Civista Bancshares (CIVB) Risk Factors

The financial services industry is extensively regulated. We are subject to extensive state and federal regulation, supervision and legislation that govern almost all aspects of our operations. These laws and regulations are primarily intended for the protection of consumers, depositors, borrowers and the deposit insurance fund, not to benefit our shareholders. Regulations affecting banks and financial services businesses are undergoing continuous change and management cannot predict the effect of those changes. While such changes are generally intended to lessen the regulatory burden on financial institutions, the impact of any changes to laws and regulations or other actions by regulatory agencies could adversely affect our business. Regulatory authorities have extensive discretion in connection with their supervisory and enforcement activities, including the ability to impose restrictions on the operation of an institution and the ability to determine the adequacy of an institution's allowance for loan losses. Failure to comply with applicable laws, regulations and policies could result in sanctions being imposed by the regulatory agencies, including the imposition of civil money penalties, which could have a material adverse effect on our operations and financial condition. Even the reduction of regulatory restrictions could have an adverse effect on us if such lessening of restrictions increases competition within our industry or market areas.

We are subject to extensive federal, state and local taxes, including income, excise, sales/use, payroll, franchise, withholding and ad valorem taxes. Changes to tax laws could have a material adverse effect on our results of operations, fair values of net deferred tax assets and obligations of states and political subdivisions held in our investment securities portfolio. In addition, our customers are subject to a wide variety of federal, state and local taxes. Changes in taxes paid by our customers may adversely affect their ability to purchase homes or consumer products, which could adversely affect their demand for our loans and deposit products. In addition, such negative effects on our customers could result in defaults on the loans we have made and decrease the value of mortgage-backed securities in which we have invested.

A significant portion of Civista's loan portfolio is secured by real property. During the ordinary course of business, Civista forecloses on and takes title to properties securing certain loans. In doing so, there is a risk that hazardous or toxic substances could be found on these properties. If hazardous or toxic substances are found, Civista may be liable for remediation costs, as well as for personal injury and property damage. Environmental laws and evolving regulation may require Civista to incur substantial expenses and may materially reduce the affected property's value or limit Civista's ability to use or sell the affected property. In addition, future laws and regulations or more stringent interpretations or enforcement policies with respect to existing laws or regulations may increase Civista's exposure to environmental liability. Environmental reviews of real property before initiating foreclosure actions may not be sufficient to detect all potential environmental hazards. The remediation costs and any other financial liabilities associated with an environmental hazard could have a material adverse effect on our business, financial condition and results of operations. Climate change, severe weather, natural disasters, acts of war or terrorism and other external events could significantly impact our business. Natural disasters, including severe weather events of increasing strength and frequency due to climate change, acts of war or terrorism, and other adverse external events could have a significant impact on our ability to conduct business or upon third parties who perform operational services for us or our customers. Such events could affect the stability of our deposit base, impair the ability of borrowers to repay outstanding loans, impair the value of collateral securing loans, cause significant property damage, result in lost revenue or cause us to incur additional expenses.

As part of our financial institution business, we collect, process and store sensitive consumer data by utilizing computer systems and telecommunications networks operated by both us and third-party service providers. Our necessary dependence upon automated systems to record and process transactions poses the risk that technical system flaws, employee errors, tampering or manipulation of those systems, or attacks by third parties will result in losses and may be difficult to detect. We have security and backup and recovery systems in place, as well as a business continuity plan, to ensure the computer systems will not be inoperable, to the extent possible. The Company also routinely reviews documentation of such controls and backups related to third-party service providers. Our inability to use or access these information systems at critical points in time could unfavorably impact the timeliness and efficiency of our business operations. In recent years, some banks have experienced denial of service attacks in which individuals or organizations flood the bank's website with extraordinarily high volumes of traffic, with the goal and effect of disrupting the ability of the bank to process transactions. Other businesses have been victims of ransomware attacks in which the business becomes unable to access its own information and is presented with a demand to pay a ransom in order to once again have access to its information. We could be adversely affected if one of our employees or a third-party service provider causes a significant operational break-down or failure, either as a result of human error or where an individual purposefully sabotages or fraudulently manipulates our operations or systems. We are further exposed to the risk that our third-party service providers may be unable to fulfill their contractual obligations (or will be subject to the same risks as faced by us). These disruptions may interfere with service to our customers, cause additional regulatory scrutiny and result in a financial loss or liability. We are also at risk of the impact of natural disasters, terrorism and international hostilities on our systems and effects of outages or other failures involving power or communications systems operated by others. Misconduct by employees could include fraudulent, improper or unauthorized activities on behalf of clients or improper use of confidential information. We may not be able to prevent employee errors or misconduct, and the precautions we take to detect this type of activity might not be effective in all cases. Employee errors or misconduct could subject us to civil claims for negligence or regulatory enforcement actions, including fines and restrictions on our business. In addition, there have been instances where financial institutions have been victims of fraudulent activity in which criminals pose as customers to initiate wire and automated clearinghouse transactions out of customer accounts. Although we have policies and procedures in place to verify the authenticity of our customers, we cannot assure that such policies and procedures will prevent all fraudulent transfers. Such activity can result in financial liability and harm to our reputation. We have implemented security controls to prevent unauthorized access to the computer systems, and we require our third-party service providers to maintain similar controls. However, we cannot be certain that these measures will be successful. A security breach of our computer systems and loss of confidential information, such as customer account numbers and related information, could result in a loss of customers' confidence and, thus, loss of business. While Civista maintains specific "cyber" insurance coverage, which would apply in the event of various breach scenarios, the amount of coverage may not be adequate in any particular case. Furthermore, because cyber threat scenarios are inherently difficult to predict and can take many forms, some breaches may not be covered under our cyber insurance coverage. Further, we may be impacted by data breaches at retailers and other third parties who participate in data interchanges with us and our customers that involve the theft of customer credit and debit card data, which may include the theft of our debit card personal identification numbers (PINs) and commercial card information used to make purchases at such retailers and other third parties. Such data breaches could result in us incurring significant expenses to reissue debit cards and cover losses, which could result in a material adverse effect on our results of operations. There can be no assurance that we will not suffer such cyber-attacks or other information security breaches or attempted breaches, incur resulting losses in the future. Our risk and exposure to these matters remains heightened because of, among other things, the evolving nature of these threats, and our plans to continue to implement internet and mobile banking capabilities to meet customer demand. As cyber and other data security threats continue to evolve, we may be required to expend significant additional resources to continue to modify and enhance its protective measures or to investigate and remediate any security vulnerabilities. Our assets at risk for cyber-attacks include financial assets and non-public information belonging to customers. We use several third-party vendors who have access to our assets via electronic media. Certain cyber security risks arise due to this access, including cyber espionage, blackmail, ransom, and theft. All of the types of cyber incidents discussed above could result in damage to our reputation, loss of customer business, costs of incentives to customers or business partners in order to maintain their relationships, litigation, increased regulatory scrutiny and potential enforcement actions, repairs of system damage, increased investments in cybersecurity (such as obtaining additional technology, making organizational changes, deploying additional personnel, training personnel and engaging consultants), increased insurance premiums, and loss of investor confidence and a reduction in the price of our common shares, all of which could result in financial loss and material adverse effects on our results of operations and financial condition. Noncompliance with the Bank Secrecy Act (BSA) and other anti-money laundering statutes and regulations could cause a material financial loss. The BSA and the Patriot Act contain anti-money laundering and financial transparency provisions intended to detect and prevent the use of the U.S. financial system for money laundering and terrorist financing activities. The BSA, as amended by the Patriot Act and the AMLA, requires depository institutions and their holding companies to undertake activities including maintaining an anti-money laundering program, verifying the identity of clients, monitoring for and reporting suspicious transactions, reporting on cash transactions exceeding specified thresholds, and responding to requests for information by regulatory authorities and law enforcement agencies. Financial Crimes Enforcement Network (also known as FinCEN), a unit of the Treasury Department that administers the BSA, is authorized to impose significant civil money penalties for violations of those requirements and has recently engaged in coordinated enforcement efforts with the federal bank regulatory agencies, as well as the U.S. Department of Justice, Drug Enforcement Administration, and Internal Revenue Service. The AMLA is intended to be a comprehensive reform and modernization to U.S. bank secrecy and anti-money laundering laws, which includes a codified risk-based approach to anti-money laundering compliance for financial institutions; requires the development of standards for evaluating technology and internal processes for BSA compliance; expands enforcement-related and investigation-related authority, including increasing available sanctions for certain BSA violations and instituting BSA whistleblower incentives and protections. There is also increased scrutiny of compliance with the rules enforced by the Office of Foreign Assets Control (also known as OFAC). If the Company's policies, procedures, and systems are deemed deficient, or if the policies, procedures, and systems of the financial institutions that the Company has already acquired or may acquire in the future are deficient, the Company may be subject to liability, including fines and regulatory actions such as restrictions on the Company's ability to pay dividends and the necessity to obtain regulatory approvals to proceed with certain planned business activities, including acquisition plans, which could negatively impact our business, financial condition, and results of operations. Failure to maintain and implement adequate programs to combat money laundering and terrorist financing could also have serious reputational consequences for the Company. Our business could be adversely affected through third parties who perform significant operational services on our behalf. The third parties performing operational services for the Company are subject to risks similar to those faced by the Company relating to cybersecurity, breakdowns or failures of their own systems, or misconduct of their employees. Like many other community banks, Civista also relies, in significant part, on a single vendor for the systems which allow Civista to provide banking services to Civista's customers, for which the systems are maintained on Civista's behalf by this single vendor. One or more of the third parties utilized by us may experience a cybersecurity event or operational disruption and, if any such event does occur, it may not be adequately addressed, either operationally or financially, by such third party. Certain of these third parties may have limited indemnification obligations to us in the event of a cybersecurity event or operational disruption, or may not have the financial capacity to satisfy their indemnification obligations. Financial or operational difficulties of a third party provider could also impair our operations if those difficulties interfere with such third party's ability to serve the Company. If a critical third-party provider is unable to meet the needs of the Company in a timely manner, or if the services or products provided by such third party are terminated or otherwise delayed and if the Company is not able to develop alternative sources for these services and products quickly and cost-effectively, our business could be materially adversely effected. Additionally, regulatory guidance adopted by federal banking regulators addressing how banks select, engage and manage their third-party relationships, affects the circumstances and conditions under which we work with third parties and the cost of managing such relationships.

We face competition both in originating loans and in attracting deposits within our market area, which includes North Central, West Central and South Western Ohio, South Eastern Indiana and Northern Kentucky. We compete for clients by offering personal service and competitive rates on our loans and deposit products. The type of institutions we compete with include large regional financial institutions, community banks, thrifts and credit unions operating within our market areas. Nontraditional sources of competition for loan and deposit dollars come from captive auto finance companies, mortgage banking companies, internet banks, brokerage companies, insurance companies and direct mutual funds. As a result of their size and ability to achieve economies of scale, certain of our competitors offer a broader range of products and services than we offer. We expect competition to remain intense in the future as a result of legislative, regulatory and technological changes and the continuing trend of consolidation in the financial services industry. In addition, to stay competitive in our markets we may need to adjust the interest rates on our products to match the rates offered by our competitors, which could adversely affect our net interest margin. As a result, our profitability depends upon our continued ability to successfully compete in our market areas while achieving our investment objectives.

Our success to date has been strongly influenced by our ability to attract and to retain senior management experienced in banking in the markets we serve. Our ability to retain executive officers and the current management teams will continue to be important to successful implementation of our strategies. The unexpected loss of services of any key management personnel, or the inability to recruit and retain qualified personnel in the future, could have an adverse effect on our business and financial results.

The DIF maintained by the FDIC to resolve bank failures is funded by fees assessed on insured depository institutions. The costs of resolving bank failures increased for a period of time and decreased the DIF. The FDIC collected a special assessment in 2009 to replenish the DIF and also required a prepayment of an estimated amount of future deposit insurance premiums. If the costs of future bank failures increase, the deposit insurance premiums required to be paid by Civista may also increase. The FDIC recently adopted rules revising its assessments in a manner benefitting banks with assets totaling less than $10 billion. There can be no assurance, however, that assessments will not be changed in the future. We are subject to examinations and challenges by tax authorities. In the normal course of business, we are routinely subject to examinations and challenges from federal and state tax authorities regarding positions taken regarding their respective tax returns. State tax authorities have become increasingly aggressive in challenging tax positions taken by financial institutions, especially those positions relating to tax compliance and calculation of taxes subject to apportionment. Any challenge or examination by a tax authority may result in adjustments to the timing or amount of taxable net worth or taxable income, or deductions or the allocation of income among tax jurisdictions. Management believes it has taken appropriate positions with respect to all tax returns and does not anticipate that any examination would have a material impact on our Consolidated Financial Statements. However, the outcome of such examinations and ultimate resolution of any resulting assessments are inherently difficult to predict. Thus, no assurance can be given that our tax liability for any tax year open to examination will be as reflected in our current and historical Consolidated Financial Statements. Accounting changes could impact our reported financial condition or results of operations. The accounting standard setters, including the Financial Accounting Standards Board (the FASB), the SEC and other regulatory bodies, periodically change the financial accounting and reporting guidance that governs the preparation of our consolidated financial statements. The pace of change continues to accelerate and changes in accounting standards can be hard to predict and could materially impact how we record and report our financial condition and results of operations. In some cases, we could be required to apply new or revised guidance retroactively, resulting in the restatement of prior period financial statements. The preparation of consolidated financial statements in conformity with U.S. generally accepted accounting principles ("GAAP") requires management to make significant estimates that affect the financial statements. Due to the inherent nature of these estimates, actual results may vary materially from management's estimates. In June 2016, FASB issued a new accounting standard for recognizing current expected credit losses, commonly referred to as CECL. CECL will result in earlier recognition of credit losses and requires consideration of not only past and current events but also reasonable and supportable forecasts that affect collectability. The Company adopted CECL effective January 1, 2023. Upon adoption of CECL, credit loss allowances have increased, which have decreased retained earnings and regulatory capital. While the federal banking regulators adopted rules that allow banks to phase in the day-one impact of CECL on regulatory capital over three years, Civista Bank did not choose to phase in the impact. ASU 2016-13 implementation poses operational risk, including the failure to properly transition internal processes or systems, which could lead to call report errors, financial misstatements, or operational losses.

Our success depends to a significant extent upon local and national economic and political conditions, as well as governmental fiscal and monetary policies. Conditions such as inflation, recession, unemployment, changes in interest rates, fiscal and monetary policy, an increasing federal government budget deficit, the failure of the federal government to raise the federal debt ceiling and/or possible future U.S. government shutdowns over budget disagreements, slowing gross domestic product, tariffs, a U.S. withdrawal from or significant renegotiation of trade agreements, trade wars, and other factors beyond our control may adversely affect Civista's deposit levels and composition, the quality of investment securities available for purchase, demand for loans, the ability of Civista's borrowers to repay their loans, and the value of the collateral securing loans made by Civista. Disruptions in U.S. and global financial markets, and changes in oil production in the Middle East also affect the economy and stock prices in the U.S., which can affect our earnings capital, as well as the ability of Civista's customers to repay loans. Because we have a significant amount of real estate loans, decreases in real estate values could adversely affect the value of property used as collateral and our ability to sell the collateral upon foreclosure. Adverse changes in the economy may also have a negative effect on the ability of our borrowers to make timely repayments of their loans, which would have an adverse impact on our earnings and cash flows.

Although we primarily invest in securities issued by United States government agencies and sponsored entities and United States state and local governments with limited credit risk, certain of our investment securities possess higher credit risk since they represent beneficial interests in structured investments collateralized by residential mortgages, debt obligations and other similar assets. Even securities issued by United States government agencies and sponsored entities may entail risk depending on political and economic changes. Regardless of the level of credit risk, all investment securities are subject to changes in market value due to changing interest rates, implied credit spreads and credit ratings. We may experience increasing scrutiny and evolving expectations from customers, regulators, investors, and other stakeholders with respect to the Company's environmental, social and governance practices. Financial institutions are facing increasing scrutiny from customers, regulators, investors, and other stakeholders related to their environmental, social, and governance ("ESG") practices and disclosure. Investor advocacy groups, investment funds, and influential investors are also increasingly focused on these practices, especially as they relate to the environment, health and safety, diversity, labor conditions, and human rights. Increased ESG-related compliance costs for the Company as well as among our suppliers, vendors and various other parties within our supply chain could result in increases to our overall operational costs. Failure to adapt to or comply with regulatory requirements or investor or stakeholder expectations and standards could negatively impact our reputation, ability to do business with certain partners, access to capital, and the price of our common shares. New government regulations could also result in new or more stringent forms of ESG oversight and expanding mandatory and voluntary reporting, diligence, and disclosure.