Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.
View risk factors by ticker
Search filings by term
Risk Factors - COLB
-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing
ITEM 1A. RISK FACTORS. RISK FACTORS.
Our processes also aim to address cybersecurity threat risks associated with our use of third-party service providers, including those in our supply chain or who have access to our customer and employee data or our systems. Third-party risks are included within our enterprise risk management assessment program, as well as our cybersecurity-specific risk identification program, both of which are discussed above. In addition, cybersecurity considerations affect the selection and oversight of our third-party service providers. We perform diligence on third parties that have access to our systems, data, or facilities that house such systems or data, and monitor cybersecurity threat risks identified through such diligence. Additionally, we generally require those third parties that could introduce significant cybersecurity risk to us to agree by contract to manage their cybersecurity risks in specified ways, and to agree to be subject to cybersecurity audits, which we conduct as appropriate.
As of the date of this Annual Report on Form 10-K, we do not believe that any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. As of the date of this Annual Report on Form 10-K, we do not believe that any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect us, including our business strategy, results of operations, or financial condition. The expenses we have incurred from cybersecurity incidents, including the Vendor Incident have been immaterial to date. Nevertheless, we also believe risks from certain cybersecurity threats, including as a result of our previously disclosed Vendor Incident could potentially result in charges, settlements or other potential liabilities that could materially affect our business strategy, results of operations, and financial condition, depending on the outcome of pending lawsuits as discussed further above.
Our Board of Director’s Enterprise Risk Management Committee (the "ERMC") is responsible for the oversight of risks from cybersecurity threats. At least annually, the ERMC receives an overview from management of our cybersecurity threat risk management and strategy processes covering topics such as anticipated emerging threats, cybersecurity posture, progress towards predetermined risk-mitigation-related goals, and material cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to such risks. In such sessions, the ERMC generally receives materials indicating current and emerging cybersecurity threat risks, and describing the Company’s ability to mitigate those risks, and discusses such matters with our Chief Information Security Officer, Chief Information Officer, and Chief Privacy and Information Risk Officer. In such sessions, the ERMC generally receives materials including a cybersecurity scorecard and other materials indicating current and emerging cybersecurity threat risks, and describing the Company’s ability to mitigate those risks, and discusses such matters with our Chief Information Security Officer, Chief Information Officer, and Chief Privacy and Information Risk Officer. Members of the ERMC are also encouraged to regularly engage in ad hoc conversations with management on cybersecurity-related news events and discuss any updates to our cybersecurity risk management and strategy programs. Material cybersecurity threat risks are also considered during separate Board meeting discussions of important matters like enterprise risk management, operational budgeting, business continuity planning, mergers and acquisitions, brand management, and other relevant matters. Additionally, the Disclosure Committee periodically receives reports on cybersecurity threat risks to ensure that required disclosures are accurate and timely.
Our cybersecurity risk management and strategy processes, which are discussed in greater detail above, are led by our Chief Information Security Officer and Chief Privacy and Information Risk Officer . Such individuals have many years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs. Such individuals have collectively over 40 years of prior work experience in various roles involving managing information security, developing cybersecurity strategy, implementing effective information and cybersecurity programs. Their expertise is further supported by advanced degrees and industry-recognized certifications. These members of management are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents through their management of, and participation in, the cybersecurity risk management and strategy processes described above, including the operation of our incident response plan. As discussed above, these members of management report to the ERMC about cybersecurity threat risks, among other cybersecurity related matters, at least annually.
The following is a discussion of what we currently believe are the most significant risks and uncertainties that may affect our business, financial condition, and future results.
Risks Relating to our Operations
A failure in or breach of our operational or security systems, or those of our third-party service providers, including as a result of cyberattacks, could disrupt our business, result in unintentional disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs, and cause losses.
As a financial institution, our operations rely heavily on the secure processing, storage, and transmission of confidential and other information on our computer systems and networks. Any failure, interruption or breach in security or operational integrity of these systems could result in failures or disruptions in our online banking system, customer relationship management, general ledger, deposit and loan servicing and other systems. The security and integrity of our systems are susceptible to a variety of interruptions or information security breaches, including those caused by computer hacking, cyberattacks, electronic fraudulent activity or attempted theft of financial assets. We are not able to anticipate, detect, or implement effective preventative measures against all threats, particularly because the techniques used by cybercriminals change frequently, often are not recognized until launched and can be initiated from a variety of sources. We cannot assure you that we will be able to adequately address all such failures, interruptions or security breaches that may have a material adverse impact on our business, financial condition, results of operations and prospects. While we have certain protective policies and procedures in place, the nature and sophistication of the threats continue to evolve. We may be required to expend significant additional resources in the future to modify and enhance our protective measures.
Due to the complexity and interconnectedness of information technology systems, the process of enhancing our systems can itself create a risk of systems disruptions and security issues. Additionally, we face the risk of operational disruption, failure, termination, or capacity constraints of any of the third parties that facilitate our business activities, including exchanges, clearing agents, clearing houses or other financial intermediaries. Such parties can also be the source of an attack on, or breach of, our operational systems. Failures, interruptions or security breaches in our information systems could damage our reputation, result in a loss of customer business, result in a violation of privacy or other laws, or expose us to civil litigation, regulatory fines or losses not covered by insurance, all of which could have a material adverse impact on our business, financial condition, results of operations and prospects. Further, as an investigation into a cyberattack is inherently unpredictable, it may take a significant amount of time for us to fully uncover the scope of and damage related to a cyberattack and develop an effective mitigation plan. During such time, damage related to a cyberattack may continue and communications to the public, customers, regulators, and other stakeholders may not be timely or accurate. Potential new regulations may require us to publicly disclose information about a cyberattack before the incident has been resolved or fully investigated.
The confidential information of our customers (including usernames and passwords) can also be jeopardized from the compromise of customers’ personal electronic devices or as a result of a data security breach at an unrelated company.23Table of ContentsThe confidential information of our customers (including usernames and passwords) can also be jeopardized from the compromise of customers’ personal electronic devices or as a result of a data security breach at an unrelated company. Losses due to unauthorized account activity could harm our reputation and may have a material adverse effect on our business, financial condition, results of operations and prospects.
As previously disclosed and discussed in greater detail in Note 16 – Commitments and Contingencies and Related-Party Transactions, in 2023 Columbia Bank was informed by one of its technology service providers (the “Vendor”) that a widely reported security incident involving MOVEit, a filesharing software used globally by government agencies, enterprise corporations, and financial institutions, resulted in the unauthorized acquisition by a third party of the names and social security numbers or tax identification numbers of certain of Columbia Bank’s consumer and small business customers. On behalf of the Bank, the Vendor notified affected customers (approximately 429,000), and the Bank and Vendor notified applicable federal and state regulators regarding the Vendor Incident.
24
Acquisitions and the integration of acquired businesses subject us to various risks and may not result in all of the benefits anticipated, future acquisitions may be dilutive to current shareholders and future acquisitions may be delayed, impeded, or prohibited due to regulatory issues.
