial products or services, or (iii) reasonable reliance on a covered entity to act in the consumer’s interests. The CFPB can issue cease-and-desist orders against banks and other entities that violate consumer financial laws. The CFPB may also institute a civil action against an entity in violation of federal consumer financial law in order to impose a civil penalty or injunction. The CFPB has
15
examination and enforcement authority over all banks with more than $10 billion in assets, as well as their affiliates. Banking regulators take into account compliance with consumer protection laws when considering approval of a proposed transaction.
In October 2024, the CFPB issued a final rule that requires a provider of payment accounts or products, such as a bank, to make data available to consumers, free upon request, regarding the products or services they obtain from the provider. Any such data provider is also required to make such data available to third parties, with the consumer’s express authorization and through an interface that satisfies formatting, performance, and security standards, for the purpose of such third parties providing the consumer with financial products or services requested by the consumer. Data required to be made available under the rule includes transaction information, account balance, account and routing numbers, terms and conditions, upcoming bill information, and certain account verification data. The final rule is intended to give consumers control over their financial data, including with whom it is shared, and encourage competition in the provision of consumer financial products or services. The rule is the subject of litigation, which is currently stayed while the CFPB considers revisions to the rule.
During 2025, the CFPB reduced its staff by over 80%. The reduction in force is the subject of litigation, and the staffing cuts are currently stayed pending the federal circuit court's en banc rehearing of the case. The impact of these developments on banking organizations subject to CFPB regulation and supervision, including Cullen/Frost, is uncertain. States and state attorneys general may increase regulatory, investigative and enforcement activity with respect to consumer protection, in response to changes in regulation, supervision and enforcement of consumer protection laws by federal regulators.
Community Reinvestment Act
The CRA requires depository institutions to assist in meeting the credit needs of their market areas consistent with safe and sound banking practice. Under the CRA, each depository institution is required to help meet the credit needs of its market areas by, among other things, providing credit to low- and moderate-income individuals and communities. Depository institutions are periodically examined for compliance with the CRA and are assigned ratings. In order for a financial holding company to commence any new activity permitted by the BHC Act, or to acquire any company engaged in any new activity permitted by the BHC Act, each insured depository institution subsidiary of the financial holding company must have received a rating of at least “satisfactory” in its most recent examination under the CRA. Furthermore, banking regulators take into account CRA ratings when considering a request for an approval of a proposed transaction. Frost Bank received a rating of “satisfactory” in its most recent CRA performance evaluations.
Financial Privacy
The federal banking regulators have adopted rules under the Gramm-Leach-Bliley Act of 1999 that limit the ability of banks and other financial institutions to disclose non-public information about consumers to nonaffiliated third parties. These limitations require disclosure of privacy policies to consumers and, in some circumstances, allow consumers to prevent disclosure of certain personal information to a nonaffiliated third party. These regulations affect how consumer information is transmitted through diversified financial companies and conveyed to outside vendors.
Anti-Money Laundering and the USA Patriot Act
A major focus of governmental policy on financial institutions has been aimed at combating money laundering and terrorist financing. The U.S. Bank Secrecy Act (the “BSA”) and the USA PATRIOT Act of 2001 (the “USA Patriot Act”) require financial institutions to develop programs to prevent them from being used for, and to detect and deter, money laundering, terrorist financing, and other illegal activities. The USA Patriot Act substantially broadened the scope of United States anti-money laundering laws and regulations by imposing significant new compliance and due diligence obligations, creating new crimes and penalties and expanding the extra-territorial jurisdiction of the United States. Financial institutions are also prohibited from entering into specified financial transactions and account relationships and must use enhanced due diligence procedures in their dealings with certain types of high-risk customers and implement a written customer identification program. Financial institutions must take certain steps to assist government agencies in detecting and preventing money laundering and report certain types of suspicious transactions. Regulatory authorities routinely examine financial institutions for compliance with these obligations, and failure of a financial institution to maintain and implement adequate programs to combat money laundering and terrorist financing, or to comply with all of the relevant laws or regulations, could have
16
serious financial, legal and reputational consequences for the institution, including causing applicable bank regulatory authorities not to approve merger or acquisition transactions when regulatory approval is required or to prohibit such transactions even if approval is not required. Regulatory authorities have imposed cease and desist orders and civil money penalties against institutions found to be violating these obligations.
In August 2024, Financial Crimes Enforcement Network (“FinCEN”), which drafts regulations implementing the U.S. Patriot Act, BSA and other anti-money laundering legislation, adopted a rule extending anti-money laundering obligations, including maintenance of an anti-money laundering program and filing certain reports with FinCEN, to registered investment advisers, like certain of Cullen/Frost’s subsidiaries. In December 2025, FinCEN delayed the effective date of the rule to January 1, 2028 in part to allow FinCEN to review the rule.
Office of Foreign Assets Control Regulation
The U.S. Treasury Department’s Office of Foreign Assets Control, or OFAC, administers and enforces economic and trade sanctions against targeted foreign countries and regimes, under authority of various laws, including designated foreign countries, nationals and others. OFAC publishes lists of specially designated targets and countries. These sanctions include: (i) restrictions on trade with or investment in a sanctioned country, including prohibitions against direct or indirect imports from and exports to a sanctioned country and prohibitions on “U.S. persons” engaging in financial transactions relating to making investments in, or providing investment-related advice or assistance to, a sanctioned country, and (ii) blocking assets in which the government or specially designated nationals of the sanctioned country have an interest by prohibiting transfers of property subject to U.S. jurisdiction (including property in the possession or control of U.S. persons). We are responsible for, among other things, blocking accounts of, and transactions with, such targets and countries, prohibiting unlicensed trade and financial transactions with them and reporting blocked transactions after their occurrence. Failure to comply with these sanctions could have serious financial, legal and reputational consequences, including the imposition of civil money penalties or causing applicable bank regulatory authorities not to approve merger or acquisition transactions when regulatory approval is required or to prohibit such transactions even if approval is not required.
Incentive Compensation
The Federal Reserve Board reviews, as part of its regular, risk-focused examination process, the incentive compensation arrangements of banking organizations, such as Cullen/Frost, that are not “large, complex banking organizations.” These reviews are tailored to each organization based on the scope and complexity of the organization’s activities and the prevalence of incentive compensation arrangements. Deficiencies will be incorporated into the organization’s supervisory ratings, which can affect the organization’s ability to make acquisitions and take other actions. Enforcement actions may be taken against a banking organization if its incentive compensation arrangements, or related risk-management control or governance processes, pose a risk to the organization’s safety and soundness and the organization is not taking prompt and effective measures to correct the deficiencies.
Under regulatory guidance applicable to all banking organizations, incentive compensation policies must be consistent with safety and soundness principles. The guidance, which covers all employees that have the ability to materially affect the risk profile of an organization, either individually or as part of a group, is based upon the key principles that a banking organization’s incentive compensation arrangements should (i) provide incentives that do not encourage risk-taking beyond the organization’s ability to effectively identify and manage risks, (ii) be compatible with effective internal controls and risk management, and (iii) be supported by strong corporate governance, including active and effective oversight by the organization’s board of directors.
In October 2022, the SEC adopted a final rule directing national securities exchanges and associations, including the NYSE, to implement listing standards that require listed companies to adopt policies mandating the recovery or “clawback” of excess incentive-based compensation earned by a current or former executive officer during the three fiscal years preceding the date the listed company is required to prepare an accounting restatement, including to correct an error that would result in a material misstatement if the error were corrected in the current period or left uncorrected in the current period. In October 2022, the SEC adopted a final rule directing national securities exchanges and associations, including the NYSE, to implement listing standards that require listed companies to adopt policies mandating the recovery or “clawback” of excess incentive-based compensation earned by a current or former executive officer during the three fiscal years preceding the date the listed company is required to prepare an accounting restatement, including to correct an error that would result in a material misstatement if the error were corrected in the current period or left uncorrected in the current period. The NYSE’s listing standards pursuant to the SEC’s rule became effective on October 2, 2023. We adopted a compensation recovery policy pursuant to the NYSE listing standards on October 25, 2023. The policy is included as Exhibit 97.1 to this Form 10-K.
17
Cybersecurity
The federal banking regulators regularly issue new guidance and standards, and update existing guidance and standards, regarding cybersecurity intended to enhance cyber risk management among financial institutions. Financial institutions are expected to comply with such guidance and standards and to accordingly develop appropriate security controls and risk management processes. If we fail to observe such regulatory guidance or standards, we could be subject to various regulatory sanctions, including financial penalties. In 2023, the SEC issued a final rule that requires disclosure of material cybersecurity incidents, as well as cybersecurity risk management, strategy and governance. Under this rule, banking organizations that are SEC registrants must generally disclose information about a material cybersecurity incident within four business days of determining it is material with periodic updates as to the status of the incident in subsequent filings, as necessary.
Banking organizations are required to notify their primary banking regulator within 36 hours of determining that a “computer-security incident” has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the banking organization’s ability to carry out banking operations or deliver banking products and services to a material portion of its customer base, its businesses and operations that would result in material loss, or its operations that would impact the stability of the United States.
State regulators have also been increasingly active in implementing privacy and cybersecurity standards and regulations. Recently, several states have adopted regulations requiring certain financial institutions to implement cybersecurity programs and many states, including Texas, have also recently implemented or modified their data breach notification, information security and data privacy requirements. We expect this trend of state-level activity in those areas to continue and are continually monitoring developments in the states in which our customers are located.
Risks and exposures related to cybersecurity attacks, including litigation and enforcement risks, are expected to be elevated for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking and other technology-based products and services by us and our customers.17Table of ContentsRisks and exposures related to cybersecurity attacks, including litigation and enforcement risks, are expected to be elevated for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking and other technology-based products and services by us and our customers.
In May 2024, the SEC finalized amendments to Regulation S-P to require broker-dealers, investment companies and investment advisers registered with the SEC to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information. The amended Regulation S-P also requires covered entities to notify, within 30 days, individuals affected by an incident involving sensitive customer information and provide them with details about the incident and other information intended to help affected individuals respond appropriately.
See Item 1A. Risk Factors for a further discussion of risks related to cybersecurity and Item 1C. Cybersecurity for a further discussion of risk management strategies and governance processes related to cybersecurity.
Climate-Related and Other ESG Developments
In recent years, certain lawmakers and regulators in and outside the United States have increased their focus on financial institutions' and other companies' risk oversight, disclosures and practices in connection with climate change and other environmental, social and governance (“ESG”) matters. In addition, several states, including Texas, have enacted or proposed statutes or regulations addressing climate change and other ESG issues, including “anti-ESG” statutes or regulations.
Fair Access to Financial Services
In recent years, certain states have enacted, or have proposed to enact, statutes, regulations or policies that prohibit financial institutions from denying or canceling products or services to a person or business, or otherwise discriminating against a person or business in making available products or services, on the basis of certain social or political factors or other activities. In August 2025, President Trump signed Executive Order 14331, “Guaranteeing Fair Banking Access for All Americans,” which states that it is the policy of the United States that no American should be denied access to financial services because of their constitutionally or statutorily protected beliefs, affiliations, or political views. The Executive Order directs the Treasury Secretary and federal banking regulators to address politicized or unlawful debanking activities.
18
Future Legislation and Regulation
Congress may enact legislation from time to time that affects the regulation of the financial services industry, and state legislatures may enact legislation from time to time affecting the regulation of financial institutions chartered by or operating in those states. Federal and state regulatory agencies also periodically propose and adopt changes to their regulations or change the manner in which existing regulations are applied. The substance or impact of pending or future legislation or regulation, or the application thereof, cannot be predicted, although any change could impact the regulatory structure under which we or our competitors operate and may significantly increase costs, impede the efficiency of internal business processes, require an increase in regulatory capital, require modifications to our business strategy, and limit our ability to pursue business opportunities in an efficient manner. It could also affect our competitors differently than us, including in a manner that would make them more competitive. A change in statutes, regulations or regulatory policies applicable to Cullen/Frost or any of its subsidiaries could have a material, adverse effect on our business, financial condition and results of operations.
Human Capital Resources
At December 31, 2025, we employed 6,008 full-time equivalent employees. At that date, the average tenure of all of our full-time employees was approximately 9.4 years while the average tenure of our executive officers was approximately 30.3 years. None of our employees are represented by collective bargaining agreements. We believe our employee relations to be good.
Oversight of our corporate culture is an important element of our board of director’s oversight of risk because our people are critical to the success of our corporate strategy. Our board sets the “tone at the top,” and holds senior management accountable for embodying, maintaining, and communicating our culture to employees. In that regard, our culture is designed to promote our commitment to making people's lives better and to uphold that principle in everything we do. That commitment has been a central pillar in our approach to our employees, our planet and the communities we have proudly served for over 150 years. Our culture is designed to adhere to the timeless values of integrity, caring and excellence. In keeping with that culture, we expect our people to treat each other and our customers with the highest level of honesty and respect and go out of their way to do the right thing, and we strive to be a force for good in everyday life. We dedicate resources to promote a safe workplace; attract, develop and retain talented employees; promote a culture of integrity, caring and excellence; and reward and recognize employees for both the results they deliver and, importantly, how they deliver them. We also seek to design careers that are fulfilling ones, with competitive compensation and benefits alongside a positive work-life balance. We also dedicate resources to fostering professional and personal growth with continuing education, on-the-job training and development programs.
Our employees are key to our success as an organization. We are committed to providing equal opportunity to and avoiding unlawful discrimination against all applicants and employees and attracting, retaining and promoting top quality talent regardless of personal aspects such as sex, sexual orientation, gender identity, race, color, national origin and age. We are dedicated to providing a workplace for our employees that is supportive, and free of any form of unlawful discrimination or harassment; rewarding and recognizing our employees based on their individual results and performance as well as that of their department and the company overall; and recognizing and respecting all of the characteristics and differences that make each of our employees unique.
By promoting and fostering a workforce that we believe is reflective of the values of our customers and communities, we seek to better understand the financial needs of our prospects and customers and provide them with relevant financial service products. This enables us to better serve our customers and communities, enhancing our success as an organization. Understanding and supporting our community has always been a priority to us. We have established a voluntary, employee-led and staffed team that is committed to touching and improving the lives of people that live and work in our community. Additionally, we provide employees the opportunity to use paid time off to perform community service activities in their choice of ways. In 2025, this amounted to over 27,000 hours of community service performed by our employees. Our efforts are designed to enrich the lives of not only those that are in need but also the lives of our employees who participate in these meaningful and rewarding opportunities.
19
Information About Our Executive Officers
The names, ages, recent business experience and positions or offices held by each of the executive officers of Cullen/Frost are as follows:
There are no arrangements or understandings between any executive officer of Cullen/Frost and any other person pursuant to which such executive officer was or is to be selected as an officer.
20
Available Information
Under the Securities Exchange Act of 1934, we are required to file annual, quarterly and current reports, proxy statements and other information with the Securities and Exchange Commission (“SEC”). The SEC maintains a website at http://www.sec.gov that contains reports, proxy and information statements, and other information regarding issuers that file electronically with the SEC. We file electronically with the SEC.
We make available, free of charge through our website, our reports on Forms 10-K, 10-Q and 8-K, and amendments to those reports, as soon as reasonably practicable after such reports are filed with or furnished to the SEC. Additionally, we have adopted and posted on our website a code of ethics that applies to our principal executive officer, principal financial officer and principal accounting officer. Our website also includes our Corporate Governance Guidelines and the charters for our Audit Committee, our Compensation and Benefits Committee, our Risk Committee, our Corporate Governance and Nominating Committee, and our Technology and Cybersecurity Committee. Our website also includes our corporate governance guidelines and the charters for our audit committee, our compensation and benefits committee, our risk committee, our corporate governance and nominating committee and our technology committee. The address for our website is http://www.frostbank.com. We will provide a printed copy of any of the aforementioned documents to any requesting shareholder.
ITEM 1A. RISK FACTORS
An investment in our common stock is subject to risks inherent to our business. The material risks and uncertainties that management believes affect us are described below. Before making an investment decision, you should carefully consider the risks and uncertainties described below together with all of the other information included or incorporated by reference in this report. The risks and uncertainties described below are not the only ones facing us. Additional risks and uncertainties that management is not aware of or focused on or that management currently deems immaterial may also impair our business operations. This report is qualified in its entirety by these risk factors. If any of the following risks actually occur, our business, financial condition and results of operations could be materially and adversely affected. If this were to happen, the market price of our common stock and preferred stock could decline significantly, and you could lose all or part of your investment.
Risks Related To Our Business
Interest Rate Risks
We Are Subject To Interest Rate Risk
Our earnings and cash flows are largely dependent upon our net interest income. Net interest income is the difference between interest income earned on interest-earning assets such as loans and securities and interest expense paid on interest-bearing liabilities such as deposits and borrowed funds. Interest rates are highly sensitive to many factors that are beyond our control, including general economic conditions, inflationary trends, changes in government spending and debt issuances and policies of various governmental and regulatory agencies and, in particular, the Federal Open Market Committee. Changes in monetary policy, including changes in interest rates, could influence not only the interest we receive on loans and securities and the amount of interest we pay on deposits and borrowings, but such changes could also affect (i) our ability to originate loans and obtain deposits, (ii) the fair value of our financial assets and liabilities, and (iii) the average duration of our mortgage-backed securities portfolio. If the interest rates paid on deposits and other borrowings increase at a faster rate than the interest rates received on loans and other investments, our net interest income, and therefore earnings, could be adversely affected. Earnings could also be adversely affected if the interest rates received on loans and other investments fall more quickly than the interest rates paid on deposits and other borrowings. Any substantial, unexpected, or prolonged change in market interest rates could have a material adverse effect on our business, financial condition and results of operations. See Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations under the section captioned “Net Interest Income” and Item 7A. Quantitative and Qualitative Disclosures About Market Risk elsewhere in this report for further discussion related to interest rate sensitivity and our management of interest rate risk.
21
Credit and Lending Risks
We Are Subject To Lending Risk and Lending Concentration Risk
There are inherent risks associated with our lending activities. These risks include, among other things, the impact of changes in interest rates and changes in the economic conditions in the markets where we operate as well as those across the State of Texas and the United States. Increases in interest rates and/or weakening economic conditions could adversely impact the ability of borrowers to repay outstanding loans or the value of the collateral securing these loans.
As of December 31, 2025, approximately 80.9% of our loan portfolio consisted of commercial and industrial, energy, construction and commercial real estate mortgage loans. These types of loans are generally viewed as having more risk of default and are typically larger than residential real estate loans or consumer loans. Because our loan portfolio contains a significant number of commercial and industrial, energy, construction and commercial real estate loans with relatively large balances, the deterioration of one or a few of these loans could cause a significant increase in non-performing loans. Increases in non-performing loans have resulted in a net loss of earnings from particular loans, an increase in credit loss expense and an increase in loan charge-offs, and these and future instances could have a material adverse effect on our business, financial condition and results of operations. Certain of our credit exposures are concentrated in industries that may be more susceptible to the long-term risks of climate change, natural disasters or global pandemics. To the extent that these risks may have a negative impact on the financial condition of borrowers, it could also have a material adverse effect on our business, financial condition and results of operations. See the section captioned “Loans” in Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations elsewhere in this report for further discussion related to commercial and industrial, energy, construction and commercial real estate loans.
Our Allowance For Credit Losses May Be Insufficient
We maintain allowances for credit losses on loans, securities and off-balance sheet credit exposures. In the case of loans and securities, allowances for credit losses are contra-asset valuation accounts that are deducted from the amortized cost basis of these assets to present the net amount expected to be collected. In the case of off-balance-sheet credit exposures, the allowance for credit losses is a liability account reported as a component of accrued interest payable and other liabilities in our consolidated balance sheets. The amount of each allowance account represents management's best estimate of current expected credit losses on these financial instruments considering available information, from internal and external sources, relevant to assessing exposure to credit loss over the contractual term of the instrument. Relevant available information includes historical credit loss experience, current conditions and reasonable and supportable forecasts. As a result, the determination of the appropriate level of allowance for credit losses inherently involves a high degree of subjectivity and requires us to make significant estimates related to current and expected future credit risks and trends, all of which may undergo material changes. Changes in economic conditions; inflation; interest rate volatility; new information regarding existing loans, credit commitments and securities holdings; global pandemics; natural disasters and risks related to climate change; and identification of additional problem loans, ratings down-grades and other factors, both within and outside of our control, may require an increase in the allowances for credit losses on loans, securities and off-balance sheet credit exposures. Changes in economic conditions; inflation; interest rate volatility; new information regarding existing loans, credit commitments and securities holdings; the lingering effects of the COVID-19 pandemic or other global pandemics; natural disasters and risks related to climate change; and identification of additional problem loans, ratings down-grades and other factors, both within and outside of our control, may require an increase in the allowances for credit losses on loans, securities and off-balance sheet credit exposures. In addition, bank regulatory agencies periodically review our allowance for credit losses and may require an increase in credit loss expense or the recognition of further loan charge-offs, based on judgments different than those of management. Furthermore, if any charge-offs related to loans, securities or off-balance sheet credit exposures in future periods exceed our allowances for credit losses on loans, securities or off-balance sheet credit exposures, we will need to recognize additional credit loss expense to increase the applicable allowance. Any increase in the allowance for credit losses on loans, securities and/or off-balance sheet credit exposures will result in a decrease in net income and, possibly, capital, and may have a material adverse effect on our business, financial condition and results of operations. See the section captioned “Allowance for Credit Losses” in Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations elsewhere in this report for further discussion related to our process for determining the appropriate level of the allowance for credit losses.
22
We Are Subject to Risk Arising From Conditions In The Commercial Real Estate Market
As of December 31, 2025, commercial real estate mortgage loans comprised approximately 47.1% of our loan portfolio. Commercial real estate mortgage loans generally involve a greater degree of credit risk than residential real estate mortgage loans because the collateral securing these loans may not be sold as easily as residential real estate and because they typically have larger balances and are more affected by adverse conditions in the economy. Because payments on loans secured by commercial real estate often depend upon the successful operation and management of the properties and the businesses which operate from within them, repayment of such loans may be affected by factors outside the borrower’s control, such as adverse conditions in the real estate market or the economy or changes in government regulations. In recent years, commercial real estate markets have been particularly impacted by the economic disruption resulting from the COVID-19 pandemic. The COVID-19 pandemic was also a catalyst for the evolution of various remote work options which have impacted the long-term performance of some types of office properties within our commercial real estate portfolio. The COVID-19 pandemic has also been a catalyst for the evolution of various remote work options which have impacted the long-term performance of some types of office properties within our commercial real estate portfolio. Accordingly, the federal banking regulatory agencies have expressed concerns about weaknesses in the current commercial real estate market. Failures in our risk management policies, procedures and controls could adversely affect our ability to manage this portfolio going forward and could result in an increased rate of delinquencies in, and increased losses from, this portfolio, which, accordingly, could have a material adverse effect on our business, financial condition and results of operations.
We Are Subject To Volatility Risk In Crude Oil Prices
As of December 31, 2025, we had $1.1 billion of energy loans which comprised approximately 5.0% of our loan portfolio at that date. Furthermore, energy production and related industries represent a large part of the economies in some of our primary markets. The energy industry and market prices for oil and gas have historically been cyclical. Global wars, military conflicts, terrorism, governmental and social responses to environmental issues and climate change, or other geopolitical events as well as actions by members of the Organization of Petroleum Exporting Countries (“OPEC”) can impact global crude oil and gas production levels and lead to significant volatility in global oil and gas supplies and market prices. Prolonged periods of low oil and gas commodity prices could negatively impact our borrowers' ability to pay, particularly those that utilize higher-cost production technologies such as hydraulic fracking and horizontal drilling, as well as oilfield service providers, energy equipment manufacturers and transportation suppliers, among others. The price per barrel of crude oil was $57.95 at December 31, 2025 and $71.72 at December 31, 2024. While losses in our energy portfolio have not been significant in recent years, we have experienced increased losses within our energy portfolio in years that were impacted by significant oil price volatility. The price per barrel of crude oil was approximately $72 at both December 31, 2024, and December 31, 2023. While losses in our energy portfolio have not been significant in recent years, we have experienced increased losses within our energy portfolio in years that were impacted by significant oil price volatility. Future oil price volatility could have negative impacts on the U.S. economy, in particular, the economies of energy-dominant states such as Texas, and our borrowers and customers. Such negative impacts could result in an increased rate of loan delinquencies and credit losses which, accordingly, could have a material adverse effect on our business, financial condition and results of operations.
We Are Subject To Environmental Liability Risk Associated With Lending Activities
A significant portion of our loan portfolio is secured by real property. During the ordinary course of business, we foreclose on and take title to properties securing certain loans. There is a risk that hazardous or toxic substances could be found on these properties. If hazardous or toxic substances are found, we may be liable for remediation costs, as well as for personal injury and property damage. Environmental laws may require us to incur substantial expenses and may materially reduce the affected property’s value or limit our ability to use or ability to sell the affected property. Environmental reviews of real property before initiating foreclosure actions may not be sufficient to detect all potential environmental hazards. The remediation costs and any other financial liabilities associated with an environmental hazard could have a material adverse effect on our business, financial condition and results of operations.
Liquidity Risk
We Are Subject To Liquidity Risk
We require liquidity to meet our deposit and debt obligations as they come due. Our access to funding sources in amounts adequate to finance our activities or on terms that are acceptable to us could be impaired by factors that affect us specifically or the financial services industry or economy generally. Factors that could reduce our access to liquidity sources include a downturn in the Texas or national economy, difficult credit markets or adverse regulatory actions against us. Factors that could reduce our access to liquidity sources include a downturn in the Texas economy, difficult credit markets or adverse regulatory actions against us. Our access to deposits may also be affected by the liquidity needs of our depositors. A substantial
23
majority of our liabilities are demand, savings, interest checking and money market deposits, which are payable on demand or upon several days’ notice, while by comparison, a substantial portion of our assets are loans, which cannot be called or sold in the same time frame. We may not be able to replace withdrawn or maturing deposits as necessary in the future, especially if a large number of our depositors sought to withdraw their accounts, regardless of the reason. We may not be able to replace maturing deposits and advances as necessary in the future, especially if a large number of our depositors sought to withdraw their accounts, regardless of the reason. Our access to deposits may be negatively impacted by, among other factors, periods of low interest rates or higher interest rates which could promote increased competition for deposits, including from new financial technology competitors, or provide customers with alternative investment options. Additionally, negative news about us or the banking industry in general could negatively impact market or customer perceptions of our company, which could lead to a loss of depositor confidence and an increase in deposit withdrawals, particularly among those with uninsured deposits. Furthermore, as we and other regional banking organizations experienced in 2023, the failure of other financial institutions may cause deposit outflows as customers spread deposits among several different banks so as to maximize their amount of FDIC insurance, move deposits to banks deemed "too big to fail" or remove deposits from the banking system entirely. As of December 31, 2025, approximately 52% of our deposits were uninsured and we rely on these deposits for liquidity. A failure to maintain adequate liquidity could have a material adverse effect on our business, financial condition and results of operations. We may also need to raise additional capital and liquidity through the issuance of stock to comply with regulatory mandates, which could dilute the ownership of existing stockholders, or reduce or even eliminate common stock dividends or share repurchases to preserve capital and liquidity.
Unrealized Losses in Our Securities Portfolio Could Affect Liquidity.
We have experienced significant unrealized losses on our available-for sale-securities portfolio as a result of elevated market interest rates. Unrealized losses related to available-for-sale securities are reflected in accumulated other comprehensive income in our consolidated balance sheets and reduce the level of our book capital and tangible common equity. However, such unrealized losses do not affect our regulatory capital ratios. We actively monitor our available-for-securities portfolio and we do not currently anticipate the need to realize material losses from the sale of securities for liquidity purposes. Furthermore, we believe it is unlikely that we would be required to sell any such securities before recovery of their amortized cost bases, which may be at maturity. Nonetheless, our access to liquidity sources could be affected by unrealized losses if securities must be sold at a loss; tangible capital ratios continue to decline from an increase in unrealized losses or realized credit losses; the FHLB or other funding sources reduce capacity; or bank regulators impose restrictions on us that impact the level of interest rates we may pay on deposits or our ability to access brokered deposits. Additionally, significant unrealized losses could negatively impact market and/or customer perceptions of our company, which could lead to a loss of depositor confidence and an increase in deposit withdrawals, particularly among those with uninsured deposits.
Operational Risks
Our Accounting Estimates and Risk Management Processes Rely On Analytical and Forecasting Models
The processes we use to estimate our expected credit losses and to measure the fair value of financial instruments, as well as the processes used to estimate the effects of changing interest rates and other market measures on our financial condition and results of operations, depends upon the use of analytical and forecasting models. These models reflect assumptions that may not be accurate, particularly in times of market stress or other unforeseen circumstances. Even if these assumptions are adequate, the models may prove to be inadequate or inaccurate because of other flaws in their design or their implementation, including flaws caused by failures in controls, data management, human error or from the reliance on technology. If the models we use for interest rate risk and asset-liability management are inadequate, we may incur increased or unexpected losses upon changes in market interest rates or other market measures. If the models we use for estimating our expected credit losses are inadequate, the allowance for credit losses may not be sufficient to support future charge-offs. If the models we use to measure the fair value of financial instruments are inadequate, the fair value of such financial instruments may fluctuate unexpectedly or may not accurately reflect what we could realize upon sale or settlement of such financial instruments. Any such failure in our analytical or forecasting models could have a material adverse effect on our business, financial condition and results of operations.

24
We Are Subject To Risk Arising From Failure Or Circumvention Of Our Controls and Procedures
Our internal controls, including fraud detection and controls, disclosure controls and procedures, and corporate governance procedures are based in part on certain assumptions and can provide only reasonable, not absolute, assurance that the objectives of the controls and procedures are met. Any failure or circumvention of our controls and procedures; failure to comply with regulations related to controls and procedures; or failure to comply with our corporate governance procedures could have a material adverse effect on our reputation, business, financial condition and results of operations, including subjecting us to litigation, regulatory fines, penalties or other sanctions. Furthermore, notwithstanding the proliferation of technology and technology-based risk and control systems, our businesses ultimately rely on people and we are subject to the risk that they make mistakes or engage in violations of applicable policies, laws, rules or procedures that in the past have not, and in the future may not always be prevented by our technological processes or by our controls and other procedures intended to prevent and detect such errors or violations. Furthermore, notwithstanding the proliferation of technology and technology-based risk and control systems, our businesses ultimately rely on people as our greatest resource, and we are subject to the risk that they make mistakes or engage in violations of applicable policies, laws, rules or procedures that in the past have not, and in the future may not always be prevented by our technological processes or by our controls and other procedures intended to prevent and detect such errors or violations. Human errors, malfeasance and other misconduct, even if promptly discovered and remediated, can result in reputational damage or legal risk and have a material adverse effect on our business, financial condition and results of operations.
New Lines Of Business, Products Or Services and Technological Advancements May Subject Us To Additional Risks
From time to time, we implement new lines of business or offer new products and services within existing lines of business. For instance, we recently implemented a new residential mortgage product offering. There are substantial risks and uncertainties associated with these efforts, particularly in instances where the markets are not fully developed. In developing and marketing new lines of business and/or new products and services we invest significant time and resources. Initial timetables for the introduction and development of new lines of business and/or new products or services may not be achieved, and price and profitability targets may not prove feasible. External factors, such as compliance with regulations, competitive alternatives, and shifting market preferences, may also impact the successful implementation of a new line of business or a new product or service.
The financial services industry is continually undergoing rapid technological change with frequent introductions of new technology-driven products and services, including the increased usage of intelligent automation within the industry. Our future success depends, in part, upon our ability to address the needs of our customers by using technology to provide products and services that will satisfy customer demands, as well as to create additional efficiencies in our operations. Many of our competitors have substantially greater resources to invest in technological improvements. We may not be able to effectively implement new technology driven products and services or be successful in marketing these products and services to our customers. In addition, our implementation of certain new technologies, such as those related to artificial intelligence, automation and algorithms, in our business processes may have unintended consequences due to their limitations or our failure to use them effectively. In addition, cloud technologies are critical to the operation of our systems, and our reliance on cloud technologies is growing. In addition, cloud technologies are also critical to the operation of our systems, and our reliance on cloud technologies is growing. Failure to successfully keep pace with technological change affecting the financial services industry could have a material adverse effect on our business, financial condition and results of operations.
Furthermore, any new line of business, new product or service and/or new technology could have a significant impact on the effectiveness of our system of internal controls. Failure to successfully manage these risks in the development and implementation of new lines of business, new products or services and/or new technologies could have a material adverse effect on our business, financial condition and results of operations.
Our Reputation and Our Business Are Subject to Negative Publicity Risk
Risk to our earnings, liquidity, and capital from negative public opinion, is inherent in our business. Negative public opinion could adversely affect our ability to keep and attract customers and expose us to adverse legal and regulatory consequences. Negative public opinion could result from our actual or alleged conduct in any number of activities, including (i) lending practices, (ii) branching strategy, (iii) product and service offerings, (iv) corporate governance, (v) regulatory compliance, (vi) mergers and acquisitions, (vii) disclosure, (viii) sharing or inadequate protection of customer information, (ix) successful or attempted cyber-attacks against us, our customers or our third-party partners or vendors and (x) failure to achieve any publicly announced commitments to employees or other initiatives or to respond adequately to stakeholders’ concerns or actions taken by government regulators and community organizations. Negative public opinion could result from our actual or alleged conduct in any number of activities, including (i) lending practices, (ii) branching strategy, (iii) product and service offerings, (iv) corporate governance, (v) regulatory compliance, (vi) mergers and acquisitions, (vii) disclosure, (viii) sharing or inadequate protection of customer information, (ix) successful or attempted cyber-attacks against us, our customers or our third-party partners or vendors and (x) failure to discharge any publicly announced commitments to employees or ESG initiatives or to respond adequately to social and sustainability concerns from the viewpoint of our stakeholders from actions taken by government regulators and community organizations in response to our conduct. There is focus by some investors and other stakeholders on topics related to corporate policies and approaches related to environmental and social matters. Due to divergent stakeholder views on these matters, we are at increased risk that any action, or lack thereof, concerning these matters will be perceived
25
negatively by some stakeholders, which could negatively affect our business and reputation. Negative public opinion could also result from adverse news or publicity that impairs the reputation of the financial services industry generally or from the actions of our employees, customers, affiliates or third parties with whom we do business.
In addition, our reputation or future prospects may be significantly damaged by adverse publicity or negative information regarding us, whether or not true, that may be posted on social media, non-mainstream news services or other parts of the internet, and this risk is magnified by the speed and pervasiveness with which information is disseminated through those channels. Because we conduct most of our business under the “Frost” brand, negative public opinion about one business could affect our other businesses.
Events that result in damage to our reputation may also increase our litigation risk, increase regulatory scrutiny, affect our ability to attract and retain customers and employees and have other consequences that we may not be able to predict.
Our Business, Financial Condition and Results Of Operations Are Subject To Risk From Changes in Customer Behavior
Individual, economic, political, industry-specific conditions and other factors outside of our control, such as fuel prices, energy costs, real estate values, inflation, taxes or other factors that affect customer income levels, could alter anticipated customer behavior, including borrowing, repayment, investment and deposit practices. Such a change in these practices could materially adversely affect our ability to anticipate business needs and meet regulatory requirements. Further, difficult economic conditions may negatively affect consumer confidence levels. A decrease in consumer confidence levels would likely aggravate the adverse effects of these difficult market conditions on us, our customers and others in the financial institutions industry.
Cullen/Frost Relies On Dividends From Its Subsidiaries For Most Of Its Revenue
Cullen/Frost is a separate and distinct legal entity from its subsidiaries. It receives substantially all of its revenue from dividends from its subsidiaries. These dividends are the principal source of funds to pay dividends on Cullen/Frost’s common stock and preferred stock and interest and principal on Cullen/Frost’s debt. Various federal and state laws and regulations limit the amount of dividends that Frost Bank and certain non-bank subsidiaries may pay to Cullen/Frost. Also, Cullen/Frost’s right to participate in a distribution of assets upon a subsidiary’s liquidation or reorganization is subject to the prior claims of the subsidiary’s creditors and depositors. In the event Frost Bank is unable to pay dividends to Cullen/Frost, Cullen/Frost may not be able to service debt, pay obligations or pay dividends on our common stock or our preferred stock. The inability to receive dividends from Frost Bank could have a material adverse effect on our business, financial condition and results of operations. See the section captioned “Supervision and Regulation” in Item 1. Business and Note 8 - Capital and Regulatory Matters in the notes to consolidated financial statements included in Item 8. Financial Statements and Supplementary Data elsewhere in this report.
Our Information Systems May Experience Failure, Interruption Or Breach In Security
In the ordinary course of business, we rely on electronic communications and information systems to conduct our operations and to store sensitive data. Any failure, interruption or breach in security of these systems could result in significant disruption to our operations. Information security breaches and cybersecurity-related incidents include, but are not limited to, attempts to access information, including customer and company information, malicious code, computer viruses and denial of service attacks that could result in unauthorized access, theft, misuse, loss, release or destruction of data (including confidential customer information), account takeovers, unavailability of service or other events. These types of threats may derive from human error, fraud or malice on the part of external or internal parties or may result from accidental technological failure. Our technologies, systems, networks and software have been and continue to be subject to cybersecurity threats and attacks, which range from uncoordinated individual attempts to sophisticated and targeted measures directed at us. Any failures related to upgrades and maintenance of our technology and information systems could further increase our information and system security risk. Our increased use of cloud and other technologies, such as remote work technologies, adoption of artificial intelligence, and the increased connectivity of third parties and electronic devices to our systems also increases our risk of being subject to a cyber-attack. Our increased use of cloud and other technologies, such as remote work technologies, and the increased connectivity of third parties and electronic devices to our systems also increases our risk of being subject to a cyber-attack. The risk of a security breach or disruption, particularly through cyber-attack or cyber-intrusion, has increased as the number, intensity and sophistication of attempted attacks and intrusions from around the world have increased.
26
Our customers, employees and third parties that we do business with have been, and will continue to be, targeted by parties using fraudulent e-mails and other communications in attempts to misappropriate passwords, bank account information or other personal information or to introduce viruses or other malware programs to our information systems, the information systems of merchants or third-party service providers and/or our customers' personal devices, which are beyond our security control systems. Though we endeavor to mitigate these threats through product improvements, use of encryption and authentication technology and customer and employee education, such cyber-attacks against us, merchants, our third-party service providers and our customers remain a serious issue and have been successful in the past.
Although we make significant efforts to maintain the security and integrity of our information systems and have implemented various measures to manage the risks of a security breach or disruption, there can be no assurance that our security efforts and measures will be effective or that attempted security breaches or disruptions would not be successful or damaging. It is possible that employees, merchants or our third-party vendors may not follow our cybersecurity policies and procedures, which may expose us to a cyber-attack. Furthermore, even well protected information, networks, systems and facilities remain potentially vulnerable to attempted security breaches or disruptions because the techniques used in such attempts are constantly evolving, including as a result of artificial intelligence, and generally are not recognized until launched against a target, and in some cases are designed not to be detected and, in fact, may not be detected. Accordingly, we may be unable to anticipate these techniques or to implement adequate security barriers or other preventative measures, and thus it is virtually impossible for us to entirely mitigate this risk. In the event of a cyber-attack, we may be delayed in identifying or responding to the attack, which could increase the negative impact of the cyber-attack on our business, financial condition and results of operations. While we maintain specific “cyber” insurance coverage, which would apply in the event of various breach scenarios, the amount of coverage may not be adequate in any particular case. Furthermore, because cyber threat scenarios are inherently difficult to predict and can take many forms, some breaches may not be covered under our cyber insurance coverage. A security breach or other significant disruption of our information systems or those related to our customers, merchants or our third-party vendors, including as a result of cyber-attacks, could (i) disrupt the proper functioning of our networks and systems and therefore our operations and/or those of our customers; (ii) result in the unauthorized access to, and destruction, loss, theft, misappropriation or release of confidential, sensitive or otherwise valuable information of ours or our customers; (iii) result in a violation of applicable privacy, data breach and other laws, subjecting us to additional regulatory scrutiny and exposing us to civil litigation, enforcement actions, governmental fines and possible financial liability; (iv) require significant management attention and resources to remedy the damages that result; or (v) harm our reputation or cause a decrease in the number of customers that choose to do business with us. The occurrence of any of the foregoing could have a material adverse effect on our business, financial condition and results of operations and could result in serious and harmful consequences to our customers. The occurrence of any of the foregoing could have a material adverse effect on our business, financial condition and results of operations.
Furthermore, the rapid development of quantum computing poses a material risk to the encryption standards currently securing our financial systems, as future quantum capabilities could enable unauthorized decryption of sensitive data, disruption of transaction integrity and invalidation of digital identities, potentially leading to financial losses and reputational damage.
Increasing Fraud Risk Could Adversely Affect Our Business, Financial Condition, and Reputation
We are exposed to an increasing risk of fraud, including cyber fraud, identity theft, account takeover, and other fraudulent activities targeting financial institutions and their customers. The sophistication and frequency of these schemes continue to grow, driven by advances in technology and the proliferation of digital banking channels. Fraudulent activity can result in financial losses for us or our customers, increased operational costs, and potential legal exposure.
Although we employ robust security measures, including authentication protocols, transaction monitoring, and fraud detection systems, these controls may not be sufficient to prevent all fraudulent activity. Criminals continuously adapt their methods to circumvent existing safeguards, and emerging technologies such as artificial intelligence may further enhance their ability to perpetrate fraud.
Significant fraud-related losses could negatively impact our earnings, capital, and liquidity. In addition, fraud incidents may harm our reputation, erode customer trust, and lead to regulatory scrutiny or enforcement actions. Failure to effectively manage and mitigate fraud risk could have a material adverse effect on our business, financial condition, and results of operations. A failure to maintain adequate liquidity could have a material adverse effect on our business, financial condition and results of operations.
27
Our Operations Rely On Certain External Vendors
We rely on certain external vendors to provide products and services necessary to maintain our day-to-day operations. These third-party vendors are sources of operational, cybersecurity, and information security risk to us, including risks associated with operational errors, coding errors, information system failures, interruptions or breaches and unauthorized disclosures of sensitive or confidential customer information. These third-party vendors are sources of operational, cybersecurity, and informational security risk to us, including risks associated with operational errors, coding errors, information system failures, interruptions or breaches and unauthorized disclosures of sensitive or confidential client or customer information. If these vendors encounter any of these issues, or if we have difficulty communicating with them regarding such issues, we could be exposed to disruption of operations, loss of service or connectivity to customers, reputational damage, and litigation risk that could have a material adverse effect on our business and, in turn, our financial condition and results of operations.
In addition, our operations are exposed to risk that these vendors will not perform in accordance with the contracted arrangements under service level agreements. Although we have selected these external vendors carefully, we do not control their actions. The failure of an external vendor to perform in accordance with the contracted arrangements under service level agreements, because of changes in the vendor’s organizational structure, financial condition, support for existing products and services or strategic focus or for any other reason, could be disruptive to our operations, which could have a material adverse effect on our business and, in turn, our financial condition and results of operations. Replacing these external vendors could also entail significant delay and expense.
We Are Subject To Litigation Risk Pertaining To Fiduciary Responsibility
From time to time, customers make claims and take legal action pertaining to our performance of our fiduciary responsibilities. Whether customer claims and legal action related to our performance of our fiduciary responsibilities are founded or unfounded, if such claims and legal actions are not resolved in a manner favorable to us they may result in significant financial liability and/or adversely affect the market perception of us and our products and services as well as impact customer demand for those products and services. Any financial liability or reputational damage could have a material adverse effect on our business, financial condition and results of operations.
We Are Subject To Litigation Risk Pertaining To Intellectual Property
Banking and other financial services companies, including us, rely on technology companies to provide information technology products and services necessary to support day-to-day operations. Technology companies frequently enter into litigation based on allegations of patent infringement or other violations of intellectual property rights. In addition, patent holding companies seek to monetize patents they have purchased or otherwise obtained. Competitors of our vendors, or other individuals or companies, have from time to time claimed to hold intellectual property sold to us by our vendors or in use by us and we are, and may in the future be, named as defendants in various related legal claims. Such claims may increase in the future as the financial services sector becomes more reliant on information technology vendors. The plaintiffs in these actions frequently seek injunctions and substantial damages and may also seek to enter into licensing agreements with us to obtain ongoing fees.
Regardless of the scope or validity of such patents or other intellectual property rights, or the merits of any claims by potential or actual litigants, we may have to engage in protracted litigation. Such litigation is often expensive, time-consuming, disruptive to our operations and distracting to management. If we are found to infringe upon one or more patents or other intellectual property rights, we may be required to pay substantial damages or royalties to a third-party. In certain cases, we have entered, and in the future may consider entering, into licensing agreements for disputed intellectual property, although no assurance can be given that such licenses can be obtained on acceptable terms or that litigation will not occur. These licenses may also significantly increase our operating expenses. If legal matters related to intellectual property claims were resolved against us or settled, we could be required to make payments in amounts that could have a material adverse effect on our business, financial condition and results of operations.
Financial Services Companies Depend On The Accuracy and Completeness Of Information About Customers and Counterparties
In deciding whether to extend credit or enter into other transactions, we rely on information furnished by or on behalf of customers and counterparties, including financial statements, credit reports and other financial information. We also rely on representations of those customers, counterparties or other third parties, such as independent auditors, as to the accuracy and completeness of that information. Reliance on inaccurate or misleading financial statements, credit reports or other financial information could have a material adverse impact on our business, financial condition and results of operations.
28
External and Market-Related Risks
Our Profitability Depends Significantly On Economic Conditions In The State Of Texas
Our success depends substantially on the general economic conditions of the State of Texas and the specific local markets in which we operate. Unlike larger national or other regional banks that are more geographically diversified, we provide banking and financial services primarily to customers across Texas through financial centers in the Austin, Dallas, Fort Worth, Gulf Coast, Houston, Permian Basin, and San Antonio regions. The local economic conditions in these areas have a significant impact on the demand for our products and services as well as the ability of our customers to repay loans, the value of the collateral securing loans and the stability of our deposit funding sources. Moreover, all of the securities in our municipal bond portfolio were issued by political subdivisions or agencies within the State of Texas. A significant decline in general economic conditions in Texas, whether caused by recession, inflation, unemployment, changes or prolonged stagnation in oil prices, changes in securities markets, acts of terrorism, pandemics, natural disasters, climate change, outbreak of hostilities or other international or domestic occurrences or other factors could impact these local economic conditions and, in turn, have a material adverse effect on our business, financial condition and results of operations.
We Are Subject to Risk Arising From The Soundness Of Other Financial Institutions and Counterparties
Financial services institutions are interrelated as a result of trading, clearing, counterparty, or other relationships. We have exposure to many different industries and counterparties, and routinely execute transactions with counterparties in the financial services industry, including commercial banks, brokers and dealers, investment banks, and other institutional customers. Many of these transactions expose us to credit risk in the event of a default by a counterparty or customer. In addition, our credit risk may be exacerbated when the collateral held by us cannot be realized upon or is liquidated at prices not sufficient to recover the full amount of the credit or derivative exposure due to us. Increased interconnectivity amongst financial institutions also increases the risk of cyber-attacks and information system failures for financial institutions. Any such losses could have a material adverse effect on our business, financial condition and results of operations.
We Operate In A Highly Competitive Industry and Market Area
We face substantial competition in all areas of our operations from a variety of different competitors, many of which are larger and may have more financial resources than us. Such competitors primarily include national, regional, and community banks within the various markets where we operate. Recent regulation has reduced the regulatory burden of large bank holding companies, and raised the asset thresholds at which more onerous requirements apply, which could cause certain large bank holding companies with less than $250 billion in total consolidated assets, which were previously subject to more stringent enhanced prudential standards, to become more competitive or to pursue expansion more aggressively.
We also face competition from many other types of financial institutions, including, without limitation, savings and loans, credit unions, finance companies, brokerage firms, insurance companies and other financial intermediaries. The financial services industry could become even more competitive as a result of legislative, regulatory and technological changes and continued consolidation.
Also, technology and other changes have lowered barriers to entry and made it possible for non-banks to offer products and services traditionally provided by banks. In particular, the activity of fintechs/wealthtechs has grown significantly over recent years and is expected to continue to grow. Some fintechs/wealthtechs are not subject to the same regulation as we are, which may allow them to be more competitive. Fintechs/wealthtechs have and may continue to offer bank or bank-like products and a number of such organizations have applied for bank or industrial loan charters while others have partnered with existing banks to allow them to offer deposit products to their customers. Increased competition from fintechs/wealthtechs and the growth of digital banking may also lead to pricing pressures as competitors offer more low-fee and no-fee products
In July 2025, President Trump signed into law the GENIUS Act, which establishes a regulatory framework for “payment stablecoins” and their issuers. Consumers and businesses may view payment stablecoins as a substitute for traditional bank deposits, resulting in deposit withdrawals. Depending on consumer and business interest in payment stablecoins, and the characteristics and utility of payment stablecoins, the passage of the GENIUS Act could result in increased competition with respect to our deposit products. However, the GENIUS Act requires the U.S. Treasury
29
Department and federal and state regulators to issue regulations on numerous topics to interpret and implement the statute, so the effect of the GENIUS Act will depend on what those regulations provide.
Additionally, consumers can maintain funds that would have historically been held as bank deposits in brokerage accounts or mutual funds. Consumers can also complete transactions such as paying bills and/or transferring funds directly without the assistance of banks. In addition, the emergence, adoption and evolution of new technologies that do not require intermediation, including distributed ledgers such as stablecoin and other digital assets and blockchain, as well as advances in intelligent automation, could significantly affect the competition for financial services. In addition, the emergence, adoption and evolution of new technologies that do not require intermediation, including distributed ledgers such as digital assets and blockchain, as well as advances in robotic process automation, could significantly affect the competition for financial services. The process of eliminating banks as intermediaries, known as “disintermediation,” could result in the loss of fee income, as well as the loss of customer deposits and the related income generated from those deposits. Further, many of our competitors have fewer regulatory constraints and may have lower cost structures than us. Additionally, due to their size, many competitors may be able to achieve economies of scale and, as a result, may offer a broader range of products and services as well as better pricing for those products and services than we can. Our ability to compete successfully depends on a number of factors, including, among other things, (i) the ability to develop, maintain and build long-term customer relationships based on top quality service, high ethical standards and safe, sound assets; (ii) the ability to expand within our marketplace and with our market position; (iii) the scope, relevance and pricing of products and services offered to meet customer needs and demands; (iv) the rate at which we introduce new products and services relative to our competitors; (v) customer satisfaction with our level of service; and (vi) industry and general economic trends. Failure to perform in any of these areas could significantly weaken our competitive position, which could adversely affect our growth and profitability, which, in turn, could have a material adverse effect on our business, financial condition and results of operations.
Compliance and Regulatory Risks
We Are Subject To Extensive Government Regulation and Supervision and Related Enforcement Powers and Other Legal Remedies
We, primarily through Cullen/Frost, Frost Bank and certain non-bank subsidiaries, are subject to extensive federal and state regulation and supervision, which vests a significant amount of discretion in the various regulatory authorities. Banking regulations are primarily intended to protect depositors’ funds, federal deposit insurance funds and the banking system as a whole, not shareholders. These regulations and supervisory guidance affect our lending practices, capital structure, investment practices, dividend policy, the fees we can charge for certain products or transactions, and growth, among other things. Congress and federal regulatory agencies continually review banking laws, regulations and policies for possible changes. Changes to statutes, regulations or regulatory policies or supervisory guidance, including changes in interpretation or implementation of statutes, regulations, policies or supervisory guidance, have and could continue to affect us in substantial and unpredictable ways. Such changes have and could continue to subject us to additional costs, limit the types of financial services and products we may offer, limit our ability to return capital to shareholders or conduct certain activities, and/or increase the ability of non-banks to offer competing financial services and products, among other things. Failure to comply with laws, regulations, policies or supervisory guidance could result in enforcement and other legal actions by Federal or state authorities, including criminal and civil penalties, the loss of FDIC insurance, the revocation of a banking charter, enforcement actions or sanctions by regulatory agencies, significant fines and civil money penalties and/or reputational damage. In this regard, government authorities, including the bank regulatory agencies, are pursuing aggressive enforcement actions with respect to compliance and other legal matters involving financial activities, which heightens the risks associated with actual and perceived compliance failures. Directives issued to enforce such actions may be confidential and thus, in some instances, we are not permitted to publicly disclose these actions. Litigation challenging actions or regulations by Federal or state authorities could, depending on the outcome, significantly affect the regulatory and supervisory framework affecting our operations. For example, there is litigation pending to challenge the Federal Reserve’s regulation on permissible interchange fees on the ground that the regulation allows higher interchange fees than permitted by statute, which, if successful, could significantly and adversely affect the fees banks can charge on debit card transactions. Any of the foregoing could have a material adverse effect on our business, financial condition and results of operations.
In addition, we face significant regulatory scrutiny, in the course of routine examinations and otherwise, and new regulations in response to negative developments in the banking industry, which may increase our cost of doing business and reduce our profitability. Among other things, there may be increased focus by both regulators and investors on deposit composition, the level of uninsured deposits, brokered deposits, unrealized losses in securities portfolios, liquidity, commercial real estate loan composition and concentrations, and capital as well as general
30
oversight and control of the foregoing. We could face increased scrutiny or be viewed as higher risk by regulators and/or the investor community, which could have a material adverse effect on our business, financial condition and results of operations.
See the sections captioned “Supervision and Regulation” included in Item 1. Business and Note 8 - Capital and Regulatory Matters in the notes to consolidated financial statements included in Item 8. Financial Statements and Supplementary Data elsewhere in this report.
The Repeal Of Federal Prohibitions On Payment Of Interest On Demand Deposits Could Increase Our Interest Expense
All federal prohibitions on the ability of financial institutions to pay interest on demand deposit accounts were repealed as part of the Dodd-Frank Act beginning in 2011. As a result, some financial institutions offer interest on demand deposits to compete for customers. Our interest expense will increase, and our net interest margin will decrease, if we begin offering interest on demand deposits to attract additional customers or maintain current customers, which could have a material adverse effect on our business, financial condition and results of operations.
We Are Subject To Government Regulation and Oversight Relating to Data and Privacy Protection
Our business requires the collection and retention of large volumes of customer data, including personally identifiable information in various information systems that we maintain and in those maintained by third parties with whom we contract to provide data services. We also maintain important internal company data such as personally identifiable information about our employees and information relating to our operations. The integrity and protection of that customer and company data is important to us. Our collection of such customer and company data is subject to extensive regulation and oversight.
We are subject to laws and regulations relating to the privacy of the information of our customers, employees and others, and any failure to comply with these laws and regulations could expose us to legal risk and/or reputational damage. As new privacy-related laws and regulations are implemented, the time and resources needed for us to comply with such laws and regulations, as well as our potential liability for non-compliance and reporting obligations in the case of data breaches, may significantly increase.
We Are Subject To the Potential Adverse Effects of a U.S. Federal Government Shutdown
A prolonged or repeated shutdown of the U.S. federal government could adversely affect our business, financial condition, liquidity, and results of operations. Funding gaps or lapses in federal appropriations may disrupt the operations of government agencies that provide critical economic data, administer regulatory functions, or directly support our customers and counterparties. During a shutdown, federal agencies such as the Internal Revenue Service, Small Business Administration, and various supervisory bodies may suspend or significantly curtail their activities, which can delay loan originations, hinder verification processes, impede regulatory approvals, and reduce the availability of government‑guaranteed lending programs.
A shutdown may also impair the financial capacity of borrowers who depend on federal salaries, contracts, reimbursements, or benefit programs, including government employees, federal contractors, and recipients of government-funded services. Reduced or delayed income to these borrowers could increase delinquencies, reduce loan demand, negatively affect deposit inflows, and increase our credit risk exposure. In addition, disruptions to federal economic data releases or fiscal operations may create volatility in financial markets, affecting interest rates, liquidity conditions, and the valuation of securities in our investment portfolio.
The duration and economic impact of any government shutdown are inherently uncertain, and any such event could, individually or in the aggregate, have a material adverse effect on our business, financial condition and results of operations.
Risks Related to Acquisition Activity
Potential Acquisitions May Disrupt Our Business and Dilute Shareholder Value
We generally seek merger or acquisition partners that are culturally similar and have experienced management and possess either significant market presence or have potential for improved profitability through financial management, economies of scale or expanded services. Acquiring other banks, businesses, or branches involves
31
various risks commonly associated with acquisitions, including, among other things, (i) potential exposure to unknown or contingent liabilities of the target company; (ii) exposure to potential asset quality issues of the target company; (iii) potential disruption to our business; (iv) potential diversion of our management’s time and attention; (v) the possible loss of key employees and customers of the target company; (vi) difficulty in estimating the value of the target company; and (vii) potential changes in banking or tax laws or regulations that may affect the target company.
Acquisitions typically involve the payment of a premium over book and market values, and, therefore, some dilution of our tangible book value and net income per common share may occur in connection with any future transaction. Acquisitions may also result in potential dilution to existing shareholders of our earnings per share if we issue common stock in connection with the acquisition. Furthermore, failure to realize the expected revenue increases, cost savings, increases in geographic or product presence, and/or other projected benefits from an acquisition could have a material adverse effect on our business, financial condition and results of operations.
Acquisitions May Be Delayed, Impeded, Or Prohibited Due To Regulatory Issues
Acquisitions by financial institutions, including us, are subject to approval by a variety of federal and state regulatory agencies (collectively, “regulatory approvals”). Our ability to engage in certain merger or acquisition transactions depends on the bank regulators' views at the time as to our capital levels, quality of management, and overall condition, in addition to their assessment of a variety of other factors, including our compliance with law. Our ability to engage in certain merger or acquisition transactions, whether or not any regulatory approval is required, will be dependent upon our bank regulators’ views at the time as to the capital levels, quality of management and our overall condition and their assessment of a variety of other factors. Regulatory approvals could be delayed, impeded, restrictively conditioned or denied due to existing or new regulatory issues we have, or may have, with regulatory agencies, including, without limitation, issues related to BSA compliance, CRA issues, fair lending laws, fair housing laws, consumer protection laws, unfair, deceptive, or abusive acts or practices regulations and other laws and regulations. We may fail to pursue, evaluate or complete strategic and competitively significant acquisition opportunities as a result of our inability, or perceived or anticipated inability, to obtain regulatory approvals in a timely manner, under reasonable conditions or at all. Difficulties associated with potential acquisitions that may result from these factors could have a material adverse effect on our business, financial condition and results of operations.
Risks Associated With Our Common Stock and Preferred Stock
The Trading Volumes In Our Common Stock and Preferred Stock Are Less Than That Of Other Larger Financial Services Companies
Although our common stock and preferred stock are listed for trading on the NYSE, the trading volume in our common stock is less than that of other, larger financial services companies. A public trading market having the desired characteristics of depth, liquidity and orderliness depends on the presence in the marketplace of willing buyers and sellers of our common stock and preferred stock at any given time. This presence depends on the individual decisions of investors and general economic and market conditions over which we have no control. Given the lower trading volumes of our common stock and preferred stock, significant sales of our common stock or our preferred stock, or the expectation of these sales, could cause our stock prices to fall.
Cullen/Frost May Not Continue To Pay Dividends On Its Common Stock In The Future
Holders of Cullen/Frost common stock are only entitled to receive such dividends as its board of directors may declare out of funds legally available for such payments. Although Cullen/Frost has historically declared cash dividends on its common stock, it is not required to do so and may reduce or eliminate its common stock dividend in the future. This could adversely affect the market price of Cullen/Frost’s common stock. Also, Cullen/Frost is a bank holding company, and its ability to declare and pay dividends is dependent on certain federal regulatory considerations, including the guidelines of the Federal Reserve Board regarding capital adequacy and dividends.
As more fully discussed in Note 8 - Capital and Regulatory Matters in the notes to consolidated financial statements included in Item 8. Financial Statements and Supplementary Data elsewhere in this report, our ability to declare or pay dividends on our common stock may also be subject to certain restrictions in the event that we elect to defer the payment of interest on our junior subordinated deferrable interest debentures or do not declare and pay dividends on our Series B Preferred Stock.
32
An Investment In Our Common Stock or Preferred Stock Is Not An Insured Deposit
Our common stock and preferred stock are not bank deposits and, therefore, are not insured against loss by the FDIC, any other deposit insurance fund or by any other public or private entity. Investment in our common stock or preferred stock is inherently risky for the reasons described in this “Risk Factors” section and elsewhere in this report and is subject to the same market forces that affect the price of common stock or preferred stock in any company. As a result, if you acquire our common stock or preferred stock, you could lose some or all of your investment.
Certain Banking Laws May Have An Anti-Takeover Effect
Provisions of federal banking laws, including regulatory approval requirements, could make it more difficult for a third party to acquire us, even if doing so would be perceived to be beneficial to our shareholders. These provisions effectively inhibit a non-negotiated merger or other business combination, which, in turn, could adversely affect the market price of our common stock.
General Risk Factors
We are Subject To Risk From Fluctuating Conditions In The Financial Markets and Economic and Political Conditions Generally
Our success depends, to a certain extent, upon local, national and global economic and political conditions, as well as governmental monetary policies. Our financial performance generally, and in particular the ability of borrowers to pay interest on and repay principal of outstanding loans and the value of collateral securing those loans, as well as demand for loans and other products and services we offer, is highly dependent upon the business environment in the markets where we operate, in the State of Texas and in the United States as a whole. A favorable business environment is generally characterized by, among other factors, economic growth, efficient capital markets, low inflation, low unemployment, high business and investor confidence, and strong business earnings. Unfavorable or uncertain economic and market conditions can be caused by a decline in economic growth both in the U.S. and internationally; declines in business activity or investor or business confidence; limitations on the availability of or increases in the cost of credit and capital; increases in inflation or interest rates; high unemployment; oil price volatility; natural disasters; trade policies and tariffs; or a combination of these or other factors. In addition, financial markets and global supply chains may be adversely affected by the current or anticipated impact of global wars/military conflicts, terrorism or other geopolitical events. In addition, financial 32Table of Contentsmarkets and global supply chains may be adversely affected by the current or anticipated impact of global wars/military conflicts, terrorism or other geopolitical events. Current economic conditions are being heavily impacted by recent inflationary conditions and higher interest rates, the effects of which may impact our profitability by negatively impacting our fixed costs and expenses. Economic and inflationary pressure on consumers and uncertainty regarding economic improvement could result in changes in consumer and business spending, borrowing and savings habits. Such conditions could have a material adverse effect on the credit quality of our loans and our business, financial condition and results of operations.
Federal budget deficit concerns and the potential for political conflict over legislation to fund U.S. government operations and raise the U.S. government's debt limit may increase the possibility of a default by the U.S. government on its debt obligations, related credit-rating downgrades, or an economic recession in the United States. Many of our investment securities are issued by the U.S. government and government agencies and sponsored entities. As a result of uncertain domestic political conditions, including potential future federal government shutdowns, the possibility of the federal government defaulting on its obligations for a period of time due to debt ceiling limitations or other unresolved political issues, investments in financial instruments issued or guaranteed by the federal government pose liquidity risks. Most recently, in connection with successive failures by the U.S. government to reverse the trend of large annual fiscal deficits and growing interest costs, Moody's lowered its long-term issuer credit rating on the U.S. from Aaa to Aa1. A further downgrade, or downgrades by other rating agencies, as well as sovereign debt issues facing the governments of other countries, could have a material adverse impact on financial markets and economic conditions in the U.S. and worldwide.
Furthermore, evolving responses from federal and state governments and other regulators, and our customers or our third-party partners or vendors, to challenges such as climate change have impacted and could continue to impact the economic and political conditions under which we operate which could have a material adverse effect on our business, financial condition and results of operations.
33
Changes In The Federal, State Or Local Tax Laws May Negatively Impact Our Financial Performance and We Are Subject To Examinations and Challenges By Tax Authorities
We are subject to federal and applicable state tax laws and regulations. Changes in these tax laws and regulations, some of which may be retroactive to previous periods, could increase our effective tax rates and, as a result, could negatively affect our current and future financial performance. Furthermore, tax laws and regulations are often complex and require interpretation. In the normal course of business, we are routinely subject to examinations and challenges from federal and applicable state tax authorities regarding the amount of taxes due in connection with investments we have made and the businesses in which we have engaged. Federal and state taxing authorities have been aggressive in challenging tax positions taken by financial institutions. These tax positions may relate to tax compliance, sales and use, franchise, gross receipts, payroll, property and income tax issues, including tax base, apportionment and tax credit planning. The challenges made by tax authorities may result in adjustments to the timing or amount of taxable income or deductions or the allocation of income among tax jurisdictions. If any such challenges are made and are not resolved in our favor, they could have a material adverse effect on our business, financial condition and results of operations.
We May Need To Raise Additional Capital In The Future, and Such Capital May Not Be Available When Needed Or At All
We may need to raise additional capital in the future to provide us with sufficient capital resources and liquidity to meet our commitments and business needs, particularly if our asset quality or earnings were to deteriorate significantly. Our ability to raise additional capital, if needed, will depend on, among other things, conditions in the capital markets at that time, which are outside of our control, and our financial condition. Economic conditions and the loss of confidence in financial institutions may increase our cost of funding and limit access to certain customary sources of capital, including inter-bank borrowings, repurchase agreements and borrowings from the discount window of the Federal Reserve.
We cannot assure that such capital will be available on acceptable terms or at all. Any occurrence that may limit our access to the capital markets, such as a decline in the confidence of debt purchasers, depositors of Frost Bank or counterparties participating in the capital markets, or a downgrade of Cullen/Frost’s or Frost Bank’s debt ratings, may adversely affect our capital costs and our ability to raise capital and, in turn, our liquidity. Moreover, if we need to raise capital in the future, we may have to do so when many other financial institutions are also seeking to raise capital and would have to compete with those institutions for investors. Moreover, if we need to raise capital in the future, we may have to do so when many other financial institutions are also seeking to raise 33Table of Contentscapital and would have to compete with those institutions for investors. An inability to raise additional capital on acceptable terms when needed could have a materially adverse effect on our business, financial condition and results of operations.
Our Stock Price Can Be Volatile
Stock price volatility may make it more difficult for you to resell your common stock when you want and at prices you find attractive. Our stock price can fluctuate significantly in response to a variety of factors including, among other things, (i) actual or anticipated variations in quarterly results of operations; (ii) recommendations by securities analysts; (iii) operating and stock price performance of other companies that investors deem comparable to us; (iv) news reports relating to trends, concerns and other issues in the financial services industry; (v) perceptions in the marketplace regarding us and/or our competitors; (vi) new technology used, or services offered, by competitors; (vii) the issuance by us of additional securities, including common stock and securities that are convertible into or exchangeable for, or that represent the right to receive, common stock; (viii) sales of a large block of shares of our common stock or similar securities in the market after an equity offering, or the perception that such sales could occur; (ix) significant acquisitions or business combinations, strategic partnerships, joint ventures or capital commitments by or involving us or our competitors; (x) failure to integrate acquisitions or realize anticipated benefits from acquisitions; (xi) changes in government regulations; and (xii) geopolitical conditions such as acts or threats of terrorism or military conflicts.
General market fluctuations, including real or anticipated changes in the strength of the Texas economy; industry factors and general economic and political conditions and events, such as economic slowdowns or recessions; and interest rate changes, oil price volatility or credit loss trends could also cause our stock price to decrease regardless of operating results.
34
Changes In Accounting Standards Could Materially Impact Our Financial Statements
From time to time, accounting standards setters change the financial accounting and reporting standards that govern the preparation of our financial statements. These changes can be difficult to predict and can materially impact how we record and report our financial condition and results of operations. In some cases, we could be required to apply a new or revised standard retroactively, resulting in changes to previously reported financial results or a cumulative charge to retained earnings. See Note 19 - Accounting Standards Updates in the notes to consolidated financial statements included in Item 8. Financial Statements and Supplementary Data elsewhere in this report for further information regarding pending accounting standards updates.
We May Not Be Able To Attract and Retain Skilled People
Our success depends, in large part, on our ability to attract and retain key people. Competition for the best people in many activities engaged in by us is intense including with respect to compensation and emerging workplace practices, accommodations and remote work options, and we may not be able to hire people or to retain them. We do not currently have employment agreements or non-competition agreements with any of our executive officers. The unexpected loss of services of key personnel could have a material adverse impact on our business, financial condition and results of operations because of their customer relationships, skills, knowledge of our market, years of industry experience and the difficulty of promptly finding qualified replacement personnel. In addition, the scope and content of U.S. banking regulators' policies on incentive compensation, as well as changes to these policies, could adversely affect our ability to hire, retain and motivate our key employees.
Severe Weather, Natural Disasters, Acts Of War Or Terrorism, Pandemics, and Other Adverse External Events Could Significantly Impact Our Business and Our Customers
Severe weather, natural disasters, acts of war or terrorism, pandemics, and other adverse external events could have a significant impact on our ability to conduct business. In addition, such events could affect the stability of our deposit base, impair the ability of borrowers to repay outstanding loans, impair the value of collateral securing loans, cause significant property damage, result in loss of revenue and/or cause us to incur additional expenses. Furthermore, the occurrence of any such event in the future could have a material adverse effect on our business, which, in turn, could have a material adverse effect on our financial condition and results of operations.
Climate Related Risks Could Have a Material Negative Impact on Us and Our Customers
Our business, as well as the operations and activities of our customers, could be negatively impacted by climate-related risks in both the short-term and the long-term.
Climate change exposes us and our customers to physical risk as its effects may lead to more frequent and more extreme weather events, such as prolonged droughts or flooding, tornados, hurricanes, wildfires and extreme seasonal weather; and longer-term shifts, such as increasing average temperatures, ozone depletion and rising sea levels. Such events and long-term shifts may damage, destroy or otherwise impact the value or productivity of our properties and other assets; increase the premiums for and reduce the availability of insurance; and/or disrupt our operations and other activities through prolonged outages. Such events and long-term shifts may also have a significant impact on our customers, which could amplify credit risk by diminishing borrowers’ repayment capacity or collateral values, and other businesses and counterparties with whom we transact, which could have a broader impact on the economy, supply chains and distribution networks.
In addition, due to divergent policies and viewpoints regarding climate change, we are at increased risk of being subject to different and potentially conflicting legal or regulatory requirements and stakeholder expectations, as well as the risk of harm to our business and brand and our ability to attract and retain employees from negative public opinion related to any of our actual or perceived action or inaction in response to climate-related matters. Furthermore, ongoing legislative or regulatory uncertainties and changes regarding climate-related matters and practices may result in higher regulatory, compliance, credit and other risks and costs, and may subject us to different and potentially conflicting requirements. Ongoing legislative or regulatory uncertainties and changes regarding climate risk management and practices may result in higher regulatory, compliance, credit and reputational risks and costs, and may subject us to different and potentially conflicting requirements.
ITEM 1B. UNRESOLVED STAFF COMMENTS
None
35
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
Our risk management program is designed to identify, assess, and mitigate risks across various aspects of our company, including financial, operational, regulatory, and legal. Cybersecurity is a critical component of this program, given the increasing reliance on technology and potential of cyber threats. Our Chief Information Security Officer is primarily responsible for this cybersecurity component and is a key member of the risk management organization, reporting directly to the Chief Risk Officer and as discussed below, periodically to the Technology and Cybersecurity Committee of our board of directors.
Our objective for managing cybersecurity risk is to proactively identify, mitigate, and respond to the most impactful cyber threats. The information security program is designed to safeguard customer assets and information and ensure the confidentiality, integrity, and availability of our systems, while maintaining operational resilience and alignment with regulatory standards. The structure of our information security program is designed around the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, regulatory guidance, and other industry standards. In addition, we leverage certain industry and government associations, third-party benchmarking, audits, and threat intelligence feeds to facilitate and promote program effectiveness. Our Chief Information Security Officer and our Chief Information Officer, who reports directly to our Chief Consumer Banking Officer, along with key members of their teams, regularly collaborate with peer banks, industry groups, and policymakers to discuss cybersecurity trends and issues and identify best practices. The information security program is reviewed annually with the goal of addressing changing threats and conditions. The information security program is periodically reviewed by such personnel with the goal of addressing changing threats and conditions.
We employ an in-depth, layered, defensive strategy that embraces a “security by design” philosophy when designing new products, services, and technology. We leverage people, processes, and technology as part of our efforts to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools designed to monitor, block, and provide alerts regarding suspicious activity, as well as to report on suspected advanced persistent threats. We have established processes and systems designed to mitigate cyber risk, including regular and on-going education and training for employees, preparedness simulations and tabletop exercises, and recovery and resilience tests. We engage in regular assessments of our infrastructure, software systems, and network architecture, using internal cybersecurity experts and third-party specialists. We also maintain a third-party risk management program designed to identify, assess, and manage risks, including cybersecurity risks, associated with external service providers and our supply chain. We also actively monitor our communication channels for malicious phishing campaigns and monitor remote connections. We leverage internal auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management program. We leverage internal and external auditors and independent external partners to periodically review our processes, systems, and controls, including with respect to our information security program, to assess their design and operating effectiveness and make recommendations to strengthen our risk management program.
We maintain an Incident Response Plan that provides a documented framework for responding to actual or potential cybersecurity incidents, including timely notification of and escalation to the appropriate Board-approved management committees, as discussed further below, to the Technology and Cybersecurity Committee of our board of directors, and external agencies. The Incident Response Plan is coordinated through the Chief Information Security Officer and key members of management are embedded into the Plan by its design. The Incident Response Plan facilitates coordination across multiple parts of our organization and is evaluated at least annually.
Notwithstanding our defensive measures and processes, the threat posed by cyber-attacks is severe. Our internal systems, processes, and controls are designed to mitigate loss from cyber-attacks and, while we have experienced cybersecurity incidents in the past, to date, cybersecurity incidents and risks from cybersecurity threats have not materially affected our company. For further discussion of risks from cybersecurity threats, see the section captioned “Our Information Systems May Experience Failure, Interruption Or Breach In Security” in Item 1A. Risk Factors.
Governance
Our Chief Information Security Officer is responsible for managing our enterprise information security department and delivering our information security program. The responsibilities of this department include cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity access governance, third-party risk management, information governance risk and compliance, and business resilience. The foregoing responsibilities are covered on a day-to-day basis by a first line of defense function, and our second line of defense function, including the Chief Information Security Officer, provides guidance, oversight,
36
monitoring and challenge of the first line’s activities. The second line of defense function is separated from the first line of defense function through organizational structure and ultimately reports directly to the Chief Risk Officer. The second line of defense function is separated from the first 36Table of Contentsline of defense function through organizational structure and ultimately reports directly to the Chief Risk Officer. The department, as a whole, consists of information security professionals with varying degrees of education and experience. Individuals within the department are generally subject to professional education and certification requirements. In particular, our Chief Information Security Officer has substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management.
Our board of directors has approved management committees including the Information Technology Risk Committee, which focuses on technology impact, and the Information Security Oversight Committee, which focuses on business impact. These committees provide oversight and governance of the technology program and the information security program. These committees are chaired by managers within the enterprise information security department and include the Chief Information Security Officer and Chief Information Officer as well as their direct reports and other key departmental managers from throughout the entire company. These committees generally meet monthly (in the case of the Information Technology Risk Committee) and quarterly (in the case of the Information Security Oversight Committee) to provide oversight of the risk management strategy, standards, policies, practices, controls, and mitigation and prevention efforts employed to manage security risks. More frequent meetings occur from time to time in accordance with the Incident Response Plan in order to facilitate timely informing and monitoring efforts. The Chief Information Security Officer reports summaries of key issues, including significant cybersecurity and/or privacy incidents, discussed at committee meetings and the actions taken to the Technology and Cybersecurity Committee of our board of directors on a quarterly basis (or more frequently as may be required by the Incident Response Plan). The Chief Information Security Officer reports summaries of key issues, including significant cybersecurity and/or privacy incidents, discussed at committee meetings and the actions taken to the Technology Committee of our board of directors on a quarterly basis (or more frequently as may be required by the Incident Response Plan).
The Technology and Cybersecurity Committee of our board of directors meets quarterly and is responsible for overseeing our information security and technology programs, including management’s actions to identify, assess, mitigate, and remediate or prevent material cybersecurity issues and risks. Our Chief Information Security Officer and our Chief Information Officer provide quarterly reports to the Technology and Cybersecurity Committee of our board of directors regarding the information security program and the technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. Our Chief Information Security Officer and our Chief Information Officer provide quarterly reports to the Technology Committee of our board of directors regarding the information security program and the technology program, key enterprise cybersecurity initiatives, and other matters relating to cybersecurity processes. The Technology and Cybersecurity Committee of our board of directors reviews our information security and technology budgets and strategies annually. The Technology Committee of our board of directors reviews and approves our information security and technology budgets and strategies annually. Additionally, the Risk Committee of our board of directors reviews our cyber security risk profile on a quarterly basis. The Technology and Cybersecurity Committee and Risk Committee of our board of directors each provide a report of their activities to the full board of directors at each board meeting. The Technology Committee and Risk Committee of our board of directors each provide a report of their activities to the full board of directors at each board meeting.
Recently Filed
Click on a ticker to see risk factors
Ticker * File Date
AAT 7 hours ago
LVS 7 hours ago
RTX 7 hours ago
APTV 7 hours ago
SYF 7 hours ago
POWI 7 hours ago
MAA 7 hours ago
CHAC 7 hours ago
VTR 8 hours ago
ELV 9 hours ago
MSCI 9 hours ago
HNOI 10 hours ago
HAL 10 hours ago
AXP 11 hours ago
RLEA 12 hours ago
ATR 12 hours ago
MTD 12 hours ago
TXN 13 hours ago
UNP 14 hours ago
OMF 15 hours ago
BIIB 16 hours ago
PM 17 hours ago
AMZN 1 day, 5 hours ago
RDDT 1 day, 6 hours ago
CCIX 1 day, 6 hours ago
VRSN 1 day, 7 hours ago
CUZ 1 day, 7 hours ago
XPO 1 day, 7 hours ago
PINE 1 day, 7 hours ago
BYRN 1 day, 7 hours ago
BKR 1 day, 7 hours ago
OTIS 1 day, 8 hours ago
APPF 1 day, 8 hours ago
LUV 1 day, 8 hours ago
BSET 1 day, 8 hours ago
CFR 1 day, 8 hours ago
HII 1 day, 8 hours ago
CARR 1 day, 8 hours ago
TT 1 day, 8 hours ago
FAST 1 day, 12 hours ago
SIRI 1 day, 14 hours ago
IDCC 1 day, 15 hours ago
ICE 1 day, 15 hours ago
OCUL 1 day, 16 hours ago
TW 1 day, 17 hours ago
AMD 3 days, 5 hours ago
PYPL 3 days, 7 hours ago
KREF 3 days, 7 hours ago
ISRG 3 days, 7 hours ago
DOC 3 days, 7 hours ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard