Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - UCBI

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

ITEM 1A. RISK FACTORS

This Item outlines specific risks that could affect the ability of our various businesses to compete, change our risk profile or materially affect our financial condition or results of operations. Our operating environment continues to evolve and new risks continue to emerge. To address that challenge we have a risk management governance structure that oversees processes for monitoring evolving risks and oversees various initiatives designed to manage and control our potential exposure. This Item highlights risks that could affect us in material ways by causing future results to differ materially from past results, by causing future results to differ materially from current expectations, or by causing material changes in our financial condition. Some of these risks are interrelated and the occurrence of one or more of them may exacerbate the effect of others.


STRATEGIC RISKS

We may be unable to successfully implement our strategy to grow our banking businesses.

Although our strategy is expected to evolve as business conditions change, our current strategy is to continue to invest resources in our banking businesses and operations, including the businesses and operations we plan to integrate through any planned acquisitions, and seek to exploit opportunities for cost and revenue synergies. Our failure or inability to successfully implement or adapt our strategy could have a material and adverse effect on our results of operation and financial condition.

Expanding in our current markets and selecting new growth markets by opening additional branches and service locations or through acquisitions of all or part of other financial institutions involve risks, any one of which could result in a material and adverse effect upon our results of operation or financial condition. These risks include, without limitation, our inability to do the following:

•identify and expand into suitable markets;

•identify and acquire suitable sites for new branches and service locations;

•identify and execute potential acquisition targets;

•develop accurate estimates and judgments to evaluate asset values and credit, operations, management and market risks with respect to an acquired branch or institution, a new branch office or a new market;

•realize certain assumptions and estimates to preserve the expected financial benefits of the transaction;

•avoid the diversion of our management’s attention from existing operations during the negotiation of a transaction;

•manage successful entry into new markets where we have limited or no direct prior experience;

•obtain regulatory and other approvals, or obtain such approvals without restrictive conditions;

•integrate the acquired business’ operations, clients, and properties quickly and cost-effectively;

•manage cultural assimilation risks associated with growth through acquisitions, which can be an often-overlooked and often-critical failure point in mergers;

•combine the franchise values of businesses that we acquire with those of ours without significant loss of employees or customers from re-branding and other similar changes; or

•retain core clients and key employees.

Failure to achieve one or more key elements needed for successful organic growth could adversely affect our business and earnings.

There are a number of risks to the successful execution of our organic growth strategy that could result in a material and adverse effect upon our results of operation and financial condition. These risks include, without limitation, our inability to do the following:

•attract and retain clients in our banking market areas;

•achieve and maintain growth in our earnings while pursuing new business opportunities;

•maintain a high level of client service while optimizing our physical branch count due to changing client demand, all while expanding our remote banking services and expanding or enhancing our information processing, technology, compliance, and other operational infrastructures effectively and efficiently;

•maintain loan quality while, at the same time, creating loan growth;

•attract sufficient deposits and capital to fund anticipated loan growth;

•maintain adequate common equity and regulatory capital while managing the liquidity and capital requirements associated with growth, especially organic growth and cash-funded acquisitions;

•hire or retain adequate management personnel and systems to oversee and support such growth;

•implement additional policies, procedures and operating systems required to support our growth;

•manage effectively and efficiently the changes and adaptations necessitated by a complex, burdensome, and evolving regulatory environment.


COMPETITION AND INDUSTRY DISRUPTION RISKS

We are subject to intense competition for clients and the nature of that competition is rapidly evolving.

Our primary areas of competition are deposits, loans, wealth management, trust, and other consumer and commercial financial products and services. Our competitors in these areas include other banks, credit unions, savings and loan associations, consumer finance companies, mortgage banking firms, trust companies, securities brokerage firms, investment counseling firms, insurance companies and agencies and other financial services companies. In addition, the emergence of non-traditional, disruptive service providers has intensified this competitive environment. Also, as customer preferences and expectations continue to evolve, technology has lowered barriers to entry and made it possible for nonbanks to offer products and services traditionally provided by banks. While traditional banks are subject to the same regulatory framework as we are, nonbanks experience a significantly different or reduced degree of regulation as well as lower cost structures.

We may face a competitive disadvantage as a result of our smaller size, more limited geographic diversification and inability to spread costs across broader markets. We may also be affected by the marketplace loosening of credit underwriting standards and structures. In addition, larger institutions may have the advantage of being perceived by the public as more secure in times of financial uncertainty as evidenced by the migration of deposits to large banks in response to certain bank failures that occurred in 2023. Although we compete by concentrating marketing efforts in our primary markets with local advertisements, personal contacts and greater flexibility and responsiveness in working with local customers, customer loyalty can be easily influenced by a competitor’s new products and our strategy may or may not continue to be successful.

The financial services industry has undergone and continues to undergo rapid change as a result of frequent new technological innovations, such as the use of artificial intelligence and machine learning. The effective use of technology increases efficiency and enables financial institutions to better serve customers and to reduce costs. Our future success depends, in part, upon our ability to address the needs of our customers by using technology to provide products and services that will satisfy customer demands, as well as to create additional efficiencies in our operations. Many of our competitors have substantially greater resources to invest in technological improvements. If we are unable to provide enhancements and new features and integrations for our existing platform, develop new products that achieve market acceptance, or innovate quickly enough to keep pace with these rapid technological developments, our business could be harmed.

Our traditional approach to customer service, which is highly effective when executed in a physical branch with in-person interactions, may be less effective as customer habits and preferences evolve.

Physical branch utilization has been in decline throughout the industry for many years. This competitive risk is especially pronounced from the largest U.S. banks, and from online-only banks, due in part to the investments they are able to sustain in their digital platforms. While we provide a large number of services remotely (online and mobile) and technology has helped us reduce costs and improve service, it has also weakened traditional geographic and relationship ties.

The nature of technology-driven disruption to our industry is changing, in some cases seeking to displace traditional financial service providers rather than merely enhance traditional services or their delivery.

A number of recent technologies have worked with the existing financial system and traditional banks, such as the evolution of artificial intelligence, machine learning and continued development of smartphone applications. These sorts of technologies often have expanded the market for banking services overall while siphoning a portion of the revenues from those services away from banks and disrupting prior methods of delivering those services. Additionally, some innovations and niche providers may tend to replace traditional banks as financial service providers, deposit-keepers and intermediaries rather than merely augmenting those services. For example, companies which claim to offer applications and services based on artificial intelligence are beginning to compete much more directly with traditional financial services companies in areas involving personal advice, including high-margin services such as wealth management. Our success in the competitive environment in which we operate requires consistent investment of capital and human resources in innovation, particularly in light of the current “FinTech” environment, in which the financial services industry is undergoing rapid technological changes and financial institutions are investing significantly in evaluating new technologies, such as artificial intelligence, machine learning, blockchain and other distributed ledger technologies, and developing potentially industry-changing new products, services and industry standards. Our investment is directed at generating new products and services, and adapting existing products and services to the evolving standards and demands of the marketplace. Among other things, investing in innovation helps us maintain a mix of products and services that keeps pace with our competitors and achieve acceptable margins.


OPERATIONAL RISKS

Fraud is a major, and increasing, operational risk for us and all banks.

The sophistication and methods used to perpetrate fraud continue to evolve as technology changes. In addition to cybersecurity risk (discussed below), new technologies have made it easier for bad actors to obtain and use client personal information, mimic signatures and otherwise create false documents that look genuine. The industry fraud threat continues to evolve, including but not limited to card fraud, check fraud, social engineering and phishing attacks for identity theft and account takeover. Additionally, the use of artificial intelligence and quantum computing could exacerbate many of these risks. Our anti-fraud measures are both preventive and, when necessary, responsive; however, some level of fraud loss is unavoidable, and the risk of a major loss cannot be eliminated.

Operational risk can arise in many ways, including: errors related to failed or inadequate physical, operational, information technology, or other processes; faulty or disabled computer or other technology systems; fraud, theft, physical security breaches, electronic data and related security breaches, or other criminal conduct by associates or third parties; and exposure to other external events. Inadequacies may present themselves in myriad ways. Actions taken to manage one risk may be ineffective against others. Efforts to make systems more robust may make them less adaptable, and vice-versa.

A serious information technology security (cybersecurity) breach can cause significant damage and at the same time be difficult to detect even after it occurs.

Our operations rely on the secure processing, storage and transmission of confidential and other information in our computer systems and networks as well as through the internet through digital and mobile technologies. Although we take protective measures and endeavor to modify these systems as circumstances warrant, the advances in technology increase the risk of information security breaches. We provide our customers the ability to bank remotely, including over the internet or through their mobile device. The secure transmission of confidential information is a critical element of remote and mobile banking. Any failure, interruption or breach in security of these systems could result in disruptions to our accounting, deposit, loan and other systems, and adversely affect our customer relationships.

There have been increasing efforts on the part of third parties, including through cyber-attacks, to breach data security at financial institutions or with respect to financial transactions. There have been several instances involving financial services, credit bureaus and consumer-based companies reporting the unauthorized disclosure of client or customer information or the destruction or theft of

corporate data, by both private individuals and foreign governments. In addition, because the techniques used to cause such security breaches change frequently, often are not recognized until launched against a target and may originate from less regulated and remote areas around the world, we may be unable to proactively address these techniques or to implement adequate preventative measures.

Cyber threats are rapidly evolving and we may not be able to anticipate or prevent all such attacks. Among other things, damage can occur due to outright theft or extortion of our funds, fraud or identity theft perpetrated on clients, or adverse publicity associated with a breach and its potential effects. Perpetrators potentially can be associates, clients, and certain vendors, all of whom legitimately have access to some portion of our systems, as well as outsiders with no legitimate access. These risks are heightened through the increasing use of digital and mobile solutions which allow for rapid money movement and increase the difficulty to detect and prevent fraudulent transactions. Additionally, as we grow through acquisitions and pursue new initiatives that improve our operations and cost structure, we are also expanding and improving our information technologies, resulting in a larger technological presence, utilization of “cloud” computing services, and corresponding exposure to cybersecurity risk. Certain new technologies, such as use of artificial intelligence, present new and significant cybersecurity safety risks that must be analyzed and addressed before implementation. If we fail to assess and identify cybersecurity risks associated with acquisitions and new initiatives, we may become increasingly vulnerable to such risks. We may be required to spend significant capital and other resources to protect against the threat of security breaches and computer viruses, or to alleviate problems caused by security breaches or viruses. To the extent that our activities or the activities of our customers involve the storage and transmission of confidential information, security breaches (including breaches of security of customer systems and networks) and viruses could expose us to claims, litigation and other possible liabilities. Any inability to prevent security breaches or computer viruses could also cause existing customers to lose confidence in our systems and could adversely affect our reputation, results of operations and ability to attract and maintain customers and businesses. In addition, a security breach could also subject us to additional regulatory scrutiny, expose us to civil litigation and possible financial liability and cause reputational damage.

We rely on information technology and telecommunications systems and certain third-party service providers, the operational functions of which may experience disruptions that could adversely affect us and over which we may have limited or no control.

Our business is highly dependent on the successful and uninterrupted functioning of our information technology and telecommunications systems, third-party accounting systems and mobile and online banking platforms. We outsource many of our major systems, such as data processing, loan servicing and deposit processing systems and online banking platforms. While we have selected these vendors carefully, we do not control their actions. The failure of these systems, or the termination of a third-party software license or service agreement on which any of these systems is based, could interrupt our operations. Financial or operational difficulties of a vendor could also damage our operations if those difficulties interfere with the vendor’s ability to serve us. Furthermore, our vendors could also be sources of operational and information security risk to us, including from breakdowns or failures of their own systems or capacity constraints. Replacing these third-party vendors could also create significant delay and expense. Because our information technology and telecommunications systems interface with and depend on third-party systems, we could experience service denials if demand for such services exceeds capacity or such third-party systems fail or experience interruptions. If sustained or repeated, a system failure or service denial could result in a deterioration of our ability to process new and renewed loans, gather deposits and provide customer service, compromise our ability to operate effectively, damage our reputation, result in a loss of customer business and/or subject us to additional regulatory scrutiny and possible financial liability, any of which could have a material adverse effect on our financial condition and results of operations. Our ability to recoup our losses may be limited legally or practically in many situations.

Our risk management framework may not be effective in mitigating risks and/or losses.

We have implemented a risk management framework to mitigate our risk and loss exposure. This framework is comprised of various processes, systems and strategies, and is designed to identify, measure, monitor, report and manage the types of risk to which we are subject, including, among others, credit risk, interest rate risk, liquidity risk, legal and regulatory risk, cybersecurity risk, compliance risk, strategic risk, reputational risk and operational risk related to its employees, systems and vendors, among others. Any system of control and any system to reduce risk exposure, however well designed and operated, is based in part on certain assumptions and can provide only reasonable, not absolute, assurances that the objectives of the system are met and will be effective under all circumstances or that it will adequately identify, manage or mitigate any risk or loss to us. Additionally, instruments, systems and strategies used to hedge or otherwise manage exposure to various types of interest rate, price, legal and regulatory compliance, credit, liquidity, operational and business risks and enterprise-wide risk could be less effective than anticipated. As a result, we may not be able to effectively mitigate our risk exposures in particular market environments or against particular types of risk. If our risk management framework is not effective, we could suffer unexpected losses and become subject to litigation, negative regulatory

consequences, or reputational damage among other adverse consequences, any of which could result in our business, financial condition, results of operations or prospects being materially adversely affected.

Competition for talent is substantial and increasing. Moreover, revenue growth in some business lines increasingly depends upon top talent.

We have assembled a management team which has substantial background and experience in banking and financial services in our markets. Moreover, much of our organic loan growth in recent years was the result of our ability to attract experienced financial services professionals who have been able to attract customers from other financial institutions. We anticipate deploying a similar hiring strategy in the future. It is also common for other financial institutions to deploy this strategy as well and there is a risk that teams of our employees may be recruited by other financial institutions. Additionally, operating our technology systems requires employees with specialized skills that are not readily available in the general employee candidate pool. Inability to retain these key personnel (including key personnel of the businesses we have acquired) or to continue to attract experienced lenders with established books of business could negatively affect our growth because of the loss of these individuals’ skills and customer relationships and/or the potential difficulty of promptly replacing them. Moreover, the higher costs we must pay to hire and retain these experienced individuals could cause our noninterest expense levels to rise and negatively impact our results of operations.

