Popular (BPOP) Risk Analysis

Our businesses are highly regulated, and the laws and regulations that apply to us have a significant impact on our

from departments and agencies of the U.S. and Puerto Rico governments, including those that investigate compliance with

U.S. sanctions and consumer protection laws and regulations, which may expose us to significant penalties and collateral

consequences, and could result in higher compliance costs or restrictions on our operations. We from time-to-time self-report compliance matters to, or receive requests for information from, departments and agencies of the U.S. and Puerto Rico governments, including with respect to compliance with consumer protection laws and regulations. For example, BPPR has in the past received requests for information, such as subpoenas and civil investigative demands from U.S. government regulators, including concerning add-ons on consumer products, real estate appraisals and residential and construction loans in Puerto Rico. BPPR has also self-identified and reported to applicable regulators compliance matters related to U.S. sanctions, as well as mortgage, credit reporting and other consumer lending practices. Incidents of this nature and investigations or examinations by governmental authorities have resulted in the past, and may in the future result, in judgments, settlements, fines, enforcement actions, penalties or other sanctions adverse to the Corporation,which could materially and adversely affect the Corporation's business, financial condition, results of operations or capital position or cause serious reputational harm. Any such settlements or orders that we enter into, or that regulatory authorities impose on us could require enhancements to our procedures and controls and entail significant operational and compliance costs. Furthermore, issues or delays in satisfying the requirements of a regulatory settlement or action on a timely basis could result in additional penalties and enforcement actions, which could be significant. In connection with the resolution of regulatory proceedings, enforcement authorities may seek admissions of wrongdoing and, in some cases, criminal pleas, which could lead to increased exposure to private litigation,loss of clients or customers, and restrictions on offering certain products or services. In addition, responding to information-gathering requests, investigations and other regulatory proceedings, regardless of the ultimate outcome of the matter, could be time-consuming, expensive and divert management attention from our business. Financial services institutions such as Popular have been subject to heightened expectations and regulatory scrutiny in recent years. Our regulators' oversight is not limited to banking and financial services laws but extends to other significant laws such as those related to anti money laundering, anti-bribery and anti-corruption laws. Further, regulators in the performance of their supervisory and enforcement duties, have significant discretion and power to prevent or remedy what they deem to be unsafe and unsound practices or violations of laws by banks and bank holding companies. Therefore, the outcome of any investigative or enforcement action, which may take years and be material to Popular, may be difficult to predict or estimate.

Complying with economic and trade sanctions programs and anti-money laundering laws and regulations can increase our

found to have failed to comply with applicable economic and trade sanctions programs and anti-money laundering laws

and regulations, we could be exposed to fines, sanctions and penalties, and other regulatory actions, as well as

operational risks that could have a material adverse effect on us. Third parties provide key components of our business operations, such as data processing, information security, recording and monitoring transactions, online banking interfaces and services, Internet connections and network access. The most important of these third-party service providers for us is Evertec. We are dependent on Evertec for the provision of essential services to our business, including certain of our core financial transaction processing and information technology and security services. As a result,we are particularly exposed to the operational risks of Evertec, including those related to its security architecture and potential breakdowns or failures of Evertec's systems or internal controls environment. Over the course of our relationship with Evertec, we have experienced interruptions and delays in key services provided by Evertec, as well as cyber events, as a result of system breakdowns, their exposure to zero-day vulnerabilities, misconfigurations,human error, application obsolescence and dependency on shared infrastructure components and shared environments, which have in certain cases also led to exposure of Popular information and BPPR customer information. In particular, the current level of obsolescence in the hardware and software used by Evertec to service us exposes us to heightened operational and cybersecurity risks, including system outages. Our ability to cure legacy obsolescence in the hardware and software we procure from Evertec, to expand our oversight over security services being provided by Evertec, as well as to effect the segregation of our shared infrastructure, is expected to be lengthy and complex, which exacerbates our exposure to resulting operational, including cybersecurity, risks. See "The transition to new financial services technology providers, and the replacement of services currently provided to us by Evertec, will be lengthy and complex" in the Operational Risks section of Item 1A in this Form 10-K below. While we select third-party vendors carefully and have increased our oversight of these relationships, our oversight is constrained by the level of our ongoing visibility into our vendor's systems and operations, and we do not have direct control over their actions, assets or services. Any problems caused by these vendors, including those resulting from disruptions in the services provided, vulnerabilities in or breaches of the vendor's systems or environments, failure of the vendor to handle current or higher volumes, failure of the vendor to provide services for any reason or poor performance of services, failure of the vendor to notify us of a reportable event in a timely manner, our vendors' misuse of artificial intelligence and other automatic decision making technologies, could adversely affect our ability to deliver products and services to our customers and otherwise conduct our business, disrupt our operations, result in potential liability to clients and customers, result in the imposition of fines, penalties or judgments by our regulators, lead to exposure of our information or that of our customers or harm to our reputation, any of which could materially and adversely affect us. The inability of our third-party service providers to timely address cybersecurity threats may further exacerbate these risks. Financial or operational difficulties of a third-party vendor could also hurt our operations if those difficulties interfere with the vendor's ability to serve us. Replacing these third-party vendors, when possible, could also create significant delay and expense. Accordingly, the use of third parties creates an unavoidable inherent risk to our business operations.

Deterioration in the values of real properties securing our commercial, mortgage loan and construction portfolios have in

acts of violence or war, or the emergence of pandemics or epidemics, could cause a disruption in our operations or other

Unforeseen or catastrophic events, including extreme weather events and other natural disasters, man-made disasters,

could cause substantial harm and have an adverse effect on our business and results of operations. Cybersecurity risks for large financial institutions such as Popular have increased significantly in recent years in part because of the proliferation of new technologies, such as mobile banking, cloud hosting, artificial intelligence and the ability to conduct instant financial transactions anywhere globally, as well as due to geopolitical conflicts and the increased sophistication and activities of organized crime, hackers, terrorists, nation-states, hacktivists and other parties. The risk of cyber-attacks is expected to increase with the evolution and emergence of new technologies such as artificial intelligence and quantum computing. In the ordinary course of business, we rely on electronic communications and information systems to conduct our operations and to transmit and store sensitive data. Notwithstanding our defensive measures and the significant resources we devote to protecting the security of our systems, there is no assurance that all of our security measures will be effective at all times,especially as the threats from cyber-attacks are continuous and severe. The risk of a security breach due to a cyber-attack is expected to increase as we continue to expand our mobile banking and other internet-based product offerings, the use of the cloud for system development and hosting and internal use of internet-based products and applications. We continue to detect and identify attacks that are becoming more sophisticated and increasing in volume, as well as attackers that respond rapidly to changes in defensive countermeasures. The most significant cyber-attack risks that we or our critical service providers may face include, but are not limited to, e-fraud, denial-of-service (DDoS), ransomware, computer intrusion and the exploitation of software zero-day vulnerabilities that might result in disruption of services, in the exposure or loss of customer or proprietary data, and significant financial loss. Loss from e-fraud occurs when cybercriminals compromise our systems or the systems of our customers and extract funds from customer's credit cards or bank accounts, including through brute force,password spraying and credential stuffing attacks directed at gaining unauthorized access to individual accounts. Denial-of-service attacks intentionally disrupt the ability of legitimate users, including customers and employees, to access networks, websites and online resources. Computer intrusion attempts, either direct or through social engineering (pretext calls), supply chain compromise,email, text or voice messages, including using brand impersonation (regularly referred to as phishing, vishing, smishing and quishing), have resulted in and may continue to result in the compromise of sensitive customer data, such as account numbers,credit cards and social security numbers, and could present significant reputational, legal and regulatory costs to Popular if successful. Our customer-facing platforms are also routinely attacked by threat actors aiming to gain unauthorized access to our clients' accounts. Although we have implemented defensive measures designed to protect against such attacks, there is no assurance that these defensive measures will keep pace with threats that are continuous and growing in severity. For example,certain customers have been affected by brute force attacks on one of our platforms, which resulted in certain of our customers log-in credentials and information being exposed and accounts being taken over, resulting in fraudulent transfers or withdrawals. Popular customers have also been impacted by card skimming events in our ATM terminals. As a result, we have notified, and conducted additional remediation for, customers identified as affected by these incidents. Cyber-security risks have also been recently exacerbated by the discovery of zero-day vulnerabilities in widely distributed third party software, which have in the past affected and in the future could affect Popular's or any of its service provider's systems, as further detailed below. The increased use of remote access and third-party video conferencing solutions to enable work-from-home arrangements for employees and facilitate the use of digital channels by our customers, has also increased our exposure to cyber-attacks, including through the use of deep fakes and brand impersonation. In addition, a third party could misappropriate confidential information obtained by intercepting signals or communications from mobile devices used by Popular's customers or employees. Recent geopolitical conflicts have also exacerbated the risks related to supply-chain compromises and de-stabilizing activities of nation-state sponsored actors. Although we are regularly targeted by unauthorized threat-actor activity, we have not, to date,experienced any material losses as a result of cyber-attacks. A material compromise or circumvention of the security of our systems could have serious negative consequences for us,including significant disruption of our operations and those of our clients, customers and counterparties, misappropriation of confidential information of Popular or that of our clients, customers, counterparties or employees, or damage to computers or systems used by us or by our clients, customers and counterparties, and could result in violations of applicable privacy and other laws, financial loss to us or to our customers, increased regulatory scrutiny and enforcement actions, customer dissatisfaction,significant litigation exposure and harm to our reputation, all of which could have a material adverse effect on us. The extent of a particular cyber-attack and the steps that we may need to take to investigate the attack may not be immediately clear, and it may take a significant amount of time before such an investigation can be completed. While such an investigation is ongoing, Popular may not necessarily know the full extent of the harm caused by the cyber-attack, and that damage may continue to spread. These factors may inhibit our ability to provide rapid, full and reliable information about the cyber-attack to our clients, customers, counterparties and regulators, as well as the public. Moreover, new regulations may require us to disclose information about a cybersecurity event before it has been resolved or fully investigated. Furthermore, it may not be clear how best to contain and remediate the potential harm caused by the cyber-attack, and certain errors or actions could be repeated or compounded before they are discovered and remediated. Cyber-attacks could also cause interruptions in our operations and result in the incurrence of significant costs, including those related to forensic analysis and legal counsel. We also rely on third parties for the performance of a significant portion of our information technology functions and the provision of information security, technology and business process services. As a result, a successful compromise or circumvention of the security of the systems of these third-party service providers could have serious negative consequences for us, including compromise of our systems, misappropriation of our confidential information or that of our clients, customers, counterparties or employees, or other negative implications identified above with respect to a cyber-attack on our systems. The most important of these third-party service providers for us is Evertec. As a result, we depend on Evertec to identify and remediate certain of our cybersecurity vulnerabilities. Cyber-attacks at third-party service providers are also becoming increasingly common, and, as a result,cybersecurity risks relating to our vendors, including Evertec have increased. Certain risks particular to Evertec and our dependence on third parties are discussed under "We rely on other companies to provide key components of our business infrastructure,including certain of our core financial transaction processing and information technology and security services, which exposes us to a number of operational risks that could have a material adverse effect on us" in the Operational Risks section of Item 1A in this Form 10-K. During 2021, we determined that, as a result of the widely reported breach of Accellion, Inc.'s File Transfer Appliance tool, which was being used at the time of such breach by a U.S.-based third-party advisory services vendor of Popular, personal information of certain Popular customers was compromised. During 2023, personal information of Popular customers' data was compromised in a data breach incident that impacted MOVEit, the third-party file transfer platform used by one of our service providers. In both instances, Popular notified, as required or otherwise deemed appropriate, customers identified as affected by the incident. Furthermore, during 2024, threat actors exploited a zero-day vulnerability in the Fortinet enterprise management server software used by Evertec, which migrated to one of Popular's domain controllers due to a shared network environment. While Evertec determined that no BPPR customer information was exfiltrated as a result of this incident, the event underscores the risks inherent in Popular's dependency on Evertec. Although these incidents did not have a material effect on Popular, including its business strategy, results of operations or financial condition, and our third-party service providers agreed to cover external remediation costs associated therewith, a compromise of Popular information or the personal information of our customers maintained by third party vendors could result in significant regulatory consequences, reputational damage and financial loss to us. The success of our business depends in part on the continuing ability of these (and other) third parties to perform these functions and services in a timely and satisfactory manner, which performance could be disrupted or otherwise adversely affected due to failures or other information security events originating at the third parties or at the third parties' suppliers or vendors (so-called "fourth party risk"). We may not be able to effectively directly monitor or mitigate fourth-party risk, in particular as it relates to the use of common suppliers or vendors by the third parties that perform functions and services for us. As cyber threats continue to evolve, we also expect to expend significant additional resources to continue to modify or enhance our layers of defense or to investigate and remediate additional information security vulnerabilities or incidents. The obsolescence in our hardware or software limits our ability to mitigate vulnerabilities. System enhancements and updates also create risks associated with implementing new systems and integrating them with existing ones, including risks associated with supply chain compromises and the software development lifecycle of the systems used by us and our service providers. In addition,addressing certain information security vulnerabilities, such as hardware-based vulnerabilities, may affect the performance of our information technology systems. The ability of our hardware and software providers to deliver patches and updates to mitigate vulnerabilities in a timely manner can introduce additional risks, particularly when a vulnerability is being actively exploited by threat actors. Moreover, our efforts to timely mitigate vulnerabilities and manage such risks, given the rise in number and urgency of required patches and third-party software, as well as the obsolescence in some of our hardware and software, may impact our day-to-day operations, the availability of our systems and delay the deployment of technology enhancements and innovation. If Popular's operational systems, or those of external parties on which Popular's businesses depend, are unable to meet the requirements of our businesses and operations or bank regulatory standards, or if they fail, have other significant shortcomings or are impacted by cyber-attacks, Popular could be materially and adversely affected.

impact us in the future. A significant portion of our business involves lending money, which exposes us to credit risk and risk of loss if borrowers do not repay their loans, leases, credit cards or other credit obligations. The performance of these credit portfolios significantly affects our financial condition and results of operations. We have in the past been adversely affected by negative changes in the financial condition of our clients due to weakness in the Puerto Rico and U.S. economy. If the current economic environment were to deteriorate, more customers may have difficulty in repaying their credit obligations, which may result in higher levels of credit losses and reserves for credit losses.

If we are unable to meet constant technological changes and react quickly to meet new industry standards, including as a