Cullen/Frost Bankers (CFR) Risk Factors

From time to time, customers make claims and take legal action pertaining to our performance of our fiduciary responsibilities. Whether customer claims and legal action related to our performance of our fiduciary responsibilities are founded or unfounded, if such claims and legal actions are not resolved in a manner favorable to us they may result in significant financial liability and/or adversely affect the market perception of us and our products and services as well as impact customer demand for those products and services. Any financial liability or reputational damage could have a material adverse effect on our business, financial condition and results of operations.

We are subject to federal and applicable state tax laws and regulations. Changes in these tax laws and regulations, some of which may be retroactive to previous periods, could increase our effective tax rates and, as a result, could negatively affect our current and future financial performance. Furthermore, tax laws and regulations are often complex and require interpretation. In the normal course of business, we are routinely subject to examinations and challenges from federal and applicable state tax authorities regarding the amount of taxes due in connection with investments we have made and the businesses in which we have engaged. Recently, federal and state taxing authorities have become increasingly aggressive in challenging tax positions taken by financial institutions. These tax positions may relate to tax compliance, sales and use, franchise, gross receipts, payroll, property and income tax issues, including tax base, apportionment and tax credit planning. The challenges made by tax authorities may result in adjustments to the timing or amount of taxable income or deductions or the allocation of income among tax jurisdictions. If any such challenges are made and are not resolved in our favor, they could have a material adverse effect on our business, financial condition and results of operations.

We face substantial competition in all areas of our operations from a variety of different competitors, many of which are larger and may have more financial resources than us. Such competitors primarily include national, regional, and community banks within the various markets where we operate. Recent regulation has reduced the regulatory burden of large bank holding companies, and raised the asset thresholds at which more onerous requirements apply, which could cause certain large bank holding companies with less than $250 billion in total consolidated assets, which were previously subject to more stringent enhanced prudential standards, to become more competitive or to pursue expansion more aggressively. We also face competition from many other types of financial institutions, including, without limitation, savings and loans, credit unions, finance companies, brokerage firms, insurance companies and other financial intermediaries. The financial services industry could become even more competitive as a result of legislative, regulatory and technological changes and continued consolidation. Also, technology and other changes have lowered barriers to entry and made it possible for non-banks to offer products and services traditionally provided by banks. In particular, the activity of fintechs/wealthtechs has grown significantly over recent years and is expected to continue to grow. Some fintechs/wealthtechs are not subject to the same regulation as we are, which may allow them to be more competitive. Fintechs/wealthtechs have and may continue to offer bank or bank-like products and a number of such organizations have applied for bank or industrial loan charters while others have partnered with existing banks to allow them to offer deposit products to their customers. Increased competition from fintechs/wealthtechs and the growth of digital banking may also lead to pricing pressures as competitors offer more low-fee and no-fee products. Additionally, consumers can maintain funds that would have historically been held as bank deposits in brokerage accounts or mutual funds. Consumers can also complete transactions such as paying bills and/or transferring funds directly without the assistance of banks. In addition, the emergence, adoption and evolution of new technologies that do not require intermediation, including distributed ledgers such as digital assets and blockchain, as well as advances in robotic process automation, could significantly affect the competition for financial services. The process of eliminating banks as intermediaries, known as "disintermediation," could result in the loss of fee income, as well as the loss of customer deposits and the related income generated from those deposits. Further, many of our competitors have fewer regulatory constraints and may have lower cost structures than us. Additionally, due to their size, many competitors may be able to achieve economies of scale and, as a result, may offer a broader range of products and services as well as better pricing for those products and services than we can. Our ability to compete successfully depends on a number of factors, including, among other things, (i) the ability to develop, maintain and build long-term customer relationships based on top quality service, high ethical standards and safe, sound assets; (ii) the ability to expand within our marketplace and with our market position; (iii) the scope, relevance and pricing of products and services offered to meet customer needs and demands; (iv) the rate at which we introduce new products and services relative to our competitors; (v) customer satisfaction with our level of service; and (vi) industry and general economic trends. Failure to perform in any of these areas could significantly weaken our competitive position, which could adversely affect our growth and profitability, which, in turn, could have a material adverse effect on our business, financial condition and results of operations. Compliance and Regulatory Risks

There are inherent risks associated with our lending activities. These risks include, among other things, the impact of changes in interest rates and changes in the economic conditions in the markets where we operate as well as those across the State of Texas and the United States. Increases in interest rates and/or weakening economic conditions could adversely impact the ability of borrowers to repay outstanding loans or the value of the collateral securing these loans. As of December 31, 2023, approximately 84.4% of our loan portfolio consisted of commercial and industrial, energy, construction and commercial real estate mortgage loans. These types of loans are generally viewed as having more risk of default and are typically larger than residential real estate loans or consumer loans. Because our loan portfolio contains a significant number of commercial and industrial, energy, construction and commercial real estate loans with relatively large balances, the deterioration of one or a few of these loans could cause a significant increase in non-performing loans. Increases in non-performing loans have resulted in a net loss of earnings from particular loans, an increase in credit loss expense and an increase in loan charge-offs, and these and future instances could have a material adverse effect on our business, financial condition and results of operations. Certain of our credit exposures are concentrated in industries that may be more susceptible to the long-term risks of climate change, natural disasters or global pandemics. To the extent that these risks may have a negative impact on the financial condition of borrowers, it could also have a material adverse effect on our business, financial condition and results of operations. See the section captioned "Loans" in Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations elsewhere in this report for further discussion related to commercial and industrial, energy, construction and commercial real estate loans.

Reputation risk, or the risk to our earnings, liquidity, and capital from negative public opinion, is inherent in our business. Negative public opinion could adversely affect our ability to keep and attract customers and expose us to adverse legal and regulatory consequences. Negative public opinion could result from our actual or alleged conduct in any number of activities, including (i) lending practices, (ii) branching strategy, (iii) product and service offerings, (iv) corporate governance, (v) regulatory compliance, (vi) mergers and acquisitions, (vii) disclosure, (viii) sharing or inadequate protection of customer information, (ix) successful or attempted cyber-attacks against us, our customers or our third-party partners or vendors and (x) failure to discharge any publicly announced commitments to employees or environmental, social and governance initiatives or to respond adequately to social and sustainability concerns from the viewpoint of our stakeholders from actions taken by government regulators and community organizations in response to our conduct. Negative public opinion could also result from adverse news or publicity that impairs the reputation of the financial services industry generally or from the actions of our employees, customers, affiliates or third parties with whom we do business. In addition, our reputation or prospects may be significantly damaged by adverse publicity or negative information regarding us, whether or not true, that may be posted on social media, non-mainstream news services or other parts of the internet, and this risk is magnified by the speed and pervasiveness with which information is disseminated through those channels. Because we conduct most of our business under the "Frost" brand, negative public opinion about one business could affect our other businesses.

We require liquidity to meet our deposit and debt obligations as they come due. Our access to funding sources in amounts adequate to finance our activities or on terms that are acceptable to us could be impaired by factors that affect us specifically or the financial services industry or economy generally. Factors that could reduce our access to liquidity sources include a downturn in the Texas economy, difficult credit markets or adverse regulatory actions against us. Our access to deposits may also be affected by the liquidity needs of our depositors. A substantial majority of our liabilities are demand, savings, interest checking and money market deposits, which are payable on demand or upon several days' notice, while by comparison, a substantial portion of our assets are loans, which cannot be called or sold in the same time frame. We may not be able to replace maturing deposits and advances as necessary in the future, especially if a large number of our depositors sought to withdraw their accounts, regardless of the reason. Our access to deposits may be negatively impacted by, among other factors, periods of low interest rates or higher interest rates which could promote increased competition for deposits, including from new financial technology competitors, or provide customers with alternative investment options. Additionally, negative news about us or the banking industry in general could negatively impact market and/or customer perceptions of our company, which could lead to a loss of depositor confidence and an increase in deposit withdrawals, particularly among those with uninsured deposits. Furthermore, as we and other regional banking organizations experienced in 2023, the failure of other financial institutions may cause deposit outflows as customers spread deposits among several different banks so as to maximize their amount of FDIC insurance, move deposits to banks deemed "too big to fail" or remove deposits from the banking system entirely. As of December 31, 2023, approximately 53% of our deposits were uninsured and we rely on these deposits for liquidity. A failure to maintain adequate liquidity could have a material adverse effect on our business, financial condition and results of operations.

Our success depends, in large part, on our ability to attract and retain key people. Competition for the best people in many activities engaged in by us is intense including with respect to compensation and emerging workplace practices, accommodations and remote work options, and we may not be able to hire people or to retain them. We do not currently have employment agreements or non-competition agreements with any of our senior officers. The unexpected loss of services of key personnel could have a material adverse impact on our business, financial condition and results of operations because of their customer relationships, skills, knowledge of our market, years of industry experience and the difficulty of promptly finding qualified replacement personnel. In addition, the scope and content of U.S. banking regulators' policies on incentive compensation, as well as changes to these policies, could adversely affect our ability to hire, retain and motivate our key employees.

We rely on certain external vendors to provide products and services necessary to maintain our day-to-day operations. These third-party vendors are sources of operational and informational security risk to us, including risks associated with operational errors, information system failures, interruptions or breaches and unauthorized disclosures of sensitive or confidential client or customer information. If these vendors encounter any of these issues, or if we have difficulty communicating with them, we could be exposed to disruption of operations, loss of service or connectivity to customers, reputational damage, and litigation risk that could have a material adverse effect on our business and, in turn, our financial condition and results of operations. In addition, our operations are exposed to risk that these vendors will not perform in accordance with the contracted arrangements under service level agreements. Although we have selected these external vendors carefully, we do not control their actions. The failure of an external vendor to perform in accordance with the contracted arrangements under service level agreements, because of changes in the vendor's organizational structure, financial condition, support for existing products and services or strategic focus or for any other reason, could be disruptive to our operations, which could have a material adverse effect on our business and, in turn, our financial condition and results of operations. Replacing these external vendors could also entail significant delay and expense.

As of December 31, 2023, we had $935.3 million of energy loans which comprised approximately 5.0% of our loan portfolio at that date. Furthermore, energy production and related industries represent a large part of the economies in some of our primary markets. Actions by members of the Organization of Petroleum Exporting Countries ("OPEC") can impact global crude oil production levels and lead to significant volatility in global oil supplies and market oil prices. In recent years, decreased market oil prices compressed margins for many U.S. and Texas-based oil producers, particularly those that utilize higher-cost production technologies such as hydraulic fracking and horizontal drilling, as well as oilfield service providers, energy equipment manufacturers and transportation suppliers, among others. In March of 2020, disagreements between members of OPEC signaled that production levels would rise and, when coupled with the uncertainties of the COVID-19 pandemic, led to a significant decline in market oil prices. As the global economy emerged from pandemic lockdowns in 2021, the demand for oil naturally increased and supply could not keep up with the sudden surge in demand. Consequently, oil prices began to rise. The current wars in Ukraine and Israel have also impacted global oil supplies and caused further volatility in oil prices. The price per barrel of crude oil was approximately $72 on December 31, 2023, down from $80 on December 31, 2022. While losses in our energy portfolio have not been significant in recent years, we have experienced increased losses within our energy portfolio in years that were impacted by significant oil price volatility, particularly in 2020. Future oil price volatility could have negative impacts on the U.S. economy, in particular, the economies of energy-dominant states such as Texas, and our borrowers and customers.

Banking and other financial services companies, including us, rely on technology companies to provide information technology products and services necessary to support day-to-day operations. Technology companies frequently enter into litigation based on allegations of patent infringement or other violations of intellectual property rights. In addition, patent holding companies seek to monetize patents they have purchased or otherwise obtained. Competitors of our vendors, or other individuals or companies, have from time to time claimed to hold intellectual property sold to us by our vendors or in use by us and we are, and may in the future be, named as defendants in various related legal claims. Such claims may increase in the future as the financial services sector becomes more reliant on information technology vendors. The plaintiffs in these actions frequently seek injunctions and substantial damages and may also seek to enter into licensing agreements with us to obtain ongoing fees. Regardless of the scope or validity of such patents or other intellectual property rights, or the merits of any claims by potential or actual litigants, we may have to engage in protracted litigation. Such litigation is often expensive, time-consuming, disruptive to our operations and distracting to management. If we are found to infringe upon one or more patents or other intellectual property rights, we may be required to pay substantial damages or royalties to a third-party. In certain cases, we have entered, and in the future may consider entering, into licensing agreements for disputed intellectual property, although no assurance can be given that such licenses can be obtained on acceptable terms or that litigation will not occur. These licenses may also significantly increase our operating expenses. If legal matters related to intellectual property claims were resolved against us or settled, we could be required to make payments in amounts that could have a material adverse effect on our business, financial condition and results of operations.

In the ordinary course of business, we rely on electronic communications and information systems to conduct our operations and to store sensitive data. Any failure, interruption or breach in security of these systems could result in significant disruption to our operations. Information security breaches and cybersecurity-related incidents include, but are not limited to, attempts to access information, including customer and company information, malicious code, computer viruses and denial of service attacks that could result in unauthorized access, theft, misuse, loss, release or destruction of data (including confidential customer information), account takeovers, unavailability of service or other events. These types of threats may derive from human error, fraud or malice on the part of external or internal parties or may result from accidental technological failure. Our technologies, systems, networks and software have been and continue to be subject to cybersecurity threats and attacks, which range from uncoordinated individual attempts to sophisticated and targeted measures directed at us. Any failures related to upgrades and maintenance of our technology and information systems could further increase our information and system security risk. Our increased use of cloud and other technologies, such as remote work technologies, also increases our risk of being subject to a cyber-attack. The risk of a security breach or disruption, particularly through cyber-attack or cyber-intrusion, has increased as the number, intensity and sophistication of attempted attacks and intrusions from around the world have increased. Our customers, employees and third parties that we do business with have been, and will continue to be, targeted by parties using fraudulent e-mails and other communications in attempts to misappropriate passwords, bank account information or other personal information or to introduce viruses or other malware programs to our information systems, the information systems of our merchants or third-party service providers and/or our customers' personal devices, which are beyond our security control systems. Though we endeavor to mitigate these threats through product improvements, use of encryption and authentication technology and customer and employee education, such cyber-attacks against us, our merchants, our third-party service providers and our customers remain a serious issue and have been successful in the past. Although we make significant efforts to maintain the security and integrity of our information systems and have implemented various measures to manage the risks of a security breach or disruption, there can be no assurance that our security efforts and measures will be effective or that attempted security breaches or disruptions would not be successful or damaging. Even well protected information, networks, systems and facilities remain potentially vulnerable to attempted security breaches or disruptions because the techniques used in such attempts are constantly evolving and generally are not recognized until launched against a target, and in some cases are designed not to be detected and, in fact, may not be detected. Accordingly, we may be unable to anticipate these techniques or to implement adequate security barriers or other preventative measures, and thus it is virtually impossible for us to entirely mitigate this risk. Furthermore, in the event of a cyber-attack, we may be delayed in identifying or responding to the attack, which could increase the negative impact of the cyber-attack on our business, financial condition and results of operations. While we maintain specific "cyber" insurance coverage, which would apply in the event of various breach scenarios, the amount of coverage may not be adequate in any particular case. Furthermore, because cyber threat scenarios are inherently difficult to predict and can take many forms, some breaches may not be covered under our cyber insurance coverage. A security breach or other significant disruption of our information systems or those related to our customers, merchants or our third-party vendors, including as a result of cyber-attacks, could (i) disrupt the proper functioning of our networks and systems and therefore our operations and/or those of our customers; (ii) result in the unauthorized access to, and destruction, loss, theft, misappropriation or release of confidential, sensitive or otherwise valuable information of ours or our customers; (iii) result in a violation of applicable privacy, data breach and other laws, subjecting us to additional regulatory scrutiny and exposing us to civil litigation, enforcement actions, governmental fines and possible financial liability; (iv) require significant management attention and resources to remedy the damages that result; or (v) harm our reputation or cause a decrease in the number of customers that choose to do business with us. The occurrence of any of the foregoing could have a material adverse effect on our business, financial condition and results of operations.