Risk Factors Dashboard
Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.
View risk factors by ticker
Search filings by term
Risk Factors - SFBC
-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing
Item 1A. Risk Factors
Acknowledging the crucial role of third-party service providers, the Board-approved Vendor Management Policy, coupled with the ISP, guides the identification and management of risks posed by critical vendors. A third-party risk assessment, based on due diligence criteria and identified controls, is conducted regularly to assess inherent and residual risks. Contractual requirements ensure that providers maintain information security controls, providing reasonable assurance of data confidentiality, integrity, and availability. Third-party access is inventoried and monitored, with management reporting to the Board annually on the status and overall effectiveness of the Vendor Management Program .
identified significant compromises, substantial data losses, or major financial setbacks from cybersecurity attacks so far, our systems, along with those of our clients and service providers, face constant threats. There is no guarantee that our cybersecurity risk management program will completely safeguard the confidentiality, integrity, and availability of our information systems and solutions. Cybersecurity risks are anticipated to stay elevated due to the evolving nature of threats and the increased use of online and mobile banking services. See “Risks Related to Cybersecurity, Data and Fraud” under “Item 1A. Risk Factors” in this Form 10-K for a further discussion of risks related to cybersecurity.The ISSC includes key personnel including the vCISO, Chief Operating Officer, Technology Services Director, Information Technology Manager, Internal Audit Manager, Compliance Manager, and Information Security Specialists. The ISSC members bring diverse qualifications, certifications, and extensive experience to the table. This collective expertise ensures a comprehensive and well-rounded approach to our information security initiatives.Our vCISO has substantial relevant expertise and formal training in the areas of information security and cybersecurity risk management and is accountable for managing our enterprise information security department and developing and implementing our information security program. The responsibilities include cybersecurity risk assessment, defense operations, incident response, vulnerability assessment, threat intelligence, identity access governance, third-party risk management, client, vendor and employee education and awareness, and business continuity and disaster recovery.
We assume and manage a certain degree of risk in order to conduct our business strategy. In addition to the risk factors described below, other risks and uncertainties not specifically mentioned, or that are currently known to, or deemed to be immaterial by management, also may materially and adversely affect our financial condition, results of operations and cash flows. Before making an investment decision, you should carefully consider the risks described below together with all of the other information included in this Form 10-K and our other documents filed with and furnished to the SEC. If any of the circumstances described in the following risk factors occur to a significant degree, the value of our common stock could decline, and you could lose all or part of your investment. If any of the circumstances described in the following risk factors actually occur to a significant degree, the value of our common stock could decline, and you could lose all or part of your investment. This report is qualified in its entirety by these risk factors.
Risks Related to Macroeconomic Conditions
A worsening of economic conditions in our market area could reduce demand for our products and services and result in increases in our level of nonperforming loans, which could adversely affect our operations, financial condition and earnings.
Substantially all our loans are to businesses and individuals in the state of Washington. Accordingly, local economic conditions have a significant impact on the ability of our borrowers to repay loans and the value of the collateral securing loans. Further, as a result of a high concentration of our customer base in the Puget Sound and eastern Washington state regions, a deterioration in the business environment in these areas, or the financial challenges of one or more large employers in these areas, could have a material adverse effect on our business, financial condition, liquidity, results of operations and prospects. Further, as a result of a high concentration of our customer base in the Puget Sound area and eastern Washington state regions, the deterioration of businesses in these areas, or one or more businesses with a large employee base in these areas, could have a material adverse effect on our business, financial condition, liquidity, results of operations and prospects. Broad economic factors such as inflation, unemployment and money supply fluctuations, changes in monetary policy expectations, and volatility in interest rate markets also may adversely affect our profitability. Uncertainty regarding the timing and magnitude of potential interest rate reductions by the Federal Reserve, following a prolonged period of elevated interest rates, may negatively affect borrowing demand, asset yields, deposit pricing, and overall economic activity in our market areas. Furthermore, trade disputes,
trade wars, tariffs, or shifts in trade policies between the United States and other nations could disrupt supply chains, increase costs for businesses, and reduce export opportunities for our customers. These developments may, in turn, negatively impact our clients’ operations and, consequently, our financial performance.
A deterioration in economic conditions in the markets we serve, in particular the Puget Sound area and western region of Washington State, could result in the following consequences, any of which could have a material adverse effect on our business, financial condition, liquidity and results of operations:
•Reduced demand for our products and services, potentially leading to a decline in our overall loans or assets.
•Elevated instances of loan delinquencies, problem assets, and foreclosures.
•An increase in our allowance for credit losses on loans.
•Reduced values in collateral securing our loans, thereby diminishing borrowing capacities and asset values tied to existing loans.
•Reduced net worth and liquidity of loan guarantors, possibly impairing their ability to meet commitments to us.
•Reduction in our low-cost or noninterest-bearing deposits.
Moreover, a significant decline in local, regional or national economic conditions caused by inflation, recession, economic slowdown, severe weather, natural disasters, widespread disease or pandemics, sustained higher interest rates, acts of terrorism, an outbreak of hostilities or other international or domestic calamities, trade-related pressures that may affect construction costs or materials availability, unemployment or other factors beyond our control could negatively affect the financial results of our banking operations.Moreover, a significant decline in local, regional or national economic conditions caused by inflation, recession, severe weather, natural disasters, widespread disease or pandemics, acts of terrorism, an outbreak of hostilities or other international or domestic calamities, unemployment or other factors beyond our control could negatively affect the financial results of our banking operations. Such events could affect the stability of our deposit base, impair the ability of borrowers to repay outstanding loans and leases, impair the value of collateral securing loans, cause significant property damage, result in loss of revenue or cause us to incur additional expenses.
Monetary policy, inflation, deflation, and other external economic factors could adversely impact our financial performance and operations.
Our financial condition and results of operations are influenced by monetary, fiscal, and trade policies, including those of the Federal Reserve, the U.S. Treasury, and other governmental authorities. Actions by these authorities may lead to inflation, deflation, changes in interest rates, or other economic conditions that could materially adversely affect our results of operations. Tariffs, supply-chain disruptions, or rising costs could reduce the ability of our clients, particularly small- and medium-sized businesses, to repay loans, negatively affecting credit quality and financial performance. Prolonged inflation may increase operational costs, including wages and benefits, while fluctuations in interest rates and the yield curve can significantly impact our net interest income. Interest rates may not move in alignment with inflation or deflation, adding uncertainty to the economic environment.
36
SOUND FINANCIAL BANCORP, INC. AND SUBSIDIARY
Risks Related to Our Lending
Our loan portfolio includes loans with a higher risk of loss.
Our origination of commercial and multifamily real estate, construction and land, consumer and commercial business loans, typically present different risks to us than our one-to-four family residential loans for a number of reasons, including as follows:
•Construction and Land Loans. Construction lending carries inherent uncertainties in estimating a property's future value upon project completion and the overall cost, encompassing interest, for project fulfillment. These uncertainties arise from challenges in estimating construction costs, assessing the market value upon project completion, and considering the impact of governmental regulations on real property. Consequently, accurately evaluating the total funds required to complete a project and determining the loan-to-value ratio for the completed project is often challenging. We may encounter scenarios where advancing funds beyond the committed amount becomes necessary to ensure project completion due to inaccurate estimations of construction costs, potentially resulting in inadequate security for loan repayment upon project completion and subsequent losses. Challenges such as disputes between borrowers and builders, builder failures to pay subcontractors, and the concentration of higher loan amounts among a limited number of builders further increase risk exposure. A downturn in the housing or real estate market could escalate delinquencies, defaults, and foreclosures, substantially impairing collateral values and complicating the process of selling foreclosed properties. A downturn in housing or the real estate market could increase delinquencies, defaults and foreclosures, and significantly impair the value of our collateral and our ability to sell the collateral upon foreclosure. Multiple loans with a single builder amplify our risk exposure, wherein adverse developments in one loan or credit relationship pose significant loss potential. Some construction loans involve interest accumulation without borrower payments, impacting construction loan dynamics if market interest rates rise, leading to increased borrowing costs for end purchasers and potentially reducing homebuyer financing capabilities or overall project demand. Management's estimate is based on our continuing evaluation of specific credit risks and loan loss experience, current loan portfolio quality, present economic, political and regulatory conditions, industry concentrations and other factors that may indicate future loan losses. Properties under construction are challenging to sell and often necessitate completion before successful sale, further complicating the management of problematic construction loans. Properties under construction are often difficult to sell and typically must be completed in order to be successfully sold which also complicates the process of managing our problem construction loans. This could require additional fund allocation or engagement with alternate builders, adding market risks in selling projects at future market prices that may not cover outstanding loan funds, construction, and liquidation costs. Our construction loans include those with finalized sales contracts or permanent loans for finished homes and speculative construction loans where purchasers may not be identified during or post-construction. Speculative construction loans to builders pose higher potential risks than loans for personal residences. Speculative construction loans to a builder pose a greater potential risk to us than construction loans to individuals on their personal residences. We aim to mitigate these risks by actively monitoring local housing markets and unsold homes in our portfolio, and balancing home sales with new loan originations. We consider various factors, including builder financial capacity, market demand, and inventory ratios, while working with numerous small and mid-sized builders across geographic regions within our service area to diversify speculative construction lending risks.
Land loans for future development entail additional risks due to the lack of income generation from the property and potential illiquidity of collateral and are significantly affected by supply and demand dynamics. Hence, such lending involves disbursing substantial funds, with repayment dependent on project success and the borrower's ability to sell or lease the property or obtain permanent financing, rather than independent repayment capability.
•Commercial and Multifamily Real Estate Loans. Our commercial and multifamily real estate loans generally involve higher principal amounts compared to other loan types, and some commercial borrowers maintain multiple loans with us. Consequently, an adverse development in any single loan or credit relationship can significantly heighten our exposure to potential losses, far more than the impact of a similar development in a one-to-four family residential mortgage loan. Consequently, an adverse development with respect to one loan or one credit relationship can expose us to a significantly greater risk of loss compared to an adverse development with respect to a one-to-four family residential mortgage loan. The repayment of these loans relies on income generated from the property securing the loan. This income must sufficiently cover operational expenses and debt service. Economic fluctuations or shifts in local market conditions may adversely affect the property's income, posing potential repayment challenges. Moreover, a substantial portion of our commercial and multifamily real estate loans do not fully amortize and include substantial balloon payments upon maturity. These balloon payments may require the borrower to either sell or refinance the property, and refinancing may be difficult or unavailable due to elevated interest rates, tighter underwriting standards, declining property values, or reduced lender appetite, heightening the risk of default or non-payment. In the event of a foreclosure on a commercial or multifamily real estate loan, our holding period for the collateral tends to be longer compared to one-to-four family residential loans. This extended holding period results from a limited pool of potential purchasers for the collateral.
In recent years, the commercial real estate market has experienced substantial growth, with increased competition contributing to historically low capitalization rates and rising property values.In recent years, commercial real estate markets have been experiencing substantial growth, and increased competitive pressures have contributed significantly to historically low capitalization rates and rising property values. More recently, the commercial real estate market has been affected by higher interest rates, tighter credit conditions, and changing economic and workplace dynamics. The adoption of remote and hybrid work models has led many companies to re-evaluate their long-term real estate needs. Although certain employers have increased in-office requirements, others are downsizing or shifting to hybrid models, and demand for office space in certain markets has remained structurally lower than pre-pandemic levels, creating uncertainty in demand for office space and other commercial properties. This trend could result in prolonged vacancies, declining rental income, refinancing challenges, and reduced property values, particularly for
37
SOUND FINANCIAL BANCORP, INC. AND SUBSIDIARY
certain property types or markets, adversely affecting the performance of our commercial real estate loan portfolio. Federal banking regulators have increased supervisory focus on commercial real estate exposures, particularly with respect to refinancing risk, collateral valuation, and borrower equity levels, which may subject us to heightened examination scrutiny, additional risk management expectations, or more conservative supervisory expectations. Failures in our risk management policies and controls could lead to higher delinquencies and losses, adversely affecting our business, financial condition, and results of operations.
•Commercial Business Loans. Our commercial business loans are primarily made based on the cash flow of the borrower and secondarily on the underlying collateral provided by the borrower. A borrower’s cash flow may be unpredictable, and collateral securing these loans may fluctuate in value. A borrower's cash flow may prove to be unpredictable, and collateral securing these loans may fluctuate in value. Most often, this collateral includes accounts receivable, inventory, equipment or real estate. In the case of loans secured by accounts receivable, the availability of funds for the repayment of these loans may be substantially dependent on the ability of the borrower to collect amounts due from its customers. Other collateral securing commercial business loans may depreciate over time, may be difficult to appraise, may be illiquid and may fluctuate in value based on the success of the business. Other collateral securing loans may depreciate over time, may be difficult to appraise, may be illiquid and may fluctuate in value based on the success of the business.
•Consumer Loans. Generally, we consider consumer loans to involve a different degree of risk compared to first mortgage loans on one-to-four family residential properties. As a result of our large portfolio of consumer loans, we may need to increase the level of our allowance for credit losses on loans, which could decrease our profits. As a result of our large portfolio of these loans, it may become necessary to increase the level of our provision for loan losses, which could decrease our profits. Consumer loans, particularly those secured by assets that depreciate rapidly like manufactured homes, automobiles, and recreational vehicles, generally carry a higher degree of risk. Upon default, repossessed collateral from these loans might not adequately cover the outstanding loan balance. In particular, manufactured home loans pose higher risks due to the cost and difficulty of relocating the manufactured home when repossessed and the limited market for resale, especially with the diminishing number of manufactured home parks in the Puget Sound area. A significant portion of our manufactured home loan borrowers are first-time home buyers, typically exhibiting higher credit risk due to limited financial resources. Consequently, these loans tend to experience increased default probabilities, higher delinquency rates and greater servicing costs compared to other consumer loans.
Floating home, houseboat, and house barge loans are typically located on cooperative or condominium moorages. Our floating home, houseboat and house barge loans are typically located on cooperative or condominium moorages. The primary risk of these loans stems from the distinctive nature of the collateral and the complexities involved in relocating such property to permissible locations. The process for securing deeds or rights within condominium or cooperative docks in this lending area differs significantly from our other loan types, potentially resulting in higher costs associated with collateral recovery compared to one-to-four family mortgage loans and other consumer loans.
Our business may be adversely affected by credit risk associated with residential property and declining property values.
Our first-lien one-to-four family real estate loans are primarily made based on the repayment ability of the borrower and the collateral securing these loans. Home equity lines of credit generally entail greater risk than one-to-four family residential mortgage loans where we are in the first-lien position. Home equity lines of credit generally entail greater risk than do one-to-four family residential mortgage loans where we are in the first-lien position. For those home equity lines secured by a second mortgage, it is less likely that we will be successful in recovering all of our loan proceeds in the event of default. Our foreclosure on these loans requires that the value of the property be sufficient to cover the repayment of the first mortgage loan, as well as the costs associated with foreclosure.
This type of lending is generally sensitive to regional and local economic conditions that significantly impact the ability of borrowers to meet their loan payment obligations, making loss levels difficult to predict. A downturn in the economy or the housing market in our market areas or a rapid increase in interest rates may reduce the value of the real estate collateral securing these types of loans and increase the risk that we would incur losses if borrowers default on their loans. Residential loans with high combined loan-to-value ratios generally will be more sensitive to declining property values than those with lower combined loan-to-value ratios and therefore may experience a higher incidence of default and severity of losses. In addition, if the borrowers sell their homes, the borrowers may be unable to repay their loans in full from the sale proceeds. As a result, these loans may experience higher rates of delinquencies, defaults and losses, which will in turn adversely affect our financial condition and results of operations. A majority of our residential loans are “non-conforming” because they are adjustable-rate mortgages which contain interest rate floors or do not satisfy credit or other requirements due to the borrower’s personal and financial circumstances (i.e., divorce, bankruptcy, length of time employed, etc.), conforming loan limits (i.e., jumbo mortgages), and other requirements imposed by secondary market purchasers. Some of these borrowers have higher debt-to-income ratios, or the loans are secured by unique properties in rural markets for which there are no sales of comparable properties to support the value according to secondary market requirements. We may require additional collateral or lower loan-to-value ratios to reduce the risk of these loans. We believe that these loans satisfy a need in our local market areas. As a result, subject to market conditions, we intend to continue to originate these types of loans.
Our allowance for credit losses on loans may prove inadequate or we may be negatively affected by credit risk exposures. Future additions to our allowance for credit losses on loans, as well as charge-offs in excess of reserves, will reduce our earnings. Future additions to our allowance for loan losses, as well as charge-offs in excess of reserves, will reduce our earnings.
38
SOUND FINANCIAL BANCORP, INC. AND SUBSIDIARY
Our business relies significantly on the creditworthiness of our customers. To account for potential defaults and nonperformance in our loan portfolio, we maintain an allowance for credit losses on loans using the Current Expected Credit Loss (“CECL”) methodology. This allowance represents management’s best estimate of the lifetime expected credit losses in our loan portfolio. The amount of this allowance is determined by management through periodic reviews and consideration of several factors, including, but not limited to:
•our collective loss reserve, for loans evaluated on a pool basis with similar risk characteristics based on our life of loan historical default and loss experience, certain macroeconomic factors, reasonable and supportable forecasts, regulatory requirements, management’s expectations of future events and certain qualitative factors; and
•our individual loss reserve, based on our evaluation of individual loans that do not share similar risk characteristics and the present value of the expected future cash flows or the fair value of the underlying collateral.
The determination of the appropriate allowance for credit losses involves a significant degree of subjectivity and judgment, relying on substantial estimates of both current credit risks and future economic and portfolio trends, all of which are subject to change.We are subject to federal and state privacy regulations and confidentiality obligations that, among other things restrict the use and dissemination of, and access to, certain information that we produce, store or maintain in the course of our business. Inaccuracies in our estimates could result in an allowance for credit losses that is insufficient to absorb actual losses, and changes in economic forecasts, borrower performance, or asset-class conditions may result in period-to-period volatility in our provision for credit losses, which could adversely impact our net income. Additionally, significant portfolio growth, the introduction of new loan products, or increased refinancing activity may result in portfolios consisting of unseasoned loans that may not perform as anticipated, increasing the risk that our allowance for credit losses may prove inadequate without additional provisions.
Environmental and climate-related events, including wildfires, flooding, mudslides, hurricanes, or other natural disasters, including recent events in our market regions, may adversely affect borrowers’ ability to repay loans, reduce the value of collateral, and increase uncertainty in estimating credit losses. These factors may require increases to our allowance for credit losses to account for elevated credit risks.
Bank regulatory agencies periodically review our allowance for credit losses and related methodologies and, based on their assessments, may require increased provisions or loan charge-offs. A material deterioration in the credit quality of our loan portfolio, significant changes in the risk profile of markets, industries, or customer groups, or an inadequately maintained allowance for credit losses could have a material adverse effect on our business, financial condition, liquidity, capital, and results of operations. If the credit quality of our loan portfolio materially decreases, if the risk profile of a market, industry or group of customers changes materially, or if the allowance for loan losses is not adequate, our business, financial condition, liquidity, capital, and results of operations could be materially adversely affected.
Risks Related to Market and Interest Rate Changes
Fluctuating interest rates can adversely affect our profitability.
Our net income is primarily derived from the excess of net interest income and non-interest income over non-interest expenses, provisions for credit losses, and taxes. The core component of our net income is net interest income, which centers on the variance between the interest income accrued from interest-earning assets, such as loans and securities, and the interest expense incurred on interest-bearing liabilities, mainly deposits and borrowings. Net interest income makes up a majority of our net income and is based on the difference between the interest income we earn on interest-earning assets, such as loans and securities, and the interest expense we pay on interest-bearing liabilities, such as deposits and borrowings.
The yields we earn on our interest-earning assets and the rates we pay on our interest-bearing liabilities are generally fixed for a contractual period of time.The yields we earn on our assets and the rates we pay on our liabilities are generally fixed for a contractual period of time. Like many financial institutions, our liabilities generally have shorter contractual maturities than our assets. This mismatch exposes us to significant earnings volatility as market interest rates fluctuate. Shifts in interest rates can also impact the average lifespan of loans and mortgage-backed securities. In periods of interest rate volatility, prolonged elevated rates, or an uncertain rate-cutting environment, the growth rate of interest income from our interest-earning assets might lag behind the accelerating interest expenses on our interest-bearing liabilities or decline more rapidly than anticipated as assets reprice. In addition, periods of declining or volatile interest rates, or changes in borrower refinancing behavior, may trigger increased loan prepayments and mortgage-backed security redemptions. This introduces reinvestment risk, where the challenge lies in reinvesting prepayments at rates comparable to those initially earned on the prepaid loans or securities. Moreover, changes in the shape of the interest rate yield curve, including an inverted or rapidly flattening yield curve, can compress a financial institution’s net interest margin. This poses financial risks, particularly for institutions that originate longer-term, fixed-rate mortgage loans. As of December 31, 2025, approximately 50.1% of our loan portfolio consisted of fixed-rate loans, potentially exposing us to these risks.
Rising rates can also increase the cost of deposits and other funding sources. If deposit and borrowing rates rise faster than loan and investment yields, our net interest income and overall earnings could decline. Additionally, adjustable-rate residential mortgage loans and home equity lines of credit may face increased default risks in a rising rate environment.
39
SOUND FINANCIAL BANCORP, INC. AND SUBSIDIARY
A sustained and substantial change in market interest rates could significantly impact our financial condition, liquidity, and operational results. Furthermore, fluctuations in interest rates could adversely affect the valuation of our assets and liabilities, ultimately affecting our earnings.
Changes in the valuation of our securities portfolio could hurt our profits and reduce our capital levels.
Our securities portfolio may be impacted by fluctuations in market value, potentially reducing accumulated other comprehensive income and/or earnings. Fluctuations in market value may be caused by changes in market interest rates, lower market prices for securities and limited investor demand. Management evaluates securities for credit losses on a quarterly basis, with more frequent evaluation for selected issues. Management evaluates securities for OTTI on a quarterly basis, with more frequent evaluation for selected issues. In analyzing a debt issuer’s financial condition, management considers whether the securities are issued by the federal government or its agencies, whether downgrades by bond rating agencies have occurred and industry analysts’ reports. Changes in interest rates can also adversely affect our financial condition, as our AFS securities are reported at their estimated fair values and therefore are impacted by fluctuations in interest rates. Changes in interest rates can also have an adverse effect on our financial condition, as our available-for-sale securities are reported at their estimated fair value, and therefore are impacted by fluctuations in interest rates. We increase or decrease our stockholders’ equity by the amount of change in the estimated fair value of the AFS securities, net of taxes. We increase or decrease our stockholders’ equity by the amount of change in the estimated fair value of the available-for-sale securities, net of taxes. Declines in market value could result in credit losses on these assets, which would lead to accounting charges that could have a material adverse effect on our net income and capital levels. Declines in market value could result in OTTI losses on these assets, which would lead to accounting charges that could have a material adverse effect on our net income and capital levels. At December 31, 2025, we had no allowance for credit losses on securities. At December 31, 2022, we had no securities that were deemed impaired.
An increase in interest rates, changes in the programs offered by Fannie Mae or our ability to qualify for its programs may reduce our mortgage revenues, which would negatively impact our noninterest income.
The sale of residential mortgage loans to Fannie Mae contributes significantly to our non-interest income. Future changes in Fannie Mae’s program, our eligibility to participate, the criteria for loan acceptance, or related laws that significantly affect the activity of Fannie Mae could materially adversely affect our results of operations.
Mortgage banking is generally considered a volatile source of income because it depends largely on loan volume, which is influenced by prevailing market interest rates. In a rising or higher interest-rate environment, the demand for mortgage loans, particularly refinancing of existing mortgage loans, tends to fall and our originations of mortgage loans may decrease, resulting in fewer loans that are available to be sold. This would result in a decrease in mortgage revenues and a corresponding decrease in noninterest income. Our results of operations are also affected by noninterest expenses associated with mortgage banking activities, including salaries and employee benefits, occupancy, equipment, data processing, and other operating costs. During periods of reduced loan demand, we may face challenges in reducing these expenses proportionately, which could adversely impact our results of operations. During periods of reduced loan demand, our results of operations may be adversely affected to the extent that we are unable to reduce expenses commensurate with the decline in loan originations. Although we sell loans into the secondary market without recourse, we provide customary representations and warranties to buyers. If these representations and warranties are breached, we may be required to repurchase the loans, potentially incurring a loss. If we breach those representations and warranties, we may be required to repurchase the loans and we may incur a loss on the repurchase.
We may incur losses in the fair value of our mortgage servicing rights due to changes in prepayment rates.
Our mortgage servicing rights carry interest-rate risk because the total amount of servicing fees earned, as well as changes in fair market value, fluctuate based on expected loan prepayments (affecting the expected average life of a portfolio of residential mortgage servicing rights). The rate of prepayment of residential mortgage loans may be influenced by changing national and regional economic trends, such as recessions or stagnating real estate markets, as well as the difference between interest rates on existing residential mortgage loans relative to prevailing residential mortgage rates. During periods of declining interest rates, many residential borrowers refinance their mortgage loans. Changes in prepayment rates are therefore difficult for us to predict. The loan administration fee income (related to the residential mortgage loan servicing rights corresponding to a mortgage loan) decreases as mortgage loans are prepaid. Consequently, if prepayment rates increase, we would expect the fair value of portfolios of residential mortgage loan servicing rights to decrease along with the amount of loan administration income received.
Risks Related to Cybersecurity, Data and Fraud
A failure in or breach of our security systems or infrastructure, including breaches resulting from cyber-attacks, could disrupt our business, result in the disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs and cause losses.
The integrity of our security systems and infrastructure is crucial. Any failure or breach, including those arising from cyber-attacks, has the potential to disrupt our business operations, leading to the disclosure or misuse of confidential information, detrimental effects on our reputation, increased operational costs, and financial losses. Management's estimate is based on our continuing evaluation of specific credit risks and loan loss experience, current loan portfolio quality, present economic, political and regulatory conditions, industry concentrations and other factors that may indicate future loan losses. The landscape of information security risks for financial institutions has expanded significantly due to the proliferation of new technologies, the widespread use of the Internet and telecommunications for financial transactions, and the escalating activities of organized crime, hackers, terrorists, activists, and other external entities.Information security risks for financial institutions have increased in recent years in part because of the proliferation of new technologies, the use of the Internet and telecommunications technologies to conduct financial transactions, and the increased sophistication and activities of organized crime, hackers, terrorists, activists, and other external parties. These parties may attempt to deceive employees, customers, or system users to extract confidential information, thereby gaining access to our data or that of our customers.
40
SOUND FINANCIAL BANCORP, INC. AND SUBSIDIARY
Our operations heavily rely on the secure processing, transmission, and storage of confidential information within our computer systems and networks, managed directly by us or through third-party data processing vendors. Additionally, our customers use personal computers, smartphones, tablets, and other mobile devices to access our services, which are beyond our direct control. While we have robust information security procedures and controls in place, our reliance on third-party vendors, technologies, systems, networks, and customers’ devices makes them susceptible to cyber-attacks, viruses, unauthorized access, hackers, or security breaches. Such incidents could lead to unauthorized data releases, monitoring, misuse, theft, or destruction of confidential information, disrupting our operations or those of our customers and third parties.
To date, we have not incurred substantial losses from cyber-attacks or security breaches. However, the evolving nature of threats and our ongoing plans to advance our internet and mobile banking channels heighten our exposure to these risks. As a result, continuously developing and enhancing our information security controls, processes, and practices to safeguard customer information, systems, computers, software, data, and networks remains a management priority. With the evolving nature of cyber threats, we may need to allocate significant additional resources to bolster our protective measures or investigate and address crucial information security vulnerabilities or exposures. Despite our efforts, they might not prevent all physical and electronic intrusions, denial of service, cyber-attacks, or security breaches.
Disruptions or failures in the physical infrastructure or operating systems supporting our business and customers, or breaches in the networks, systems, or devices used by customers accessing our services, could result in customer attrition, uninsured financial losses, customer transaction disruptions, productivity losses, technology replacement costs, incident response expenses, legal and regulatory repercussions, reputational damage, litigation, reimbursement or compensation costs, and additional compliance expenses. Any of these outcomes could significantly and adversely affect our financial condition or operational results.
The failure to protect our customers' confidential information and privacy could adversely affect our business.
We are subject to federal and state privacy regulations and confidentiality obligations that, among other things, restrict the use and dissemination of, and access to, certain information that we produce, store or maintain in the course of our business. We also have contractual obligations to protect certain confidential information we obtain from our existing vendors and customers.
These obligations generally include protecting such confidential information in the same manner and to the same extent as we protect our own confidential information, and in some instances may impose indemnity obligations on us relating to unlawful or unauthorized disclosure of any such information.
If we do not comply with privacy regulations and contractual obligations that require us to protect confidential information, or if we experience a security breach or network compromise, we could experience adverse consequences, including regulatory sanctions, penalties or fines, increased compliance costs, remedial costs such as providing credit monitoring or other services to affected customers, litigation and damage to our reputation, which in turn could result in decreased revenues and loss of customers, all of which would have a material adverse effect on our business, financial condition and results of operations.
Our operations rely on certain external vendors.
We rely on certain external vendors to provide products and services essential to our day-to-day operations. These third-party vendors expose us to operational and information security risks, including operational errors, system failures, interruptions or breaches, and unauthorized disclosures of sensitive or confidential information. These third-party vendors are sources of operational and informational security risks to us, including risks associated with operational errors, information system failures, interruptions or breaches and unauthorized disclosures of sensitive or confidential client or customer information. Past incidents involving third-party vendors have demonstrated the potential for such risks to disrupt our operations, impair customer service, damage our reputation, or expose us to litigation.
While we work closely with our vendors to implement appropriate security measures and monitoring processes to mitigate these risks, no system is entirely immune to breaches or other security events. Such incidents could materially and adversely affect our business, financial condition, and results of operations. Any such changes could have a material adverse effect on our business, financial condition and results of operations.
Our current and future uses of Artificial Intelligence (AI) and other emerging technologies may create additional risks.
The increasing adoption of AI in financial services presents significant opportunities but also introduces a range of risks that could impact our operations, regulatory compliance, and customer trust. AI introduces model risk, where flawed algorithms or biased data could result in inaccurate credit decisions, compliance violations, or discriminatory outcomes in lending or customer service. Cybersecurity threats, such as data breaches, adversarial attacks, and data poisoning, pose significant challenges, particularly as these systems handle large volumes of sensitive customer information. Additionally, the opaque nature of some AI models, often referred to as "black-box" systems, raises regulatory compliance concerns, as regulators increasingly require transparency and explainability in AI-driven decision-making.
Operational risks also arise from potential system failures, over-reliance on AI, and integration challenges with existing infrastructure. Disruptions in AI systems could impact critical functions such as fraud detection, transaction monitoring, and
41
SOUND FINANCIAL BANCORP, INC. AND SUBSIDIARY
customer support. Ethical and reputational risks, including unintended consequences or perceived unfairness in AI-driven decisions, may erode customer trust and expose us to regulatory scrutiny.
Mitigating these risks requires a robust governance framework, regularly testing and auditing of AI models, and strong human oversight. Investments in cybersecurity, data privacy protections, and employee training are critical to managing these risks.
We continually encounter technological change, and we may have fewer resources than many of our competitors to invest in technological improvements.42Table of ContentsWe continually encounter technological change, and we may have fewer resources than many of our competitors to invest in technological improvements.
The financial services industry is undergoing rapid technological changes with frequent introductions of new technology-driven products and services. The effective use of technology increases efficiency and enables financial institutions to better serve customers and to reduce costs. Our future success will depend, in part, upon our ability to address the needs of our clients by using technology to provide products and services that will satisfy client demands for convenience, as well as to create additional efficiencies in our operations. Many national vendors provide turn-key services to community banks, such as internet banking and remote deposit capture that allow smaller banks to compete with institutions that have substantially greater resources to invest in technological improvements. We may not be able, however, to effectively implement new technology-driven products and services or be successful in marketing these products and services to our customers.
Our business may be adversely affected by an increasing prevalence of fraud and other financial crimes.
As a financial institution, we face the risk of fraudulent activities perpetrated against us or our customers, potentially resulting in financial losses, increased operational costs, disclosure or misuse of sensitive information, misappropriation of assets, breaches of customer privacy, legal actions, or damage to our reputation. Fraudulent activities come in various forms, including check fraud, electronic fraud, wire fraud, phishing, social engineering, and other deceptive practices.
There has been a notable national increase in reported incidents of fraud and other financial crimes. Our institution has encountered losses due to apparent fraudulent activities and other financial crimes. Despite implementing policies and procedures aimed at preventing such losses, the dynamic nature of fraudulent activities presents ongoing challenges, and there is no guarantee against the occurrence of such losses.
While we remain committed to stringent policies and procedures to mitigate the risks associated with fraudulent activities, including investing in security measures and staff training, the evolving landscape of fraudulent tactics and the persistence of sophisticated schemes pose continual threats. Accordingly, there is inherent uncertainty regarding our ability to prevent losses resulting from fraudulent activities in the future.
Regulatory and Accounting-Related Risks
We operate in a highly regulated environment and may be adversely affected by changes in federal and state laws and regulations that could increase our costs of operations.
The banking industry is extensively regulated. Federal banking regulations are designed primarily to protect the deposit insurance funds and customers, not to benefit a company’s shareholders. These regulations may sometimes impose significant limitations on our operations. These regulations, along with the currently existing tax, accounting, securities, insurance, and monetary laws, regulations, rules, standards, policies and interpretations control the methods by which financial institutions conduct business, implement strategic initiatives and tax compliance, and govern financial reporting and disclosures. These laws, regulations, rules, standards, policies, and interpretations are constantly evolving and may change significantly over time. Any new regulations or legislation, change in existing regulation or oversight, whether a change in regulatory policy or a change in a regulator’s interpretation of a law or regulation, could have a material impact on our operations, impact the capital or liquidity requirements applicable to us, increase our costs of regulatory compliance and of doing business, and adversely affect our profitability. Any new regulations or legislation, change in existing regulation or oversight, whether a change in regulatory policy or a change in a regulator's interpretation of a law or regulation, could have a material impact on our operations, increase our costs of regulatory compliance and of doing business and adversely affect our profitability. In this regard, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”), published guidelines in 2014 for financial institutions servicing cannabis businesses that are legal under state law. These guidelines generally allow us to work with cannabis-related businesses that are operating in accordance with state laws and regulations, so long as we comply with required regulatory oversight of their accounts with us. Legislation has previously been introduced in Congress that would allow banks and financial institutions to serve cannabis businesses in states where it is legal without any risk of federal prosecution but has yet to be enacted. At December 31, 2025, approximately 3.6% of our total deposits and a portion of our service charges from deposits are from legal cannabis-related businesses.
Any adverse change in the FinCEN guidance noted above, any new regulations or legislation, any change in existing regulations or oversight, whether a change in regulatory policy or a change in a regulator's interpretation of a law or regulation, could have a negative impact on our non-interest income, as well as the cost of our operations, increasing our cost of regulatory compliance and of doing business and/or otherwise affect us, which may materially affect our profitability. Moreover, our failure to comply with laws, regulations or policies could result in civil or criminal sanctions and money penalties by state and federal agencies, and/or reputational damage, which could have a material adverse effect on our business, financial condition
42
SOUND FINANCIAL BANCORP, INC. AND SUBSIDIARY
and results of operations. See “Part I, Item 1. Business - How We Are Regulated” in this Form 10-K for more information about the laws and regulations to which we are subject.
The level of our commercial real estate loan portfolio may subject us to additional regulatory scrutiny.43Table of ContentsThe level of our commercial real estate loan portfolio may subject us to additional regulatory scrutiny.
The FDIC, the Federal Reserve and the Office of the Comptroller of the Currency have promulgated joint guidance on sound risk management practices for financial institutions with concentrations in commercial real estate lending. Under this guidance, a financial institution that, like us, is actively involved in commercial real estate lending, should perform a risk assessment to identify concentrations. A financial institution may have a concentration in commercial real estate lending if, among other factors (i) total reported loans for construction, land development and other land represent 100% or more of the bank’s total regulatory capital (or in the case of a bank, such as the Bank, that has elected to follow the CBLR framework, CBLR Capital (Tier 1 capital plus the entire allowance for loan and lease losses), or (ii) total commercial real estate loans (as defined in the guidance) represent 300% or more of the bank’s total regulatory capital or CBLR Capital, as appropriate, and the outstanding balance of the bank’s commercial real estate loan portfolio has increased 50% or more during the prior 36 months. The particular focus of the guidance is on exposure to commercial real estate loans that are dependent on the cash flow from the real estate held as collateral and that are likely to be at greater risk to conditions in the commercial real estate market (as opposed to real estate collateral held as a secondary source of repayment or as an abundance of caution). The purpose of the guidance is to assist banks in developing risk management practices and capital levels commensurate with the level and nature of their real estate concentrations. The purpose of the guidance is to guide banks in developing risk management practices and capital levels commensurate with the level and nature of real estate concentrations. The guidance states that management should employ heightened risk management practices including board and management oversight and strategic planning, development of underwriting standards, risk assessment and monitoring through market analysis and stress testing. At December 31, 2025, Sound Community Bank’s aggregate recorded loan balances for construction, land development and land loans were 42.4% of CBLR Capital. In addition, at December 31, 2025, Sound Community Bank’s loans on all commercial real estate, including construction, owner and non-owner occupied commercial real estate, and multi-family lending, as defined by the FDIC, were 355.2% of CBLR Capital. Although our total commercial real estate loans exceeded 300% of CBLR Capital at December 31, 2025, the outstanding balance of our commercial real estate loan portfolio has not increased by 50% or more during the preceding 36 months. Our banking regulators may nevertheless determine that the level of our commercial real estate lending warrants enhanced risk management practices. Regulators could require us to implement additional policies and procedures consistent with their interpretation of the guidance that may result in additional costs to us.
Our accounting policies and methods are fundamental to how we report our financial condition and results of operations, and we use estimates in determining the fair value of certain of our assets, which estimates may prove to be imprecise and result in significant changes in valuation.
A portion of our assets are carried on the balance sheet at fair value, including investment securities available for sale and mortgage servicing rights related to single-family loans.A portion of our assets are carried on the balance sheet at fair value, including investment securities available for sale, mortgage servicing rights related to single-family loans, and single-family loans held for sale. Generally, for assets that are reported at fair value, we use quoted market prices or valuation models that use observable market data inputs to estimate their fair value. In certain cases, observable market prices and data may not be readily available, or their availability may be diminished due to market conditions. We use financial models to value certain of these assets. These models are complex and use asset-specific collateral data and market inputs for interest rates. Although we have processes and procedures in place governing valuation models and their review, such assumptions are complex, as we must make judgments about the effect of matters that are inherently uncertain. Different assumptions could result in significant changes in valuation, which in turn could affect earnings or result in significant changes in the dollar amount of assets reported on the balance sheet.
We are subject to an extensive body of accounting rules and best practices. Periodic changes to such rules may change the treatment and recognition of critical financial line items and affect our profitability.
Our business operations are significantly influenced by the extensive body of accounting regulations in the United States. Regulatory bodies periodically issue new guidance, altering accounting rules and reporting requirements, which can substantially affect the preparation and reporting of our financial statements. These changes might necessitate retrospective application, potentially leading to restatements of prior period financial statements.
One such significant change in 2023 was the implementation of the CECL model, which we adopted on January 1, 2023. Under the CECL model, financial assets carried at amortized cost, such as loans and HTM debt securities, are presented at the net amount expected to be collected. This forward-looking approach in estimating expected credit losses contrasts starkly with the prior, “incurred loss” model, which delays recognition until a loss is probable. CECL mandates considering historical experience, current conditions, and reasonable forecasts affecting collectability, leading to periodic adjustments of financial asset values. However, this forward-looking methodology, reliant on macroeconomic variables, introduces the potential for increased earnings volatility due to unexpected changes in these indicators between periods.
An additional consequence of CECL is an accounting asymmetry between loan-related income, recognized periodically based on the effective interest method, and credit losses, recognized upfront at origination. This asymmetry might create the
43
SOUND FINANCIAL BANCORP, INC. AND SUBSIDIARY
perception of reduced profitability during loan expansion periods due to the immediate recognition of expected credit losses. Conversely, periods with stable or declining loan levels might seem relatively more profitable as income accrues gradually for loans where losses had been previously recognized.
Scrutiny and evolving expectations from customers, regulators, investors, and other stakeholders with respect to our environmental, social and governance practices may impose additional costs on us or expose us to new or additional risks.
In recent years, companies have faced scrutiny from customers, regulators, investors, and other stakeholders related to their environmental, social, and governance (“ESG”) practices and disclosure. Investor advocacy groups, investment funds, and influential investors are also focused on these practices, especially as they relate to the environment, health and safety, diversity, labor conditions, and human rights. Increased ESG-related compliance costs could result in increases to our overall operational costs. Failure to adapt to or comply with regulatory requirements, or investor or stakeholder expectations and standards, could negatively impact our reputation, ability to do business with certain partners, and our stock price.
Recent changes in the regulatory landscape and shifting federal priorities have moved toward a reduction in emphasis on certain ESG priorities, particularly around climate change and diversity, equity, and inclusion (“DEI”). This shift is leading to the rollback of regulations that mandate specific disclosures and operational practices in these areas. However, some stakeholder groups continue to demand greater transparency and action, resulting in a complex and potentially conflicting environment for companies. If regulatory enforcement of ESG-related policies becomes less stringent, companies may face reputational risks if their practices are seen as insufficient or inconsistent with broader societal expectations, especially related to DEI and environmental stewardship. As a result, navigating this evolving regulatory and public opinion landscape may require us to balance compliance with regulatory requirements against maintaining investor, customer, and stakeholder trust.
Risks Related to our Business and Industry Generally
Ineffective liquidity management could adversely affect our financial results and condition.
Our business hinges on effective liquidity management. We must maintain ample liquidity to meet various financial obligations, including: (i) fulfilling customer loan requests and handling deposit maturities and withdrawals; and (ii) making timely payments on debt obligations and other cash commitments under normal and unpredictable circumstances, including times of industry or financial market stress.
Raising funds through deposits, borrowings, loan sales, or sales of investment securities is essential for our liquidity. We primarily rely on customer deposits and occasionally borrow from entities like the FHLB of Des Moines, the Federal Reserve, and other wholesale funding sources. Several factors influence our liquidity, including (i) interest rate trends and competition affecting deposit flows and loan prepayments and (ii) potential limitations arising from changes in FHLB of Des Moines’ underwriting guidelines, which could restrict our borrowing capacity. While in prior periods we have successfully replaced maturing deposits and borrowings, deposit balances across the banking industry have become more rate-sensitive and responsive to market perceptions, and future replacements may be challenged by shifts in our financial condition, FHLB of Des Moines’ status, or market conditions.
Our access to adequate funding, vital for our activities, could be hindered by specific issues impacting us or broader industry and economic concerns. Such limitations could arise due to financial market disruptions, negative industry outlooks, credit market deterioration, reduced market activity, poor financial performance, or adverse regulatory actions. Any decline in available funding sufficient to sustain our operations could severely impact our ability to lend, invest, meet expenses, repay borrowings, or manage deposit withdrawal demands. Consequently, this could significantly affect our business, financial condition, and results of operations.
Climate change and related legislative and regulatory initiatives may materially affect the Company's business and results of operations.
The effects of climate change continue to raise significant concerns about the state of the environment.The effects of climate change continue to create an alarming level of concern for the state of the global environment. Federal and state policy approaches to climate change continue to evolve, and changes in legislative or regulatory priorities could alter the requirements and expectations placed on businesses, including banks, to address climate-related risks.
The lack of empirical data regarding the financial and credit risks posed by climate change makes it difficult to predict its specific impact on our financial condition and results of operations. However, the physical effects of climate change, such as more frequent and severe weather disasters, could directly affect us. For instance, such events may damage real property securing loans in our portfolio or reduce the value of that collateral. If our borrower’s insurance is insufficient to cover these losses or if insurance becomes unavailable, the value of collateral securing our loans could be negatively affected, potentially impacting our financial condition and results of operations. Moreover, climate change may adversely affect regional and local economic activity, harming our customers and the communities in which we operate. Regardless of changes in federal policy,
44
SOUND FINANCIAL BANCORP, INC. AND SUBSIDIARY
the effects of climate change and their unknown long-term impacts could still have a material adverse effect on our financial condition and results of operations.
If our enterprise risk management framework is not effective at mitigating risks we face, we could suffer unexpected losses and our results of operations could be materially adversely affected.If our enterprise risk management framework is not effective at mitigating risk and loss to us, we could suffer unexpected losses and our results of operations could be materially adversely affected.
We maintain an enterprise risk management program that is designed to identify, quantify, monitor, report, and control the risks that we face. These risks include interest-rate, credit, liquidity, operations, reputation, compliance and litigation risks. We also maintain a compliance program to identify, measure, assess, and report on our adherence to applicable laws, policies and procedures. While we assess and improve these programs on an ongoing basis, there can be no assurance that our risk management or compliance programs, along with other related controls, will effectively mitigate all risk and limit losses in our business. As with any risk management framework, there are inherent limitations to our risk management strategies as there may exist, or develop in the future, risks that we have not appropriately anticipated or identified. If our risk management framework proves ineffective, we could suffer unexpected losses and our business, financial condition and results of operations could be materially adversely affected.
We are subject to certain risks in connection with our data management or aggregation.
We are reliant on our ability to manage data and our ability to aggregate data in an accurate and timely manner to ensure effective risk reporting and decision-making. Deficiencies in how data is acquired, validated, stored, protected, or processed, as well as the manual nature of many of our data management and aggregation processes, could lead to human error or system failures. Inaccurate, incomplete, or delayed data could limit our ability to identify, measure, and manage current and emerging risks, impair management decision-making, and hinder our ability to respond to changing business conditions. These shortcomings could also adversely affect our financial reporting, regulatory compliance, operational efficiency, and strategic initiatives. Any of these outcomes could materially and adversely affect our business, financial condition, results of operations, and growth prospects.
Our growth or future losses may require us to raise additional capital in the future, but that capital may not be available when it is needed, or the cost of that capital may be exceedingly high.
We are required by regulatory authorities to maintain adequate levels of capital to support our operations.We are required by federal regulatory authorities to maintain adequate levels of capital to support our operations. At some point, we may need to raise additional capital to support our growth or replenish future losses. Our ability to raise additional capital, if needed, will depend on conditions in the capital markets at that time, which are outside our control, and on our financial condition and performance. Accordingly, we cannot make assurances that we will be able to raise additional capital if needed on terms that are acceptable to us, or at all. If we cannot raise additional capital when needed, our ability to further expand our operations could be materially impaired and our financial condition and liquidity could be materially and adversely affected. In addition, any additional capital we obtain may dilute the interests of existing holders of our common stock. In addition, any additional capital we obtain may result in the dilution of the interests of existing holders of our common stock. Further, if we are unable to raise additional capital when required by our banking regulators, we may be subject to adverse regulatory action. Further, if we are unable to raise additional capital when required by our bank regulators, we may be subject to adverse regulatory action.
As a community bank, maintaining our reputation in our market area is critical to the success of our business, and the failure to do so may materially adversely affect our performance.
We are a community bank, and our reputation is one of the most valuable components of our business. A key aspect of our business strategy is to rely on our reputation for customer service and knowledge of local markets to expand our presence by capturing new business opportunities from existing and prospective customers in our current market and contiguous areas. As such, we strive to conduct our business in a manner that enhances our reputation. This is done, in part, by recruiting, hiring and retaining employees who share our core values of being an integral part of the communities we serve, delivering superior service to our customers and caring about our customers and associates. We provide many different financial products and rely on the ability of our employees and systems to process a significant number of transactions. If our reputation is negatively affected by the actions of our employees, by our inability to conduct our operations in a manner that is appealing to current or prospective customers, or otherwise, our business and, therefore, our operating results may be materially adversely affected.
The Company might not be able to attract and retain skilled employees.The Company may not attract and retain skilled employees.
The Company's success depends, in large part, on its ability to attract and retain key people. Competition for the best people can be intense, and the Company spends considerable time and resources attracting and hiring qualified people for its operations. The unexpected loss of the services of one or more of the Company's key personnel could have a material adverse impact on the Company's business because of their skills, knowledge of the Company's market, and years of industry experience, as well as the difficulty of promptly finding qualified replacement personnel.
The Company's ability to pay dividends, repurchase stock and make subordinated debt payments is subject to the ability of the Bank to make capital distributions to the Company.
45
SOUND FINANCIAL BANCORP, INC. AND SUBSIDIARY
The Company is a separate legal entity from its subsidiary bank and does not have significant operations of its own. The long-term ability of the Company to pay dividends to its stockholders, repurchase its stock and make debt payments is based primarily upon the ability of the Bank to make capital distributions to the Company, and on the availability of cash at the holding company level. The long-term ability of the Company to pay dividends to its stockholders and debt payments is based primarily upon the ability of the Bank to make capital distributions to the Company, and also on the availability of cash at the holding company level. The availability of dividends from the Bank is limited by the Bank's earnings and capital, as well as various statutes and regulations. Under certain circumstances, capital distributions from the Bank to the Company may be subject to regulatory approvals. If the Bank is unable to pay dividends to the Company, the Company may not be able to pay dividends on its common stock, repurchase its common stock or make payments on its outstanding debt. If the Bank is unable to pay dividends to the Company, the Company may not be able to pay dividends on its common stock or make payments on its outstanding debt. Consequently, the inability to receive dividends from the Bank could adversely affect the Company’s financial condition, results of operations, and future prospects and the value of the Company's common stock. At December 31, 2025, Sound Financial Bancorp had $1.4 million in unrestricted cash to support dividend and debt payments. See "Part I. Item 1. Business—How We Are Regulated—Regulation of Sound Community Bank—Capital Rules” and “—Regulation of Sound Financial Bancorp—Limitations on Dividends and Stock Repurchases" for additional information.
Item 1B. Unresolved Staff Comments
Not applicable.
46
SOUND FINANCIAL BANCORP, INC. AND SUBSIDIARY
Item 1C. Cybersecurity
Risk Management and Strategy
Our enterprise risk management program is designed to identify, measure, monitor and control significant risks across various aspects of the Company. Cybersecurity risk management processes are integrated into this program, given the increasing reliance on technology and potential of cyber threats.
Our cybersecurity risk management program contains eleven key elements: Information Security Policies, Strategic Planning, Risk Assessment, Audit and Examination, Business Continuity Planning, Incident Response Planning, Third-Party Due Diligence, Cyber Insurance Coverage, Employee Training and Testing, Patch and Vulnerability Management, and the National Institute of Standards and Technology (“NIST”) framework.
The Company is committed to protecting the information of clients, employees, and stakeholders from both conventional and cyber threats. This commitment is upheld through the implementation of our comprehensive Information Security Program (“ISP”), designed to ensure the confidentiality, integrity, and availability of critical information technology (“IT”) systems and data.
The Information Security Steering Committee (“ISSC”), appointed by the Board, bears the responsibility for cybersecurity risk management and strategy. It aids the Board in fulfilling its oversight duties related to IT security, aligning with the Bank’s business strategy, and adhering to regulatory requirements. The Virtual Chief Information Security Officer (“vCISO”), who is also appointed by the Board, oversees the ISP and coordinates the ISSC.
The ISSC's responsibilities encompass:
•Review and approval of the ISP-related documents, including policies, strategies, plans and risk assessments;
•Monitoring of control statuses and program gaps, including findings from audit reports and assessments;
•Participation in program assessments, such as risk and business impact assessments;
•Providing input on mitigation of current issues and threats;
•Reporting, at least quarterly, to the Enterprise Risk Management Committee on ISSC activities and risk impacts on the Risk Appetite Statement.
•Reporting, at least annually, to the Board on the status of the ISP, covering compliance, risk management, vendor management, audit and testing results, breaches and incidents, and recommended updates to the ISP.
The Company’s approach to managing cybersecurity risks is shaped by insights from the NIST Cyber Security Framework (“CSF”) 2.0, a tool designed for assessing and improving cybersecurity practices. This tool undergoes a thorough examination by an independent third-party on an annual basis to ensure an unbiased and comprehensive evaluation. In its most recent assessment in 2025, the NIST CSF 2.0 identified that the Company is operating at an acceptable level of cyber maturity. This means the Company is effectively handling the inherent risks it faces in five critical areas: cyber risk management and oversight, collaboration on threat intelligence, implementation of cybersecurity controls, management of external dependencies, and resilience in handling cyber incidents.
To stay ahead of potential cybersecurity challenges, the Company has established a formal process. This process is activated whenever the NIST CSF 2.0 or the ISSC identifies changes in inherent risks. In response, the Company proactively updates its cybersecurity objectives, policies, and tactical goals. This ensures that the Company’s cybersecurity strategy remains responsive, continuously adapting to emerging threats and evolving industry standards.
Further, to enhance cybersecurity awareness, reduce vulnerability, and foster consideration of cybersecurity threats, our employees and the Board of Directors attend annual trainings. Specific role-based training is mandatory for certain employees, tailored to their duties.
In the ordinary course of business, we rely heavily on electronic communications and information systems to conduct our operations and to store sensitive data. We employ a layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. A variety of preventive and detective tools are used to monitor, block, and alert us to suspicious activity, including potential advanced persistent threats. Despite our defenses, the severity and sophistication of cyber-attacks are on the rise. Attackers adapt quickly to changes in defense measures. While we have not
47
SOUND FINANCIAL BANCORP, INC. AND SUBSIDIARY
Governance
The Board of Directors oversees cybersecurity risk management as part of its broader risk oversight responsibilities. The Board receives at least annual reports from the ISSC on cybersecurity risks, emerging threats, regulatory developments, and the effectiveness of our information security program. The Board also reviews and approves the ISP annually to ensure alignment with business strategy and regulatory requirements.
The ISSC, chaired by the vCISO, is responsible for implementing cybersecurity risk management policies and strategies. The vCISO, appointed by the Board, has extensive experience in information security, holding various professional certifications, including a Certified Information Systems Security Professional (“CISSP”). The ISSC also includes senior executives from risk, compliance, IT, and internal audit functions, ensuring a multidisciplinary approach to managing cybersecurity threats.
Adherence to the ISP is of utmost importance, and any exceptions to policy must be recommended by the ISSC, approved by the Enterprise Risk Management Committee, and reported to the Board at least annually.
Recently Filed
Click on a ticker to see risk factors
| Ticker * | File Date |
|---|---|
| DVLT | an hour ago |
| SFBC | an hour ago |
| AEAE | an hour ago |
| MRKR | an hour ago |
| ASRV | an hour ago |
| ASNS | an hour ago |
| PUBC | 2 hours ago |
| APAC | 2 hours ago |
| ACON | 2 hours ago |
| FTFT | 2 hours ago |
| LIDR | 2 hours ago |
| EBRCZ | 2 hours ago |
| GORO | 2 hours ago |
| HBIA | 2 hours ago |
| XHLD | 2 hours ago |
| DWTX | 2 hours ago |
| FDMT | 2 hours ago |
| AVBH | 2 hours ago |
| OVID | 2 hours ago |
| HD | 2 hours ago |
| OSS | 2 hours ago |
| HYPR | 2 hours ago |
| HTFL | 3 hours ago |
| NRGV | 3 hours ago |
| ARX | 3 hours ago |
| UBCP | 3 hours ago |
| BBY | 3 hours ago |
| SERA | 3 hours ago |
| BTM | 3 hours ago |
| DOCU | 3 hours ago |
| MBRX | 3 hours ago |
| PCSA | 3 hours ago |
| XOMA | 3 hours ago |
| PROK | 3 hours ago |
| ELA | 3 hours ago |
| USIO | 3 hours ago |
| LFWD | 7 hours ago |
| PFBX | 8 hours ago |
| MHH | 9 hours ago |
| NEON | 9 hours ago |
| VACI | 10 hours ago |
| GIFT | 10 hours ago |
| NSPR | 10 hours ago |
| CING | 11 hours ago |
| PLX | 12 hours ago |
| HIND | 12 hours ago |
| BOBS | 12 hours ago |
| TSSI | 21 hours ago |
| CNTY | 22 hours ago |
| ESLA | 22 hours ago |
