Risk Factors - NWFL

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

$NWFL Risk Factor changes from 00/03/17/23/2023 to 00/03/14/25/2025

Item 1A. Risk Factors Not applicable. Item 1B. Unresolved Staff Comments None. Item 1C. Item 1B. Cybersecurity Incident Response Policy The Board of Directors is responsible for overseeing the risks from cybersecurity threats. Each month, the Board is presented with the executive overview of the Cybersecurity Continuous Monitoring Review Report (“Report”) prepared by the Company’s third-party chief information security officer. The Board of Directors reviews the Report each month and, if warranted, directs senior management of the Company to take necessary and appropriate actions in accordance with the IR Policy (as defined below). 8 Wayne Bank has adopted an Incident Response Policy (the “IR Policy”) for responding to cybersecurity incidents. This IR Policy applies to both potential and actual incidents. The IR Policy should be invoked in any context where the Bank believes that an incident may have occurred. The IR Policy applies to all employees, contractors, and third parties. The objectives of the IR Policy are to ensure the protection of customer data and all organization assets from security incidents and ensure timely detection, mitigation, and communication of security incidents to appropriate parties. Implementation of the IR Policy requires cross-functional efforts from across the organization. The roles/functions involved and the related responsibilities in enforcing the IR Policy are spread across the entire organization of the Bank’s senior leadership and chief credit officer. Once the possibility of a cybersecurity incident has been noted, employees assigned to appropriate teams do the necessary research and analysis to confirm either that there is an incident requiring additional action, or that no further action is necessary. This will typically involve some combination of Operations and Information Technology. If an incident is confirmed, an incident response team is formed, and the team takes steps to contain the incident to limit damage, eradicate the incident to restore our full control of all Bank systems and eliminate unauthorized access, and recover data and full functionality. Detection and analysis continue during this phase as necessary to ensure that this phase has been successfully executed. This phase also involves communication as needed with employees, customers, partners and service providers, legal representatives, insurance provider, law-enforcement authorities, and regulatory bodies as necessary and appropriate. In the post-incident phase, the Bank analyzes the root cause of the incident, identifies any changes that need to be made to policies, procedures, training, documentation, and technology to protect against similar incidents in the future, and institutes a plan to implement them. In addition, the Bank undertakes any additional communication with the necessary parties and the public, if appropriate, and the Bank’s legal representatives, insurance provider, law-enforcement authorities, and regulatory bodies as appropriate to fully address the impact of the incident, and fully documents the entire incident. During the fiscal year ended December 31, 2024, the risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have not materially affected the Company, its business strategy, results of operations, or financial condition. . .