Risk Factors - HFBL

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

$HFBL Risk Factor changes from 00/09/30/24/2024 to 00/09/26/25/2025

Item 1A. Risk Factors Not applicable. Item 1B. Unresolved Staff Comments Not applicable. Item 1C. Item 1C. Cybersecurity The Bank has implemented an information security program that encompasses the Bank’s cybersecurity efforts as part of its risk management process. Cybersecurity The Bank has implemented an information security program that encompasses the Bank’s cybersecurity efforts as part of its risk management process. Risk assessments, including Information Technology and Cybersecurity Risk, are conducted annually by the Chief Risk Officer, Information Technology Officer and Information Security Officer to identify, assess and mitigate risks. Risk assessments, including Information Technology and Cybersecurity Risk, are conducted annually by the Chief Risk Officer, Information Technology Officer and Information Security Officer to identify, assess and mitigate risks. The Bank recognizes the need for sound physical and internal controls over its critical financial data, confidential information and digital assets to ensure the accuracy, integrity, and confidentiality of the processed information. The Bank recognizes the need for sound physical and internal controls over its critical financial data, confidential information and digital assets to ensure the accuracy, integrity, and confidentiality of the processed information. As regulated financial institutions, the Company and Bank are also subject to financial privacy laws and their cybersecurity practices are subject to oversight by the federal banking agencies. As regulated financial institutions, the Company and Bank are also subject to financial privacy laws and their cybersecurity practices are subject to oversight by the federal banking agencies. The Boards of Directors of the Company and Bank and the Audit Committee of the Company are responsible for ultimate oversight of cybersecurity risks managed daily by management pursuant to the Bank’s information security program. The Boards of Directors of the Company and Bank and the Audit Committee of the Company are responsible for ultimate oversight of cybersecurity risks managed daily by management pursuant to the Bank’s information security program. The Boards of Directors annually approve this information security program and regularly receive reports from the Bank’s Information Security Officer and Information Technology Officer that outline the steps undertaken to protect the information and data assets of the Bank and Company. The Boards of Directors annually approve this information security program and regularly receive reports from the Bank’s Information Security Officer and Information Technology Officer that outline the steps undertaken to protect the information and data assets of the Bank and Company. Additionally, the Information Security Officer and Information Technology Officer update the Boards of Directors through supplementary reports on issues related to Cybersecurity readiness. Additionally, the Information Security Officer and Information Technology Officer update the Boards of Directors through supplementary reports on issues related to Cybersecurity readiness. The Bank’s information security program is developed and implemented by the Bank’s Information Security Officer, Information Technology Officer and Chief Risk Officer. The Bank’s information security program is developed and implemented by the Bank’s Information Security Officer, Information Technology Officer and Chief Risk Officer. Together with the Bank’s Electronic Data Processing (EDP) Committee, comprised of relevant information technology and business unit stakeholders within Bank management, the Information Security and Information Technology Officers of the Bank work to manage, control and mitigate cybersecurity risks. Together with the Bank’s Electronic Data Processing (EDP) Committee, comprised of relevant information technology and business unit stakeholders within Bank management, the Information Security and Information Technology Officers of the Bank work to manage, control and mitigate cybersecurity risks. The Bank’s employees are regularly trained on cybersecurity awareness, and testing is performed to monitor the success of the training. The Board of Directors receives training annually. The Board of Directors receives training annually. The Bank engages a third party to audit and examine its processes, conduct vulnerability assessments, and review the security of its network infrastructure consistent with FFIEC (Federal Financial Institutions Examination Council) Information Technology Audit guidelines, regulatory requirements and federal banking agency expectations. The Bank engages a third party to audit and examine its processes, conduct vulnerability assessments, and review the security of its network infrastructure consistent with FFIEC (Federal Financial Institutions Examination Council) Information Technology Audit guidelines, regulatory requirements and federal banking agency expectations. Trusted third parties are engaged to assist the Bank in improving its cybersecurity readiness. The Bank engages third party vendors to monitor and assist in maintaining its network infrastructure. The Bank engages third party vendors to monitor and assist in maintaining its network infrastructure. These third-party vendors take an active role in ensuring that the Bank’s systems are protected by testing, reviewing and advising the Bank to strengthen cybersecurity controls when necessary. The Bank has a vendor oversight risk management process that helps to validate the security and integrity of information collected and maintained by third party vendors that the Bank uses to provide banking services. The Bank has a vendor oversight risk management process that helps to validate the security and integrity of information collected and maintained by third party vendors that the Bank uses to provide banking services. A key goal of the Bank’s vendor management program includes assessing risks, which include but are not limited to operational, strategic, reputational, cyber, and credit risks. A key goal of the Bank’s vendor management program includes assessing risks, which include but are not limited to operational, strategic, reputational, cyber, and credit risks. These processes are supported by a specialized vendor that assists the Bank’s management and Board of Directors with properly assessing these risks. These processes are supported by a specialized vendor that assists the Bank’s management and Board of Directors with properly assessing these risks. Finally, the Bank also has an incident response and business continuity program that is intended to address operational concerns, including cybersecurity risks, during contingency scenarios that may create unknown circumstances. This program is tested annually.

Although the Company and Bank have not, as of the date of this Annual Report on Form 10-K, experienced a cybersecurity threat or incident that materially affected their business strategy, results of operations or financial condition, there can be no guarantee that the Company or Bank will not experience such an incident in the future. Although the Company and Bank have not, as of the date of this Annual Report on Form 10-K, experienced a cybersecurity threat or incident that materially affected their business strategy, results of operations or financial condition, there can be no guarantee that the Company or Bank will not experience such an incident in the future. 25 Table of Contents . 26 Table of Contents .