We have in the past sought, and in the future may continue to seek, to grow our business by acquiring other businesses.We have in the past sought, and expect in the future to continue to seek, to grow our business by acquiring other businesses. Our acquisitions may not have the anticipated positive results, including results relating to: correctly assessing the asset quality of the assets being acquired; the total cost of integration including management attention and resources; the time required to complete the integration successfully; the amount of longer-term cost savings; being able to profitably deploy funds acquired in an acquisition; or the overall performance of the combined entity. Our acquisitions, including our merger with UHC, may not have the anticipated positive results, including results relating to: correctly assessing the asset quality of the assets being acquired; the total cost of integration including management attention and resources; the time required to complete the integration successfully; the amount of longer-term cost savings; being able to profitably deploy funds acquired in an acquisition; or the overall performance of the combined entity.
In addition, unexpected contingent liabilities can arise from the businesses we acquire. Integration of an acquired business can be complex and costly, sometimes including combining relevant accounting and data processing systems, management, financial reporting, and internal controls, as well as managing relevant relationships with employees, clients, suppliers, and other business partners. Integration efforts could divert management attention and resources, which could adversely affect these systems, processes or controls and our operations or results.
Acquisitions may also result in business disruptions that cause us to lose customers or cause customers to remove their accounts from us and move their business to competing financial institutions. It is possible that the integration process related to acquisitions could result in the disruption of our ongoing businesses or inconsistencies in standards, controls, procedures, and policies that could adversely affect our ability to maintain relationships with clients, customers, depositors, and employees. The loss of key employees in connection with an acquisition could adversely affect our ability to successfully conduct our business.
We may engage in future acquisitions involving the issuance of additional common stock and/or cash. Any such acquisitions and related issuances of stock may have a dilutive effect on EPS, book value per share, or the percentage ownership of current shareholders. The use of cash as consideration in any such acquisitions could impact our capital position and may require us to raise additional capital.
Furthermore, notwithstanding our prior acquisitions, we cannot provide any assurance as to the extent to which we can continue to grow through acquisitions as this will depend on the availability of prospective target opportunities at valuations we find attractive and other factors. Among other things, acquisitions by financial institutions are subject to approval by a variety of federal and state regulatory agencies. Regulatory approvals could be delayed, impeded, restrictively conditioned, or denied due to existing or new regulatory issues we have, or may have, with regulatory agencies.
Our ability to sustain or improve upon existing performance is dependent upon our ability to respond to technological change, and we may have fewer resources than some of our competitors to continue to invest in technological improvements.24Table of ContentsOur ability to sustain or improve upon existing performance is dependent upon our ability to respond to technological change, and we may have fewer resources than some of our competitors to continue to invest in technological improvements.
The financial services industry is undergoing rapid technological changes with frequent introductions of new technology-driven products and services. The effective use of technology increases efficiency and enables financial institutions to better serve customers and to reduce costs. Many of our competitors have substantially greater resources to invest in technological improvements than we do. Our future success will depend, in part, upon our ability to address the needs of our clients by using technology to provide products and services that will satisfy client demands for convenience, as well as to create additional efficiencies in our operations. We may not be able to effectively implement new technology-driven products and services or be successful in marketing these products and services to our customers. In addition, the implementation of technological changes and upgrades to maintain current systems and integrate new ones may also cause service interruptions, transaction processing errors, and system conversion delays and may cause us to fail to comply with applicable laws. There can be no assurance that we will be able to successfully manage the risks associated with our increased dependency on technology.
25
We may not be able to attract or retain key employees.
Our success depends in significant part on the skills of our management team and our ability to retain, recruit and motivate key officers and employees. We expect our future success to be driven in large part by the relationships maintained with our clients by our executives and other key employees. Leadership changes will occur from time to time, and we cannot predict whether significant resignations or other departures will occur or whether we will be able to recruit additional qualified personnel. Competition for senior executives and skilled personnel in the financial services and banking industry is intense, which means the cost of hiring, incentivizing, and retaining skilled personnel may continue to increase. The increase in remote and hybrid work arrangements has also increased competition for skilled personnel, and our current approach to in-office work may not meet the needs or expectations of current or prospective employees or may not be perceived as favorable compared to arrangements offered by other companies, which could adversely affect our ability to attract and retain skilled and qualified personnel. The increase in remote and hybrid work arrangements has also increased competition for skilled personnel, and our current or future approach to in-office or remote-work arrangements may not meet the needs or expectations of current or prospective employees or may not be perceived as favorable compared to arrangements offered by other companies, which could adversely affect our ability to attract and retain skilled and qualified personnel. We need to continue to attract and retain key personnel and to recruit qualified individuals to succeed existing key personnel to ensure the continued growth and successful operation of our business. The unexpected loss of any such employees, or the inability to recruit and retain qualified personnel in the future, could have a material adverse impact on our business, financial condition, results of operations, and prospects. In addition, the scope and content of U.S. banking regulators' regulations and policies on incentive compensation, as well as changes to these regulations and policies, could adversely affect our ability to hire, retain, and motivate our key employees.
The development and use of Artificial Intelligence (“AI”) presents risks and challenges that may adversely impact our business.
We or our third-party (or fourth-party) vendors, clients or counterparties may develop or incorporate AI technology in certain business processes, services, or products. The development and use of AI presents a number of risks and challenges to our business. The development and use of AI present a number of risks and challenges to our business. The legal and regulatory environment relating to AI is uncertain and rapidly evolving, both in the U.S. and internationally, and includes regulatory schemes targeted specifically at AI as well as provisions in intellectual property, privacy, consumer protection, employment, and other laws applicable to the use of AI. These evolving laws and regulations could require changes in our implementation of AI technology and increase our compliance costs and the risk of non-compliance. AI models, particularly generative AI models, may produce output or take action that is incorrect, that result in the release of private, confidential, or proprietary information, that reflect biases included in the data on which they are trained, infringe on the intellectual property rights of others, or that is otherwise harmful. In addition, the complexity of many AI models makes it challenging to understand why they are generating particular outputs. This limited transparency increases the challenges associated with assessing the proper operation of AI models, understanding and monitoring the capabilities of the AI models, reducing erroneous output, eliminating bias, and complying with regulations that require documentation or explanation of the basis on which decisions are made. Further, we may rely on AI models developed by third parties, and, to that extent, would be dependent in part on the manner in which those third parties develop and train their models, including risks arising from the inclusion of any unauthorized material in the training data for their models, and the effectiveness of the steps these third parties have taken to limit the risks associated with the output of their models, matters over which we may have limited visibility. Any of these risks could expose us to liability or adverse legal or regulatory consequences and harm our reputation and the public perception of our business or the effectiveness of our security measures.
In addition to our use of AI technologies, we are exposed to risks arising from the use of AI technologies by bad actors to commit fraud and misappropriate funds and to facilitate cyberattacks.25Table of ContentsIn addition to our use of AI technologies, we are exposed to risks arising from the use of AI technologies by bad actors to commit fraud and misappropriate funds and to facilitate cyberattacks. AI, if used to perpetrate fraud or launch cyberattacks, could create panic at a particular financial institution or exchange, which could pose a threat to financial stability.
26
Risks Relating to our acquisition of Pacific Premier
Combining Columbia and Pacific Premier may be more difficult, costly or time-consuming than expected, and Columbia may fail to realize the anticipated benefits of the acquisition of Pacific Premier.
Prior to the closing of the acquisition of Pacific Premier on August 31, 2025, Columbia and Pacific Premier operated independently. The success of the acquisition, including anticipated benefits and cost savings, will depend, in part, on our ability to successfully integrate Pacific Premier's business into Columbia's in a manner that permits growth opportunities and does not materially disrupt the existing customer relations nor result in decreased revenues due to loss of customers. It is possible that the integration process could result in the loss of key employees, the disruption of Columbia's ongoing businesses or inconsistencies in standards, controls, procedures, and policies that adversely affect Columbia's ability to maintain relationships with clients, customers, depositors, and employees or to achieve the anticipated benefits and cost savings of the acquisition.It is possible that the integration process could result in the loss of key employees, the disruption of each company’s ongoing businesses or inconsistencies in standards, controls, procedures, and policies that adversely affect the companies’ ability to maintain relationships with clients, customers, depositors, and employees or to achieve the anticipated benefits and cost savings of the Merger. The loss of key employees could adversely affect Columbia’s ability to successfully conduct its business, which could have an adverse effect on Columbia’s financial results and the value of its common stock. If Columbia experiences difficulties with the integration process, the anticipated benefits of the acquisition may not be realized fully or at all, or may take longer to realize than expected. If we are not able to successfully achieve these objectives, the anticipated benefits of the Merger may not be realized fully or at all or may take longer to realize than expected. As with any acquisition involving financial institutions, there also may be business disruptions that cause Columbia to lose customers or cause customers to remove their accounts from Columbia and move their business to competing financial institutions. Integration efforts will also divert management attention and resources. Integration efforts between the companies may also divert management attention and resources. These integration matters could have an adverse effect on Columbia for an undetermined period after completion of the acquisition. These integration matters could have an adverse effect on the combined company for an undetermined period after completion of the Merger. In addition, the actual cost savings of the acquisition could be less than anticipated.
Columbia may be unable to retain Columbia and/or legacy Pacific Premier personnel successfully.
The success of the acquisition of Pacific Premier will depend in part on Columbia's ability to retain the talent and dedication of key employees.The success of the Merger will depend in part on the Company’s ability to retain the talents and dedication of key employees. It is possible that these employees may decide not to remain with Columbia following the consummation of the acquisition. If Columbia is unable to retain key employees, including management, who are critical to the successful integration of Pacific Premier's business and the future operations of Columbia, Columbia could face disruptions in its operations, loss of existing customers, loss of key information, expertise, or know-how and unanticipated additional recruitment costs. If the Company is unable to retain key employees, including management, who are critical to the successful future operations of the combined company, the Company could face disruptions in its operations, loss of existing customers, loss of key information, expertise or know-how and unanticipated additional recruitment costs. In addition, following the acquisition, if key employees terminate their employment, Columbia's business activities may be adversely affected, and management's attention may be diverted from successfully hiring suitable replacements, all of which may cause the Columbia's business to suffer. Columbia also may not be able to locate or retain suitable replacements for any key employees who leave Columbia.
Interest Rate and Credit Risks
Economic conditions in the market areas we serve may adversely impact our earnings and could increase our credit risk associated with our loan portfolio, the value of our investment portfolio and the availability of deposits.
Substantially all of our loan and deposit customers are businesses and individuals in Arizona, California, Colorado, Idaho, Nevada, Oregon, Utah, and Washington and soft economies in these market areas could have a material adverse effect on our business, financial condition, results of operations, and prospects.Substantially all of our loan and deposit customers are businesses and individuals in Washington, Oregon, Idaho, California and Nevada, and soft economies in these market areas could have a material adverse effect on our business, financial condition, results of operations and prospects. We are focusing on growth opportunities in Arizona, Colorado, Texas, and Utah; however, economic softening in these areas could hinder our expansion plans. A deterioration in the market areas we serve could result in consequences, including the following, any of which would have an adverse impact, which could be material, on our business, financial condition, results of operations and prospects:
•loan delinquencies may increase;
•problem assets and foreclosures may increase;
•collateral for loans made may decline in value, in turn reducing customers’ borrowing power, reducing the value of assets and collateral associated with existing loans;
•certain securities within our investment portfolio could require an ACL, requiring a write-down through earnings to fair value, thereby reducing equity;
•low-cost or non-interest-bearing deposits may decrease; and
•demand for our loan and other products and services may decrease.
27
Concentrations within our loan portfolio could result in increased credit risk in a challenging economy.
While our loan portfolio is diversified across business sectors, it is concentrated in CRE and commercial business loans.While our loan portfolio is diversified across business sectors, it is concentrated in commercial real estate and commercial business loans. These types of loans generally are viewed as having more risk of default than residential real estate loans or certain other types of loans or investments. In fact, the FDIC has issued pronouncements alerting banks of its concern about significant loan concentrations. CRE valuations can be materially affected over relatively short periods of time by changes in business climate, economic conditions, interest rates, and, in many cases, the results of operations of businesses and other occupants of the real property. Commercial real estate valuations can be materially affected over relatively short periods of time by changes in business climate, economic conditions, interest rates, and, in many cases, the results of operations of businesses and other occupants of the real property. Evolving factors such as the shift to work-from-home or hybrid-work arrangements, changing consumer preferences (including online shopping), and resulting changes in occupancy rates as a result of these and other trends can also impact such valuations over relatively short periods. Emerging and evolving factors such as the shift to work-from-home or hybrid-work arrangements, changing consumer preferences (including online shopping), and resulting changes in occupancy rates as a result of these and other trends can also impact such valuations over relatively short periods. Because our loan portfolio contains CRE and commercial business loans with relatively large balances, the deterioration of one or a few of these loans may cause a significant increase in our non-performing loans. Because our loan portfolio contains commercial real estate and commercial business loans with relatively large balances, the deterioration of one or a few of these loans may cause a significant increase in our non-performing loans. An increase in non-performing loans could result in a loss of earnings from these loans, an increase in the provision for loan losses, or an increase in loan charge-offs, any of which would have an adverse impact, which could be material, on our business, financial condition, results of operations, and prospects.
A large percentage of our loan portfolio is secured by real estate, in particular CRE.A large percentage of our loan portfolio is secured by real estate, in particular commercial real estate. Deterioration in the real estate market or other segments of our loan portfolio would lead to additional losses.
As of December 31, 2025, 76% of our total gross loans were secured by real estate. Any renewed downturn in the economies or real estate values in the markets we serve could have a material adverse effect on both borrowers’ ability to repay their loans and the value of the real property securing such loans. CRE mortgage loans, which comprise a significant portion of our loan portfolio, generally involve a greater degree of credit risk than residential real estate mortgage loans because they typically have larger balances and are more affected by adverse conditions in the economy. Commercial real estate mortgage loans, which comprise a significant portion of our loan portfolio, generally involve a greater degree of credit risk than residential real estate mortgage loans because they typically have larger balances and are more affected by adverse conditions in the economy. Because payments on loans secured by CRE often depend upon the successful operation and management of the properties and the businesses which operate from within them, repayment of such loans may be affected by factors outside the borrower’s control, such as adverse conditions in the real estate market or the economy or changes in government regulations. Because payments on loans secured by commercial real estate often depend upon the successful operation and management of the properties and the businesses which operate from within them, repayment of such loans may be affected by factors outside the borrower’s control, such as adverse conditions in the real estate market or the economy or changes in government regulations. Following the COVID-19 pandemic there has been an evolution of various remote work options which may continue to impact the short-term performance and could impact the long-term performance of some types of office properties within our CRE portfolio. Following the COVID-19 pandemic there has been an evolution of various remote work options which could impact the long-term performance of some types of office properties within our commercial real estate portfolio. Accordingly, the federal banking regulatory agencies have expressed concerns about weaknesses in the current CRE market. Our ability to recover on defaulted loans would then be diminished, and we would be more likely to suffer losses on defaulted loans, any or all of which would have an adverse impact, which could be material, on our business, financial condition, results of operations, and prospects.
Our allowance may not be adequate to cover future loan losses, which could adversely affect earnings.
We maintain an ACL in an amount that we believe is adequate to provide for losses inherent in our loan portfolio. While we strive to carefully monitor credit quality and to identify loans that may become non-performing, at any time there are loans in the portfolio that could result in losses but that have not been identified as non-performing or potential problem loans. We cannot be sure that we will be able to identify deteriorating loans before they become non-performing assets or that we will be able to limit losses on those loans that have been identified. Additionally, the process for determining the allowance requires different, subjective and complex judgments about the future impact from current economic conditions that might impair the ability of borrowers to repay their loans. As a result, future significant increases to the allowance may be necessary. Future increases to the allowance may be required based on changes in the composition of the loans comprising the portfolio, deteriorating values in underlying collateral (most of which consists of real estate) and changes in the financial condition of borrowers, such as may result from changes in economic conditions, or as a result of actual future events differing from assumptions used by management in determining the allowance.
Additionally, banking regulators, as an integral part of their supervisory function, periodically review our allowance. These regulatory agencies may require us to increase the allowance. Any increase in the allowance would have an adverse effect, which could be material, on our financial condition and results of operations.
28
Non-performing assets take significant time to resolve and could adversely affect our results of operations and financial condition.
Our non-performing assets adversely affect our net income in various ways. We do not record interest income on non-accrual loans, thereby adversely affecting our income. Moreover, non-accrual loans increase our loan administration costs. Assets acquired by foreclosure or similar proceedings are recorded at fair value less estimated costs to sell. The valuation of these foreclosed assets is periodically updated and resulting losses, if any, are charged to earnings in the period in which they are identified. An increase in the level of non-performing assets also increases our risk profile and may impact the capital levels our regulators believe is appropriate in light of such risks. We utilize various techniques such as loan sales, workouts, and restructurings to manage our problem assets. Decreases in the value of these problem assets, the underlying collateral, or in the borrowers’ performance or financial condition would have an adverse impact, which could be material, on our business, financial condition, results of operations, and prospects. In addition, the resolution of non-performing assets requires significant commitments of time from management and staff, which can be detrimental to performance of their other responsibilities. We may experience increases in non-performing loans in the future.
Fluctuating interest rates could adversely affect our business.
Significant increases in market interest rates on loans, or the perception that an increase may occur, could adversely affect both our ability to originate new loans and our ability to grow. Conversely, decreases in interest rates could result in an acceleration of loan prepayments. An increase in market interest rates or prolonged period in which market interest rates exceed the market interest rates at loan origination could also adversely affect the ability of our floating-rate and adjustable-rate borrowers to meet their higher payment obligations. If this occurred, it could cause an increase in non-performing assets and charge-offs, which could adversely affect our business.
Further, our profitability is dependent to a large extent upon net interest income, which is the difference (or “spread”) between the interest earned on loans, securities and other interest-earning assets and the interest paid on deposits, borrowings, and other interest-bearing liabilities. Because of the differences in maturities and repricing characteristics of our interest-earning assets and interest-bearing liabilities, changes in interest rates do not produce equivalent changes in interest income earned on interest-earning assets and interest paid on interest-bearing liabilities. Accordingly, fluctuations in interest rates could adversely affect our interest rate spread, and, in turn, our profitability. Although the Federal Reserve decreased the federal funds target rate throughout 2025 and may further decrease the target rate through 2026, interest rates may increase to combat renewed inflation or otherwise. Lower rates could reduce our interest income and adversely affect our business forecasts. Alternatively, increases in interest rates may result in a change in the mix of non-interest and interest-bearing deposit accounts, and may have otherwise unpredictable effects. Increases in interest rates, to combat inflation or otherwise, may result in a change in the mix of noninterest and interest-bearing accounts, and may have otherwise unpredictable effects. For example, increases in interest rates may result in increases in the number of delinquencies, bankruptcies or defaults by clients and more non-performing assets and net charge-offs, decreases in customer deposit levels, decreases to the demand for interest rate-based products and services, including loans, and changes to the level of off-balance sheet market-based investments preferred by our clients, each of which may reduce our interest rate spread. For example, increases in interest rates may result in increases in the number of delinquencies, bankruptcies or defaults by clients and more non-performing assets and net charge-offs, decreases in deposit levels, decreases to the demand for interest rate-based products and services, including loans, and changes to the level of off-balance sheet market-based investments preferred by our clients, each of which may reduce our interest rate spread. We are unable to predict changes in interest rates, which are affected by factors beyond our control, including inflation, deflation, recession, unemployment, money supply, and other changes in financial markets.
Our business depends on our ability to successfully manage credit risk.
The operation of our business requires us to manage credit risk. As a lender, we are exposed to the risk that our borrowers will be unable to repay their loans according to their terms, and that the collateral securing repayment of their loans, if any, may not be sufficient to ensure repayment. In addition, there are risks inherent in making any loan, including risks with respect to the period of time over which the loan may be repaid, risks relating to proper loan underwriting, model and scorecard risks, risks resulting from changes in economic and industry conditions and risks inherent in dealing with individual borrowers. In order to successfully manage credit risk, we must, among other things, maintain disciplined and prudent underwriting standards and ensure that our bankers follow those standards. The weakening of these standards for any reason, such as an attempt to attract higher yielding loans, a lack of discipline or diligence by our employees in underwriting and monitoring loans, the inability of our employees to adequately adapt policies and procedures to changes in economic or any other conditions affecting borrowers and the quality of our loan portfolio, may result in loan defaults, foreclosures, and additional charge-offs and may necessitate that we increase our ACL, each of which could adversely affect our net income. As a result, our inability to successfully manage credit risk could have a material adverse effect on our business, financial condition, results of operations and prospects.
29
We may be required, in the future, to recognize a credit loss with respect to investment securities.
