Trico Bancshares (TCBK) Risk Analysis

We are subject to the PCI-DSS, issued by the Payment Card Industry Security Standards Council. PCI-DSS contains compliance guidelines with regard to our security surrounding the physical and electronic storage, processing and transmission of cardholder data. Compliance with PCI-DSS and implementing related procedures, technology and information security measures requires significant resources and ongoing attention. Costs and potential problems and interruptions associated with the implementation of new or upgraded systems and technology, such as those necessary to achieve compliance with PCI-DSS or with maintenance or adequate support of existing systems could also disrupt or reduce the efficiency of our operations. Any material interruptions or failures in our payment-related systems or third parties that we rely upon could have a material adverse effect on our business, results of operations and financial condition. If there are amendments to PCI-DSS, the cost of compliance could increase, and we may suffer loss of critical data and interruptions or delays in our operations as a result. If we or our service providers are unable to comply with the standards imposed by PCI-DSS, we may be subject to fines and restrictions on our ability to offer certain services, which could materially and adversely affect our business.

In the course of our business, we may foreclose and take title to real estate and could be subject to environmental liabilities with respect to these properties. We may be held liable to a governmental entity or to third parties for property damage, personal injury, investigation and clean-up costs incurred by these parties in connection with environmental contamination, or may be required to investigate or clean-up hazardous or toxic substances, or chemical releases at a property. The costs associated with investigation or remediation activities could be substantial. In addition, if we are the owner or former owner of a contaminated site, we may be subject to common law or contractual claims by third parties based on damages and costs resulting from environmental contamination emanating from the property. When applicable, we establish contingent liability reserves for this purpose based on future reasonable and estimable costs developed by qualified soil and chemical engineering consultants. If we become subject to significant environmental liabilities or if our contingency reserve estimates are incorrect, our business, financial condition and results of operations could be materially adversely affected.

From time to time, we implement new lines of business or offer new products and services within existing lines of business. There are substantial risks and uncertainties associated with these efforts, particularly in instances where the markets are not fully developed. In developing and marketing new lines of business and/or new products and services we invest significant time and resources. Initial timetables for the introduction and development of new lines of business and/or new products or services may not be achieved, and price and profitability targets may not prove feasible. External factors, such as compliance with regulations, competitive alternatives, and shifting market preferences, may also impact the successful implementation of a new line of business or a new product or service. The financial services industry is continually undergoing rapid technological change with frequent introductions of new technology-driven products and services. Our future success depends, in part, upon our ability to address the needs of our customers by using technology to provide products and services that will satisfy customer demands, as well as to create additional efficiencies in our operations. Many of our competitors have substantially greater resources to invest in technological improvements. We may not be able to effectively implement new technology driven products and services or be successful in marketing these products and services to our customers. In addition, our implementation of certain new technologies, such as those related to artificial intelligence ("AI"), automation and algorithms, in our business processes may have unintended consequences due to their limitations or our failure to use them effectively. In addition, the growing reliance on AI technologies by vendors, business partners, and technology solutions or applications introduces additional risks, including but not limited to: Algorithmic Bias that may result in unintended discriminatory outcomes and harm our reputation, loss of proprietary and confidential information through use of AI technologies, unauthorized access or breaches of data could compromise the integrity of our systems with AI dependency, evolving regulations and legal frameworks surrounding AI may pose challenges leading to legal and financial consequences for non-compliance, and protecting the intellectual property associated with AI technologies may be challenging, and unauthorized use or infringement by third parties could bring harm to our competitive position or reputation. Furthermore, cloud technologies are also critical to the operation of our systems, and our reliance on cloud technologies is growing. Failure to successfully keep pace with technological change affecting the financial services industry could have a material adverse effect on our business, financial condition and results of operations. Furthermore, any new line of business, new product or service and/or new technology could have a significant impact on the effectiveness of our system of internal controls. Failure to successfully manage these risks in the development and implementation of new lines of business, new products or services and/or new technologies could have a material adverse effect on our business, financial condition and results of operations.

The Company, our customers, our vendors, and other third parties have experienced security breaches and cyber attacks in the past, and it is inevitable that additional breaches and attacks will occur in the future. While such breaches and attacks have not materially impacted the Company to date, future security breaches and cyber attacks could result in serious and harmful consequences for us or our clients and customers. A principal reason that we cannot provide absolute security against cyber attacks is that we may not always be possible to anticipate, detect or recognize threats to the Company's systems, or to implement effective preventive measures against all breaches because: the techniques used in cyber attacks evolve frequently and are increasingly sophisticated, and therefore may not be recognized until launched; cyber attacks can originate from a wide variety of sources, including our own employees, cyber-criminals, hacktivists, groups linked to terrorist organizations or hostile countries, or third parties whose objective is to disrupt the operations of financial institutions more generally; we do not have control over the cybersecurity of the systems of the large number of clients, customers, counterparties and third-party service providers with which we do business; and it is possible that a third party, after establishing a foothold on an internal network without being detected, might obtain access to other networks and systems. The risk of a security breach due to a cyber attack could increase in the future due to factors such as: our ongoing expansion of mobile and digital banking and other internet-based products and applications, and the increased use of remote access to facilitate remote arrangements for employees, vendors and other third parties. In addition, a third party could misappropriate confidential information obtained by intercepting signals or communications from mobile devices used by our employees. A successful penetration or circumvention of the security of our systems or the systems of a vendor, governmental body or another market participant could cause serious negative consequences, including: significant disruption of our operations and those of our clients, customers and counterparties, including: losing access to operational systems; misappropriation of our confidential information or that of our clients, customers, counterparties, employees, regulators, or other individuals; disruption of or damage to our systems and those of our clients, customers and counterparties; the inability, or extended delays in the ability, to fully recover and restore data that has been stolen, manipulated or destroyed or the inability to prevent systems from processing fraudulent transactions; allegations or violations by the Company of applicable privacy and other laws; financial loss to us or to our clients, customers, counterparties, employees, or others; loss of confidence in our cybersecurity and business resiliency measures; dissatisfaction among our clients, customers or counterparties; significant exposure to litigation and regulatory fines, penalties or other sanctions; and harm to our reputation, all of which could have a material adverse effect on us. If personal, confidential or proprietary information of customers or others in the Bank's or such vendors' or other third-parties' possession were to be mishandled or misused, we could suffer significant regulatory consequences, reputational damage and financial loss, as discussed earlier regarding the Bank's 2023 cyberattack. The extent of a particular cyber attack and the steps that we may need to take to investigate the attack may not be immediately clear, and it may take a significant amount of time before such an investigation or determination, judicial or otherwise, can be completed. While such an investigation is ongoing, we may not necessarily know the full extent of the harm caused by the cyber attack, and that damage may continue to spread. These factors may inhibit our ability to provide rapid, full and reliable information about the cyber attack to its clients, customers, counterparties and regulators, and the public. Furthermore, it may not be clear how best to contain and remediate the harm caused by the cyber attack, and certain errors or actions could be repeated or compounded before they are discovered and remediated. Any or all of these factors could further increase the costs and consequences of a cyber attack. Although we devote significant resources to maintain and regularly upgrade our systems and processes that are designed to protect the security of our computer systems, software, networks, and other technology assets and the confidentiality, integrity, and availability of information belonging to us and our customers, there is no assurance that our security measures will be sufficient. We have implemented employee and customer awareness training regarding phishing, malware, and other cyber risks, however there can no assurances that this training will be effective or sufficient. Furthermore, these risks are expected to increase in the future as we continue to increase our electronic payments and other internet-based product offerings and expand our internal usage of web-based products and applications. Continued geographical turmoil, including the ongoing conflict between Russia and Ukraine, has heightened the risk of cyberattack and has created new risk for cybersecurity, and similar concerns. For example, the United States government has warned that sanctions imposed against Russia by the United States in response to its conflict with Ukraine could motivate Russia to engage in malicious cyber activities against the United States. Our procedures and safeguards to prevent unauthorized access to confidential information and to defend against cyberattacks seeking to disrupt our operations must be continually evaluated and enhanced to address the ever-evolving threat landscape and changing cybersecurity regulations. These preventative actions require the investment of significant resources and management time and attention. Nevertheless, we may not be able to anticipate, prevent, timely detect and/or effectively remediate all security breaches. Any inability to prevent or adequately respond to the issues described above could disrupt the Company's business, inhibit its ability to retain existing customers or attract new customers, otherwise harm its reputation and/or result in financial losses, litigation, increased costs or other adverse consequences that could be material to the Company.

The banking industry is undergoing technological changes with frequent introductions of new technology-driven products and services. In addition to improving customer services, the effective use of technology increases efficiency and enables financial institutions to reduce costs. Our future success will depend, in part, on our ability to address the needs of our customers by using technology to provide products and services that will satisfy customer demands for convenience as well as to create additional efficiencies in our operations. Many of our competitors have substantially greater resources than we do to invest in technological improvements. We may not be able to effectively implement new technology-driven products and services or successfully market such products and services to our customers. In addition,advances in technology such as digital, mobile, telephone, text, and online banking; e-commerce; and self-service automatic teller machines and other equipment, as well as changing customer preferences to access our products and services through digital channels, could decrease the value of our branch network and other assets. We may close or sell certain branches and restructure or reduce our remaining branches and work force. These actions could lead to losses on assets, expense to reconfigure branches and loss of customers in certain markets. As a result, our business, financial condition or results of operations may be adversely affected.

We conduct most of our business in California. As a result of this geographic concentration, our financial results may be impacted by economic conditions in California. Deterioration in the economic conditions in California could result in the following consequences, any of which could have a material adverse effect on our business, financial condition, results of operations and cash flows: - problem assets and foreclosures may increase,- demand for our products and services may decline,- low cost or non-interest-bearing deposits may continue to decrease, and - collateral for loans made by us, especially real estate, may experience a decline in value and/or cash flows, in turn reducing customers' borrowing or repayment ability, and reducing the value of assets and collateral associated with our existing loans. In view of the concentration of our operations and the collateral securing our loan portfolio in California, we may be particularly susceptible to the adverse effects of any of these consequences, any of which could have a material adverse effect on our business, financial condition, results of operations and cash flows.

Our operations and our customer base are primarily located in California where natural and other disasters may occur. California is vulnerable to natural disasters and other risks, such as earthquakes, fires, droughts and floods, the nature and severity of which may be impacted by climate change. These types of natural catastrophic events have at times disrupted the local economies, our business and customers in these regions. Such events could also affect the stability of our deposit base, impact real estate values, impair the ability of borrowers to obtain adequate insurance or repay outstanding loans, impair the value of collateral securing loans and cause significant property damage, result in losses of revenue and/or cause us to incur additional expenses. In addition, catastrophic events occurring in other regions of the world may have an impact on our customers and in turn, on us. Our business continuity and disaster recovery plans may not be successful upon the occurrence of one of these scenarios, and a significant catastrophic event anywhere in the world could materially adversely affect our operating results.

Our business exposes us to fraud risk from loan and deposit customers, the parties we do business with, as well as from employees, contractors and vendors. We rely on financial and other data from new and existing customers which could turn out to be fraudulent when accepting such customers, executing their financial transactions and making and purchasing loans and other financial assets. In times of increased economic stress we are at increased risk of fraud losses. We believe we have underwriting and operational controls in place to prevent or detect such fraud, but cannot provide assurance that these controls will be effective in detecting fraud or that we will not experience fraud losses or incur costs or other damage related to such fraud, at levels that adversely affect financial results or reputation. Our lending customers may also experience fraud in their businesses which could adversely affect their ability to repay their loans or make use of services. The Company's and its customers' exposure to fraud may increase our financial risk and reputation risk as it may result in unexpected loan losses that exceed those that have been provided for in the allowance for credit losses. In addition, we are subject to risk from the conduct of its employees, including the negative impact that can result from employee misconduct or failure by employees to conduct themselves in accordance with our policies, all of which could damage our reputation and result in loss of customers or other financial loss or expose us to increased regulatory or other risk.