Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - UNB

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A. Risk Factors
An investment in the Company involves risk, some of which, including market, liquidity, credit, operational, legal, compliance, reputational and strategic risks, could be substantial and is inherent in our business. The material risks and uncertainties that management believes affect the Company are described below. Any of the following risks could affect the Company’s financial condition and results of operations and could be material and/or adverse in nature. You should consider all of the following risks together with all of the other information in this Annual Report on Form 10-K.

13

Credit and Interest Rate Risks
Our loans are concentrated in certain areas of Vermont and New Hampshire and adverse conditions in those markets could adversely affect our operations.
We are exposed to real estate and economic factors throughout Vermont and New Hampshire. Further, because a substantial portion of our loan portfolio is secured by real estate in Vermont and New Hampshire, the value of the associated collateral is subject to real estate market conditions in those states and in the northern New England region more generally. Further, because a substantial portion of our loan portfolio is secured by real estate in Vermont and New Hampshire, the value of the associated collateral is subject to real estate market conditions in those states and in the northern New England region more generally. Adverse economic, political and business developments or natural hazards may affect these areas and the ability of property owners in these areas to make payments of principal and interest on the underlying loans. If these areas experience adverse economic, political or business conditions, or significant natural hazards, we would likely experience higher rates of loss and delinquency on our loan portfolio than if the portfolio were more geographically diverse. If these areas experience adverse economic, political or business conditions, or significant natural hazards, we would likely experience higher rates of loss and delinquency on our loan portfolio than if the portfolio were more geographically diverse.

If our allowance for credit losses is not sufficient to cover actual loan losses, our earnings could decrease.If our allowance for loan losses is not sufficient to cover actual loan losses, our earnings could decrease.
As a lender, we are exposed to the risk that our loan customers may not repay their loans according to their terms and that the collateral or guarantees securing these loans may be insufficient to assure repayment. The underwriting and credit monitoring policies and procedures that we have adopted to address this risk may not prevent unexpected losses that could have a material adverse effect on our business, financial condition, results of operations and cash flows. Our future success will depend, in part, upon our ability to address the needs of our customers by using technology to provide products and services that will satisfy customer demands for convenience, as well as to create additional efficiencies in our operations. We maintain an allowance for credit losses to provide for loan defaults and non-performance, which also includes increases for new loan growth. While we believe that our allowance for credit losses is appropriate to cover expected losses, we cannot provide assurance that we will not increase the allowance for credit losses further or that regulators will not require us to increase the allowance for credit losses, which could have a material adverse effect on our net income and financial condition.
Management makes various assumptions and judgments about the collectability of our loan portfolio, which are regularly reevaluated and are based in part on:
current and forecasted economic conditions and their estimated effects on specific borrowers;
an evaluation of the existing relationships among loans, potential credit losses and the present level of the allowance for credit losses;
results of examinations of our loan portfolios by regulatory agencies; and
management's internal review of the loan portfolio.
In determining the size of the allowance for credit losses, we rely on an analysis of our loan portfolio, our experience and a third-party economic forecast. If our assumptions prove to be incorrect, our current allowance for credit losses may not be sufficient to cover the losses.
In addition, third parties, including our federal and state regulators, periodically evaluate the adequacy of our allowance for credit losses and may communicate with us concerning the methodology or judgments that we have raised in determining the allowance for credit losses. As a result of this input, we may be required to assign different risk ratings to specific credits, increase our provision for credit losses, and/or recognize further loan charge offs which could have a material adverse effect on our net income and financial condition.

Our commercial, commercial real estate and construction loan portfolio may expose us to increased credit risks.
At December 31, 2025, approximately 41% of our loan portfolio was comprised of commercial and commercial real estate loans. In general, commercial and commercial real estate loans have historically posed greater credit risks than owner occupied residential mortgage loans. The repayment of commercial real estate loans depends on the business and financial condition of borrowers. Economic events and changes in government regulations, which we and our borrowers cannot control or reliably predict, could have an adverse impact on the cash flows generated by the businesses and properties securing our commercial and commercial real estate loans and on the values of the collateral securing those loans. Repayment of commercial loans depends substantially on the borrowers’ underlying business, financial condition and cash flows. Commercial loans are generally collateralized by equipment, inventory, accounts receivable and other fixed assets. Compared to real estate, that type of collateral is more difficult to monitor, its value is harder to ascertain, it may depreciate more rapidly and it may not be as readily saleable if repossessed. Compared to real estate, that type of collateral is more difficult to monitor, its value is harder to ascertain, it may depreciate more rapidly and it may not be as readily saleable if repossessed.

Changes in interest rates and interest rate volatility may reduce our profitability.
Our consolidated earnings and financial condition are primarily dependent upon net interest income, which is the difference between interest earned from loans and investments and interest paid on deposits and borrowings. Net interest income can be affected significantly by changes in market interest rates. In particular, changes in relative interest rates may reduce our net interest income as the difference between interest income and interest expense decreases. As a result, we have adopted asset and liability management policies to minimize the potential adverse effects of changes in interest rates on net interest income, primarily by altering the mix and maturity of loans, investments and funding sources. However, despite these measures there can be no assurance that a change in interest rates will not negatively impact our results of operations or financial condition. However, there can be no assurance that a 14change in interest rates will not negatively impact our results of operations or financial condition.
14

Because market interest rates may change by differing magnitudes and at different times, significant changes in interest rates over an extended period of time could reduce overall net interest income.

The fair value of our investment securities can fluctuate due to factors outside of our control, and impairment of investment securities could require charges to earnings, which could result in a negative impact on our results of operations.
As of December 31, 2025, the carrying value of our investment securities portfolio was approximately $326.3 million. Factors beyond our control can significantly influence the fair value of securities in our portfolio and can cause potential adverse changes to the fair value of these securities. These factors include, but are not limited to, rating agency actions in respect to the securities, defaults by the issuer or with respect to the underlying securities and changes in market interest rates and instability in the capital markets. Any of these factors, among others, could cause impairments and realized and/or unrealized losses in future periods and declines in other comprehensive income, which could have an adverse effect on our business, financial condition and results of operations. Deterioration or continued weakness in any of these conditions could result in increases in loan delinquencies and nonperforming assets, decreases in loan collateral values, the value of our investment portfolio and demand for our products and services.
AFS debt securities in an unrealized loss position, are evaluated by management for impairment, to determine whether the decline in fair value has resulted from credit losses or other factors. In making this assessment, management considers the extent to which fair value is less than amortized cost, any changes to the rating of the security by a rating agency, and adverse conditions specifically related to the security and the issuer, among other factors. If this assessment indicates that a credit loss exists, management compares the present value of cash flows expected to be collected from the security with the amortized cost basis of the security. If the present value of cash flows expected to be collected is less than the amortized cost basis for the security, a credit loss exists and an ACL is recorded, limited to the amount by which the amortized cost basis of the security exceeds its fair value. Any impairment that has not been recorded through an ACL is recognized in other comprehensive income (loss), net of applicable taxes.