Our accounting estimates and risk management processes rely on analytical and forecasting models.

The processes we use to estimate our expected credit losses and to measure the fair value of financial instruments, as well as the processes used to estimate the effects of changing interest rates and other market measures on our financial condition and results of operations, depend upon the use of analytical and forecasting models. These models reflect assumptions that may not be accurate, particularly in times of market stress or other unforeseen circumstances. If the assumptions used in our model for measuring interest sensitivity and asset-liability management fail to appropriately anticipate customer response to changing interest rates, our earnings and / or liquidity position could be threatened. Although we model multiple scenarios assuming differing interest rate curves and economic events, it is not possible for our modeling to anticipate every scenario or how one assumption may be influenced by changes in another assumption.

If the models we use for interest rate risk and asset-liability management are inadequate, we may incur increased or unexpected losses upon changes in market interest rates or other market measures. If the models we use for estimating our expected credit losses are inadequate, the allowance for credit losses may not be sufficient to support future charge-offs. If the models we use to measure the fair value of financial instruments are inadequate, the fair value of such financial instruments may fluctuate unexpectedly or may not accurately reflect what we could realize upon sale or settlement of such financial instruments.


RISKS FROM CHANGES IN ECONOMIC CONDITIONS AND MONETARY POLICY

Inflationary pressures present a potential threat to our results of operations and financial condition.

In recent years, the United States generally and the regions in which we operate specifically have experienced, for the first time in decades, significant inflationary pressures, evidenced by higher gas prices, higher food prices and higher prices on other consumer items. While inflationary pressure has lessened during 2024, the effects of inflation continue to present a risk to our business and our customers. Inflation represents a loss in purchasing power because the value of investments often does not keep up with inflation and erodes the purchasing power of money and the potential value of investments over time. Accordingly, inflation can result in material adverse effects upon our customers, their businesses (as a result of rising costs, including labor) and, as a result, our financial position and results of operations. Inflation also can and does generally lead to higher interest rates, which have their own separate risks. See Interest Rate and Yield Curve Risks in this Item 1A of this Report.

Generally, in periods of economic volatility, our realized credit losses increase, demand for our products and services declines, and the credit quality of our loan portfolio declines.

Our success depends significantly upon local, national and global economic and political conditions, as well as governmental monetary policies and trade relations. Economic volatility may increase if the U.S. budget deficit continues to increase. If the trend persists, the deficit could create inflationary pressure, which may be detrimental to the U.S. economy, and unemployment rates could

suffer if deficit reduction measures are implemented. Additionally, the 2025 incoming federal administration may deploy new trading strategies, such as tariffs on U.S. imports, which may create economic volatility. Our financial performance generally, and in particular the ability of borrowers to pay interest on and repay principal of outstanding loans and the value of collateral securing those loans, as well as demand for loans and other products and services we offer, is highly dependent upon the business environment in the markets where we operate and in the United States as a whole. Unlike banks that are more geographically diversified, we are a regional bank that provides services to customers primarily in Georgia, South Carolina, North Carolina, Tennessee, Florida and Alabama. The market conditions in these markets may be different from, and could be worse than, the economic conditions in the United States as a whole. Adverse changes in business and economic conditions generally or specifically in the markets in which we operate could affect our business, including causing one or more of the following negative developments:

•a decrease in the demand for loans and other products and services offered by us;

•a decrease in the value of the collateral securing our residential or CRE loans;

•a permanent impairment of our assets; or

•an increase in the number of customers or other counterparties who default on their loans or other obligations to us, which could result in a higher level of NPAs, net charge-offs and provision for loan losses.

The Federal Reserve has implemented significant economic strategies that have affected interest rates, inflation, asset values, and the shape of the yield curve. These strategies have had, and will continue to have, a significant impact on our business and on many of our clients.

In 2022 and much of 2023, in response to inflationary pressures, the Federal Reserve increased interest rates substantially. Starting in the third quarter of 2024, in response to decreasing rates of inflation, the Federal Reserve started to lower interest rates. Fluctuations in interest rates have had and can continue to have significant and sometimes adverse effects upon our business as well as the business of many of our customers. See Interest Rate and Yield Curve Risks in this Item 1A of this Report.

Federal Reserve strategies can, and often are intended to, affect the domestic money supply, inflation, interest rates, and the shape of the yield curve.

Effects on the yield curve often are most pronounced at the short end of the curve, which is of particular importance to us and other banks. Among other things, easing strategies are intended to lower interest rates, expand the money supply, and stimulate economic activity, while tightening strategies are intended to increase interest rates, tighten the money supply, and restrain economic activity. Many external factors may interfere with the effects of these plans or cause them to be changed, sometimes quickly. Such factors include significant economic trends or events as well as significant international monetary policies and events. Such strategies also can affect the U.S. and world-wide financial systems in ways that may be difficult to predict. Risks associated with interest rates and the yield curve are discussed in this Item 1A under the caption Interest Rate and Yield Curve Risks.


INTEREST RATE AND YIELD CURVE RISKS

We are subject to interest rate risk because a significant portion of our business involves borrowing and lending money, and investing in financial instruments.

A considerable amount of our profitability is dependent on net interest income, which is the difference between interest income earned on loans, leases and investment securities and interest expense paid on deposits, other borrowings, senior debt and subordinated notes. The absolute level of interest rates as well as changes in interest rates, including changes to the shape of the yield curve, may affect our level of interest income, the primary component of our gross revenue, as well as the level of our interest expense. In a period of changing interest rates, interest expense may increase at different rates than the interest earned on assets, impacting our net interest income. Interest rate fluctuations are caused by many factors which, for the most part, are not under our control. For example, national monetary policy implemented by the Federal Reserve plays a significant role in the determination of interest rates. Additionally, competitor pricing and the resulting negotiations that occur with our customers also impact the rates we collect on loans and the rates we pay on deposits.

Because of significant competitive pressures in our markets and the negative impact of these pressures on our deposit and loan pricing, coupled with the fact that a significant portion of our loan portfolio has variable rate pricing that moves in concert with changes to benchmark rates, our net interest margin may be negatively impacted if these short-term rates continue to decrease and we are unable to lower deposit pricing commensurately. As interest rates change, we expect that we will periodically

experience “gaps” in the interest rate sensitivities of our assets and liabilities, meaning that either our interest-bearing liabilities (usually deposits and borrowings) will be more sensitive to changes in market interest rates than our interest-earning assets (usually loans and investment securities), or vice versa. In either event, if market interest rates should move contrary to our position, this “gap” may work against us, and our results of operations and financial condition may be negatively affected.

We have entered into certain hedging transactions, including interest rate swaps, which are designed to lessen elements of our interest rate exposure. If interest rates do not change in the manner anticipated, such transactions may not be effective and our results of operations may be adversely affected.

High volatility in the yield curve, including sharp movements on and changes in the slope of the curve, can complicate or reduce the efficacy of our balance sheet management practices.

