Central Pacific Financial (CPF) Risk Analysis

During the ordinary course of business, we may foreclose on and take title to properties securing certain loans that we have originated or acquired. We also own several of our branch locations and are building new branch locations in the State of Hawaii. For any real property that we may possess, there is a risk that hazardous or toxic substances could be found on these properties. If hazardous or toxic substances are found, we may be liable for remediation costs, as well as for personal injury and property damage and costs of complying with applicable environmental regulatory requirements. Failure to comply with such requirements can result in penalties. Environmental laws may require us to incur substantial expenses and may materially reduce the affected property's value or limit our ability to use, sell or lease the affected property. In addition, future laws or more stringent interpretations or enforcement policies with respect to existing laws may increase our exposure to environmental liability. The remediation costs and any other financial liabilities associated with an environmental hazard could have a material adverse effect on our business, financial condition or results of operations.

Competition for qualified employees and personnel in the banking industry is intense and there is a limited number of qualified persons with knowledge of, and experience in, the regional banking industry, especially in the Hawaii market. The process of recruiting personnel with the combination of skills and attributes required to carry out our strategies is often lengthy. Our success depends to a significant degree upon our ability to attract and retain qualified management, loan origination, finance, administrative, marketing, and technical personnel, and upon the continued contributions of our management and personnel. In particular, our success has been and continues to be highly dependent upon the abilities of key executives, including our Chairman, President and Chief Executive Officer, our Senior Executive Vice President and Chief Financial Officer, our Senior Executive Vice President and Chief Risk Officer, and our other executive officers and certain other employees.

We rely upon certain third-party vendors to provide products and services necessary to maintain our day-to-day operations, including, providing the core processing system that services the Bank, as well as data processing and storage, online and mobile banking interfaces and services, internet connections, telecommunications, and network access. Accordingly, our operations are exposed to the risk that these vendors might not perform in accordance with applicable contractual arrangements or service level agreements, as the vendors may experience service outages, cybersecurity attacks, data breaches, or other events that may impair their ability to provide fully functioning systems or other services. The failure of an external vendor to perform in accordance with applicable contractual arrangements or service level agreements could be disruptive to our operations and could have a material adverse effect on our business, financial condition or results of operations, and/or damage our reputation. Further, third-party vendor risk management continues to be an area of high regulatory focus. Failure to follow applicable regulatory guidance in this area could expose us to regulatory actions. The ongoing operation of many financial institutions may be closely interrelated as a result of credit, trading, execution of transactions or other relationships between the institutions. As a result, concerns about, or a default or threatened default by, one institution could lead to significant market-wide liquidity and credit problems, losses or defaults by other institutions. This risk may adversely affect financial intermediaries, such as clearing agencies, clearing houses, banks, securities firms and exchanges with which we interact on a daily basis, and, therefore, could adversely affect us. Any of these operational or other risks could materially adversely affect our business, financial condition and results of operations.

We face substantial competition in all areas of our operations from a variety of different competitors, many of which are larger and may have more financial resources. Such competitors primarily include national, regional and community banks within the various markets we operate. Additionally, various out of state banks conduct business in the market areas in which we currently operate. We also face competition from many other types of financial institutions, including without limitation, savings banks, credit unions, finance companies, financial service providers, including mortgage providers and brokers, operating via the internet and other technology platforms, brokerage firms, insurance companies, factoring companies and other financial intermediaries. The financial services industry could become even more competitive as a result of legislative, regulatory and technological changes and continued consolidation. Banks, securities firms and insurance companies can merge under the umbrella of a financial holding company, which can virtually offer any type of financial service, including banking, securities underwriting, insurance (both agency and underwriting) and merchant banking. Technology has also lowered barriers to entry and made it possible for non-banks to offer products and services traditionally provided by banks, such as automatic transfer and automatic payment systems. Many of our competitors have fewer regulatory constraints and may have lower cost structures. Additionally, due to their size, many competitors may be able to achieve economies of scale and, as a result, may offer a broader range of products and services as well as better pricing for those products and services than we can. Our ability to compete successfully depends on a number of factors, including, among other things: - the ability to develop, maintain and build upon long-term customer relationships based on top quality service, high ethical standards and safe, sound assets;- the ability to expand our market position;- the scope, relevance and pricing of products and services offered to meet customer needs and demands;- the rate at which we introduce new products and services relative to our competitors;- customer satisfaction with our level of service; and - industry and general economic trends. Failure to perform in any of these areas could significantly weaken our competitive position and adversely affect our growth and profitability, which in turn, could have a material adverse effect on our financial condition and results of operations. In addition, the soundness of our financial condition may also affect our competitiveness. Customers may decide not to do business with the Bank due to its financial condition.

We may enter into agreements with BaaS partners pursuant to which we will provide certain banking services for the BaaS partner customers. Ensuring contractual and regulatory compliance with these agreements will require additional internal and external resources which will increase our compliance costs and could adversely affect our business. If our BaaS partners are not successful in achieving customer acceptance of their programs or terminate the agreements before the end of their respective terms, our revenue under the various agreements may be limited or may cease altogether. There is a risk that our BaaS partners may change their strategic focus or business model; these changes could impact the Company's business arrangements that we may enter into with our BaaS partners and may adversely impact the Company's financial projections and financial returns on our BaaS programs. In addition, our regulators may hold us responsible for the activities of our partners with respect to various aspects of the marketing or administration of their programs, which may result in increased operational and compliance costs for us or potentially compliance violations as a result of BaaS partner activities, any of which could have a material adverse effect on our financial condition or results of operations.

Threats to our reputation can come from many sources, including adverse sentiment about financial institutions generally, negative sentiment about our business, unethical practices, employee mistakes, misconduct or fraud, failure to deliver minimum standards of service or quality, failure of any product or service offered by us to meet our customers' expectations, compliance deficiencies, government investigations, security breaches, litigation, and questionable, unlawful or fraudulent activities of our partners (including BaaS partners), contract counterparties, employees or customers. We have policies and procedures in place to protect our reputation and promote ethical conduct, but these policies and procedures may not be fully effective to address reputational threats in all circumstances. Negative publicity regarding our business, employees, partners, contracting counterparties, employees or customers, with or without merit, may result in the loss of customers, investors and employees, costly litigation, a decline in revenues and increased governmental scrutiny and regulation.

As a financial institution, we are susceptible to fraudulent activity, information security breaches and cybersecurity-related incidents that may be committed against us, our customers or our business partners (including by our own employees and consultants), which may result in financial losses or increased costs to us or our customers or our business partners, disclosure or misuse of our information or our client information, misappropriation of assets, privacy breaches against our clients, litigation, or damage to our reputation. Such fraudulent activity may take many forms, including: check fraud, electronic fraud, wire fraud, phishing, social engineering, and other dishonest acts. Information security breaches and cybersecurity-related incidents may include fraudulent or unauthorized access to systems used by us, our vendors, or our clients, denial or degradation of service attacks, and malware or other cyber-attacks. The techniques used in cyber-attacks change rapidly and are increasingly sophisticated, including through the use of generative artificial intelligence and deepfakes, and potential future use of quantum computing, and as a result, cyber attacks or data security breaches may be more difficult to anticipate. In recent periods, there continues to be a rise in electronic fraudulent activity, security breaches, and cyber-attacks within the financial services industry, especially in the commercial banking sector due to cyber criminals targeting commercial bank accounts. Consistent with industry trends, we have also experienced an increase in attempted electronic fraudulent activity, security breaches, and cybersecurity-related incidents in recent periods. Moreover, in recent periods, several large corporations, including other financial institutions and retail companies, have suffered major data breaches, in some cases exposing not only confidential and proprietary corporate information, but also sensitive financial and other personal information of their customers and employees and subjecting them to potential fraudulent activity. Some of our clients may have been affected by these breaches, which increase their risks of identity theft, credit card fraud and other fraudulent activity that may involve their accounts with us. We use automation and technology tools to help reduce some risks of human error. Nonetheless, we continue to also rely on many manual processes to conduct our business and manage our risks. In addition, use of automation tools does not eliminate the need for effective design and monitoring of their operation to ensure they operate as intended. Enhanced use of automation may present its own risks. Automated systems may themselves experience outages or problems. Some tools are dependent on the quality of the data used by the tool to learn and enhance the process for which it is responsible. Bad, missing or anomalous data can adversely affect the functioning of such tools. Information pertaining to us and our clients is maintained, and transactions are executed, on the networks and systems of us, our clients and certain of our third-party partners, such as our online banking or reporting systems. The secure maintenance and transmission of confidential information, as well as execution of transactions over these systems, are essential to protect us and our clients against fraud and security breaches and to maintain our clients' confidence. Breaches of information security also may occur, and in infrequent cases have occurred, through intentional or unintentional acts by those having access to our systems or our clients' or counterparties' confidential information, including employees. In addition, increases in criminal activity levels and sophistication, advances in computer capabilities, new discoveries, vulnerabilities in third-party technologies (including browsers and operating systems) or other developments could result in a compromise or breach of the technology, processes and controls that we use to prevent fraudulent transactions and to protect data about us, our clients and underlying transactions, as well as the technology used by our clients to access our systems. Although we have developed, and continue to invest in, systems and processes that are designed to detect and prevent data security breaches and cyber-attacks and periodically test our security, we may fail to anticipate or adequately mitigate breaches of security or experience data privacy breaches that could result in loss of business to us and/or our clients, damage to our reputation, incurrence of additional expenses, disruption to our business, our inability to grow our online services or other businesses, additional regulatory scrutiny or penalties, including resulting violations of law (whether federal or in one or more states) or our exposure to civil litigation and possible financial liability - any of which could have a material adverse effect on our business, financial condition and, results of operations. More generally, publicized information concerning security and cyber-related problems and other data privacy breaches could inhibit the use or growth of digital or web-based applications or solutions as a means of conducting commercial or retail transactions. Such publicity may also cause damage to our reputation as a financial institution, which could have a material adverse effect on our business, financial condition, and results of operations. See "Cybersecurity" under Part I, Item 1C for a further discussion of cybersecurity risk management, strategy and governance.

The financial services industry is continually undergoing rapid technological change with frequent introductions of new technology-driven products and services. The effective use of technology increases efficiency and enables financial institutions to better serve customers and to reduce costs. Our future success depends, in part, upon our ability to address the needs of our customers by using technology to provide products and services that will satisfy customer demands, as well as to create additional efficiencies in our operations. Many of our competitors have substantially greater resources to invest in technological improvements. We may not be able to effectively implement new technology-driven products and services or be successful in marketing these products and services to our customers. In addition, there are a limited number of qualified persons in our local marketplace with the knowledge and experience required to effectively maintain our information technology systems and implement our technology initiatives. Failure to successfully attract and retain qualified personnel, or keep pace with technological change affecting the financial services industry could have a material adverse impact on our business and, in turn, our financial condition and results of operations. We or our third-party vendors, clients or counterparties may develop or incorporate artificial intelligence ("AI") technology in certain business processes, services or products. AI is a relatively new technology that is rapidly evolving and there remains many uncertainties. The development and use of AI presents a number of risks and challenges to our business, including legal and regulatory, compliance, operational, information security, fraud and reputational risks. The financial services industry in general is exposed to risks arising from the use of AI technologies by bad actors to commit fraud, misappropriate funds and facilitate cyberattacks. Generative AI, if used to perpetrate fraud or launch cyberattacks, could create panic at a particular financial institution or exchange, which could pose a threat to financial stability. Statistical and quantitative models and other quantitatively-based analyses, both built internally and from third-party vendors, is increasingly being used in our operations, decision making, and risk management framework. While these quantitative techniques and approaches improve our decision-making, they also create the possibility that faulty data or flawed quantitative approaches could yield adverse outcomes or regulatory scrutiny. Additionally, because of the complexity inherent in these approaches, misunderstanding or misuse of their outputs could similarly result in suboptimal decision-making.