Our securities portfolio currently includes securities with unrecognized losses. As of December 31, 2025, gross unrealized losses in our securities portfolio were $380 million. We may continue to observe declines in the fair market value of these securities. Securities issued by certain states and municipalities may come under scrutiny due to concerns about credit quality. Although management believes the credit quality of the Company’s state and municipal securities portfolio to be good, there can be no assurance that the credit quality of these securities will not decline in the future. We evaluate the securities portfolio for any securities with an associated credit loss each reporting period, as required by GAAP in the United States. There can be no assurance, however, that future evaluations of the securities portfolio will not require us to recognize credit losses with respect to these and other holdings. For example, it is possible that government-sponsored programs to allow mortgages to be refinanced to lower rates could materially adversely impact the yield on our portfolio of mortgage-backed securities, since a significant portion of our investment portfolio is composed of such securities.
We are exposed to the risk of environmental liabilities in connection with real properties acquired.
During the ordinary course of business, we foreclose on and take title to properties securing certain loans. In doing so, there is a risk that hazardous or toxic substances could be found on these properties. If previously unknown or undisclosed hazardous or toxic substances are discovered, we may be liable for remediation costs, as well as for personal injury and property damage. Environmental laws may require us to incur substantial expenses which may materially reduce the affected property’s value or limit our ability to use or sell the affected property. In addition, future laws or more stringent interpretations or enforcement polices with respect to existing laws may increase our exposure to environmental liability. Although we have policies and procedures which require the performance of an environmental review at the time of underwriting a loan secured by real property, and also before initiating any foreclosure action on real property, these reviews may not be sufficient to detect all potential environmental hazards. The remediation costs and any other financial liabilities associated with an environmental hazard could have a material adverse effect on our financial condition and results of operations.
Funding and Liquidity Risks
Our management of capital could adversely affect profitability measures and the market price of our common stock and could dilute the holders of our outstanding common stock.
Our capital ratios are higher than regulatory minimums. We may lower our capital ratios through selective acquisitions that meet our disciplined criteria, share repurchase plans, organic loan growth, investment in securities, or other factors. We continually evaluate opportunities to expand our business through strategic acquisitions. There can be no assurance that we will be able to negotiate future acquisitions on terms acceptable to us.
Conversely, there may be circumstances under which it would be prudent to consider alternatives for raising capital to take advantage of significant acquisition opportunities or in response to changing economic conditions. In addition, we may need to raise additional capital in the future to have sufficient capital resources and liquidity to meet our commitments and fund our business needs and future growth, particularly if the quality of our assets or earnings were to deteriorate significantly. We may not be able to raise additional capital when needed on terms acceptable to us or at all. Our ability to raise additional capital, if needed, will depend on, among other things, conditions in the capital markets at the time, which are outside our control, and our financial performance. Further, if we need to raise capital in the future, we may have to do so when many other financial institutions are also seeking to raise capital and would then have to compete with those institutions for investors. An inability to raise additional capital on acceptable terms when needed could have a material adverse effect on our business, financial condition, results of operations, and prospects. In addition, any capital raising alternatives could dilute the holders of our outstanding common stock and may adversely affect the market price of our common stock.
Deposits are a critical source of funds for our continued growth and profitability.
Our ability to continue to grow depends primarily on our ability to successfully attract deposits to fund loan growth. Core deposits are a low cost and generally stable source of funding and a significant source of funds for our lending activities. Our inability to retain or attract such funds could adversely affect our liquidity. If we are forced to seek other sources of funds, such as additional brokered deposits or borrowings from the FHLB, the interest expense associated with these other funding sources are now and may be higher than the rates we are currently paying on our deposits, which would adversely impact our net income, and such sources of funding may be more volatile and unavailable.
30
Rate fluctuations are unpredictable and can adversely impact our ability to maintain consistently low-cost funding.
Volatility in interest rates can also result in the flow of funds away from financial institutions into investments such as United States government and corporate securities and other investment vehicles (including mutual funds) that generally pay higher rates of return than financial institutions in part because of the absence of federal insurance premiums.Rate fluctuationsVolatility in interest rates can also result in the flow of funds away from financial institutions into investments such as United States government and corporate securities and other investment vehicles (including mutual funds) that generally pay higher rates of return than financial institutions in part because of the absence of federal insurance premiums. This may cause the Bank to lose some of its low-cost deposit funding. Customers may also continue to move non-interest-bearing deposits into interest-bearing accounts, which increases overall deposit costs. Higher funding costs may reduce the Company’s net interest margin and net interest income. A prolonged period of high or increasing interest rates may cause the Company to experience an acceleration of deposit migration, which could adversely affect the Company’s operations and liquidity. This risk is exacerbated by technological developments and trends in customer behavior, including the ease and speed with which deposits may be transferred electronically, particularly by a growing number of customers who maintain accounts with multiple banks.
Loss of customer deposits could increase the Company’s funding costs.
Loss of customer deposits could increase the Company’s funding costs. The Company relies on bank deposits as a low-cost and stable funding source.The Company relies on bank deposits to be a low-cost and stable source of funding. Increases in short-term interest rates between March 2022 and July 2023 resulted in intense competition with banks and other financial services companies for deposits, causing the Company to increase the interest rates paid on deposits. Increases in short-term interest rates since March 2022 have resulted in and are expected to continue to result in more intense competition in deposit pricing. In September 2024, the Federal Reserve reduced the federal funds rate, starting the current cycle of declining short-term interest rates. A lowering interest rate environment could also impact the Company. Lower interest rates may reduce the attractiveness of deposits, leading customers to seek higher returns elsewhere. This could force the Company to maintain higher than expected deposit interest rates to retain customers or rely on more expensive funding sources, which could impact funding costs and reduce net interest margin and income.
Checking and savings account balances may decrease as customers perceive alternative investments, like the stock market, as offering better returns. This shift could increase the Company’s funding costs and reduce net interest income. Additionally, mass withdrawals of deposits, as seen in certain bank failures in 2023, could be triggered by losses in investment portfolios or concerns about uninsured deposits. Technological advancements and changes in banking relationships, such as customers maintaining accounts at multiple banks, facilitate rapid deposit movements. The spread of information, including false rumors, through social media can exacerbate this risk. Significant deposit outflows could lead to higher funding costs, substantial losses, and a reduced ability to raise new capital.
The Company could lose access to sources of liquidity if it were to experience financial or regulatory issues.
The Company relies on sources of liquidity provided by the Federal Reserve Bank, such as the Federal Reserve Bank discount window and other liquidity facilities that the Federal Reserve Board may establish from time to time, as well as liquidity provided by the FHLB. To access these sources of liquidity, the Federal Reserve Board or FHLB may impose conditions that the Company and the Bank are in sound financial condition (as determined by the Federal Reserve Board or FHLB) or that the Company and Bank maintain minimum supervisory ratings. If the Company or Bank were to experience financial or regulatory issues, it could affect the ability to access liquidity facilities, including at times when the Company or Bank needs additional liquidity for the operation of its business. If the Company or Bank were to lose access to these liquidity sources, it could have a material adverse effect on the Company’s operations and financial condition.
31
Legal, Accounting and Compliance Risks
We operate in a highly regulated environment and changes to or increases in, or supervisory enforcement of, banking or other laws and regulations or governmental fiscal or monetary policies could adversely affect us.
We are subject to extensive regulation, supervision, and examination by federal and state banking authorities. In addition, as a publicly traded company, we are subject to regulation by the SEC. Any change in applicable regulations or federal, state, or local legislation or in policies or interpretations or regulatory approaches to compliance and enforcement, income tax laws, or accounting principles, including as a result of changes in U.S. presidential administrations or one or both houses of Congress and other factors, could have a substantial impact on us and our operations. Changes in laws and regulations may also increase our expenses by imposing additional fees or taxes or restrictions on our operations. Additional legislation and regulations that could significantly affect our powers, authority and operations may be enacted or adopted in the future, which could have a material adverse effect on our business, financial condition, results of operations and prospects. Failure to appropriately comply with any such laws, regulations or principles could result in sanctions by regulatory agencies or damage to our reputation, all of which could adversely affect our business, financial condition, or results of operations. For example, the Dodd-Frank Act was enacted in July 2010. Among other provisions, the legislation (i) created the CFPB with broad powers to regulate consumer financial products such as credit cards and mortgages, (ii) resulted in new capital requirements from federal banking agencies, (iii) placed new limits on electronic debit card interchange fees, and (iv) required the SEC and national stock exchanges to adopt significant new corporate governance and executive compensation reforms, some of which have yet to be promulgated. The Dodd-Frank Act and regulations that have been adopted thereunder have increased the overall costs of regulatory compliance, and further regulatory developments whether related to Dodd-Frank or otherwise may lead to additional costs. In addition, the CFPB has broad rulemaking authority and is the principal federal regulatory agency responsible for the supervision and enforcement of a wide range of consumer protection laws for banks with greater than $10 billion in assets.
If we fail to maintain appropriate levels of capital or liquidity, we could become subject to formal or informal enforcement actions that may impose restrictions on our business, including limiting our lending activities or our ability to expand, requiring us to raise additional capital (which may be dilutive to shareholders) or requiring regulatory approval to pay dividends or otherwise return capital to shareholders. We also face the risk of becoming subject to new or more stringent requirements in connection with the introduction of new regulations or modifications of existing regulations, which could require us to hold more capital or liquidity or have other adverse effects on our business or profitability.
Further, regulators have significant discretion and authority to prevent or remedy unsafe or unsound practices or violations of laws or regulations by financial institutions and holding companies in the performance of their supervisory and enforcement duties.31Table of ContentsFurther, regulators have significant discretion and authority to prevent or remedy unsafe or unsound practices or violations of laws or regulations by financial institutions and holding companies in the performance of their supervisory and enforcement duties. The exercise of regulatory authority may have an adverse impact, which could be material, on our business, financial condition, results of operations, and prospects. Additionally, our business is affected significantly by the fiscal and monetary policies of the U.S. federal government and its agencies, including the Federal Reserve.
We cannot accurately predict the full effects of recent legislation or the various other governmental, regulatory, monetary, and fiscal initiatives which have been and may be enacted on the financial markets, the Company, and the Bank. The terms and costs of these activities, or any worsening of current financial market and economic conditions, could materially and adversely affect our business, financial condition, and results of operations, as well as the trading price of our common stock.
Changes in accounting standards could materially impact our financial statements.
From time to time, the FASB and the SEC change the financial accounting and reporting standards that govern the preparation of our financial statements. These changes can materially impact how we record and report our financial condition and results of operations.
32
Significant legal or regulatory actions could subject us to substantial uninsured liabilities and reputational harm and have a material adverse effect on our business and results of operations.
We are from time to time subject to claims and proceedings related to our operations. Claims and legal actions, including supervisory or enforcement actions by our regulators, or criminal proceedings by prosecutorial authorities, could involve large monetary claims, including civil money penalties or fines imposed by government authorities and significant defense costs. To mitigate the cost of some of these claims, we maintain insurance coverage in amounts and with deductibles that we believe are appropriate for our operations. However, our insurance coverage does not cover any civil money penalties or fines imposed by government authorities and may not cover all other claims that might be brought against us or continue to be available to us at a reasonable cost. As a result, we may be exposed to substantial uninsured liabilities, which could adversely affect our business, prospects, results of operations and financial condition. Substantial legal liability or significant regulatory action against us could cause significant reputational harm to us and/or could have a material adverse impact on our business, financial condition, results of operations and prospects. Because we primarily serve individuals and businesses located in the western United States, any negative impact resulting from reputational harm, including any impact on our ability to attract and retain customers and employees, likely would be greater than if our business were more geographically diverse.
Financial holding company status.
Financial holding companies are allowed to engage in certain financial activities in which a bank holding company is not otherwise permitted to engage. However, to maintain financial holding company status, a bank holding company (and all of its depository institution subsidiaries) must be “well-capitalized” and “well-managed.” If a bank holding company ceases to meet these capital and management requirements, there are many penalties it would be faced with, including the FRB may impose limitations or conditions on the conduct of its activities, and it may not undertake any of the broader financial activities permissible for financial holding companies or acquire a company engaged in such financial activities without prior approval of the FRB.” If a bank holding company ceases to meet these capital and management requirements, there are many penalties it would be faced with, including the FRB may impose limitations or conditions on the conduct of its activities, and it may not undertake any of the broader financial activities permissible for financial holding companies or acquire a company engaged in such financial activities without prior approval of the FRB. If a company does not return to compliance within 180 days, which period may be extended, the FRB may require divestiture of that company’s depository institutions. To the extent we do not meet the requirements to be a financial holding company in the future, there could be a material adverse effect on our business, financial condition, and results of operations.
Risks Relating to Markets and External Events
National and global economic and other conditions could adversely affect our future results of operations or market price of our stock.
Our business is directly impacted by factors such as economic, political and market conditions, broad trends in industry and finance, changes in government monetary and fiscal policies and inflation, foreign policy, and financial market volatility, all of which are beyond our control. Global economies continue to face significant challenges to achieving normalized economic growth rates. Any renewed deterioration in the economies of the nation as a whole or in our markets would have an adverse effect, which could be material, on our business, financial condition, results of operations, and prospects, and could also cause the market price of our stock to decline. If recessionary economic conditions or an economic downturn develop, they would likely have a negative financial impact across the financial services industry, including on us. If these conditions are more severe, the extent of the negative impact on our business and financial performance can increase and be more severe, including the adverse effects listed above and discussed throughout this “Risk Factors” section.
In recent years, supply chain constraints, robust demand, and labor shortages have led to persistent inflationary pressures throughout the economy.Supply chain constraints, robust demand and labor shortages have led to persistent inflationary pressures throughout the economy. The possible economic policies of the U.S. presidential administration, including those already imposed and additional tariffs that may be imposed or increased tariffs on U.S. trading partners, may also lead to renewed inflationary pressures. Volatility and uncertainty related to inflation and the effects of inflation, which may lead to increased costs for businesses and consumers and potentially contribute to poor business and economic conditions generally, may also enhance or contribute to some of the risks discussed herein. For example, higher inflation, or volatility and uncertainty related to inflation, could reduce demand for our products, adversely affect the creditworthiness of our borrowers, result in lower values for our investment securities and other interest-earning assets, and increase expense related to talent acquisition and retention.
Additionally, economic conditions, financial markets and inflationary pressures may be adversely affected by the impact of current or anticipated geopolitical uncertainties, military conflicts, including those in the Middle East and Russia’s invasion of Ukraine, pandemics, and global, national, and local responses thereto by governmental authorities and other third parties. These unpredictable events could create, increase, or prolong economic and financial disruptions and volatility that adversely affect our business, financial condition, capital, and results of operations.
33
Substantial competition in our market areas could adversely affect us.
Commercial banking is a highly competitive business. We compete with other commercial banks, savings and loan associations, credit unions and finance, insurance, and other non-depository companies operating in our market areas. We also experience competition, especially for deposits, from Internet-based banking institutions and financial technology companies, which have grown rapidly in recent years. We also experience competition, especially for deposits, from Internet-based banking institutions, which have grown rapidly in recent years. We may also experience increased competition for deposits from stablecoin issuers and commercial banks that issue or hold stablecoins, as stablecoins have received increasing acceptance by regulators and market participants. We are subject to substantial competition for loans and deposits from other financial institutions. Some of our competitors are not subject to the same degree of regulation and restriction as we are and/or have greater financial resources than we do. Some of our competitors may have liquidity issues, which could impact the pricing of deposits, loans, and other financial products in our markets. Our inability to effectively compete in our market areas could have a material adverse impact on our business, financial condition, results of operations, and prospects.
Climate change concerns could adversely affect our business, affect client activity levels, and damage our reputation.
Concerns over the long-term impacts of climate change have led and will continue to lead to governmental efforts around the world to mitigate those impacts. Consumers and businesses are also changing their behavior and business preferences as a result of these concerns. New governmental regulations or guidance relating to climate change, as well as changes in consumers’ and businesses’ behaviors and business preferences, may affect whether and on what terms and conditions we will engage in certain activities or offer certain products or services. In connection with the potential transition to a low carbon economy, legislative or public policy changes and changes in consumer sentiment could negatively impact the businesses and financial condition of our clients, which may decrease revenues from those clients and increase the credit risk associated with loans and other credit exposures to those clients. In connection with the transition to a low carbon economy, legislative or public policy changes and changes in consumer sentiment could negatively impact the businesses and financial condition of our clients, which may decrease revenues from those clients and increase the credit risk associated with loans and other credit exposures to those clients. Our business, reputation, and ability to attract and retain employees may also be harmed if our response to climate change is perceived to be ineffective or insufficient. In addition, due to divergent stakeholder views regarding climate change, we are at increased risk that any actual or perceived action, or lack thereof, by us in connection with the potential transition to a less carbon-dependent economy will be perceived negatively by some stakeholders and adversely affect our business and reputation.
Our business is subject to the risks of pandemics, earthquakes, tsunamis, floods, fires and other natural catastrophic events and other events beyond our control.33Table of ContentsOur business is subject to the risks of pandemics, earthquakes, tsunamis, floods, fires and other natural catastrophic events and other events beyond our control.
A major catastrophe, such as an earthquake, tsunami, flood, fire, or other natural disaster, including those caused or exacerbated by climate change, public health issues such as the COVID-19 or other pandemics, or other events beyond our control, could result in a prolonged interruption of our business. For example, our headquarters is located in Tacoma, Washington and we have operations throughout the western United States, a geographical region that has been or may be affected by earthquakes, wildfires, tsunamis, and flooding activity. Because we primarily serve individuals and businesses in our footprint, a natural disaster likely would have a greater impact on our business, operations, and financial condition than if our business were more geographically diverse throughout the United States. Because we primarily serve individuals and businesses in our eight-state footprint, a natural disaster likely would have a greater impact on our business, operations, and financial condition than if our business were more geographically diverse throughout the United States. The occurrence of any of these natural disasters could negatively impact our performance by disrupting our operations or the operations of our customers, which could have a material adverse effect on our financial condition, results of operations, and cash flows.
Risks Relating to Investment in our Stock
There can be no assurance as to the level of dividends we may pay on our common stock.
Holders of our common stock are only entitled to receive such dividends as our board of directors declares out of funds legally available for such payments. Although we have historically declared cash dividends on our common stock, we are not required to do so and there may be circumstances under which we would eliminate our common stock dividend in the future. This could adversely affect the market price of our common stock.
34
We rely on dividends and other payments from our bank for substantially all of our revenue.
We are a separate and distinct legal entity from the Bank, and we receive substantially all of our operating cash flows from dividends and other payments from the Bank. These dividends and payments are the principal source of funds to pay dividends on our capital stock and interest and principal on any debt we may have. Various federal and state laws and regulations limit the amount of dividends that the Bank may pay to us. Also, our right to participate in a distribution of assets upon a subsidiary’s liquidation or reorganization is subject to the prior claims of the subsidiary’s creditors. In the event the Bank is unable to pay dividends to us, we may not be able to service debt, pay obligations or pay dividends on our common stock. The inability to receive dividends from the Bank could have a material adverse impact on our business, financial condition, results of operations, and prospects.
We have various anti-takeover measures that could impede a takeover.
Our articles of incorporation include certain provisions that could make it more difficult to acquire us by means of a tender offer, a proxy contest, merger or otherwise. These provisions include certain non-monetary factors that our Board may consider when evaluating a takeover offer, and a requirement that any “Business Combination” be approved by the affirmative vote of no less than 66 2/3% of the total shares attributable to persons other than a “Control Person.” These provisions may have the effect of lengthening the time required for a person to acquire control of us through a tender offer, proxy contest or otherwise, and may deter any potentially hostile offers or other efforts to obtain control of us. This could deprive our shareholders of opportunities to realize a premium for their Columbia common stock, even in circumstances where such action is favored by a majority of our shareholders.
ITEM 1B. UNRESOLVED STAFF COMMENTS.
None.
ITEM 1C.ITEM 1A. CYBERSECURITY.
Risk Management and Strategy
We recognize the importance of assessing, identifying, and managing material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. We believe these risks include, among other things, operational risks resulting in system disruption; intellectual property theft; fraud; extortion; harm to associates or customers including by way of inadvertent release of information; violation of privacy or security laws and other litigation and legal risk; and reputational risks. We have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage such material risks. We have invested in data security and privacy protections, and we follow what we believe to be industry-standard recommendations for data security. However, if we fail to properly assess and identify cybersecurity threats, we may become increasingly vulnerable to such risks.
To identify and assess material risks from cybersecurity threats, we consider cybersecurity threat risks alongside other Company risks as part of our overall risk assessment process.To identify and assess material risks from cybersecurity threats, our corporate risk management program considers cybersecurity threat risks alongside other Company risks as part of our overall risk assessment process. Our corporate risk and cybersecurity professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. Our corporate risk professionals collaborate with subject matter specialists, as necessary, to gather insights for identifying and assessing material cybersecurity threat risks, their severity, and potential mitigations. We employ a range of tools and services, including programs across identity and access management, training and awareness, threat management, cybersecurity operations, cybersecurity enablement, and cybersecurity data, host, and network security. This includes regular network and endpoint monitoring, vulnerability assessments, penetration testing, and tabletop exercises to inform our professionals’ risk identification and assessment.
We also have a cybersecurity-specific risk assessment process, which helps identify our cybersecurity threat risks by comparing our processes to standards aligned to the Cyber Risk Institute Profile that is based on the National Institute of Standards and Technology’s ("NIST") Cybersecurity Framework ("CSF") and aligned to CSF version 2. These standards are aligned to the NIST, International Organization for Standardization, Center for Internet Security, and experts are engaged by us to evaluate the integrity of our information systems, as such term is defined in Item 106(a) of Regulation S-K.
35
To help us preserve the availability of critical data and systems, maintain regulatory compliance, and achieve our goal of managing our material risks from cybersecurity threats, and with an aim to protect against, detect, and respond to cybersecurity incidents, as such term is defined in Item 106(a) of Regulation S-K, we undertake the below listed activities:
• Closely monitor emerging data protection laws and implement changes to our processes designed to comply with such data protection laws;
• Undertake regular reviews of our policies and standards related to cybersecurity;
• Proactively inform our customers of substantive changes related to customer data handling;
• Conduct annual customer data handling and use requirements training for associates;
• Conduct annual cybersecurity management and incident training for associates involved in our systems and processes that handle sensitive data;
• Conduct regular cybersecurity training and awareness for all associates and all contractors with access to corporate systems;
• Through policy, practice, and contract (as applicable) require associates, as well as third-parties who provide services on our behalf, to treat customer information and data with care;
• Run tabletop exercises to simulate a response to a cybersecurity incident and use the findings to improve our processes and technologies;
• Leverage the NIST incident handling framework to help us identify, protect, detect, respond, and recover when there is an actual or potential cybersecurity incident; and
• Maintain what we believe to be customary and appropriate third-party information security coverage for incident loss mitigation.
We also maintain an incident response plan designed to coordinate the activities we take with a goal to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.35Table of ContentsWe also maintain an incident response plan designed to coordinate the activities we take with a goal to prepare for, detect, respond to, and recover from cybersecurity incidents, which include processes to triage, assess severity for, escalate, contain, investigate, and remediate the incident, as well as to comply with potentially applicable legal obligations and mitigate brand and reputational damage.
As part of the above processes, we regularly engage with regulatory examiners, internal and external auditors, and other third-parties, as well as a regular review by both our technology risk management team and corporate risk management team to help identify areas for continued focus, improvement and/or compliance.
As disclosed above, we have implemented several cybersecurity processes, technologies, and controls to aid in our efforts to assess, identify, and manage material risks associated with cybersecurity threats, as such term is defined in Item 106(a) of Regulation S-K. However, any failure in, or unauthorized access to, our information systems, as such term is defined in Item 106(a) of Regulation S-K, could disrupt our business, result in unintentional disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs and cause losses, and have a material adverse effect on our business, financial condition, results of operations and prospects. Failures, interruptions, or data breaches involving our information systems, or the information systems of our vendors, could damage our reputation, result in a loss of customer business, result in a violation of privacy or other laws, or expose us to civil litigation, regulatory fines or losses not covered by insurance, all of which could have a material adverse impact on our business, financial condition, results of operations, and prospects.
36
As previously disclosed in 2023 Columbia Bank was informed by the Vendor that a widely reported security incident involving MOVEit, a filesharing software used globally by government agencies, enterprise corporations, and financial institutions, resulted in the unauthorized acquisition by a third party of the names and social security numbers or tax identification numbers of certain of Columbia Bank’s consumer and small business customers (the "Vendor Incident"). Other than the information described above, no Columbia Bank account information was compromised as a result of the Vendor Incident, and no information from Columbia Bank’s commercial customers was involved in the Vendor Incident. Other than the information described above, no Umpqua Bank account information was compromised as a result of the Vendor Incident, and no information from Umpqua Bank’s commercial customers was involved in the Vendor Incident. On behalf of the Bank, the Vendor notified affected customers (approximately 429,000), and the Bank and Vendor notified applicable federal and state regulators regarding the Vendor Incident. Subsequently, the Bank was named in a number of putative class action lawsuits related to the Vendor Incident. The lawsuits collectively allege claims for negligence, negligence per se, breach of contract, breach of implied contract, breach of third-party beneficiary contract, breach of fiduciary duty, invasion of privacy, breach of the covenant of good faith and fair dealing, unjust enrichment, and violation of certain state statutes. Given the large number of federal cases throughout the United States (including those involving the Bank), on October 4, 2023 the United States Judicial Panel on Multidistrict Litigation initiated a multidistrict litigation ("MDL") to consolidate such cases – In Re: MOVEit Customer Data Security Breach Litigation, MDL No. 3083 – in the United States District Court for the District of Massachusetts (MDL No. 1:23-md-03083-ADB-PGL). The Bank has engaged defense counsel and intends to vigorously defend against these lawsuits and any similar or related lawsuits or claims. Umpqua Bank has engaged defense counsel and intends to vigorously defend against these suits and any similar or related suits or claims. The Bank has notified relevant insurance carriers and business counterparties and continues to reserve all of its relevant rights to indemnity, defense, contribution, and other relief in connection with these matters. Umpqua Bank has notified relevant insurance carriers and business counterparties and continues to reserve all of its relevant rights to indemnity, defense, contribution, and other relief in connection with these matters.
Cybersecurity Governance
Cybersecurity is an important part of our risk management processes and an area of increasing focus for our Board and management.
37
Recently Filed
Click on a ticker to see risk factors
| Ticker * | File Date |
|---|---|
| AVPT | 2 hours ago |
| NXRT | 2 hours ago |
| SRE | 2 hours ago |
| CABO | 2 hours ago |
| TPC | 2 hours ago |
| BPAC | 2 hours ago |
| WERN | 2 hours ago |
| SDRL | 2 hours ago |
| CHRD | 2 hours ago |
| RYTM | 2 hours ago |
| STEL | 2 hours ago |
| FLOC | 2 hours ago |
| WRBY | 2 hours ago |
| XRAY | 2 hours ago |
| EIG | 2 hours ago |
| DXPE | 2 hours ago |
| AA | 2 hours ago |
| MKL | 2 hours ago |
| ENOV | 2 hours ago |
| MTCH | 2 hours ago |
| KNTK | 2 hours ago |
| WHD | 2 hours ago |
| VCTR | 2 hours ago |
| AUB | 2 hours ago |
| MP | 2 hours ago |
| AMPH | 2 hours ago |
| PBYI | 2 hours ago |
| PJT | 2 hours ago |
| GPCR | 2 hours ago |
| BUSE | 2 hours ago |
| NABL | 2 hours ago |
| Q | 2 hours ago |
| REAL | 2 hours ago |
| DGX | 2 hours ago |
| MTZ | 2 hours ago |
| CTKB | 2 hours ago |
| KGS | 2 hours ago |
| DNA | 2 hours ago |
| ALTG | 2 hours ago |
| WTFC | 2 hours ago |
| NNI | 2 hours ago |
| DEC | 2 hours ago |
| BKU | 2 hours ago |
| VCYT | 2 hours ago |
| JANX | 2 hours ago |
| SHAK | 2 hours ago |
| COLB | 2 hours ago |
| RKLB | 2 hours ago |
| ACRS | 2 hours ago |
| SITC | 2 hours ago |