The yield curve is a reflection of interest rates applicable to short and long-term debt. The yield curve is steep when short-term rates are much lower than long-term rates; it is flat when short-term rates and long-term rates are nearly the same; and it is inverted when short-term rates exceed long-term rates. Historically, the yield curve is usually upward sloping (higher rates for longer terms). However, the yield curve can be relatively flat or inverted (downward sloping), which has happened several times in the past few years. A flat or inverted yield curve, which tends to decrease net interest margin, would adversely impact our lending businesses and investment portfolio. In 2022 and through most of 2023, the Federal Reserve increased rates in response to inflation and, during much of this time, the yield curve was inverted. In September 2024, the yield curve became upward sloping, but remains relatively flat. See Risks Associated From Changes in Economic Conditions and Monetary Policy within this section of the Report for additional information.


REPUTATION RISKS

Our ability to conduct and grow our businesses, and to obtain and retain clients, is highly dependent upon external perceptions of our business practices and financial stability.

Our reputation is a key asset for us. Reputation risk, or the risk to our earnings, liquidity and capital from negative public opinion, is inherent in our business. Our reputation is affected principally by our business practices and how those practices are perceived and understood by others. Negative public opinion could adversely affect our ability to keep and attract customers and expose us to adverse legal and regulatory consequences.


CREDIT AND COUNTERPARTY RISK

We face the risk that our clients may not repay their loans or other obligations and that the realizable value of collateral may be insufficient to avoid a charge-off.

We also face risks that other counterparties, in a wide range of situations, may fail to honor their obligations to pay us. In our business some level of credit charge-offs is unavoidable and overall levels of credit charge-offs can vary substantially over time. Lending activities are inherently risky. When we lend money or commit to lend, we incur credit risk or the risk of loss if borrowers do not repay their loans or other credit obligations.

Rising interest rates, inflation and a weakening economy adversely affect the ability of some borrowers to repay outstanding loans as well as the value of the collateral securing some of these loans. If loan customers with significant loan balances fail to repay their loans, our results of operations, financial condition and capital levels will suffer.

We are exposed to higher credit and concentration risk from our CRE, commercial and industrial and commercial construction lending.

Our credit risk and credit losses can increase if our loans become concentrated to borrowers engaged in the same or similar activities or to borrowers who, as a group, may be uniquely or disproportionately affected by economic or market conditions. As of December 31, 2024, approximately 74% of our loan portfolio consisted of commercial loans, including commercial and industrial, equipment financing, commercial construction and CRE mortgage loans. These types of loans are typically larger than residential real estate loans or consumer loans. During periods of lower economic growth or challenging economic periods, small to medium-sized businesses may be impacted more severely and more quickly than larger businesses. Consequently, the ability of such businesses to repay their loans may deteriorate, and in some cases this deterioration may occur quickly, which would adversely affect our results of operations and financial condition. An increase in non-performing loans could result in a net loss of earnings from these loans, an increase in the provision for loan losses and an increase in loan charge-offs, all of which could have a material adverse effect on our business, financial condition and results of operations.

Deterioration in economic conditions, housing conditions and commodity and real estate values and an increase in unemployment in certain states or locations could result in materially higher credit losses if loans are concentrated in those locations. Our loans are heavily concentrated in our primary markets of Georgia, South Carolina, North Carolina, Tennessee, Florida and Alabama. These markets may have different or weaker performance than other areas of the country and our portfolio may be more negatively impacted than a financial services company with wider geographic diversity.

See the section captioned “Loans” in the “Balance Sheet Review” section of Part II, Item 7. MD&A of this Report for further discussion related to commercial and industrial, construction and CRE loans.

We maintain an ACL, which is a reserve established through a provision for credit losses charged to expense. CECL has created more volatility in the level of our ACL because it relies on macroeconomic forecasts. It is possible that CECL may increase the cost of lending in the industry and result in slower loan growth and lower levels of net income. The level of the allowance reflects our continuing evaluation of factors including current economic forecasts, historical loss experience, the volume and types of loans, and specific credit risks. The determination of the appropriate level of the ACL inherently involves subjectivity in our modeling and requires us to make estimates of current credit risks and future trends, all of which may undergo material changes or vary from our historical experience. Deterioration in economic conditions affecting borrowers, changing economic forecasts, new information regarding existing loans, identification of additional problem loans and other factors, both within and outside of our control, may require an increase in the ACL. If we are required to materially increase our level of ACL for any reason, such increase could adversely affect our business, financial condition and results of operations.

In addition, bank regulatory agencies periodically review our ACL and may require an increase in the provision for credit losses or the recognition of further loan charge-offs, based on judgments different than those of management. Furthermore, if charge-offs in future periods exceed the ACL, we will need additional provisions to increase the ACL. Any increases in the ACL will result in a decrease in net income and, possibly, capital, and may have a material adverse effect on our business, financial condition and results of operations.

See the section captioned “Allowance for Credit Losses” in Part II, Item 7. MD&A of this Report for further discussion related to our process for determining the appropriate level of the ACL.


REGULATORY, LEGISLATIVE AND LEGAL RISKS

We are subject to a challenging regulatory environment that restricts our activities.

We operate in heavily regulated industries. Our regulatory burdens, including both operating restrictions and ongoing compliance costs, are substantial. We are subject to many banking, deposit, insurance, securities brokerage and underwriting, and consumer lending regulations in addition to the rules applicable to all companies whose securities are publicly traded in the U.S. securities markets. Failure to comply with applicable regulations could result in financial, structural, and operational penalties. In addition, efforts to comply with applicable regulations may increase our costs and/or limit our ability to pursue certain business opportunities. See Supervision and Regulation in Item 1 of this Report for additional information concerning financial industry regulations. Federal and state regulations significantly limit the types of activities in which we, as a financial institution, may engage. In addition, we are subject to a wide array of other regulations that govern other aspects of how we conduct our business, such as in the areas of

employment and intellectual property. Additionally, we expect the incoming federal administration will implement a regulatory reform agenda that is significantly different than that of the prior administration, affecting the rulemaking, supervision, examination and enforcement priorities of the federal banking agencies.

Failure to maintain certain regulatory capital levels and ratios could result in regulatory actions that would be materially adverse to our shareholders.

U.S. capital standards are discussed under the captions Capital Adequacy and Prompt Corrective Action in Item 1 of this Report and the caption “Capital Resources and Dividends” in Item 7 of this report. Pressures to maintain appropriate capital levels and address business needs in a changing economy could result in certain mandatory and possible additional discretionary actions by regulators that, if undertaken, could be dilutive or otherwise have an adverse effect on our shareholders. Such actions could include: reduction or elimination of dividends; the issuance of common or preferred stock, or securities convertible into stock; or the issuance of any class of stock having rights that are adverse to those of the holders of our existing classes of common or preferred stock. In addition, these requirements could have a negative impact on our ability to lend, grow deposit balances, make acquisitions or make share repurchases or redemptions. Higher capital levels could also lower our return on equity. Additional information concerning these risks and our management of them, all of which is incorporated into this Item 1A by this reference, appears: under the captions Capital Adequacy and Prompt Corrective Action in Item 1 of this report; under the caption “Capital Resources and Dividends” of Part II, Item 7. MD&A; and Note 21 Regulatory Matters, of Part II, Item 8. Financial Statements.

Political dysfunction and volatility within the federal government, both at the regulatory and Congressional level, creates significant potential for major and abrupt shifts in federal policy regarding bank regulation, taxes, and the economy, any of which could have significant and adverse impacts on our business and financial performance.

Certain of our operations and customers are dependent on the regular operation of the federal or state government or programs they administer. For example, our SBA lending program depends on interaction with the SBA, an independent agency of the federal government. During a lapse in funding, such as has occurred during previous federal government “shutdowns”, the SBA may not be able to engage in such interaction. Similarly, loans we make through USDA lending programs may be delayed or adversely affected by lapses in funding for the USDA. In addition, customers who depend directly or indirectly on providing goods and services to federal or state governments or their agencies may reduce their business with us or delay repayment of loans due to lost or delayed revenue from those relationships. If funding for these lending programs or federal spending generally is reduced as part of the appropriations process or by administrative decision, demand for our services may be reduced. Any of these developments could have a material adverse effect on our financial condition, results of operations or liquidity.

Legal disputes are an unavoidable part of business, and the outcome of pending or threatened litigation cannot be predicted with any certainty.

We face the risk of litigation from clients, associates, vendors, contractual parties, and other persons, either singly or in class actions, and from federal or state regulators. We manage those risks through internal controls, personnel training, insurance, litigation management, our compliance and ethics processes, and other means. However, the commencement, outcome, and magnitude of litigation cannot be predicted or controlled with any certainty. Substantial legal liability or significant regulatory action against us could have material adverse financial effects or cause significant reputational harm to us, which in turn could seriously harm our business prospects.

Data privacy is becoming a major political concern. The laws governing it are new, and are likely to evolve and expand.

Many non-regulated, non-banking companies have gathered large amounts of personal details about millions of people, and have the ability to analyze that data and act on that analysis very quickly. This situation has prompted governmental responses. Two prominent responses are the European Union General Data Protection Regulation and the California Consumer Privacy Act. Neither is a banking industry regulation, but both apply to banks in relation to certain clients. Further general regulation to protect data privacy appears likely, and banking industry regulations might be enlarged as well.


LIQUIDITY AND FUNDING RISK

Liquidity is essential to our business model and a lack of liquidity, or an increase in the cost of liquidity, could materially impair our ability to fund our operations and jeopardize our results of operation, financial condition and cash flows.

Liquidity represents an institution’s ability to provide funds to satisfy demands from depositors, borrowers and other creditors by either converting assets into cash or accessing new or existing sources of incremental funds. Liquidity risk arises from the possibility that we may be unable to satisfy current or future funding requirements and needs.

Deposit levels may be affected by several factors, including rates paid by competitors, general interest rate levels, returns available to customers on alternative investments, general economic and market conditions, customer concerns about the safety and soundness of our bank, whether real or perceived, or the U.S. banking system in general and other factors. Loan repayments are a relatively stable source of funds but are subject to the borrowers’ ability to repay loans, which can be adversely affected by a number of factors including changes in general economic conditions, adverse trends or events affecting business industry groups or specific businesses, declines in real estate values or markets, business closings or lay-offs, inclement weather, natural disasters and other factors. Furthermore, loans generally are not readily convertible to cash.

We anticipate we will continue to rely primarily on deposits, loan repayments, and cash flows from our investment securities to provide liquidity. However, from time to time, secondary sources may be used to augment our primary funding sources. The availability of these secondary funding sources is subject to broad economic conditions, to regulation and to investor assessment of our financial strength and, as such, the cost of funds may fluctuate significantly and/or the availability of such funds may be restricted, thus impacting our net interest income, our immediate liquidity and/or our access to additional liquidity. Additionally, if we fail to remain “well-capitalized” our ability to utilize brokered deposits may be restricted.

An inability to maintain or raise funds (including the inability to access secondary funding sources) in amounts necessary to meet our liquidity needs would have a substantial negative effect on our liquidity. Our access to funding sources in amounts adequate to finance our activities, or on terms attractive to us, could be impaired by factors that affect us specifically or the financial services industry in general. For example, factors that could detrimentally impact our access to liquidity sources include our financial results, a decrease in the level of our business activity due to a market downturn or adverse regulatory action against us, a reduction in our credit rating, any damage to our reputation, counterparty availability, changes in the activities of our business partners, changes affecting our loan portfolio or other assets, or any other event that could cause a decrease in depositor or investor confidence in our creditworthiness and business. Our access to liquidity could also be impaired by factors that are not specific to us, such as general business conditions, interest rate fluctuations, severe volatility or disruption of the financial markets or negative views and expectations about the prospects for the financial services industry as a whole, or legal, regulatory, accounting, and tax environments governing our funding transactions. In addition, our ability to raise funds is strongly affected by the general state of the U.S. and world economies and financial markets as well as the policies and capabilities of the U.S. government and its agencies, and may become increasingly difficult due to economic and other factors beyond our control.

A downgrade of our credit rating could limit our access to borrowings or increase our borrowing costs.

Credit ratings are subject to ongoing review by rating agencies, which consider a number of factors, including our financial strength, performance, prospects and operations as well as factors not under our control. Rating agencies could make adjustments to our credit ratings at any time, and there can be no assurance that they will maintain our ratings at current levels or that downgrades will not occur. If rating agencies were to downgrade our credit rating, our borrowing costs would increase or the availability of borrowing sources could be limited. Additionally, a downgrade could occur at a time that is disadvantageous when our need for borrowings is high, further increasing our overall cost of funds. If the downgrade is due to lower earnings performance, elevated credit losses, capital deficiencies or other factors, collateral requirements for secured borrowings could also be elevated which could further limit our borrowing capacity and increase our borrowing costs.

The proportion of our deposit account balances that exceed FDIC insurance limits may expose us to enhanced liquidity risk in times of financial distress.

Uninsured deposits historically have been viewed by the FDIC as less stable than insured deposits. As a result, in the event of financial distress, uninsured depositors historically have been more likely to withdraw their deposits.

If a significant portion of our deposits were to be withdrawn within a short period of time such that additional sources of funding would be required to meet withdrawal demands, we may be unable to obtain funding at favorable terms, which may have an adverse effect on our net interest margin. Moreover, obtaining adequate funding to meet our deposit obligations may be more challenging during periods of elevated prevailing interest rates, such as the present period. Our ability to attract depositors during a time of actual or perceived distress or instability in the marketplace may be limited. Further, interest rates paid for borrowings generally exceed the interest rates paid on deposits. This spread may be exacerbated by higher prevailing interest rates. In addition, because our investment securities lose value when interest rates rise, after-tax proceeds resulting from the sale of such assets may be diminished during periods when interest rates are elevated. Under such circumstances, we may be required to access funding from sources such as the Federal Reserve’s discount window in order to manage our liquidity risk.


ACCOUNTING AND TAX RISKS

The preparation of our consolidated financial statements in conformity with U.S. GAAP requires management to make significant assumptions, estimates and judgments that affect the financial statements.

Management must make significant assumptions and estimates and exercise significant judgment in selecting and applying accounting and reporting policies. In some cases, management must select a policy from two or more alternatives, any of which may be reasonable under the circumstances, which may result in reporting materially different results than would have been reported under a different alternative. The estimate that is consistently one of our most critical is the level of the allowance for credit losses. However, other estimates can be highly significant at discrete times or during periods of varying length. Estimates are made at specific points in time. As actual events unfold, estimates are adjusted accordingly. Due to the inherent nature of these estimates, it is possible that, at some time in the future, we may significantly increase the allowance for credit losses and/or sustain credit losses that are significantly higher than the provided allowance, or we may recognize a significant provision for impairment of assets, or we may make some other adjustment that will differ materially from the estimates that we make today. Moreover, in some cases, especially concerning litigation and other contingency matters where critical information is inadequate, often we are unable to make estimates until fairly late in a lengthy process.

The accounting standard setters, including the FASB, the SEC and other regulatory agencies, periodically change the financial accounting and reporting standards that govern the preparation of our consolidated financial statements. For additional information, refer to Note 2 to our consolidated financial statements contained in this Report. These changes can be difficult to predict and can materially impact how we record and report our financial condition and results of operations. In some cases, we could be required to apply a new or revised standard retroactively, which would result in the recasting of our prior period financial statements.

We could be subject to changes in tax laws, regulations and interpretations or challenges to our income tax provision.

We compute our income tax provision based on enacted tax rates in the jurisdictions in which we operate. Any change in enacted tax laws, rules or regulatory or judicial interpretations, any adverse outcome in connection with tax audits in any jurisdiction or any change in the pronouncements relating to accounting for income taxes could adversely affect our effective tax rate, tax payments and results of operations.

Our internal controls and procedures may fail or be circumvented.

Maintaining and adapting our internal controls over financial reporting, disclosure controls and procedures and effective corporate governance policies and procedures (“controls and procedures”) is expensive and requires significant management attention. Moreover, as we continue to grow, our controls and procedures may become more complex and require additional resources to ensure

they remain effective amid dynamic regulatory and other guidance. Failure to implement effective controls and procedures or circumvention of our controls and procedures could harm our business, results of operations and financial condition or cause us to fail to meet our public reporting obligations.


GEOGRAPHIC AND CLIMATE RISKS

We are subject to risks of operating in various jurisdictions.

Our success is also influenced heavily by population growth, income levels, loans and deposits and on stability in real estate values in our markets. To a significant degree our banking business is exposed to economic, regulatory, natural disaster, and other risks that primarily impact the southeastern U.S. states where we do most of our traditional banking business. If that region of the U.S. did not grow or was to experience adversity not shared by other parts of the country, for example the risk of hurricanes in our geographic footprint, we would likely experience adversity to a degree not shared by those competitors which have a broader or different regional footprint. If market and economic conditions deteriorate, this may lead to valuation adjustments on our loan portfolio and losses on defaulted loans and on the sale of other real estate owned. Additionally, such adverse economic conditions in our market areas, specifically decreases in real estate property values due to the nature of our loan portfolio, the majority of which is secured by real estate, could reduce our growth rate, affect the ability of our customers to repay their loans and generally affect our financial condition and results of operations. We are less able than larger institutions to spread the risks of unfavorable local economic conditions across a larger number of more diverse economies.

Natural disasters and weather-related events, exacerbated by climate change, could have a negative impact on our results of operations and financial condition.

We operate in markets in which natural disasters, including tornadoes, severe storms, fires, floods, hurricanes and earthquakes have occurred. Although our banking offices are geographically dispersed throughout portions of the southeastern United States and we maintain insurance coverage for such events, a significant natural disaster in or near one or more of our markets could have a material adverse effect on our financial condition, results of operations or liquidity.

The markets in which we operate also are exposed to the adverse impacts of climate change, as well as uncertainties related to the transition to a low-carbon economy. Climate change presents both immediate and long-term risks to us and our customers and clients, with the risks expected to increase over time. Climate risks can arise from both physical risks (those risks related to the physical effects of climate change) and transition risks (risks related to regulatory, compliance, technological, stakeholder and legal changes from a transition to a low-carbon economy). The physical and transition risks can manifest themselves differently across our risk categories in the short, medium and long terms.

The physical risk from climate change could result from increased frequency and/or severity of adverse weather events. For example, adverse weather events could damage or destroy our properties or our counterparties’ properties and other assets and disrupt operations, making it more difficult for counterparties to repay their obligations, whether due to reduced profitability, asset devaluations or otherwise. These events could also increase the volatility in financial markets and increase our counterparty exposures and other financial risks, which may result in lower revenues and higher cost of credit. For example, the cost of property and flood insurance in Florida has increased significantly in recent years, which has increased the cost of doing business. This can hinder profitability of existing customers and creates a higher barrier to entry for new businesses, which could decrease demand for borrowing for potential and existing customers.

Transition risks may arise from changes in regulations or market preferences toward a low-carbon economy, which in turn could have negative impacts on asset values, results of operations or our reputation or that of our customers and clients.


STOCK HOLDING AND GOVERNANCE RISKS

The inability of our subsidiaries to declare and pay dividends or other distributions to the Holding Company could adversely affect its liquidity and ability to declare and pay dividends.

Future dividends, if any, will be declared and paid at the Board’s discretion and will depend on a number of factors including, among others, asset quality, earnings performance, liquidity and capital requirements. Our principal

source of funds used to pay cash dividends on our common and preferred stock is dividends that we receive from the Bank. As a South Carolina state-chartered bank, the Bank is subject to limitations on the amount of dividends that it is permitted to pay, as described under “Supervision and Regulation - Payment of Dividends” in Part I, Item 1 of this Report. The federal banking agencies have also issued policy statements which provide that bank holding companies and insured banks should generally only pay dividends out of current earnings. The Federal Reserve may also prevent the payment of a dividend by the Bank if it determines that the payment would be an unsafe and unsound banking practice. The Holding Company and the Bank must also maintain the CET1 capital conservation buffer of 2.5% to avoid becoming subject to restrictions on capital distributions, including dividends. If the Bank is not permitted to pay cash dividends to the Holding Company, it is unlikely that we would be able to continue to pay dividends on our common stock or to pay interest on our indebtedness.

Holders of our indebtedness and of depositary shares related to our Series I preferred stock have rights that are senior to those of our common shareholders.

At December 31, 2024, we had outstanding senior debentures, subordinated debentures, trust preferred securities and accompanying subordinated debentures and preferred stock totaling $342 million. Payments of the principal and interest on the senior debentures, subordinated debentures and the subordinated debentures accompanying the trust preferred securities and dividends on the preferred stock are senior to payments with respect to shares of our common stock. We also conditionally guarantee payments of the principal and interest on the trust preferred securities. As a result, we must make payments on these debt instruments (including the related trust preferred securities) and preferred shares before any dividends can be paid on our common stock and, in the event of bankruptcy, dissolution or liquidation, the holders of the debt and preferred shares must be satisfied before any distributions can be made on our common stock. We have the right to defer distributions on the subordinated debentures related to the trust preferred securities (and the related guarantee of payments on the trust preferred securities) for up to five years, during which time no dividends may be paid on our common stock. If our financial condition deteriorates or if we do not receive required regulatory approvals, we may be required to defer distributions on the subordinated debentures related to the trust preferred securities (and the related guarantee of payments on the trust preferred securities).

We may from time to time issue additional senior or subordinated indebtedness or preferred stock that would have to be repaid before our shareholders would be entitled to receive any of our assets.

Our stock price can be volatile.

Stock price volatility may make it more difficult for you to resell your common stock when you want and at prices you find attractive. Our stock price can fluctuate significantly in response to a variety of factors, some of which are unrelated to our financial performance, including, among other things:

•actual or anticipated variations in quarterly results of operations;

•recommendations by securities analysts;

•operating and stock price performance of other companies that investors deem comparable to us;

•news reports relating to trends, concerns and other issues in the financial services industry;

•perceptions in the marketplace regarding us and/or our competitors;

•new technology used, or services offered, by competitors;

•significant acquisitions or business combinations, strategic partnerships, joint ventures or capital commitments by or involving us or our competitors;

•failure to integrate acquisitions or realize anticipated benefits from acquisitions;

•changes in government regulations; or

•geopolitical conditions such as acts or threats of war, terrorism, military conflicts, the effects (or perceived effects) of pandemics and trade relations.

General market fluctuations, including real or anticipated changes in the strength of the local economy; industry factors and general economic and political conditions and events, such as economic slowdowns or recessions; interest rate changes, oil price volatility or credit loss trends could also cause our stock price to decrease regardless of our operating results.

Our corporate organizational documents and the provisions of Georgia law to which we are subject contain certain provisions that could have an anti-takeover effect and may delay, make more difficult or prevent an attempted acquisition of United that you may favor.

These provisions include:

•allowing the Board to consider the interests of our employees, customers, suppliers and creditors when considering an acquisition proposal;

•that all amendments to the articles and certain portions of the bylaws must be approved by a majority of the outstanding shares of our capital stock entitled to vote;

•requiring that any business combination involving United be approved by 75% of the outstanding shares of United’s common stock excluding shares held by stockholders who are deemed to have an interest in the transaction unless the business combination is approved by 75% of United’s directors;

•restricting removal of directors except for cause and upon the approval of two-thirds of the outstanding shares of our capital stock entitled to vote;

•that any special meeting of shareholders may be called only by the chairman, chief executive officer, president, chief financial officer, board of directors or the holders of 25% of the outstanding shares of United’s capital stock entitled to vote; and

•establishing certain advance notice procedures for matters to be considered at an annual meeting of shareholders.

The issuance of our preferred stock, while providing desirable flexibility in connection with possible acquisitions, financings and other corporate purposes, could have the effect of making it more difficult for a third party to acquire, or of discouraging a third party from acquiring, a controlling interest in us. In addition, certain provisions of Georgia law, including a provision which restricts certain business combinations between a Georgia corporation and certain affiliated shareholders, may delay, discourage or prevent an attempted acquisition or change in control of United.

Our stockholders may suffer dilution if we raise capital through public or private equity financings to fund our operations, to increase our capital, or to expand.

If we raise funds by issuing equity securities or instruments that are convertible into equity securities, the percentage ownership of our current common stockholders will be reduced, the new equity securities may have rights and preferences superior to those of our common or outstanding preferred stock, and additional issuances could be at a sales price which is dilutive to current stockholders. We may issue or be required to issue additional shares of common stock, or securities convertible into, exchangeable for or representing rights to acquire shares of common stock in order to maintain capital at desired or regulatory-required levels. We could also issue additional equity securities directly as consideration in acquisitions of other financial institutions or other investments that we may make that would be dilutive to stockholders in terms of voting power and share-of-ownership, and could be dilutive financially or economically.


OTHER EXTERNAL RISKS

Pandemics and outbreaks of communicable diseases, acts of terrorism and other adverse external events may lead to periods of significant volatility in financial and other markets, and could adversely affect our ability to conduct normal business and could harm our clients, businesses, financial condition and results of operations.

Widespread outbreaks of communicable diseases and acts of terrorism may cause significant disruption in the international and United States economies and financial markets and could have an adverse effect on our business and results of operations. Governments of the states in which we have operations may take preventative or protective actions, such as imposing restrictions on travel and business operations, advising or requiring individuals to limit or forego their time outside of their homes, and ordering temporary closures of businesses that have been deemed to be non-essential.

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

CYBERSECURITY

Policy statements and regulations by state and federal bank regulators indicate that financial institutions should design multiple layers of security controls to establish lines of defense and to ensure that their risk management processes also address the risk posed by compromised customer credentials, including security measures to reliably authenticate customers accessing internet-based services of the financial institution. For example, a financial institution’s management is expected to maintain sufficient business continuity planning processes to ensure the rapid recovery, resumption and maintenance of the institution’s operations after a cyberattack involving destructive malware.

A rule issued by federal financial regulatory agencies imposes upon banking organizations and their service providers notification requirements for significant cybersecurity incidents. Banks’ service providers are required under that rule to notify any affected bank to or on behalf of which the service provider provides services “as soon as possible” after determining that it has experienced an incident that materially disrupts or degrades, or is reasonably likely to materially disrupt or degrade, covered services provided to such bank for as much as four hours.

The GLB Act’s Safeguards Rule requires financial institutions to: (i) appoint a qualified individual to oversee and implement their information security programs; (ii) implement additional criteria for information security risk assessments; (iii) implement safeguards identified by assessments, including access controls, data inventory, data disposal, change management, and monitoring, among other things; (iv) implement information system monitoring in the form of either “continuous monitoring” or “periodic penetration testing;” (v) implement additional controls including training for security personnel, periodic assessment of service providers, written incident response plans, and periodic reports from the qualified individual to the board of directors. Additionally, multiple states and Congress are considering laws or regulations which could create new individual privacy rights and impose increased obligations on companies handling personal data.

Risk management and strategy

The regulatory requirements referenced above recognize that, in the ordinary course of business, we rely on electronic communications and information systems to conduct our operations and store sensitive data. “Information systems” means electronic information resources that we own or use, including physical or virtual infrastructure controlled by these information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the information necessary to maintain or support our operations. We face significant and persistent cybersecurity risks due to: the breadth of geographies, networks, and systems we must defend against cybersecurity attacks; the complexity, technical sophistication, value, and widespread use of our systems, products and processes; the attractiveness of our systems, products and processes to threat actors (including state-sponsored organizations) seeking to inflict harm on us or our customers; the substantial level of harm that could occur to us and our customers were we to suffer impacts of a material cybersecurity incident; and our use of third-party products, services and components. Because cybersecurity threats continue to evolve, we have been required and may continue to be required to expend significant resources to continue to implement, modify or enhance our protective measures or to investigate and remediate any information security vulnerabilities. Financial expenditures may also be required to meet regulatory changes in the information security and cybersecurity domains. Risks and exposures related to cybersecurity attacks are expected to remain significant for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as the expanding use of internet banking, mobile banking and other technology-based products and services by us and our customers. See “Item 1A. – Risk Factors” in this Report for a further discussion of risks related to cybersecurity.

The underlying controls of our cyber risk management program are based on recognized best practices and standards for cybersecurity and information technology, including frameworks such as the Center for Internet Security’s Critical Security Controls and the Federal Financial Institutions Examination Council’s Cybersecurity Assessment. We periodically engage third-parties to assess our cyber risk program and technical controls. To address cybersecurity threats (defined as potential unauthorized occurrences on or conducted through our information systems that may result in adverse effects on the confidentiality, integrity, or availability of those systems or any information residing in those systems therein), we have implemented an incident and event response program. That program, which is designed to identify, assess, manage, mitigate, and respond to cybersecurity threats, is integrated within our overall enterprise risk management and business continuity frameworks. We employ an in-depth, layered, defensive approach that leverages people,

processes and technology to manage and maintain cybersecurity controls. We also employ a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity relative to our information systems, as well as to report on any suspected advanced persistent threats. An ongoing enterprise-wide security awareness training program is in place to help protect our data, systems, and networks from malicious attacks and cyber threats. The program is designed to allow for the detection and timely and efficient recovery from cybersecurity incidents (defined as unauthorized occurrences, or a series of related unauthorized occurrences, on or conducted through our information systems that jeopardize the confidentiality, integrity, or availability of those systems or any information residing therein) and events by providing a well-defined, organized approach for handling any potential threats to the confidentiality, integrity, and/or availability of our information systems.

In many instances we rely on third-party providers to facilitate providing products and services to our customers. As a part of our overall cybersecurity risk management framework and, in addition to assessing our own cybersecurity preparedness, we also have a process in place to manage cybersecurity risks associated with third-party service providers. To help mitigate adverse impacts from a cybersecurity incident, we assess third-party vendors as a part of our vendor onboarding and continued due diligence which includes processes to assess information security posture. Depending upon the level of perceived security risk, we may impose security requirements upon a supplier, including: maintaining an effective security management program; abiding by information handling and asset management requirements; and notifying us in the event of any known or suspected cyber incident. We periodically conduct (or engage a third party to conduct) reviews of third-party hosted applications with a specific focus on any sensitive data shared with third parties. The internal business owners of hosted applications, depending upon the level of risk, are required to provide a report as to their controls (e.g., a System and Organization Controls (SOC) 2 or ISO 27001 (Information and Security Certification) or similar report).

Our information security team in combination with other third-party vendors monitor our information systems for suspicious activity, such as unauthorized intrusions. Suspected or confirmed threats, incidents, or events, however, also may be reported by bank employees, customers, intrusion detection systems, third-party servicers, or government entities. Once reported, cybersecurity incidents are to be brought to the attention of our Information Technology and Security Team. Depending upon the nature and perceived threat level of the reported event, our overall enterprise risk management process would require the involvement of other management and response teams representing other groups (e.g., Information Technology, Information Security, Legal/Compliance, Corporate Security, Internal Audit, Human Resources, Finance/Accounting, Corporate Communications, Designated Cyber Coach) within our organization.

Incident and risk event levels each vary from no (or low) risk to crisis (high) risk. The determination of the incident and risk level will dictate the level of personnel that will be responsible for addressing the incident, controlling the effects of the incident and formulating the response to the incident. Responses may include, when appropriate and/or required, notification to regulatory agencies (e.g., Federal Reserve, FinCEN, SEC), authorities (e.g., F.B.I., Department of Justice), customers, third parties or internal personnel.

Each of the management and response teams, within its assigned level, is responsible for providing an orderly response to security incidents and risk events; preventing a serious loss of profits, public confidence, or information assets by providing an immediate, effective, and skillful response to any unexpected event which negatively impacts the confidentiality, integrity, and/or availability of our systems, network, or the non-public personal information of its customers, interruptions to customers’ experiences, or other anomalous situations; taking the steps it deems necessary to contain, mitigate, or resolve a security incident or risk event; and investigating suspected security incidents and risk events in a timely and cost effective manner, reporting findings to management, determining an appropriate course of action, and coordinating communications to customers, regulatory authorities, and law enforcement agencies as necessary.

Following a cybersecurity incident, and during its investigation and the formulation of a response, our processes also envision measures designed to contain and/or eradicate the incident and prevent further effects. Once it is determined that the incident has been resolved, we then work to establish appropriate controls (if applicable) to address similar future events and/or prevent another similar event from occurring in the future. We have experienced, and will continue to experience, cyber incidents in the normal course of business. To date, however, we have not experienced any previous cybersecurity incidents that have materially affected or are reasonably likely to materially affect our business strategy, results of operations, or financial condition.

Governance

Our cybersecurity program is headed by our Chief Information Security Officer (CISO), who reports to our Chief Information Officer. Our CISO is informed about and monitors prevention, detection, mitigation and remediation efforts through regular communication and reporting from professionals in the information security team, several of whom have extensive records of service in financial institutions and cybersecurity. Our CISO has over 20 years of experience in IT operations/security roles in the financial services industry and holds a cybersecurity certification as a Certified Information Systems Security Professional (“CISSP”). Other members of

his team also hold CISSP certifications as well as CompTIA Security+, SANS Institute Cloud Security Essentials, SANS Institute GIAC Certified Enterprise Defender, SANS Institute Security Awareness Professional, Certified Information Security Manager, GIAC Certified Incident Handler, Certified in Risk and Information Systems Control, and GIAC Cyber Threat Intelligence certifications.

As part of its oversight responsibilities over the Company risks and controls, the Board ultimately is responsible for overseeing our cyber and information security risks. The Board has delegated this responsibility to its Risk Committee. At each quarterly meeting of the Risk Committee, our CISO reports to the Risk Committee regarding security testing, training, audits, key cybersecurity metrics, and our efforts to identify, prepare for, prevent, and respond to critical threats. The Risk Committee receives regular updates on the status of our information security program, penetration testing results, infrastructure assessments, threat environment, security operations, operational events, vendor and supply chain security, and application/data security. On an annual basis, the CISO presents a cybersecurity program update to the Risk Committee.

Recently Filed

Click on a ticker to see risk factors

Ticker *	File Date
SAFX	3 days, 14 hours ago
RVRC	3 days, 14 hours ago
AIRS	3 days, 14 hours ago
CYCU	3 days, 14 hours ago
CBDY	3 days, 14 hours ago
GEMI	3 days, 14 hours ago
SOLC	3 days, 14 hours ago
ZVSA	3 days, 14 hours ago
LCGMF	3 days, 14 hours ago
TRNR	3 days, 14 hours ago
SLSN	3 days, 14 hours ago
LTUM	3 days, 14 hours ago
SVAQ	3 days, 14 hours ago
INKT	3 days, 14 hours ago
GNLN	3 days, 14 hours ago
NCNO	3 days, 14 hours ago
CEPS	3 days, 14 hours ago
STSS	3 days, 14 hours ago
BDCO	3 days, 14 hours ago
SKAS	3 days, 14 hours ago
TE	3 days, 14 hours ago
JWSMF	3 days, 14 hours ago
AQMS	3 days, 14 hours ago
FCCI	3 days, 14 hours ago
INIS	3 days, 14 hours ago
DUOT	3 days, 14 hours ago
GOCO	3 days, 14 hours ago
PED	3 days, 14 hours ago
BLNK	3 days, 14 hours ago
HTCR	3 days, 14 hours ago
SRG	3 days, 14 hours ago
ADTX	3 days, 14 hours ago
ALTI	3 days, 14 hours ago
SVIX	3 days, 14 hours ago
PLAY	3 days, 14 hours ago
TCRT	3 days, 14 hours ago
ACRG	3 days, 14 hours ago
BNZI	3 days, 14 hours ago
TOGI	3 days, 14 hours ago
RPMT	3 days, 14 hours ago
SKVI	3 days, 14 hours ago
ISRLF	3 days, 14 hours ago
SCWO	3 days, 14 hours ago
CRAQ	3 days, 14 hours ago
BITF	3 days, 14 hours ago
UAVS	3 days, 14 hours ago
CNTA	3 days, 14 hours ago
DSS	3 days, 14 hours ago
FCAP	3 days, 14 hours ago
AMOD	3 days, 14 hours ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - UCBI

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - UCBI

-New additions in green-Changes in blue-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing