First Interstate Bancsystem (FIBK) Risk Analysis

We are subject to income and other taxes in the United States and in the various state and local jurisdictions where we operate. The laws and regulations related to tax matters are extremely complex and subject to varying interpretations. Although management believes our positions are reasonable, we are subject to audit by the Internal Revenue Service in the United States and by state and local tax authorities in all the jurisdictions in which we conduct business operations. While we believe we comply with all applicable tax laws, rules, and regulations in the relevant jurisdictions, the tax authorities may determine that we owe additional taxes or apply existing laws and regulations differently, which could result in a significant increase in liabilities for taxes and interest in excess of accrued liabilities and harm our business and financial condition. New tax legislative initiatives, including increases in the corporate tax rate, may be enacted, negatively impacting our effective tax rate at the federal and state level, and potentially adversely affecting our tax positions or tax liabilities. For example, the U.S. has implemented a 15% minimum tax on corporations and a 1% excise tax on certain share buybacks. We have adopted and completed material share repurchase programs over the past several years as a means by which to return value to shareholders, and the new excise tax may have a material and negative impact on our willingness to engage in such programs in the future or may materially increase our costs associated with engaging in any such programs to the extent we determine to engage in them in the future. In addition, unilateral or multi-jurisdictional actions by various tax authorities, including an increase in tax audit activity, could have an adverse impact on our tax liabilities. In any event, significant uncertainties exist with respect to the amount of our tax liabilities, including those arising from potential and already implemented changes in tax laws. These and other tax related items could increase our future tax expense, could change our future intentions regarding the use of our earnings, and could have a material adverse effect on our business, financial condition and results of operations.

We are subject to various and constantly evolving privacy, information security, and data protection laws and regulatory guidance, including without limitation: (i) certain limitations on our ability to share non-public personal information about our clients with non-affiliated third parties; (ii) requirements for certain disclosures to clients about our information collection, sharing, and security practices and that afford clients the right to "opt out" of any information sharing by us with non-affiliated third parties (with certain exceptions); and (iii) requirements that we develop, implement, and maintain a written information security program containing appropriate safeguards based on our size and complexity, the nature and scope of our activities, and the sensitivity of client information we process, as well as plans for responding to data security breaches. The number of compliance requirements facing financial institutions continues to increase year over year, as more and more states continue to update and add to their existing data security and data breach requirements and more and more states enact comprehensive data privacy laws. While we have developed policies and procedures and designed our privacy and cybersecurity risk management and governance programs to align with the various statutory and regulatory requirements to which we are subject, these requirements are constantly changing, and the financial services industry continues to face heightened regulatory scrutiny over data privacy and information security practices. Compliance with current or future privacy, data protection, and information security laws (including those regarding security breach notification) affecting client or employee data could result in higher compliance and technology costs and could restrict our ability to provide certain products and services, which could have a material adverse effect on our business, financial conditions, or results of operations. Our failure to comply with privacy, data protection, and information security laws could result in potentially significant regulatory or governmental investigations or actions, litigation, fines, sanctions, and damage to our reputation, which could have a material adverse effect on our business, financial condition, or results of operations. In addition, while we have taken steps to implement and maintain privacy policies that are accurate, comprehensive and compliant with applicable laws, regulations, rules and industry standards, we cannot ensure that our privacy policies and other statements regarding our data processing practices will be sufficient to protect us from claims, proceedings, liability or adverse publicity relating to privacy or cybersecurity. The publication of our privacy policies and other related documentation about our privacy and cybersecurity practices can subject us to potential legal claims or regulatory proceedings if they are found or alleged to be deceptive, unfair, or not representative of our actual practices. Additional risks could arise in connection with any failure or perceived failure by us, our service providers or other third parties with which we do business to provide adequate disclosure or transparency to our customers about the personal information collected from them and its use, to receive, document or honor the privacy preferences expressed by our customers, to protect personal information from unauthorized disclosure or to maintain proper training on privacy practices for all employees or third parties who have access to personal information in our possession or control. Moreover, many U.S. and foreign laws and regulations, including those promulgated by the SEC, require companies to provide notice of cybersecurity incidents involving certain types of personal data or unauthorized access to, or interference with, our information systems to the public, certain individuals, the media, government authorities, or other third parties. Certain of these laws and regulations include notice or disclosure obligations contingent upon the result of complex analyses, including in some cases a determination of materiality. The nature of cybersecurity incidents can make it difficult to assess an incident's overall impact quickly and comprehensively to our business, and we may make errors in our assessments. If we are unable to appropriately assess a cybersecurity incident in the context of required analyses, then we could face compliance risk under these laws and regulations, and we could be subject to lawsuits, regulatory fines or investigations, or other liabilities, any of which could adversely affect our business and operating results. Furthermore, cybersecurity incidents experienced by us, or by our customers or vendors, that lead to public disclosures may also lead to widespread negative publicity and increased government or regulatory scrutiny. Any compromise of our network or data, or any security incident experienced by a member of our supply chain, whether actual or perceived, could harm our reputation; erode customer confidence in our security measures; negatively affect our ability to attract new customers; or subject us to third-party lawsuits, regulatory fines or investigations, or other liability, any of which could adversely affect our business and operating results. Even the perception of inadequate security may damage our reputation and negatively impact our ability to win new customers and retain existing customers. Additionally, we could be required under applicable data breach reporting laws and governing contracts to expend significant capital and other resources to investigate and address any actual or suspected cybersecurity incident or to implement measures to prevent further or additional incidents. To maintain business relationships, we may find it necessary or desirable to incur costs to provide remediation and incentives to customers or other business partners following an actual or suspected security incident. While we do maintain cyber liability insurance to mitigate the financial risks associated with security incidents that is reviewed annually, we cannot be sure that our existing cybersecurity insurance will continue to be available on acceptable terms, in sufficient amounts to cover any claims we submit, or at all. Further, we cannot be sure that insurers will not deny coverage as to any claim, and some security incidents may be outside the scope of our coverage, including in instances where they are considered force majeure events, or there are applicable sub-limits on our coverage. Security incidents may result in increased costs for cybersecurity insurance. One or more large, successful claims against us in excess of our available insurance coverage, or changes in our insurance policies, including premium increases or large deductible or co-insurance requirements, could have an adverse effect on our insurance coverage and on our business, operating results, and financial condition.

We are reliant upon certain external vendors to provide products and services necessary to maintain our day-to-day operations and we currently outsource, or may outsource in the future, many of our major systems, such as certain data processing, loan servicing, credit card servicing, and deposit processing systems. Through our contractual relationships, external vendors are subject to some of the same rules and regulations that are applicable to the Company and their compliance with regulatory requirements is our responsibility. While the Company has selected these external vendors and systems carefully and continues to manage and oversee these vendors, it does not control their operations. Failure of certain external vendors or systems to perform or provide services in accordance with contractual arrangements could be disruptive to our operations and limit our ability to provide certain products and services demanded by our clients. Because our information technology and telecommunications systems interface with and depend on third-party systems, we could experience disruptions if demand for such services exceeds capacity or such third-party systems fail or experience interruptions. If significant, sustained, or repeated, a system failure or disruption could compromise our ability to operate effectively, damage our reputation, result in a loss of client business, and/or subject us to additional regulatory scrutiny and possible financial liability. Any of the failures or disruptions mentioned above could negatively impact our financial condition, results of operations, and cash flows. Replacing these third-party vendors could also entail significant delay and expense.

Our computer systems and network infrastructure and those of third-party service providers on which we are dependent, are subject to security risks and could be susceptible to cyber-attacks, such as denial-of-service attacks, hacking, malware, terrorist activities, and other cybersecurity incidents. Industry experts report increasing cyber-attacks against financial services institutions, and the cost of responding to cybersecurity incidents is higher for victims within the financial sector relative to other sectors. Financial services institutions have reported breaches in the security of their websites or other systems, some of which have involved sophisticated and targeted attacks intended to obtain unauthorized access to confidential information, destroy data, disable or degrade service, achieve illicit financial gain, or sabotage systems, often through the introduction of computer viruses, malware, ransomware, cyber-attacks, and other means. Denial-of-service attacks have been launched against several large financial services institutions, primarily resulting in inconvenience, but can also cause operational disruption. Ransomware and other types of cyber-attacks could be more disruptive and damaging. Hacking and identity theft risks arising from instances of data loss or compromise could also cause serious reputational harm to the Company and the Bank. Our reliance on vendors subjects us to additional cybersecurity risks and vulnerabilities and other threats to our business operations, as vendor security incidents are common. For example, the hardware and software we purchase from suppliers and vendors to facilitate financial services and perform company operations are at risk of having embedded malware, viruses, and other methods intended to develop unauthorized access to confidential information. These types of attacks, known as "supply-chain attacks," have become more prevalent and are creating additional risks through the solutions and tools upon which we rely. While we have a third-party risk management program to oversee our vendors and procurement, our ability to successfully mitigate these risks that occur in the hardware and software of these vendors is limited. Although we generally have agreements relating to cybersecurity and data privacy in place with our vendors, we cannot guarantee that such agreements will prevent a cyber-incident impacting our systems or information or enable us to obtain adequate or any reimbursement from our service providers in the event we should suffer any such incidents. Additionally, the existence of cyber-attacks or security breaches at third-party vendors with access to our data may not be disclosed to us in a timely manner. To the extent we experience supply-chain attacks, our business and reputation could be materially adversely affected, and these third (or fourth) party security incidents could give rise to legal and regulatory risk for the Company and the Bank. We also face more indirect technology, cybersecurity, and operational risks relating to the customers, clients, and other third parties with whom we do business or upon whom we rely to facilitate or enable our business activities, including, for example, financial counterparties, regulators, and providers of critical infrastructure such as internet access and electrical power. As a result of increasing consolidation, interdependence, and complexity of financial entities and technology systems, a technology failure, cyber-attack, or other information or security breach that significantly degrades, deletes, or compromises the systems or data of one or more of the entities within our operating ecosystem could have a material impact on us and on our customers. This consolidation, interconnectivity, and complexity within the financial services sector increases the risk of operational failure. Any third-party or fourth-party technology failure, cyber-attack, or other information or security breach, termination, or constraint within our ecosystem could, among other things, adversely affect our ability to effect transactions, service our clients, manage our exposure to risk, or expand our business. In addition, we provide our clients with the ability to bank remotely, including online, through their mobile devices, and over the telephone. The secure transmission of confidential information over the internet and other remote channels is a critical element of remote banking. Our network, or the network of third parties upon which we rely, could be vulnerable to unauthorized access, computer viruses, malware, phishing schemes, and other internal and external security breaches. We may be required to spend significant capital and other resources to protect against threats, or to alleviate problems caused by security breaches or malicious software. To the extent that our activities or the activities of our clients involve the storage and transmission of confidential information, security breaches and malware could expose us to claims, regulatory scrutiny, litigation, and other possible liabilities. Other possible points of intrusion or disruption not within the Company's control include internet service providers, electronic mail portal providers, social media portals, distant-server (cloud) service providers, electronic data security providers, telecommunications companies, and smart phone manufacturers. Despite efforts to evaluate threats to the security of our systems and data and to implement controls and policies and procedures designed to address the same, cyber threats are rapidly evolving, and we may not be able to anticipate or prevent all such attacks, nor may we be able to implement guaranteed preventive measures against such security breaches. The techniques used by cyber criminals change frequently, may be novel (for example, "zero-day" vulnerabilities), and/or may not be recognized until launched or later (for example, threat actor evading detection for some time), and can originate from a wide variety of sources, including external service providers. These risks may increase in the future as we continue to increase our mobile payment and other internet-based product offerings and expand our internal usage of web-based products and applications. Further, targeted social engineering attacks may be sophisticated and difficult to prevent and our employees, clients, or other users of our systems may be fraudulently induced to disclose sensitive information, allowing cyber criminals to gain access to our systems or data of our clients. Cyber-attacks also could include phishing attempts or e-mail fraud to cause payments or information to be transmitted to an unintended recipient and could include the use of AI and machine learning to launch more automated, targeted and coordinated attacks on targets. In addition, some of our employees work remotely, including while traveling for business, which increases our cybersecurity risk, creates data accessibility concerns, and makes us more susceptible to security breaches or business disruptions. While we have implemented measures to secure remote access to our systems and to educate our users on the risks associated with working remotely, we cannot guarantee that unauthorized access will not occur through these remote channels. A successful penetration or circumvention of system security could cause us serious negative consequences, including significant disruption of operations, misappropriation of confidential information, or damage to our computers or systems or to those of our clients and counterparties. A successful security breach or other cybersecurity incident involving our computer systems and network infrastructure, or those of the third-party service providers upon which we rely, could result in violations of applicable data privacy and data security/data breach and other laws and contractual requirements, financial loss to us or to our clients, loss of confidence in our security measures, significant litigation exposure, and harm to our reputation, all of which could have a material adverse effect on our business, financial condition, and results of operations.

Our clients are located predominantly in Arizona, Colorado, Idaho, Iowa, Kansas, Minnesota, Missouri, Montana, Nebraska, North Dakota, Oregon, South Dakota, Washington, and Wyoming. Unlike larger banks that are more geographically diversified, our profitability largely depends on the general economic conditions in these areas. Deterioration in economic conditions could result in the following consequences, any of which could have a material adverse effect on our business, financial condition, liquidity, and results of operations: - demand for our products and services may decline;- loan delinquencies, problem assets, and foreclosures may increase;- increases in the provisions for credit losses and loans and lease charge-offs;- decrease in net interest income derived from lending activities;- collateral for loans, especially real estate, may decline in value;- future borrowing power of our clients may be reduced;- the value of our securities portfolio may decline;- the net worth and liquidity of loan guarantors may decline, impairing their ability to honor commitments to us; and - increases in our operating expenses associated with attending to the effects of the above noted consequences. Volatility and uncertainty related to inflation and the effects of inflation, which may lead to increased costs for businesses and consumers and potentially contribute to poor business and economic conditions generally, may enhance or contribute to some of the risks discussed herein. For example, higher inflation, or volatility and uncertainty related to inflation, could reduce demand for our products, adversely affect the creditworthiness of the Company's borrowers, or result in lower values for our investment securities and other interest-earning assets. The Federal Reserve stated its current objective is to return the rate of inflation to 2% and it has been aggressively acting to achieve this goal. Throughout 2022 and through July 2023, the Federal Reserve raised the federal funds rate to a targeted rate between 5.25% and 5.5% in an effort to curb inflation. With the general inflationary pressures easing, the Federal Reserve paused raising interest rates during the second half of 2023 and decreased the federal funds rate by 100 basis points between September and December 2024. As market interest rates rise, we experience competitive pressures to increase the rates we pay on deposits, which may decrease our net interest income. In addition, inflationary pressures will increase our operating costs and could have a significant negative effect on our borrowers and the values of collateral securing loans, which could negatively affect our financial performance. To the extent these monetary policies do not mitigate the volatility and uncertainty related to inflation and the effects of inflation, or to the extent conditions otherwise worsen, we could experience adverse effects on our business, financial condition, and results of operations. Deflationary pressures, while possibly lowering our operating costs, could also have a significant negative effect on our borrowers, especially our business borrowers, and the values of underlying collateral securing loans, which could negatively affect our business, financial condition, and results of operations. Additionally, a significant decline in general economic conditions caused by the economic slowdown in Europe and the United States, the impact of trade negotiations, escalating tensions with China, economic conditions in China, including the global economic impacts of the Chinese economy, China's regulation of commerce, escalating military tensions in Europe as a result of Russia's military action in Ukraine, and the conflict in Israel and the surrounding regions, the outbreak of other international or domestic hostilities or other unrest, a default by the United States or other governments in repaying financial obligations, a shutdown of all or part of the United States government or other governments, the effects of pandemics or other health crises, acts of terrorism, climate-related events such as prolonged drought, unemployment, or other economic and geopolitical factors beyond our control, could further impact these local economic conditions and negatively affect our business and results of operations.

Uncertainties continue regarding the potential for a renegotiation of international trade agreements by the Trump administration after changes in United States trade policies, legislation, treaties, and tariffs were taken by the Biden administration. These changes, including trade policies and tariffs affecting other countries, including China, countries comprising the European Union or Middle East, Canada, and Mexico, and retaliatory tariffs by such countries, could materially harm our business. Tariffs and retaliatory tariffs have been imposed, and additional tariffs and retaliatory tariffs are periodically discussed. If maintained, the newly announced tariffs and the potential escalation of trade disputes, a trade war or other governmental action related to tariffs or international trade agreements or policies, as well as potential epidemics or pandemics, have the potential to negatively impact our and/or our clients' costs, demand for our clients' products, and/or the U.S. economy or certain sectors thereof and, thus, adversely affect our business, financial condition, and results of operations.

There is intense competition among banks in the Company's market areas. In addition, the Company competes with other providers of financial services, such as savings and loan associations, credit unions, consumer finance companies, securities firms, insurance companies, commercial finance and leasing companies, factoring companies, the mutual funds industry, financial technology ("fintech") companies, full-service brokerage firms, and discount brokerage firms, some of which are subject to less extensive regulations than us with respect to the products and services they provide. Our success depends, in part, on our ability to adapt our products and services to evolving industry standards and client expectations. There is increasing pressure to provide products and services at lower prices. Lower prices can reduce our net interest margin and revenues from our fee-based products and services. In addition, the adoption of new technologies by competitors, including internet banking services, mobile applications, and advanced ATM functionality, could require us to make substantial expenditures to modify or adapt our existing products and services. Also, these and other capital investments in our business may not produce expected growth in earnings anticipated at the time of the expenditure. The Company may not be successful in introducing new products and services, achieving market acceptance of its products and services, anticipating or reacting to consumers' changing technological preferences, or developing and maintaining loyal clients. In addition, we could lose market share to the shadow banking system or other non-traditional banking organizations. Some of our larger competitors may have greater capital and resources than the Company, higher lending limits, and products and services not offered by us. Any potential adverse reactions to our financial condition or status in the marketplace, as compared to its competitors, could limit our ability to attract and retain clients and to compete for new business opportunities. The inability to attract and retain clients or to effectively compete for new business may have a material and adverse effect on our financial condition and results of operations. The Company also experiences competition from non-bank companies inside and outside of its market area and, in some cases, from companies other than those traditionally considered financial sector participants. In particular, technology companies have begun to focus on the financial sector and offer software and products primarily over the internet, with an increasing focus on mobile device delivery. These companies generally are not subject to regulatory requirements comparable to those to which financial institutions are subject and may accordingly realize certain cost savings and offer products and services at more favorable rates and with greater convenience to the client. For example, a number of companies offer bill pay and funds transfer services that allow clients to avoid using a bank. Technology companies are generally positioned and structured to quickly adapt to technological advances and directly focus resources on implementing those advances. This competition could result in the loss of fee income and client deposits and related income. In addition, changes in consumer spending and saving habits could adversely affect our operations, and the Company may be unable to develop competitive and timely new products and services in response. As technology continues to advance, continuous innovation is expected to exert long-term pressure on the financial services industry.