A lack of liquidity could adversely affect the Company’s financial condition and results of operations and result in regulatory restrictions.
The Company must maintain sufficient funds to respond to the needs of depositors and borrowers and for other liquidity needs. Deposits have traditionally been the Company’s primary source of funds for use in lending and investment activities and are emphasized due to the relatively lower cost of these funds. The Company also receives funds from loan repayments, investment maturities and income on other interest-earning assets, as well as borrowings. If the Company is required to rely more heavily on more expensive funding sources to support liquidity and future growth, its revenues may not increase proportionately to cover its increased costs, which would adversely affect its operating margins, profitability and growth prospects. Alternatively, the Company may need to sell a portion of its investment securities portfolio to raise funds, which, as discussed below, could result in a loss. Any decline in funding could adversely impact the Company’s ability to originate loans, invest in securities, pay expenses, or fulfill obligations such as repaying its borrowings or meeting deposit withdrawal demands, any of which could have a material adverse impact on its liquidity, business, financial condition and results of operations. A lack of liquidity could also attract increased regulatory scrutiny and potentially result in restraints imposed by regulators. Depending on the capitalization status and regulatory treatment of depository institutions, including whether an institution is subject to a supervisory prompt corrective action directive, regulatory restrictions and prohibitions may include restrictions on growth, restrictions on interest rates paid on deposits, restrictions or prohibitions on payment of dividends and restrictions on the acceptance of brokered deposits.

Elevated and volatile interest rates have reduced the value of the Company’s securities portfolio, and the Company could realize losses if it is required to sell such securities to meet liquidity needs.
The Company’s securities portfolio consists primarily of fixed income securities whose market values are sensitive to changes in interest rates. Although interest rates have declined somewhat over the past year and a half, rates remain elevated compared to historical levels; and are subject to volatility. As a result, the trading values of previously issued government and other fixed income securities continue to be lower than their historical levels, resulting in unrealized losses embedded in the Company’s securities portfolio.
While unrealized losses do not directly affect earnings unless realized, they reduce the market value of securities that may otherwise serve as a source of liquidity. The Company generally intends to hold its investment securities to maturity or recovery of amortized cost and does not currently anticipate selling such securities. However, under certain circumstances—including unanticipated deposit outflows, reduced access to wholesale funding markets, or other liquidity stress events—the Company may be required to sell securities prior to maturity.
If the Company were to sell securities in a period of elevated interest rates or adverse market conditions, it could be required to realize losses that were previously unrealized. Such realized losses could adversely affect the Company’s earnings, regulatory capital ratios, financial condition, and results of operations, and could limit financial flexibility or require the Company to raise additional capital or funding on less favorable terms.
15

Although the Company has taken, and continues to take, actions to manage interest rate risk and diversify its funding sources, including maintaining contingent liquidity resources and rebalancing its investment portfolio, there can be no assurance that these measures would be sufficient to prevent the need to sell securities at unfavorable prices in the event of significant or sustained liquidity stress.

Potential deterioration in the performance or financial position of the Federal Home Loan Bank ("FHLB") of Boston might restrict our funding needs and may adversely impact our financial condition and results of operations.
Significant components of our liquidity needs are met through our access to funding pursuant to our membership in the FHLB. The FHLB is a cooperative that provides services to its member banking institutions. The primary reason for joining the FHLB is to obtain funding. The purchase of stock in the FHLB is a requirement for a member to gain access to funding. Any deterioration in the FHLB’s performance or financial condition may affect our ability to access funding and/or require us to deem the required investment in FHLB stock to be impaired. If we are not able to access funding through the FHLB, we may not be able to meet our liquidity needs, which could have an adverse effect on our results of operations or financial condition. Similarly, if we deem all or part of our investment in FHLB stock impaired, such action could have an adverse effect on our financial condition or results of operations.

Prepayments of loans may negatively impact our business.
Generally, our customers may prepay the principal amount of their outstanding loans at any time. The speed at which such prepayments occur, as well as the size of such prepayments, are within our customers’ discretion and are influenced by the interest rate environment, over which we have no control. The speed at which such prepayments occur, as well as the size of such prepayments, are within our customers’ discretion. If customers prepay the principal amount of their loans, and we are unable to lend those funds to other borrowers or invest the funds at the same or higher interest rates, our interest income will be reduced. A significant reduction in interest income could have a negative impact on our results of operations and financial condition.

Environmental liability associated with our lending activities could result in losses.
In the course of business, we may acquire, through foreclosure, properties securing loans we have originated or purchased that are in default. Particularly in commercial real estate lending, there is a risk that material environmental violations could be discovered at these properties. In this event, we might be required to remedy these violations at the affected properties at our sole cost and expense. The cost of remedial action could substantially exceed the value of affected properties. We may not have adequate remedies against the prior owners or other responsible parties and could find it difficult or impossible to sell the affected properties. These events could have an adverse effect on our financial condition and results of operations.

Risks Relating to Regulation of the Industry
We operate in a highly regulated environment and may be adversely affected by changes in laws, regulations and monetary policy.
We are subject to regulation and supervision by the FRB and Union Bank is subject to regulation and supervision by the FDIC and the DFR. Federal and state laws and regulations govern numerous matters affecting us, including changes in the ownership or control of banks and bank holding companies, maintenance of adequate capital and sound financial condition, branching activities, permissible types, amounts and terms of loans and investments, permissible nonbanking activities, the level of reserves against deposits and restrictions on dividend payments. The FDIC and the DFR possess the power to issue cease and desist orders against banks subject to their jurisdiction to prevent or remedy unsafe or unsound banking practices or violations of law, and the FRB possesses similar powers with respect to bank holding companies. These and other restrictions limit the manner in which we may conduct business and obtain financing.
We are also affected by the monetary policies of the FRB. Changes in monetary or legislative policies may affect the interest rates we offer to attract deposits and the interest rates we charge on our loans in order to remain competitive, as well as the manner in which we offer deposits and make loans. Changes in monetary or legislative policies may affect the interest rates we must offer to attract deposits and the interest rates we must charge on our loans, as well as the manner in which we offer deposits and make loans. These monetary policies also affect the valuation of our investment securities and have had, and are expected to continue to have, significant effects on the operating results of depository institutions generally, including Union Bank.
The laws, rules, regulations, and supervisory guidance and policies applicable to us are subject to regular modification and change. It is impossible to predict the competitive impact that any such future changes would have on the banking and financial services industry in general or on our business in particular. It is impossible to predict the competitive impact that any such changes would have on the banking and financial services industry in general or on our business in particular. Such changes may, among other things, increase the cost of doing business, limit permissible activities, or affect the competitive balance between banks and other financial institutions. The Dodd-Frank Act instituted major changes to the regulatory regimes governing banks and other financial institutions, resulting in increased government intervention in the financial services sector. The Dodd-Frank Act instituted major changes to the banking and financial institutions regulatory regimes in light of government intervention in the financial services sector. Other changes to statutes, regulations, or regulatory policies, including changes in interpretation or implementation of statutes, regulations, or policies, could affect us in substantial and unpredictable ways. Such changes could subject us to additional costs, limit the types of financial services and products we may offer, and/or increase the ability of non-banks to offer competing financial services and products, among other things. Failure to
16

comply with laws, regulations, or policies could result in sanctions by regulatory agencies, civil money penalties, and/or reputational damage, which could have a material adverse effect on our business, financial condition, or results of operations.

Additional requirements imposed by the Dodd-Frank Act could adversely affect us.
The Dodd-Frank Act comprehensively reformed the regulation of financial institutions, products and services. Among other things, the Dodd-Frank Act established the CFPB as an independent government bureau which derives its funding from the FRB. Among other things, the Dodd-Frank Act established the CFPB as an independent bureau of the FRB. The CFPB has the authority to prescribe rules for all depository institutions governing the provision of consumer financial products and services, which may result in rules and regulations that reduce the profitability of such products and services or impose greater costs and restrictions on us and our subsidiaries. The Dodd-Frank Act also established new minimum mortgage underwriting standards for residential mortgages, and the regulatory agencies have focused on the examination and supervision of mortgage lending and servicing activities.
The CFPB’s qualified mortgage rule, or “QM Rule,” became effective on January 10, 2014. The QM Rule requires mortgage lenders, prior to originating most residential mortgage loans, to make a determination of a borrower’s ability to repay the loan and establishes protections from liability under this requirement for so-called “qualified mortgages” that meet certain heightened criteria. If a mortgage lender does not appropriately establish a borrower’s ability to repay the loan, the borrower may be able to assert against the originator of the loan or any subsequent transferee, as a defense to foreclosure by way of recoupment or setoff, a violation of the ability-to-repay requirement. Loans that meet the definition of “qualified mortgage” will be presumed to have complied with the ability-to-repay standard. Although amendments to the QM Rule adopted by the CFPB in March 2021 will make it less challenging for a loan to meet the definition, the QM Rule and related ability-to-repay requirements and similar rules could nevertheless still limit Union's ability to make certain types of loans or loans to certain borrowers, or could make it more expensive and time-consuming to make these loans, which could limit the Bank’s growth or profitability.
Current and future legal and regulatory requirements, restrictions, and regulations may adversely impact our profitability and may have a material and adverse effect on our business, financial condition, or results of operations; may require us to invest significant management attention and resources to evaluate and make any changes required by the legislation and related regulations; and may make it more difficult for us to attract and retain qualified executive officers and employees.Current and future legal and regulatory requirements, restrictions, and regulations, including those imposed under the Dodd-Frank Act, may adversely impact our profitability and may have a material and adverse effect on our business, financial condition, or results of operations; may require us to invest significant management attention and resources to evaluate and make any changes required by the legislation and related regulations; and may make it more difficult for us to attract and retain qualified executive officers and employees.

We are subject to stringent capital requirements which may adversely impact our return on equity, require additional capital raises, or limit our ability to pay dividends or repurchase shares.
Federal regulations establish minimum capital requirements for insured depository institutions, including minimum risk-based capital and leverage ratios, and define “capital” for calculating these ratios. The minimum capital requirements are: (i) a common equity Tier 1 capital ratio of 4.5%; (ii) a Tier 1 to risk-based assets capital ratio of 6%; (iii) a total capital ratio of 8%; and (iv) a Tier 1 leverage ratio of 4%. The regulations also establish a “capital conservation buffer” of 2.5%, which if complied will result in the following minimum ratios: (i) a common equity Tier 1 capital ratio of 7.0%; (ii) a Tier 1 to risk-based assets capital ratio of 8.5%; and (iii) a total capital ratio of 10.5%. An institution will be subject to limitations on paying dividends, engaging in share repurchases and paying discretionary bonuses if its capital level falls below the capital conservation buffer amount. The application of these capital requirements could, among other things, require us to maintain higher capital resulting in lower returns on equity, and we may be required to obtain additional capital to comply or be subject to regulatory actions if we are unable to comply with such requirements.

We may incur fines, penalties and other negative consequences from regulatory violations, possibly even inadvertent or unintentional violations. We may incur fines, penalties and other negative consequences from regulatory violations, possibly even inadvertent or unintentional violations.
As a financial institution, we are subject to a complex system of laws, regulations and regulatory guidance. We maintain systems and procedures designed to ensure that we comply with applicable laws, regulations and regulatory guidance. We maintain systems and procedures designed to ensure that we comply with applicable laws and regulations. However, some legal/regulatory frameworks provide for the imposition of fines or penalties for noncompliance even though the noncompliance was inadvertent or unintentional and even though there was in place at the time systems and procedures designed to ensure compliance. For example, we are subject to regulations issued by the Office of Foreign Assets Control, or “OFAC,” that prohibit financial institutions from participating in the transfer of property belonging to the governments of certain foreign countries and designated nationals of those countries and certain other persons or entities whose interest in property is blocked by OFAC-administered sanctions. OFAC may impose penalties for inadvertent or unintentional violations even if reasonable processes are in place to prevent the violations. There may be other negative consequences resulting from a finding of noncompliance, including restrictions on certain activities. Such a finding may also damage our reputation and could restrict the ability of institutional investment managers to invest in our securities.

We face significant legal risks, both from regulatory investigations and proceedings and from private actions brought against us.
Our businesses and operations are subject to increasing regulatory oversight and scrutiny, which could lead to regulatory investigations or enforcement actions.Our businesses and operations are also subject to increasing regulatory oversight and scrutiny, which could lead to regulatory investigations or enforcement actions. These and other initiatives from federal and state officials could result in judgments,
17

settlements, fines or penalties, or require us to restructure our operations and activities, all of which could lead to reputational damage, or higher operational costs, or both, thereby reducing our revenue.
From time to time we are named as a defendant or are otherwise involved in various legal proceedings. There is no assurance that litigation with private parties will not increase in the future. Future actions against us may result in judgments, settlements, fines, penalties or other results adverse to us, which could materially adversely affect our business, financial condition or results of operations, or cause serious reputational harm to us. As a participant in the financial services industry, we are exposed to a high level of litigation related to our business and operations. Although we maintain insurance, the scope of this coverage may not provide us with full, or even partial, coverage in any particular case. As a result, a judgment against us in any such litigation could have a material adverse effect on our financial condition and results of operation. As a result, a judgment against us in any such litigation could have a material adverse effect on our financial condition and results of operation.

Accounting and Tax Risks
Changes in accounting standards can be difficult to predict and can materially impact how we record and report our financial condition and results of operations.
Our accounting policies and methods are fundamental to how we record and report our financial condition and results of operations. From time to time, the FASB changes the financial accounting and reporting standards that govern the preparation of our financial statements. These changes can be hard to anticipate and implement and can materially impact how we record and report our financial condition and results of operations.

Changes in tax laws and regulations and differences in interpretation of tax laws and regulations may adversely impact our financial statements.
State or federal tax authorities may interpret tax laws and regulations differently than we do and challenge tax positions that we have taken on tax returns. This may result in differences in the treatment of revenues, deductions, credits and/or differences in the timing of these items. The differences in treatment may result in payment of additional taxes, interest or penalties that could have a material adverse effect on our results. In addition, there may be future changes to tax laws, administrative rulings or court decisions that could adversely affect our financial condition, including an increased provision for income taxes and/or reduced net income. We are not able to predict the timing or impact of any changes in state or federal tax laws. The taxing authorities also regulate the information reporting requirements that Union is subject to, and which continue to increase and require resources to comply with.

We may be required to write down goodwill and other identifiable intangible assets.
When we acquire a business, a portion of the purchase price of the acquisition may be allocated to goodwill and other identifiable intangible assets. The excess of the purchase price over the fair value of the net identifiable tangible and intangible assets acquired determines the amount of the purchase price that is allocated to goodwill acquired. At December 31, 2025, there was no remaining unamortized identifiable intangible asset and our goodwill from the 2011 Branch Acquisition was approximately $2.2 million. Under current accounting standards, if we determine that goodwill or intangible assets are impaired, we would be required to write down the value of these assets to fair value. We conduct an annual review, or more frequently if events or circumstances warrant, to determine whether goodwill is impaired. We recently completed our goodwill impairment analysis as of December 31, 2025 and concluded goodwill was not impaired. We conduct a review of our other intangible assets for impairment should events or circumstances warrant. We cannot provide assurance that we will not be required to take an impairment charge in the future. Any impairment charge would have a negative effect on our shareholders’ equity and financial results and may cause a decline in our stock price.

The accuracy of our financial statements and related disclosures could be affected if the judgments, assumptions or estimates used in our critical accounting policies are inaccurate.
The preparation of financial statements and related disclosure in conformity with GAAP requires us to make judgments, assumptions and estimates that affect the amounts reported in our consolidated financial statements and accompanying notes. Our critical accounting policies, which are described in Item 7 of this report under “Management’s Discussion and Analysis of Financial Condition and Results of Operations - Critical Accounting Policies”, constitute those significant accounting policies and methods used in the preparation of our consolidated financial statements that we consider “critical” because they require judgments, assumptions and estimates that materially affect our consolidated financial statements and related disclosures. As a result, if future events differ significantly from management's judgments, assumptions and estimates in our critical accounting policies, those events or assumptions could have a material impact on our consolidated financial statements and related disclosures.

Risks Relating to the Company's Stock
If we do not maintain net income growth, the market price of our common stock could be adversely affected.
Our return on stockholders’ equity and other measures of profitability, which affect the market price of our common stock,
18

depend in part on our continued growth and expansion. Our growth strategy has two principal components: internal growth and external growth. Our ability to generate internal growth is affected by the competitive factors described below as well as by the primarily rural characteristics and related demographic features of the markets we serve.

We are a holding company and depend on Union Bank for dividends, distributions and other payments.
We are a legal entity that is separate and distinct from Union Bank. Our revenue (on a parent company only basis) is derived primarily from interest and dividends paid to us by Union Bank. Our right, and consequently the right of our shareholders, to participate in any distribution of the assets or earnings of any subsidiary through the payment of such dividends or otherwise is necessarily subject to the prior claims of creditors including holders of our subordinated notes, and also including depositors, in the case of Union Bank, except to the extent that certain claims of Union in a creditor capacity may be recognized. Our right, and consequently the right of our shareholders, to participate in any distribution of the assets or earnings of any subsidiary through the payment of such dividends or otherwise is necessarily subject to the prior claims of creditors (including depositors, in the case of Union Bank), except to the extent that certain claims of Union in a creditor capacity may be recognized.

Our stockholders may not receive dividends on our common stock.
Holders of our common stock are entitled to receive dividends only when, as and if declared by our board of directors. Although we have historically declared regular quarterly cash dividends on our common stock, we are not required to do so and our board of directors may reduce or eliminate our common stock dividend, or change the frequency at which dividends are paid, in the future. The FRB has the authority to prohibit a bank holding company, such as us, from paying dividends if it deems such payment to be an unsafe or unsound practice. The FDIC has the authority to use its enforcement powers to prohibit Union from paying dividends to us if, in its opinion, the payment of dividends would constitute an unsafe or unsound practice. Federal law also prohibits the payment of dividends by a bank that will result in the bank failing to meet its applicable capital requirements on a pro forma basis. Further, our ability to pay dividends would be restricted if we do not maintain a required capital conservation buffer under applicable regulatory capital rules. A reduction or elimination of dividends could adversely affect the market price of our common stock.

We may need to raise additional capital in the future and such capital may not be available when needed or on acceptable terms.
As a bank holding company, we are required by the FRB to maintain adequate levels of capital to support our operations.As a bank holding company, we are required by regulatory authorities to maintain adequate levels of capital to support our operations. We may need to raise additional capital in the future to provide us with sufficient capital resources and liquidity to meet our commitments and business needs. Our ability to raise additional capital, if needed, will depend on, among other things, conditions in the capital markets at that time, which are outside of our control, and our financial performance. We cannot assure you that such capital will be available to us on acceptable terms or at all. Our inability to raise sufficient additional capital on acceptable terms when needed could subject us to certain activity restrictions or to a variety of enforcement remedies available to the FRB, including limitations on our ability to pay dividends or pursue acquisitions, the issuance by the FRB of a capital directive to increase capital and to the extent the capital of Union Bank is adversely affected, the termination of deposit insurance by the FDIC. Our inability to raise sufficient additional capital on acceptable terms when needed could subject us to certain activity restrictions or to a variety of enforcement remedies available to the regulatory authorities, including limitations on our ability to pay dividends or pursue acquisitions, the issuance by regulatory authorities of a capital directive to increase capital and the termination of deposit insurance by the FDIC.

Market volatility may impact our business and the value of our common stock.
Our business performance and the trading price of our common stock may be affected by many factors affecting financial institutions, including the interest rate environment, volatility in the credit, mortgage and housing markets, the markets for securities relating to mortgages or housing, and the value of debt and mortgage-backed securities and other securities that we hold in our investment portfolio.Our business performance and the trading price of shares of our common stock may be affected by many factors affecting financial institutions, including volatility in the credit, mortgage and housing markets, the markets for securities relating to mortgages or housing, and the value of debt and mortgage-backed and other securities that we hold in our investment portfolio. Market volatility in financial institution stocks may also result from high profile bank failures. In addition, government action and legislation may impact us and the value of our common stock. Government action and legislation may also impact us and the value of our common stock. We cannot predict what impact, if any, market volatility will have on our business or share price and for these and other reasons our shares of common stock may trade at a price lower than that at which they were purchased.

Certain provisions of our articles of incorporation may have an anti-takeover effect.
Provisions of our articles of incorporation and bylaws and regulations and federal banking laws, including regulatory approval requirements, could make it more difficult for a third party to acquire us, even if doing so would be perceived to be beneficial to our shareholders.Provisions of our certificate of incorporation and bylaws and regulations and federal banking laws, including regulatory approval requirements, could make it more difficult for a third party to acquire us, even if doing so would be perceived to be beneficial to our shareholders. The combination of these provisions may inhibit a non-negotiated merger or other business combination, which, in turn, could adversely affect the market price of our common stock.

If we identify any material weakness in our internal controls over financial reporting and fail to correct it, or otherwise fail to maintain effective internal controls over financial reporting, we may not be able to report our financial results accurately and timely, in which case our business may be harmed, investors may lose confidence in the accuracy and completeness of our financial reports, and the price of our common stock may decline. Although we maintain an insurance policy covering certain cybersecurity risks which we believe provides appropriate coverage for a financial institution of our size and business and technology profile, we cannot provide any assurance that such policy would be sufficient to cover all financial losses or damages we might suffer in the event that we or one of our third party vendors experiences a system failure or suffers a system intrusion or other cyberattack.
Our management is responsible for establishing and maintaining adequate internal controls over financial reporting and for evaluating and reporting on our system of internal controls. Our internal controls over financial reporting are designed to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with GAAP.
19

We are subject to FDICIA and other rules that govern financial institutions. Recent amendments to FDICIA and its implementing regulations increased the asset-size thresholds and modified certain requirements related to internal control reporting and auditor attestation. Under the revised framework, institutions that meet applicable asset thresholds are required to provide management’s assessment of the effectiveness of internal control over financial reporting, and institutions that exceed higher asset thresholds are also required to obtain an attestation report from their independent registered public accounting firm on the effectiveness of those controls. While these changes may affect the scope, timing, and cost of compliance, they do not reduce management’s responsibility to maintain effective internal controls over financial reporting or the risk that control deficiencies could arise. As we grow or as regulatory requirements evolve, we may become subject to additional or more stringent FDICIA requirements, including expanded documentation, testing, and governance expectations.
If we identify material weaknesses in our internal controls over financial reporting in the future, if we cannot comply with the requirements of FDICIA in a timely manner or attest that our internal controls over financial reporting are effective, or if our independent registered public accounting firm cannot express an opinion as to the effectiveness of our internal controls over financial reporting when required, we may not be able to report our financial results accurately and timely. As a result, investors, counterparties and customers may lose confidence in the accuracy and completeness of our financial reports; our liquidity, access to capital markets and perceptions of our creditworthiness could be adversely affected; and the market price of our common stock could decline. In addition, we could become subject to investigations by the Nasdaq stock exchange, on which our common stock is listed, the SEC, the FRB, the FDIC, or other regulatory authorities, which could require additional financial and management resources. These events could have an adverse effect on our business, financial condition and results of operations. These events could have an adverse effect on our financial condition and results of operations.

Environmental, social and governance oversight may influence the Company's stock price and increase compliance costs.
Some investors have begun to consider how corporations, such as the Company, are addressing environmental, social, and governance matters, commonly referred to as "ESG" matters, when making investment decisions. Investor advocacy groups, investment funds and influential investors are also increasingly focused on these practices, especially as they relate to the environment, health and safety, diversity, labor conditions, and human rights. Specific examples of matters being evaluated as part of the investment decision or recommendation by certain investors include the business risks of climate change and the adequacy of companies' responses to climate change, diversity of a company's management and/or board of directors, community involvement and charitable giving, and the inclusion of ESG factors in the determination of the executive compensation. These shifts in investing priorities may result in adverse effects on the trading price of the Company's common stock if investors determine, whether real or perceived, that the Company's ESG actions are not satisfactory.

Operational Risks
We are exposed to losses from fraud, theft, and other financial crimes, which could adversely affect our results of operations and financial condition.
We face the risk of losses arising from fraudulent or criminal activity, including unauthorized transactions, account takeovers, forged, altered, or counterfeit instruments, and other schemes targeting our customers, employees, or systems. These risks include, among others, check fraud, wire and ACH fraud, debit card fraud, mobile and remote deposit fraud, and other payment‑related misconduct. Fraudulent activity may be difficult to detect or prevent, particularly where transactions are initiated through customer channels or where applicable funds availability requirements require us to make funds available before fraudulent activity is identified. Despite the implementation of fraud detection systems, internal controls, customer authentication procedures, and employee training, such measures may not be effective in preventing all losses. Losses resulting from fraud may result in direct financial exposure, customer reimbursement obligations, litigation, regulatory scrutiny, reputational harm, or increased operational and compliance costs. In addition, evolving fraud techniques, including those that exploit remote deposit capture and other electronic delivery channels, may increase the frequency or severity of losses. Any of these factors could adversely affect our business, results of operations, and financial condition.

A failure in or breach of our operational systems, information systems, or infrastructure, or those of our third party vendors and other service providers, may result in financial losses, loss of customers, or damage to our reputation.Operational RisksA failure in or breach of our operational systems, information systems, or infrastructure, or those of our third party vendors and other service providers, may result in financial losses, loss of customers, or damage to our reputation.
We rely heavily on communications and information systems to conduct our business. In addition, we rely on third parties to provide key components of our infrastructure, including internet connections, network access and processing services. These types of information and related systems are critical to the operation of our business and essential to our ability to perform day-to-day operations, and, in some cases, are critical to the operations of certain of our customers. These third parties with which we do business or that facilitate our business activities, including exchanges, clearing firms, financial intermediaries or vendors that provide services or security solutions for our operations, could also be sources of operational and information security risk to us, including breakdowns or failures of their own systems or capacity constraints. Although we have safeguards and business continuity plans in place, our business operations may be adversely affected by significant and widespread disruption to our physical infrastructure or operating systems that support our business and our customers, resulting in financial losses, loss of customers, or damage to our reputation.
20


An interruption or breach in security of our information systems or those related to merchants and third party vendors, including as a result of cyber attacks, could disrupt our business, result in the disclosure or misuse of confidential customer or proprietary information, damage our reputation, or result in financial losses.
Our technologies, systems, networks and software, and those of other financial institutions have been, and are likely to continue to be, the target of cybersecurity threats and attacks, which may range from uncoordinated individual attempts to sophisticated and targeted measures directed at us. These cybersecurity threats and attacks may include, but are not limited to, attempts to access information, including customer and Company information, malicious code, computer viruses and denial of service attacks that could result in unauthorized access, misuse, loss or destruction of data (including confidential customer information), account takeovers, unavailability of service, ransomware attacks or other events. These cybersecurity threats and attacks may include, but are not limited to, attempts to access information, including customer and company information, malicious code, computer viruses and denial of service 18attacks that could result in unauthorized access, misuse, loss or destruction of data (including confidential customer information), account takeovers, unavailability of service or other events. These types of threats may result from human error, fraud or malice on the part of external or internal parties, or from accidental technological failure. Further, to access our products and services our customers may use computers and mobile devices that are beyond our security control systems. The risk of a security breach or disruption, particularly through cyber-attack or cyber intrusion, including by computer hackers, has increased as the number, intensity and sophistication of attempted attacks and intrusions from around the world have increased.
Our business requires the collection and retention of large volumes of customer data, including payment card numbers and other personally identifiable information in various information systems that we maintain and in those maintained by third parties with whom we contract to provide data services. We also maintain important internal Company data such as personally identifiable information about our employees and information relating to our operations. The integrity and protection of that customer and Company data is important to us. As customer, public, legislative and regulatory expectations and requirements regarding operational and information security have increased, our operations systems and infrastructure must be continually safeguarded and monitored for potential failures, disruptions and breakdowns.
Our customers and employees have been, and will continue to be, targeted by parties using fraudulent e-mails and other communications in attempts to misappropriate passwords, payment card numbers, bank account information or other personal information or to introduce viruses to our customers’ computers. These communications may appear to be legitimate messages sent by Union Bank or other businesses, but direct recipients to fake websites operated by the sender of the e-mail or request that the recipient send a password or other confidential information via e-mail or download a program. These communications may appear to be legitimate messages sent by the Bank or other businesses, but direct recipients to fake websites operated by the sender of the e-mail or request that the recipient send a password or other confidential information via e-mail or download a program. Despite our efforts to mitigate these threats through product improvements, use of encryption and authentication technology to secure online transmission of confidential consumer information, and customer and employee education, such attempted frauds against us or our merchants and our third party service providers remain a serious issue. The pervasiveness of cyber security incidents in general and the risks of cyber-crime are complex and will continue to evolve.
Although we make significant efforts to maintain the security and integrity of our information systems and have implemented various measures to manage the risk of a security breach or disruption, there can be no assurance that our security efforts and measures will be effective or that attempted security breaches or disruptions would not be successful or damaging. Even the most well-protected information, networks, systems and facilities remain potentially vulnerable because attempted security breaches, particularly cyber-attacks and intrusions, or disruptions will occur in the future, and because the techniques used in such attempts are constantly evolving and generally are not recognized until launched against a target, and in some cases are designed not to be detected and, in fact, may not be detected. Accordingly, we may be unable to anticipate these techniques or to implement adequate security barriers or other preventative measures, and thus it is virtually impossible for us to entirely mitigate this risk. A security breach or other significant disruption could: (i) disrupt the proper functioning of our networks and systems and therefore our operations and/or those of certain of our customers; (ii) result in the unauthorized access to, and destruction, loss, theft, misappropriation or release of confidential, sensitive or otherwise valuable information of ours or our customers, including account numbers and other financial information; (iii) result in a violation of applicable privacy, data breach and other laws, subjecting the Bank to additional regulatory scrutiny and exposing the Company to civil litigation, governmental fines and possible financial liability; (iv) require significant management attention and resources to remedy the damages that result; or (v) harm our reputation or cause a decrease in the number of customers that choose to do business with us or reduce the level of business that our customers do with us. A security breach or other significant disruption could: 1) disrupt the proper functioning of our networks and systems and therefore our operations and/or those of certain of our customers; 2) result in the unauthorized access to, and destruction, loss, theft, misappropriation or release of confidential, sensitive or otherwise valuable information of ours or our customers, including account numbers and other financial information; 3) result in a violation of applicable privacy, data breach and other laws, subjecting the Bank to additional regulatory scrutiny and exposing the Bank to civil litigation, governmental fines and possible financial liability; 4) require significant management attention and resources to remedy the damages that result; or 5) harm our reputation or cause a decrease in the number of customers that choose to do business with us or reduce the level of business that our customers do with us. The occurrence of any such failures, disruptions or security breaches could have a negative impact on our results of operations, financial condition, and cash flows as well as damage our brand and reputation.
Although we maintain an insurance policy covering certain cybersecurity risks which we believe provides appropriate coverage for a financial institution of our size and business and technology profile, we cannot provide any assurance that such policy would be sufficient to cover all financial losses or damages we might suffer in the event that we or one of our third party vendors experiences a system failure or suffers a system intrusion or other cyberattack.

We rely on other companies to provide key components of our business infrastructure.
Third party vendors provide key components of our business infrastructure such as internet connections, network access and core application processing. While we have selected these third party vendors carefully, we do not control their actions. Any
21

problems caused by these third parties, including as a result of their not providing us their services for any reason or their performing their services poorly, could adversely affect our ability to deliver products and services to our customers or otherwise conduct our business efficiently and effectively. Replacing these third party vendors could also entail significant business disruption, delay and expense.

We are piloting and selectively using artificial intelligence and machine learning technologies in limited, primarily internal functions, which exposes us to operational, regulatory, and reputational risks that could adversely affect our business.
We have begun piloting artificial intelligence (“AI”) and machine learning tools in certain internal and support functions, such as data analysis, fraud monitoring support, compliance processes, and operational efficiency initiatives. These technologies are complex and evolving, and our experience with them remains limited. AI systems may produce inaccurate, incomplete, or misleading outputs, or behave in ways that are difficult to predict or explain. Errors or failures in these tools—whether due to data limitations, model design, third‑party technology, or employee misuse—could impair decision‑making, reduce the effectiveness of internal controls, or require us to suspend or modify pilot programs.
The legal and regulatory framework governing AI use in banking is developing and uncertain. Banking regulators have increased focus on governance, risk management, and controls related to emerging technologies, including AI. Although our current AI use is limited, our existing policies, procedures, and internal control frameworks may not fully address the risks associated with AI technologies. If regulators determine that our oversight, documentation, or controls are inadequate, we could be required to enhance governance, incur additional compliance costs, or limit future use of AI tools.
In addition, even limited AI use may create reputational risk. Internal system failures, data issues, cybersecurity incidents, or negative perceptions regarding the appropriateness of AI use in banking could adversely affect our relationships with customers, regulators, and other stakeholders. As we evaluate whether to expand AI use over time, these risks may increase and could have a material adverse effect on our business, results of operations, or financial condition.

Strategic Risks
Competition in the local banking industry may impair our ability to attract and retain customers at current levels.
Competition in the markets in which we operate may limit our ability to attract and retain customers. In particular, we compete for loans, deposits and other financial products and services with local independent banks, thrift institutions, savings institutions, mortgage brokerage firms, credit unions, finance companies, trust companies, mutual funds, insurance companies and brokerage and investment banking firms operating locally as well as nationally. Additionally, we compete with banks and other financial institutions with larger capitalization, as well as financial intermediaries not subject to bank regulatory restrictions, which have larger lending limits and are able to serve the credit and investment needs of larger customers. Additionally, banks and other financial institutions with larger capitalization, as well as financial intermediaries not subject to bank regulatory restrictions, have larger lending limits and are able to serve the credit and investment needs of larger customers. There is also increased competition by out-of-market competitors through the Internet. If we are unable to attract and retain customers, we may be unable to continue our loan growth and our results of operations and financial condition may otherwise be negatively impacted. If we are unable to attract and retain customers, we may be unable to continue our loan growth and our results of operations and financial condition may otherwise be negatively impacted.

We may incur significant losses as a result of ineffective risk management processes and strategies.
We seek to monitor and control our risk exposure through a risk and control framework encompassing a variety of separate but complementary financial, credit, operational, compliance and legal reporting systems, internal controls, management review processes and other mechanisms. While we employ a broad and diversified set of risk monitoring and risk mitigation techniques, those techniques and the judgments that accompany their application may not be effective and may not anticipate every economic and financial outcome in all market environments or the specifics and timing of such outcomes.

Expansion or contraction of our branch network may adversely affect our financial results.
The Company cannot assure that the opening of new branches will be accretive to earnings within a reasonable period of time or at all. Numerous factors contribute to the performance of a new branch, such as suitable location, qualified personnel, and an effective marketing strategy. Additionally, it takes time for a new branch to gather sufficient loans and deposits to generate income sufficient to cover its operating expenses. Difficulties we experience in opening new branches may have a material adverse effect on the our financial condition and results of operations. Additionally, we cannot assure that the closing of branches would not adversely affect earnings.

We must adapt to information technology changes in the financial services industry, which could present operational issues, require significant capital spending, or impact our reputation.
The financial services industry is constantly undergoing technological changes, with frequent introductions of new technology-driven products and services. We invest significant resources in information technology system enhancements in order to meet customer expectations and provide functionality and security at an appropriate level. We invest significant resources in information technology system enhancements in order to provide functionality and security at an appropriate level. The effective use of technology increases efficiency and enables financial institutions to better serve customers and reduce costs. Our future success will depend, in part, upon our ability to address the needs of our customers by using technology to provide products and services that will satisfy
22

customer demands for convenience, as well as to create additional efficiencies in our operations. We may not be able to effectively implement new technology-driven products and services or be successful in marketing these products and services to our customers. Failure to successfully implement and integrate future system enhancements could adversely impact our ability to provide timely and accurate financial information in compliance with legal and regulatory requirements, which could result in sanctions from regulatory authorities. Such sanctions could include fines and suspension of trading in our stock, among others. In addition, future system enhancements could have higher than expected costs and/or result in operating inefficiencies, which could increase the costs associated with the implementation as well as ongoing operations.
Failure to properly utilize system enhancements that are implemented in the future could result in impairment charges that adversely impact our financial condition and results of operations and could result in significant costs to remediate or replace the defective components. In addition, we may incur significant training, licensing, maintenance, consulting and amortization expenses during and after systems implementations, and any such costs may continue for an extended period of time.

Economic Risks
External economic factors, such as changes in monetary policy and inflation and deflation, may have an adverse effect on our business, financial condition and results of operations.
Our financial condition and results of operations are affected by credit policies of monetary authorities, particularly the Federal Reserve. Actions by monetary and fiscal authorities, including the Federal Reserve, could lead to inflation, deflation or other economic phenomena that could adversely affect our financial performance. The primary impact of inflation on our operations most likely will be reflected in increased operating costs. Conversely, deflation generally will tend to erode collateral values and diminish loan quality. Virtually all of our assets and liabilities are monetary in nature. As a result, interest rates have a more significant impact on our performance than general levels of inflation or deflation. Inevitably, not all of our interest rate-sensitive assets and liabilities will re-price simultaneously and in equal volume in response to changes in the federal funds rate, and therefore the potential for interest rate exposure exists.

Our financial condition and results of operations have been adversely affected, and may continue to be adversely affected, by general market and economic conditions.Economic RisksOur financial condition and results of operations have been adversely affected, and may continue to be adversely affected, by general market and economic conditions.
We have been, and continue to be, impacted by general business and economic conditions in the United States and, to a lesser extent, abroad. These conditions include short-term and long-term interest rates, inflation, money supply, political issues, legislative and regulatory changes, fluctuations in both debt and equity capital markets, broad trends in industry and finance, unemployment and the condition of the U.S. economy and the local economies in which we operate, all of which are beyond our control. Deterioration or continued weakness in any of these factors could result in increases in loan delinquencies and nonperforming assets, and in decreases in loan collateral values, the value of our investment portfolio and the demand for our products and services. Deterioration or continued weakness in any of these conditions could result in increases in loan delinquencies and nonperforming assets, decreases in loan collateral values, the value of our investment portfolio and demand for our products and services.

Our business and financial results could be adversely affected by the political environment and governmental policies.
Our business and financial results may also be affected by changes in government policies following the 2024 U.S. election and the new administration. There remains significant market uncertainty as to how the current U.S. administration's corresponding policy changes could impact us or our customers. For example, the current U.S. administration has adopted and may consider trade policies and tariffs, other controls on imports or exports, and other foreign policy initiatives that could affect our business and supply chains. The U.S. federal government, U.S. states and certain other countries and regions have adopted or are considering legislation, regulation or policies that reflect diverse, diverging and, in some cases, potentially conflicting policy goals. Compliance with such laws, regulations or policies, including any that may be adopted in the future, could, among other things, increase the costs of operating our business, reduce the demand for our products and services, impact our ability to meet or maintain current or future goals or targets or continue initiatives and increase our legal, operational and reputational risks, any or all of which could materially adversely affect our results of operations. Failure, or perceived failure, to comply with any legislation, regulation or policy, including as a result of making good faith interpretations that may differ from those taken by enforcement authorities in relevant jurisdictions, could potentially result in substantial fines, criminal sanctions, reputational harm or operational changes.

General Risks
We may be unable to attract and retain key personnel.
Our success depends, in large part, on our ability to attract and retain key personnel. Competition for qualified personnel in the financial services industry can be intense and we may not be able to hire or retain the key personnel that we depend upon for success. The unexpected loss of services of one or more of our key personnel could have a material adverse impact on our business because of the loss of their skills, knowledge of the markets in which we operate and years of industry experience, and because of the difficulty of promptly finding qualified replacement personnel.


23

We are subject to reputational risk.
We are dependent on our reputation within our market area, as a trusted and responsible financial service provider, for all aspects of our relationships with customers, employees, vendors, third-party service providers, and others, with whom we conduct business or potential future business. Our actual or perceived failure to (i) identify and address potential conflicts of interest, ethical issues, money-laundering, or privacy issues; (ii) meet legal and regulatory requirements applicable to Union and to the Company; (iii) maintain the privacy of customer and accompanying personal information; (iv) maintain adequate record keeping; or (v) identify the legal, reputational, credit, liquidity and market risks inherent in our products, could give rise to reputational risk that could harm our business prospects and adversely affect our financial condition and results of operations. Our actual or perceived failure to (a) identify and address potential conflicts of interest, ethical issues, money-laundering, or privacy issues; (b) meet legal and regulatory requirements applicable to the Bank and to the Company; (c) maintain the privacy of customer and accompanying personal information; or (d) maintain adequate record keeping; and (e) identify the legal, reputational, credit, liquidity and market risks inherent in our products, could give rise to reputational risk that could harm our business prospects and adversely affect our financial condition and results of operations. If we fail to address any of these issues in an appropriate manner, we could be subject to additional legal risks, which, in turn, could increase the size and number of litigation claims and damages asserted or subject us to enforcement actions, fines and penalties and cause us to incur related costs and expenses. Our ability to attract and retain customers and employees could be adversely affected to the extent our reputation is damaged.

We face significant and increasing competition in the financial services industry.
We operate in a highly competitive environment that includes financial and non-financial services firms, including traditional banks, online banks, financial technology companies, wealth management companies and others. These companies compete on the basis of, among other factors, size, quality and type of products and services offered, price, technology and reputation. Emerging technologies have the potential to intensify competition and accelerate disruption in the financial services industry. In recent years, non-financial services firms, such as financial technology companies, have begun to offer services traditionally provided by financial institutions. These firms attempt to use technology and mobile platforms to enhance the ability of companies and individuals to make payments, borrow money, save and invest. Our ability to compete successfully depends on a number of factors, including our ability to develop and execute strategic plans and initiatives; to develop competitive products and utilize evolving technologies; and to attract, retain and develop a highly skilled employee workforce. If we are not able to compete successfully, we could be placed at a competitive disadvantage, which could result in the loss of customers and market share, and our business, results of operations and financial condition could suffer.

Item 1B. Unresolved Staff Comments
Not applicable.

Item 1C.Item 1A. Cybersecurity
Our Company faces a number of cybersecurity risks in connection with the operation of our business which could have a material adverse effect on our business financial condition, results of operations, cash flows, or reputation. As part of the operation of our business, the Company, and our service providers, use, store, and process data for our customers, employees, partners, and suppliers. A cybersecurity incident impacting any of these entities could materially and adversely affect our operations, performance, or results of operations. In addition, as a financial services company we are subject to extensive regulatory compliance requirements, including those established by the FRB, FDIC and the DFR. To address these risks and regulatory requirements, the Company established a robust cybersecurity risk management program. This program safeguards sensitive customer data, financial transactions, and our information systems, serving as a vital component of our broader enterprise risk management strategy.

Risk Management Oversight and Governance
The Company's Board of Directors is charged with overseeing and approving Union's risk management framework and monitoring adherence to related policies required by applicable statutes, regulations and principles of safety and soundness. Union's Information Security Officer (ISO) provides periodic updates regarding cybersecurity risks and the cybersecurity program to the Board of Directors. Additionally, awareness and training on cybersecurity topics is provided to the Company's Board of Directors on a regular basis. Consistent with this responsibility the Board has delegated primary oversight responsibility over the risk management framework and oversight of the cybersecurity program, including oversight of cybersecurity risk and cybersecurity risk management, to Union's IT Steering Committee.
Union's IT Steering Committee includes Bank information technology personnel, information security personnel, other department leaders and stakeholders, and Union's senior management team. This Committee receives regular updates on the state of Union's cybersecurity program, including any incidents, and reviews and approves information technology or information security related projects and proposals. These team members are also responsible for the resolution of any findings and implementation of recommendations from internal and external audits and examinations.
Union's ISO is responsible for implementing and maintaining the cybersecurity program with support from Union's Information Security team. The Information Security team consists of Union's ISO, members of the risk and compliance department,
24

security staff, and information technology members, all of whom collaboratively work together to manage cybersecurity risks. The ISO reports directly to Union's Senior Risk Officer.
Cybersecurity Risk Management Program
The program is designed to identify, assess, manage, mitigate, and respond to cyber threats with the goal of preventing cybersecurity incidents to the extent feasible, while also increasing our system resilience and ability to minimize business disruption in the event we experience a cyber incident. Our program is structured to be nimble and adaptable to changes in cybersecurity threats over time and to respond to emerging threats in a timely and efficient manner.
Our Information Security team, led by our ISO, is responsible for monitoring our information systems for vulnerabilities and mitigating any issues. The Information Security team works collaboratively across the Company to understand the potential impacts of a cybersecurity incident and prioritize mitigation and other measures based on, among other things, the materiality to our business. The Information Security team has established processes designed to monitor threats in the cybersecurity landscape which include interacting with intelligence networks, working with researchers, discussions with peers at other companies, monitoring social media, reviewing government alerts and other news items and attending industry specific security conferences and trainings. The team regularly monitors our internal network and customer-facing network to identify any security issues. In addition, the Company augments the team’s monitoring via the engagement of external vendors who provide continuous threat monitoring services of the Company’s environment.
As part of our assessment of the risks to our Company, the Information Security team conducts annual cybersecurity risk assessments to evaluate the inherent risk of our applications and the strength of our controls, and identify the residual risk for each application. In addition, we conduct regular reviews and testing of critical network and application systems to assess their security. We have adopted internal Company-wide Information Technology and Information Security policies which are reviewed and updated annually and approved by our Board of Directors. Our employees and the Board of Directors attend annual trainings that are designed to raise awareness about cybersecurity threats, reduce our vulnerability, and encourage consideration of cybersecurity threats across the Company.
We regularly review and update our investments in information technology security to identify and protect critical assets, provide monitoring and alerts, and, as needed, engage third-party experts. To assess the effectiveness of our program, we have engaged consultants to conduct penetration testing and other vulnerability assessments. Additionally, our Internal Audit department and external auditors conduct assessments of different systems to provide the Audit Committee with information on our risk management processes, including cybersecurity risk management. We also test our defenses internally and conduct regular cybersecurity simulations and tabletop exercises with members of senior management present. These tests and assessments provide useful insights into the strengths and weaknesses of our cybersecurity framework.
Our cybersecurity framework is designed to protect our customers, employees, investors, and our intellectual property. Before purchasing third-party technology or other solutions that could expose the Company’s assets and electronic information, our Information Security team completes security reviews on the vendors. Contracts are also negotiated to ensure language is included to address cybersecurity risk limitation and remediation. We also conduct ongoing reviews of cybersecurity risks associated with our third-party service providers. As part of the Company’s Vendor Management Program, periodic reviews are conducted for certain third-party vendors. Members of our Information Security team work with department managers and application owners to review System and Organization Controls (“SOC”) 1 or SOC 2 reports. In the event a third-party vendor is required but unable to provide either a SOC 1 or SOC 2 report, this group conducts additional reviews to assess the cybersecurity preparedness of the specific vendor. This assessment of the risks associated with the use of third-party service providers is part of our overall vendor management and cybersecurity risk management framework.
To date, cybersecurity risks have not materially affected us. We do experience attacks on our data and systems that have been halted by the technical policies and cybersecurity systems in place. For more information about the cybersecurity risks we face, see "Risk Factors - Operational Risks" in Part I, Item 1A of this Annual Report.

Recently Filed
Click on a ticker to see risk factors
Ticker * File Date
ENBP 32 minutes ago
SFDL an hour ago
OVTZ an hour ago
UNB an hour ago
LFAC 2 hours ago
SWDR 2 hours ago
SLBK 2 hours ago
FSEA 6 hours ago
VSCO 7 hours ago
MIST 7 hours ago
DG 8 hours ago
AEVA 16 hours ago
OZ 18 hours ago
PELI 19 hours ago
YSS 19 hours ago
FLY 20 hours ago
ODYS 21 hours ago
SBXD 21 hours ago
STRW 21 hours ago
ASST 21 hours ago
SPIR 21 hours ago
ELDN 21 hours ago
COLA 21 hours ago
BKKT 21 hours ago
AWX 21 hours ago
NBY 21 hours ago
NLST 21 hours ago
COEP 21 hours ago
LUNR 21 hours ago
MSAI 21 hours ago
RCAT 21 hours ago
BFRG 21 hours ago
HRGN 22 hours ago
ECOR 22 hours ago
ZNOG 22 hours ago
WWR 22 hours ago
FIVE 22 hours ago
SAIL 22 hours ago
RLMD 22 hours ago
ALMS 22 hours ago
TPTA 22 hours ago
KOYN 22 hours ago
MOV 1 day, 4 hours ago
EQPT 1 day, 4 hours ago
PLBC 1 day, 5 hours ago
MREO 1 day, 5 hours ago
TSHA 1 day, 6 hours ago
SIG 1 day, 6 hours ago
MLCI 1 day, 6 hours ago
GRTX 1 day, 7 hours ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard