Risk Factors - CIZN

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

$CIZN Risk Factor changes from 00/03/16/23/2023 to 00/03/29/24/2024

ITEM 1A. RISK FACTORS. In addition to the other information contained in or incorporated by reference into this report and the exhibits hereto, the following risk factors should be considered carefully in evaluating the Company’s business. In addition to the other information contained in or incorporated by reference into this report and the exhibits hereto, the following risk factors should be considered carefully in evaluating the Company’s business. The risks disclosed below, either alone or in combination, could materially adversely affect the business, prospects, financial condition or results of operations of the Company and/or the Bank. Additional risks not presently known to the Company, or that the Company currently deems immaterial, may also adversely affect the Company’s business, financial condition or results of operations. 11 Table of Contents Risks Related to The Company’s Business and Industry The Company is subject to interest rate risk. 11 Risks Related To The Company’s Business and Industry The Company is subject to interest rate risk. One of the most important aspects of management’s efforts to sustain long-term profitability for the Company is the management of interest rate risk. Management’s goal is to maximize net interest income within acceptable levels of interest-rate risk and liquidity. The Company’s assets and liabilities are principally financial in nature and the resulting earnings thereon are subject to significant variability due to the timing and extent to which the Company can reprice the yields on interest-earning assets and the costs of interest bearing liabilities as a result of changes in market interest rates. Interest rates in the financial markets affect the Company’s decisions on pricing its assets and liabilities, which impacts net interest income, an important cash flow stream for the Company. As a result, a substantial part of the Company’s risk-management activities is devoted to managing interest-rate risk. Currently, the Company does not have any significant risks related to foreign currency exchange, commodities or equity risk exposures. The Company’s earnings and cash flows are largely dependent upon the net interest income of the Company. Net interest income is the difference between interest earned on assets, such as loans and securities, and the cost of interest-bearing liabilities, such as deposits and borrowed funds. Interest rates are highly sensitive to many factors that are beyond the Company’s control, including general economic conditions and policies of various governmental and regulatory agencies and, in particular, the FRB. Changes in monetary policy, including changes in interest rates, could influence not only the interest the Company receives on loans and securities and the amount of interest the Company pays on deposits and borrowings, but such changes could also affect (i) the Company’s ability to originate loans and obtain deposits, which could reduce the amount of fee income generated; (ii) the fair value of the Company’s financial assets and liabilities; and (iii) the average duration of the Company’s mortgage-backed securities portfolio. If the interest rates paid on deposits and other borrowings increase at a faster rate than the interest rates received on loans and other investments, the Company’s net interest income could be adversely affected, which in turn could negatively affect its earnings. Earnings could also be adversely affected if the interest rates received on loans and other investments fall more quickly than the interest rates paid on deposits and other borrowings. Interest rates increased significantly in 2022 and 2023, and these increases may continue in as the U. Interest rates increased significantly in 2022 and additional increases are expected in 2023 as the U. S. government attempts to slow economic growth to counteract rising inflation. Although management believes it has implemented effective asset and liability management strategies to reduce the potential effects of changes in interest rates on the results of operations of the Company, any substantial, unexpected, prolonged change in market interest rates could have a material adverse effect on the Company’s financial condition and results of operations. For the reasons set forth above, an increase in interest rates generally as a result of such a credit rating downgrade could adversely affect our net interest income levels, thereby resulting in reduced earnings, and reduce loan demand. Volatility in interest rates may also result in disintermediation, which is the flow of funds away from financial institutions into direct investments, such as United States Government and Agency securities and other investment vehicles, including mutual funds, which generally pay higher rates of return than financial institutions because of the absence of federal insurance premiums and reserve requirements. Disintermediation could also result in material adverse effects on the Company’s financial condition and results of operations. 12 Table of Contents A discussion of the policies and procedures used to identify, assess and manage certain interest rate risk is set forth in Item 7A, “Quantitative and Qualitative Disclosures about Market Risk. 12 A discussion of the policies and procedures used to identify, assess and manage certain interest rate risk is set forth in Item 7A, “Quantitative and Qualitative Disclosures about Market Risk. ” The Company is subject to risks related to recent events impacting the financial services industry.” The Company is subject to environmental liability risk associated with lending activities. The high-profile bank failures of Silicon Valley Bank and Signature Bank in March 2023 and First Republic Bank in May 2023 have generated significant market volatility among publicly traded bank holding companies and, in particular, regional banks. These market developments have negatively impacted customer confidence in the safety and soundness of regional banks. As a result, customers may choose to maintain deposits with larger financial institutions or invest in higher yielding short-term fixed income securities, all of which could materially adversely impact our liquidity, cost of funding, loan funding capacity, net interest margin, capital and results of operations. These events are occurring during a period of continued interest rate increases by the Federal Reserve which, among other things, have resulted in unrealized losses in longer-duration securities held by banks, increased competition for bank deposits and the possibility of an increase in the risk of a potential recession. These recent events have, and could continue to, adversely impact the market price and volatility of the Company’s common stock. These rapid bank failures have also highlighted risks associated with advances in technology that increase the speed at which information, concerns and rumors can spread through traditional and new media, and increase the speed at which deposits can be moved from bank to bank or outside the banking system, heightening liquidity concerns of traditional banks. While regulators and large banks have taken steps designed to increase liquidity at regional banks and strengthen depositor confidence in the broader banking industry, there can be no guarantee that these steps will stabilize the financial services industry and financial markets. In addition, regulators may adopt new regulations or increase FDIC insurance costs, which could increase our costs of doing business. The Company is subject to lending risk. There are inherent risks associated with the Company’s lending activities. These risks include, among other things, the impact of changes in interest rates and changes in the economic conditions in the markets where the Company operates as well as those across the United States. Increases in interest rates or weakening economic conditions could adversely impact the ability of borrowers to repay outstanding loans or the value of the collateral securing these loans. As of December 31, 2023, approximately 80.7% of the Company’s loan portfolio consisted of commercial, construction and commercial real estate loans. These types of loans are generally viewed as having more risk of default than residential real estate loans or consumer loans due primarily to the large amounts loaned to individual borrowers. Because the loan portfolio contains a significant number of commercial, construction and commercial real estate loans with relatively large balances, the deterioration of one or a few of these loans could cause a significant increase in non-performing loans. An increase in non-performing loans could result in a net loss of earnings from these loans, an increase in the provision for possible loan losses and an increase in loan charge-offs, all of which could have a material adverse effect on the Company’s financial condition and results of operations. 13 Table of Contents Delays in the Company’s ability to foreclose on delinquent mortgage loans may negatively impact our business. As business necessitates, the Company forecloses on and takes title to real estate serving as collateral for loans. The amount of other real estate held by the Company may increase in the future as a result of, among other things, business combinations, increased uncertainties in the housing market or increased levels of credit stress in residential real estate loan portfolios. Increased other real estate balances could lead to greater expenses as the Company incurs costs to manage, maintain and dispose of real properties as well as to remediate any environmental cleanup costs incurred in connection with any contamination discovered on real property on which the Company has foreclosed and to which the Company has taken title. As a result, the Company’s earnings could be negatively affected by various expenses associated with other real estate owned, including personnel costs, insurance and taxes, completion and repair costs, valuation adjustments and other expenses associated with real property ownership, as well as by the funding costs associated with other real estate assets. The expenses associated with holding a significant amount of other real estate could have a material adverse effect on the Company’s financial condition or results of operations. The allowance for possible loan losses may be insufficient. 13 The allowance for possible loan losses may be insufficient. Although the Company tries to maintain diversification within its loan portfolio in order to minimize the effect of economic conditions within a particular industry, management also maintains an allowance for loan losses, which is a reserve established through a provision for loan losses charged to expense, to absorb probable credit losses inherent in the entire loan portfolio. Although the Company tries to maintain diversification within its loan portfolio in order to minimize the effect of economic conditions within a particular industry, management also maintains an allowance for loan losses, which is a reserve established through a provision for loan losses charged to expense, to absorb probable credit losses inherent in the entire loan portfolio. The appropriate level of the allowance is based on management’s quarterly analysis of the loan portfolio and represents an amount that management deems adequate to provide for inherent losses, including collective impairment. Among other considerations in establishing the allowance for loan losses, management considers economic conditions reflected within industry segments, the unemployment rate in the Company’s markets, loan segmentation and historical losses that are inherent in the loan portfolio. The determination of the appropriate level of the allowance for loan losses inherently involves a high degree of subjectivity and requires management to make significant estimates of current credit risks and future trends, all of which may undergo material changes. Changes in economic conditions affecting borrowers, new information regarding existing loans, identification of additional problem loans and other factors, both within and outside of the Company’s control, may require an increase in the allowance for loan losses. In addition, bank regulatory agencies periodically review the allowance for loan losses and may require an increase in the provision for loan losses or the recognition of further loan charge-offs, based on judgments different than those of management. In addition, if charge-offs in future periods exceed the allowance for loan losses, the Company will need additional provisions to increase the allowance for loan losses. Any increases in the allowance for loan losses will result in a decrease in net income and, possibly, capital, and may have a material adverse effect on the Company’s financial condition and results of operations. A discussion of the policies and procedures related to management’s process for determining the appropriate level of the allowance for loan losses is set forth in Item 7, “Management’s Discussion and Analysis of Financial Condition and Results of Operations.” 14 Table of Contents The Company is subject to environmental liability risk associated with lending activities. A significant portion of the loan portfolio is secured by real property. During the ordinary course of business, the Company may foreclose on and take title to properties securing certain loans. In doing so, there is a risk that hazardous or toxic substances could be found on these properties. If hazardous or toxic substances are found, the Company may be liable for remediation costs, as well as for personal injury and property damage. Environmental laws may require the Company to incur substantial expenses and may materially reduce the affected property’s value or limit the ability of the Company to use or sell the affected property. In addition, future laws or more stringent interpretations or enforcement policies with respect to existing laws may increase the Company’s exposure to environmental liability. Although management has policies and procedures to perform an environmental review during the loan application process and also before initiating any foreclosure action on real property, these reviews may not be sufficient to detect all potential environmental hazards. The remediation costs and any other financial liabilities associated with an environmental hazard could have a material adverse effect on the Company’s financial condition and results of operations. The profitability of the Company depends significantly on economic conditions in the State of Mississippi. The Company’s success depends primarily on the general economic conditions of the State of Mississippi and the specific local markets in which it operates. Unlike larger national or other regional banks that are more geographically diversified, the Company provides banking and financial services to customers primarily in the state of Mississippi. The local economic conditions in this area have a significant impact on the demand for the Company’s products and services, as well as the ability of its customers to repay loans, the value of the collateral securing loans and the stability of its deposit funding sources. The Company is subject to extensive government regulation and supervision. The Company is subject to accounting estimate risks. The Company and the Bank are subject to extensive federal and state regulation and supervision. Banking regulations are primarily intended to protect depositors’ funds, federal deposit insurance funds and the banking system as a whole, not security holders. These regulations and supervisory guidance affect the Company’s lending practices, capital structure, investment practices, dividend policy and growth, among other things. Congress and federal regulatory agencies continually review banking laws, regulations, and policies for possible changes. Changes to statutes, regulations or regulatory policies or supervisory guidance, including changes in interpretation or implementation or statutes, regulations, policies and supervisory guidance, could affect the Company in substantial and unpredictable ways. Such changes could subject the Company to additional costs, limit the types of financial services and products the Company may offer and/or increase the ability of nonbanks to offer competing financial services and products, among other things. Failure to comply with laws, regulations, policies or supervisory guidance could result in enforcement and other legal actions by Federal or state authorities, including criminal and civil penalties, the loss of FDIC insurance, the revocation of a banking charter, civil money penalties, other sanctions by regulatory agencies and/or reputational damage. In this regard, government authorities, including bank regulatory agencies, continue to pursue enforcement agendas with respect to compliance and other legal matters involving financial activities, which heightens the risks associated with actual and perceived compliance failures. Any of the foregoing could have a material adverse effect on the Company’s financial condition or results of operations. 15 Table of Contents We are subject to claims and litigation. From time to time, customers and others make claims and take legal action pertaining to our performance of our responsibilities. Whether customer claims and legal action related to our performance of our responsibilities are founded or unfounded, or if such claims and legal actions are not resolved in a manner favorable to us, they may result in significant financial liability and/or adversely affect the market perception of us and our products and services, as well as impact customer demand for those products and services. Any financial liability or reputation damage could have a material adverse effect on our business, which, in turn, could have a material adverse effect on our financial condition and results of operations. The Company operates in a highly competitive financial services industry. The Company faces substantial competition in all areas of its operations from a variety of different competitors, many of which are larger and may have greater financial resources. Such competitors primarily include banks, as well as community banks operating nationwide and regionally within the various markets in which the Company operates. The Company also faces competition from many other types of financial institutions, including savings and loans, credit unions, finance companies, brokerage firms, insurance companies, factoring companies and other financial intermediaries. Additionally, fintech developments, such as blockchain and other distributed ledger technologies, have the potential to disrupt the financial industry and change the way banks do business. The financial services industry could become even more competitive as a result of legislative, regulatory and technological changes and continued consolidation. Some of the Company’s competitors have fewer regulatory constraints and may have lower cost structures. 15 Some of the Company’s competitors have fewer regulatory constraints and may have lower cost structures. Additionally, due to their size, many of the Company’s larger competitors may be able to achieve economies of scale and, as a result, may offer a broader range of products and services as well as better pricing for those products and services than the Company. The Company’s ability to compete successfully depends on a number of factors, including: the ability to develop, maintain and build upon long-term customer relationships based on top quality service, high ethical standards and safe, sound assets; the ability to continue to expand the Company’s market position through organic growth and acquisitions; the scope, relevance and pricing of products and services offered to meet customer needs and demands; the rate at which the Company’s introduces new products and services relative to its competitors; and industry and general economic trends. Failure to perform in any of these areas could significantly weaken the Company’s competitive position, which could adversely affect the Company’s financial condition or results of operations. 16 Table of Contents We are subject to a variety of operational risks, including the risk of fraud or theft by employees, which may adversely affect our business and results of operations. We are exposed to many types of operational risks, including liquidity risk, credit risk, market risk, interest rate risk, legal and compliance risk, strategic risk, information security risk, and reputational risk. We are also reliant upon our employees, and our operations are subject to the risk of fraud, theft or malfeasance by our employees. We have established processes and procedures intended to identify, measure, monitor, report and analyze these risks, however, there are inherent limitations to our risk management strategies as there may exist, or develop in the future, risks that we have not appropriately anticipated, monitored or identified. If our risk management framework proves ineffective, we could suffer unexpected losses, we may have to expend resources detecting and correcting the failure in our systems and we may be subject to potential claims from third parties and government agencies. We may also suffer severe reputational damage. Any of these consequences could adversely affect our business, financial condition or results of operations. In particular, the unauthorized disclosure, misappropriation, mishandling or misuse of personal, non-public, confidential or proprietary information of customers could result in significant regulatory consequences, reputational damage and financial loss. Our risk management policies and procedures may not be fully effective in identifying or mitigating risk exposure in all market environments or against all types of risk, including employee misconduct. We have devoted significant resources to develop our risk management policies and procedures and will continue to do so. Nonetheless, our policies and procedures to identify, monitor and manage risks may not be fully effective in mitigating our risk exposure in all market environments or against all types of risk. Many of our methods of managing risk and exposures are based upon our use of observed historical market behavior or statistics based on historical models. During periods of market volatility or due to unforeseen events, the historically derived correlations upon which these methods are based may not be valid. As a result, these methods may not predict future exposures accurately, which could be significantly greater than what our models indicate. This could cause us to incur investment losses or cause our hedging and other risk management strategies to be ineffective. Other risk management methods depend upon the evaluation of information regarding markets, clients, catastrophe occurrence or other matters that are publicly available or otherwise accessible to us, which may not always be accurate, complete, up-to-date or properly evaluated. Moreover, we are subject to the risks of errors and misconduct by our employees and advisors, such as fraud, non-compliance with policies, recommending transactions that are not suitable, and improperly using or disclosing confidential information. 16 Moreover, we are subject to the risks of errors and misconduct by our employees and advisors, such as fraud, non-compliance with policies, recommending transactions that are not suitable, and improperly using or disclosing confidential information. These risks are difficult to detect in advance and deter, and could harm our business, results of operations or financial condition. Management of operational, legal and regulatory risks requires, among other things, policies and procedures to record properly and verify a large number of transactions and events, and these policies and procedures may not be fully effective in mitigating our risk exposure in all market environments or against all types of risk. Insurance and other traditional risk-shifting tools may be held by or available to us in order to manage certain exposures, but they are subject to terms such as deductibles, coinsurance, limits and policy exclusions, as well as risk of counterparty denial of coverage, default or insolvency. 17 Table of Contents The Company may be required to pay significantly higher FDIC premiums in the future. The FDIC insures deposits at FDIC insured financial institutions, including the Bank. The FDIC charges the insured financial institutions premiums to maintain the Deposit Insurance Fund at an adequate level. The FDIC may increase these rates and impose additional special assessments in the future, which could have a material adverse effect on future earnings. The Company’s controls and procedures may fail or be circumvented. Management regularly reviews and updates the Company’s internal control over financial reporting, disclosure controls and procedures and corporate governance policies and procedures. Any system of controls, however well designed and operated, has inherent limitations, including the possibility that a control can be circumvented or overridden, and misstatements due to error or fraud may occur and not be detected. Also, because of changes in conditions, internal control effectiveness may vary over time. Accordingly, even an effective system of internal control will provide only reasonable assurance with respect to the Company’s adherence to financial reporting, disclosure and corporate governance policies and procedures. The Company may be adversely affected by the soundness of other financial institutions. Financial institutions are interrelated as a result of trading, clearing, counterparty, or other relationships. The Company has exposure to many different industries and counterparties, and routinely executes transactions with counterparties in the financial services industry, including commercial banks, brokers and dealers, investment banks, and other institutional clients. Many of these transactions expose the Company to credit risk in the event of a default by a counterparty or client. In addition, the Company’s credit risk may be exacerbated when the collateral held by the Company cannot be realized or is liquidated at prices not sufficient to recover the full amount of the credit or derivative exposure due to the Company. Any such losses could have a material adverse effect on the Company’s financial condition and results of operations. The Company relies on third party vendors for a number of key components of its business. 17 The Company relies on third party vendors for a number of key components of its business. The Company contracts with a number of third party vendors to support its infrastructure. Many of these vendors are large national companies who are dominant in their area of expertise and would be difficult to quickly replace. Failures of certain vendors to provide services could adversely affect the Company’s ability to deliver products and services to its customers, disrupting its business and causing it to incur significant expense. External vendors also present information security risks. The Company is substantially dependent on dividends from the Bank for its revenues. The Company is a separate and distinct legal entity from the Bank, and it receives substantially all of its revenue from dividends from the Bank. These dividends are the principal source of funds to pay dividends on its common stock and interest and principal on debt. Various federal and state laws and regulations limit the amount of dividends that the Bank may pay to the Company. In the event the Bank is unable to pay dividends to the Company, it may not be able to pay obligations or pay dividends on the Company’s common stock. The inability to receive dividends from the Bank could have a material adverse effect on the Company’s business, prospects, financial condition and results of operations. The information under the heading “Supervision and Regulation” in Item 1, “Business,” provides a discussion about the restrictions governing the Bank’s ability to transfer funds to the Company. 18 Table of Contents Potential acquisitions may disrupt the Company’s business and dilute shareholder value. From time-to-time, the Company evaluates merger and acquisition opportunities and conducts due diligence activities related to possible transactions with other financial institutions. As a result, merger or acquisition discussions and, in some cases, negotiations may take place, and future mergers or acquisitions involving cash, debt or equity securities may occur at any time. Acquiring other banks, businesses or branches involves various risks commonly associated with acquisitions, including, among other things: ● potential exposure to unknown or contingent liabilities of the target company; ● exposure to potential asset quality issues of the target company; ● difficulty and expense of integrating the operations and personnel of the target company; ● potential disruption to the Company’s business; ● potential diversion of management’s time and attention; ● the possible loss of key employees and customers of the target company; ● difficulty in estimating the value of the target company; and ● potential changes in banking or tax laws or regulations that may affect the target company. Acquiring other banks, businesses or branches involves various risks commonly associated with acquisitions, including, among other things: ● potential exposure to unknown or contingent liabilities of the target company; ● exposure to potential asset quality issues of the target company; ● difficulty and expense of integrating the operations and personnel of the target company; ● potential disruption to the Company’s business; ● potential diversion of management’s time and attention; ● the possible loss of key employees and customers of the target company; ● difficulty in estimating the value of the target company; and ● potential changes in banking or tax laws or regulations that may affect the target company. In addition, acquisitions typically involve the payment of a premium over book and market values, and, therefore, some dilution of the Company’s tangible book value and net income per common share may occur in connection with any future transaction. In addition, acquisitions typically involve the payment of a premium over book and market values, and, therefore, some dilution of the Company’s tangible book value and net income per common share may occur in connection with any future transaction. Furthermore, failure to realize the expected revenue increases, cost savings, increases in geographic or product presence, or other projected benefits from an acquisition could have a material adverse effect on the Company’s business, prospects, financial condition and results of operations. The Company’s information systems may experience an interruption or breach in security. 18 The Company’s information systems may experience an interruption or breach in security. Evolving technologies and the need to protect against and react to cybersecurity risks and electronic fraud requires significant resources. The Company relies heavily on communications and information systems to conduct its business. Furthermore, the Bank provides its customers the ability to bank online. The secure transmission of confidential information over the Internet is a critical element of online banking. The Company needs to invest in information technology to keep pace with technology changes, and while the Company invests amounts it believes will be adequate, it may fail to invest adequate amounts such that the efficiency of information technology systems fails to meet operational needs. Any failure, interruption or breach in security of these systems could result in failures or disruptions in its customer relationship management, general ledger, deposit, loan and other systems. While the Company has policies and procedures designed to prevent or limit the effect of the failure, interruption or security breach of the Company’s information systems, there can be no assurance that any such failures, interruptions or security breaches will be prevented, and if they occur, that they will be adequately addressed. Additionally, to the extent the Company relies on third party vendors to perform or assist operational functions, the challenge of managing the associated risks becomes more difficult. The occurrence of any failures, interruptions or security breaches of the Company’s information systems could damage its reputation, result in a loss of customer business, subject the Company to additional regulatory scrutiny, or expose it to civil litigation and possible financial liability, any of which could have a material adverse effect on the financial condition and results of operations of the Company. 19 Table of Contents The operational functions of business counterparties may experience similar disruptions that could adversely impact us and over which the Company may have limited or no control. Over the course of the past few years, companies such as major retailers have experienced data systems incursions reportedly resulting in the thefts of credit and debit card information, online account information, and other financial data of tens of millions of the retailers’ customers. Over the course of the past few years, companies such as major retailers have experienced data systems incursions reportedly resulting in the thefts of credit and debit card information, online account information, and other financial data of tens of millions of the retailers’ customers. Retailer incursions affect cards issued and deposit accounts maintained by many banks, including the Bank. Although the Bank systems are not breached in retailer incursions, these events can cause the Bank to reissue a significant number of cards and take other costly steps to avoid significant theft loss to the Bank and its customers. Other possible points of incursion or disruption not within the Bank’s control include internet service providers, electronic mail portal providers, social media portals, distant-server (“cloud”) service providers, electronic data security providers, telecommunications companies, and smart phone manufacturers. The Company continually encounters technological change and we may not have the resources to implement new technology. The Company’s industry is continually undergoing rapid technological change with frequent introductions of new technology-driven products and services. The effective use of technology increases efficiency and enables financial institutions to better serve customers and reduce costs. The Company’s future success depends, in part, upon its ability to address the needs of its customers by using technology to provide products and services that will satisfy customer demands, as well as to create additional efficiencies in the Company’s operations. Many of the Company’s competitors have substantially greater resources to invest in technological improvements. The Company may not be able to effectively implement new technology-driven products and services or be successful in marketing these products and services to its customers. Failure to successfully keep pace with technological change affecting the Company’s industry could have a material adverse impact on its business and, in turn, the Company’s financial condition and results of operations. Consumers may decide not to use banks to complete their financial transactions. 19 Consumers may decide not to use banks to complete their financial transactions. While the Company continually attempts to use technology to offer new products and services, at the same time, technology and other changes are allowing parties to complete financial transactions that historically have involved banks through alternative methods. For example, consumers can now maintain funds in brokerage accounts, mutual funds or use electronic payment methods such as Apple Pay or PayPal, that would have historically been held as bank deposits. Consumers can also complete transactions such as paying bills or transferring funds directly without the assistance of banks. The process of eliminating banks as intermediaries, known as disintermediation, could result in the loss of fee income, as well as the loss of customer deposits and the related income generated from those deposits. The loss of these revenue streams and the lower cost deposits as a source of funds could have a material adverse effect on the Company’s financial condition and results of operations. 20 Table of Contents The Company is subject to accounting estimate risks. The preparation of the Company’s consolidated financial statements in conformity with generally accepted accounting principles requires management to make significant estimates that affect the financial statements. The Company’s most critical estimate is the level of the allowance for credit losses. However, other estimates occasionally become highly significant, especially in volatile situations such as litigation and other loss contingency matters. Estimates are made at specific points in time; as actual events unfold, estimates are adjusted accordingly. Due to the inherent nature of these estimates, it is possible that, at some time in the future, the Company may significantly increase the allowance for credit losses or sustain credit losses that are significantly higher than the provided allowance, or the Company may make some other adjustment that will differ materially from the estimates that the Company makes today. Risks Associated With the Company’s Common Stock The trading volume in the Company’s common stock is less than that of other larger bank holding companies. The Company’s common stock is quoted on the OTCQX Market. The Company’s common stock is listed for trading on NASDAQ Global Market. The average daily trading volume in the Company’s common stock is low, generally less than that of many of its competitors and other larger bank holding companies. A public trading market having the desired characteristics of depth, liquidity and orderliness depends on the presence in the marketplace of willing buyers and sellers of the Company’s common stock at any given time. This presence depends on the individual decisions of investors and general economic and market conditions over which the Company has no control. Given the lower trading volume of the Company’s common stock, significant sales of the Company’s common stock, or the expectation of these sales, could cause volatility in the price of the Company’s common stock. Issuing additional shares of our common stock to acquire other banks, bank holding companies, financial holding companies and/or insurance agencies may result in dilution for existing shareholders and may adversely affect the market price of our stock. 20 Issuing additional shares of our common stock to acquire other banks, bank holding companies, financial holding companies and/or insurance agencies may result in dilution for existing shareholders and may adversely affect the market price of our stock. We may issue, in the future, shares of our common stock to acquire additional banks, bank holding companies, and other businesses related to the financial services industry that may complement our organizational structure. Resales of substantial amounts of common stock in the public market and the potential of such sales could adversely affect the prevailing market price of our common stock and impair our ability to raise additional capital through the sale of equity securities. We may be required to pay an acquisition premium above the fair market value of acquired assets for acquisitions. Paying this acquisition premium, in addition to the dilutive effect of issuing additional shares, may also adversely affect the prevailing market price of our common stock. 21 Table of Contents The Company’s Articles of Incorporation and Bylaws, as well as certain banking laws, may have an anti-takeover effect.

Provisions of the Company’s Articles of Incorporation and Bylaws, which are exhibits to this Annual Report on Form 10-K, and the federal banking laws, including regulatory approval requirements, could make it more difficult for a third party to acquire the Company, even if doing so would be perceived to be beneficial to the Company’s shareholders. The combination of these provisions impedes a non-negotiated merger or other business combination, which, in turn, could adversely affect the market price of the Company’s common stock. General Risk Factors The Company is subject to risk from adverse economic conditions. Our operations and profitability are impacted by general business and economic conditions in the State of Mississippi, and the United States. Our operations and profitability are impacted by general business and economic conditions in the State of Mississippi, and the United States. These conditions include recession, short-term and long-term interest rates, inflation, money supply, political issues, international conflicts (including the conflict between Ukraine and Russia and between Israel and Hamas), legislative and regulatory changes, fluctuations in both debt and equity capital markets, broad trends in industry and finance, and the strength of the U. These conditions include recession, short-term and long-term interest rates, inflation, money supply, political issues, international conflicts (including the conflict between Ukraine and Russia), legislative and regulatory changes, fluctuations in both debt and equity capital markets, broad trends in industry and finance, and the strength of the U. S. economy and the local economies in which we operate, all of which are beyond our control. A deterioration in economic conditions could result in an increase in loan delinquencies and nonperforming assets, decreases in loan collateral values and a decrease in demand for our products and services, among other things, any of which could have a material adverse impact on our financial condition and results of operations. Negative perceptions or publicity could damage our reputation among existing and potential customers, investors, employees and advisors. Our reputation is one of our most important assets. Our ability to attract and retain customers, investors, employees and advisors is highly dependent upon external perceptions of our company. Damage to our reputation could cause significant harm to our business and prospects and may arise from numerous sources, including litigation or regulatory actions, failing to deliver minimum standards of service and quality, compliance failures, any perceived or actual weakness in our financial strength or liquidity, technological, cybersecurity, or other security breaches resulting in improper disclosure of client or employee personal information, unethical behavior and the misconduct of our employees, advisors and counterparties. Negative perceptions or publicity regarding these matters could damage our reputation among existing and potential customers, investors, employees and advisors. Adverse developments with respect to our industry may also, by association, negatively impact our reputation or result in greater regulatory or legislative scrutiny or litigation against us. In addition, the SEC and other federal and state regulators have increased their scrutiny of potential conflicts of interest. It is possible that potential or perceived conflicts could give rise to litigation or enforcement actions. It is possible also that the regulatory scrutiny of, and litigation in connection with, conflicts of interest will make our clients less willing to enter into transactions in which such a conflict may occur and will adversely affect our businesses. 22 Table of Contents The Company may not be able to attract and retain skilled people. The Company’s success depends in part on its ability to retain key executives and to attract and retain additional qualified personnel who have experience both in sophisticated banking matters and in operating a bank of the Company’s size. Competition for such personnel is strong in the banking industry, and the Company may not be successful in attracting or retaining the personnel it requires. The unexpected loss of one or more of the Company’s key personnel could have a material adverse impact on its business because of their skills, knowledge of the Company’s markets, years of industry experience and the difficulty of promptly finding qualified replacements. The Company expects to effectively compete in this area by offering financial packages that are competitive within the industry. Severe weather, natural disasters, acts of war or terrorism and other external events could significantly impact the Company’s business. The Bank has branches along the coast of Mississippi that are subject to risks from hurricanes from time to time. Severe weather, natural disasters, acts of war or terrorism, and other adverse external events could have a significant impact on the ability of the Company to conduct business. Such events could affect the stability of the Company’s deposit base, impair the ability of borrowers to repay outstanding loans, impair the value of collateral securing loans, cause significant property damage, result in loss of revenue or cause the Company to incur additional expenses. The occurrence of any such event could have a material adverse effect on the Company’s business, prospects, financial condition and results of operations. The Company’s stock price can be volatile. Stock price volatility may make it more difficult for you to sell your common stock when you want and at prices you find attractive. The Company’s stock price can fluctuate significantly in response to a variety of factors including, among other things: ● actual or anticipated variations in quarterly results of operations; ● recommendations by securities analysts; ● operating and stock performance of other companies that to be peers; ● perceptions in the marketplace regarding the Company or its competitors; ● new technology used, or services offered, by competitors; ● significant acquisitions or business combinations involving the Company or its competitors; ● failure to integrate acquisitions or realize anticipated benefits from acquisitions; ● changes in government regulations; and ● volatility affecting the financial markets in general. The Company’s stock price can fluctuate significantly in response to a variety of factors including, among other things: ● actual or anticipated variations in quarterly results of operations; ● recommendations by securities analysts; ● operating and stock performance of other companies that to be peers; ● perceptions in the marketplace regarding the Company or its competitors; ● new technology used, or services offered, by competitors; ● significant acquisitions or business combinations involving the Company or its competitors; ● failure to integrate acquisitions or realize anticipated benefits from acquisitions; ● changes in government regulations; and ● volatility affecting the financial markets in general. General market fluctuations, the potential for breakdowns on electronic trading or other platforms for executing securities transactions, industry factors and general economic and political conditions could cause the Company’s stock price to decrease regardless of operating results. 22 General market fluctuations, the potential for breakdowns on electronic trading or other platforms for executing securities transactions, industry factors and general economic and political conditions could cause the Company’s stock price to decrease regardless of operating results. 23 Table of Contents Climate change and societal responses to climate change could adversely affect the Company’s business and results of operations, including indirectly through impact to its customers. The current and anticipated effects of climate change are creating an increasing level of concern for the state of the global environment. As a result, political and social attention to the issue of climate change has increased. In recent years, governments across the world have entered into international agreements to attempt to reduce global temperatures, in part by limiting greenhouse gas emissions. The United States Congress, state legislatures and federal and state regulatory agencies have continued to propose and advance numerous legislative and regulatory initiatives seeking to mitigate the effects of climate change. These agreements and measures may result in the imposition of taxes and fees, the required purchase of emission credits and the implementation of significant operational changes, each of which may require businesses to expend significant capital and incur compliance, operating, maintenance and remediation costs. Consumers and businesses also may change their behavior on their own as a result of these concerns. It is not possible to predict how climate change may impact the Company’s financial condition and operations; however, the Company’s operates in areas where its business and the activities of its customers could be impacted by the effects of climate change. The effects of climate change may include increased frequency or severity of weather-related events, such as severe storms, hurricanes, flooding and droughts and rising sea levels. These effects can disrupt business operations, damage property, devalue assets and change customer and business preferences, which may adversely affect borrowers, increase credit risk and reduce demand for the Company’s products and services. The Company and its customers will need to respond to new laws and regulations as well as consumer and business preferences resulting from climate change concerns. The Company and its customers may face cost increases, asset value reductions, operating process changes and the like. The impact to the Company’s customers will likely vary depending on their specific attributes, including reliance on or role in carbon intensive activities. In addition, the Company could face reductions in creditworthiness on the part of some customers or in the value of assets securing loans. The Company’s efforts to take these risks into account may not be effective in protecting it from the negative impact of new laws and regulations or changes in consumer or business behavior and could have a material adverse effect on the Company’s financial condition and results of operations. ITEM 1B. ITEM 1B. UNRESOLVED STAFF COMMENTS. None. ITEM 1C. ITEM 1B. Cybersecurity Risk Management and Strategy General. The Company’s information security program, including its processes with respect to cybersecurity, is focused on protecting our systems, networks, and data from unauthorized access by a third party. Concerns about cybersecurity risks impact, at some level, every facet of the Company’s operations, from the way we structure the services we offer, to how we communicate with our customers, to our interactions with and training of employees, and to the expenditures we make when expanding and enhancing our technological infrastructure. We expect this continue to be the case as cybersecurity threats, and the means to respond to those threats, continue to evolve. 24 Table of Contents The Company has adopted a defense-in-depth philosophy that relies on multiple systems and processes to reasonably provide for the confidentiality, integrity, and availability of our systems, networks, and data. Features of our information security include: •Documentation: We have written policies and procedures that delineate the roles and responsibilities of the Company’s Board of Directors, executive management, and other employees, as well as outside parties, with respect to the various aspects of the information security program. Over the course of the past few years, companies such as major retailers have experienced data systems incursions reportedly resulting in the thefts of credit and debit card information, online account information, and other financial data of tens of millions of the retailers’ customers. This documentation helps to align the entire information security program with our efforts to maintain the integrity of the Company’s cybersecurity. These policies and procedures are reviewed and updated at least annually. •Separation of duties: Separation of duties means that, where appropriate, a task is designed to ensure that more than one person or group is responsible for its completion. We believe that separation of duties helps to prevent fraud, misuse, or other security compromise, and we apply this concept when we delegate administrative and oversight responsibilities to multiple groups for certain aspects of the information security program, including identity and access management, network management, system administration, policy oversight, monitoring, and alerting. •The principle of least privilege: Access approval for the Company’s employees is coordinated between an employee’s manager, the Company’s human resources department and the Information Technology Service Desk. The goal is to give an employee access rights to our data, applications, and other information resources only to the extent necessary for the employee to perform the functions of the particular job. Any change in employment responsibilities that requires access changes is implemented using the same access approval procedures. Finally, all remote access into the Company’s networks must include approval by the Information Security Officer (which we refer to as the “ISO”). •Vulnerability and patch management: The Company’s vulnerability management program includes internal and external scanning using third-party tools and services. Software patches are deployed based on criticality of vulnerability. Further, we track our performance in implementing patches, and if implementation timing falls below performance expectations, management will take steps to identify and remediate the root causes of implementation delays. •Risk assessments: At least annually, management conducts risk assessments to assess the existence, severity and trends of cybersecurity risks and other risks that the Company’s information security program faces. The scope of an individual risk assessment can be the whole organization, parts of the organization, an individual information system, specific system components, or services. •Log management: System security logs are consolidated by the Company’s Security Incident and Event Management system and are reviewed by the Bank’s contracted Managed Service Security Provider via both automatic and manual processes for anomalous behavior. •Incident response: The incident response process is designed to, among other things, promptly elevate a cybersecurity threat or incident to the parties responsible for leading our efforts to identify, contain and mitigate the threat or incident, notify impacted customers or other third parties and comply with applicable law, regulations, and regulatory expectations. •Employee training: Information security is an integral component of our employee training program. Training includes efforts to maintain security awareness among employees at all times by means of company-wide communications of cybersecurity risks or incidents. 25 Table of Contents The information security program applies to all the Company’s business lines and employees as well as to vendors and other third parties with access to the Company’s information systems or its confidential and proprietary information. Whenever we consider a new product or service to offer to its clients, or a new means of offering or providing an existing product or service, or a new back-office process or procedure, the implications to the Company’s information security are required to be considered. Our ISO leads the Company’s information security team. The Board of Directors oversee our information security team, receiving regular updates related to the material features of the information security program, our success and failures in maintaining information security and emerging threats and management’s proposed response thereto. Strategy and Testing. As mentioned above, the Company employs a layered, defense-in-depth approach that leverages people, processes, and technology to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools to monitor, block and provide alerts regarding suspicious activity and to report on any suspected threats. These controls include appropriate access controls based on least privilege, multifactor authentication for remote and privilege access, and encryption to protect data. The information security program is designed to comply with applicable laws and regulations and is driven by industry standards for financial institutions, including the Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Assessment Tool. We work closely with government and industry associations to stay abreast of developments and share best practices with respect to cybersecurity. The following paragraphs describe how we test, or otherwise obtain feedback about, the Company’s cybersecurity and other information security. The feedback we develop through testing and assessment, in addition to information about cybersecurity threats or incidents impacting other entities, is incorporated into the Company’s information security program to enhance our cybersecurity; in certain circumstances a new or emerging cybersecurity threat may require modifications to how we conduct business. The Company’s information security team utilizes the Financial Services Sector Coordinating Council for Critical Infrastructure Protection and Homeland Security version of the FFIEC Cybersecurity Assessment Tool to perform an annual assessment of our information security program. The assessment provides a repeatable and measurable process for institutions to measure their cybersecurity preparedness over time. The assessment incorporates cybersecurity-related principles from the FFIEC Information Technology Examination Handbook and regulatory guidance, and concepts from other industry standards. The assessment consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. The Cybersecurity Maturity aspect of the assessment is designed to help management measure the institution’s level of risk and corresponding controls. The levels range from baseline to innovative. Cybersecurity Maturity includes tests to determine whether an institution’s behaviors, practices and processes can support cybersecurity preparedness within the following five domains: ● Cyber risk management and oversight ● Threat intelligence and collaboration ● Cybersecurity controls ● External dependency management ● Cyber incident management and resilience 26 Table of Contents We also retain third parties to test the effectiveness of our cybersecurity efforts. Annually, we obtain independent third-party audits of the information security program, including program maturity and overall control effectiveness. Each year we engage a third-party security firm to conduct both external and internal penetration tests. The goal of these assessments is to discover vulnerabilities in the Company’s in-scope corporate networks. When testing reveals potential vulnerabilities in the Company’s security, management works to develop appropriate mitigation plans to resolve any outstanding issues; we also consider other recommendations to enhance our cybersecurity that these security firms may offer, implementing those that management concludes are appropriate within the context of the Company’s information security program and processes. In addition to audits and testing by third party security firms, our information security program and infrastructure is subject to supervision by the FDIC and the DBCF, including regular in-depth examinations by subject-matter experts from the FDIC and DBCF. The laws and regulations that these regulators administer impose very high expectations on the Company with respect to its information security policies, procedures, processes, and controls. In particular, the Interagency Guidelines Establishing Information Security Standards (the “Guidelines”) require us to implement a comprehensive written information security program that includes administrative, technical and physical safeguards designed to (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and (4) ensure the proper disposal of customer information and consumer information. We also must comply with the information sharing requirements and restrictions enacted pursuant to the GLBA. The regulators’ supervision of the Company is designed to ensure, among other things, that our information security program meets all the standards set forth in the Guidelines and that we operate in compliance with the GLBA and all other applicable information security laws and regulations. Finally, in addition to external scrutiny, our internal audit department reviews our compliance with the Guidelines, the GLBA and other laws and regulations, including those related to information security. If any of these examinations identify deficiencies or areas for improvement, the Company’s information security team works with management to act as promptly as reasonably possible to address the action item resulting from any such examination or review. Diligence of Vendors and Other Third Parties. As noted above, the Company’s information security program applies to our vendors and other third parties (referred to collectively as “vendors”) with access to our information systems and networks and/or confidential and proprietary information. Before we grant access to the Company’s systems, or a vendor otherwise obtains access to the Company’s confidential and proprietary information, our information security team assesses the vendor’s information security program. We review the vendor’s information security policy (to the extent the third party is willing to provide a copy of such policy), information security audits, service organization reports and similar information; the team will also investigate the background, reputation and history of prior cybersecurity incidents of such vendor or other third party. If the information security team is not satisfied that the vendor’s information security infrastructure is adequate to reasonably protect the Company’s systems and confidential and proprietary information from unauthorized access, and there is no suitable solution to address the information security team’s concerns, then we will not engage such vendor. The vendors we retain are also categorized by the level of risk that the vendor presents to us, of which information security risk is a component. The information security team annually reviews those vendors in the “high risk” category and periodically reviews other vendors. This review includes obtaining updated information security audits and service organization reports, where available, and otherwise analyzing whether the vendor’s cybersecurity risk profile has materially changed. 27 Table of Contents The information security team’s review process does not, and cannot, guarantee that a Company vendor will not suffer a cybersecurity incident that impacts us. Due to the possibility that a vendor’s information security may be breached, we also negotiate provisions in vendor contracts that address cybersecurity incidents. In addition to including provisions that address the parties’ relative responsibility for damages resulting from a cybersecurity incident at a vendor, these contracts also typically include provisions to ensure that the Company receives timely and complete notification of a cybersecurity incident and cooperation in responding thereto so that we can assess the extent of the incident’s impact on the Company’s systems or information, mitigate any adverse effects arising therefrom and comply with any customer or regulation notification requirements and other legal, regulator or contractual obligations. Incident Response. For those situations where a cybersecurity threat or incident arises, whether internal to the Company or relating to one of its vendors, we have also organized an incident response team. The incident response team includes representatives from the information technology, operations, risk management, legal (including securities law counsel), privacy and finance departments, among others. In addition to meeting quarterly, the incident response team (or a subset of the team) gathers whenever there is a threatened or actual breach of the Company’s information security (whether involving an external actor or an internal party) to determine the nature and extent of the threatened or actual breach and, if appropriate, the steps to take in response thereto to protect the Company’s information security and mitigate any harm that has already occurred. The team is also responsible for ensuring the Company complies with legal and regulatory requirements (including notifying affected customers and regulators and making any filings required by the securities laws). The activities of our incident response team are reported to the Board’s Enterprise Risk Management Committee. The Company also maintains a cyber insurance policy that provides cyber liability coverage. Employee Training and Security Awareness. All employees are required to complete quarterly security awareness training programs. Courses within the training program include general cybersecurity best practices as well as a course specifically related to social engineering, email, and social media security. The Company also conducts routine internally focused exercises to help raise employee awareness of the risks associated with cybersecurity. For example, over the course of 2023, employees received at least one email per month designed to test employees’ ability to identify and avoid potential “phishing” emails, and those employees that fail this phishing test are assigned additional training. In addition, annually the Company’s incident response team engages in a cyber-attack tabletop exercise to train the incident response team in overcoming a simulated attack against The Citizens Bank’s payment systems and processes. Governance and Oversight Management Role. The Company takes a layered approach to the governance of its cybersecurity risk management. The first line of defense against cybersecurity risk is the company’s information security team, led by the ISO. This team is primarily responsible for promptly identifying cybersecurity risks associated with our existing and anticipated operations and once identified, assessing as to the level that each cybersecurity risk poses to us, and then controlling or mitigating to the extent reasonably possible (in the context the Company’s operations and resources, and competitive factors affecting how banks and other financial services companies conduct operations, among other things). 28 Table of Contents The efforts of our information security team to address cybersecurity risk are reviewed by the Chief Risk Officer, which oversees our enterprise risk management program. The Chief Risk Officerfocuses on the quality of the Company’s risk management process in order to manage risks within acceptable tolerance levels. As it pertains to cybersecurity risk, the Chief Risk Officer challenges the processes that the information security team has implemented to identify, assess, control, and mitigate cybersecurity risk. The Chief Risk Officer collaborates with the ISO and other business unit owners impacted by our cybersecurity risk management practices to develop and monitor controls and other processes that mitigate identified risks. As the third line of defense against cybersecurity risk, our Internal Audit Department, with the assistance of outside experts, annually reviews and tests the Company’s processes, including its policies, procedures, and controls, with respect to cybersecurity risk. The Internal Audit Department reports the results of its review, including the steps management intends to take to address any findings, to the Audit Committee of the Board of Directors. Board Oversight. The Company’s Board of Directors oversees the risks related to our technological infrastructure, information security, cybersecurity, business continuity and disaster recovery programs. . ITEM 1B.