Glacier Bancorp (GBCI) Risk Analysis

We are subject to the income tax laws of the United States, the states within our footprint, and other jurisdictions where we conduct business. These laws are complex and subject to different interpretations. In determining the provision for income taxes, management makes judgments and estimates about the application of these inherently complex laws, related regulations, and case law. In the process of preparing our tax returns, management attempts to make reasonable interpretations of the tax laws. These interpretations are subject to challenge by the tax authorities upon audit or to reinterpretation based on management's ongoing assessment of facts and evolving case law. Changes in tax laws, regulations, or case law may result in an adverse impact to our effective tax rate, tax obligations, and financial results. Additionally, challenges made by tax authorities during an audit may result in adjustments to our tax return filings, resulting in similar adverse impacts to our financial position.

The safe and responsible integration of AI technology as it rapidly evolves presents emerging ethical and legal challenges, and the use of such technologies may result in diminished brand trust and reputational harm. As with many innovations, AI presents risks and challenges that could significantly disrupt our business model, such as risks related to implementation of AI technologies, including operational risks stemming from system failures or disruptions of business processes as well as increased costs associated with acquiring, deploying, and maintaining AI technologies. In addition, the use of AI by bad actors presents increasingly complex and sophisticated security threats to our data and the confidential data of our customers and employees. These potential security threats require additional efforts and investments to maintain network security and the security of the data we possess. The regulatory landscape surrounding AI technologies is also evolving, and the ways in which these technologies will be regulated by federal, state, and local governments, self-regulatory bodies, or other regulatory authorities remains uncertain and may be inconsistent from jurisdiction to jurisdiction. Some states within our market areas have enacted or proposed legislation and policies regulating AI with a focus on consumer rights, bias, transparency and misuse. The president has responded by issuing an executive order seeking to centralize AI policies and to identify and challenge inconsistent state laws. Such AI regulations may result in operational costs to modify, maintain, or align our business practices with the rapidly evolving, potentially unclear, or conflicting regulatory regimes, or constrain our ability to develop, deploy, or maintain these technologies.

In the normal course of its business, the Bank collects, processes and retains sensitive and confidential customer and consumer information. Despite the security measures we have in place, our facilities and systems may be vulnerable to cyber-attacks, security breaches, acts of vandalism, computer viruses, misplaced or lost data, programming or human errors, attacks enhanced or facilitated by AI, and other similar events. Information security risks for financial institutions such as the Bank have increased recently in part because of new technologies, the use of the Internet and telecommunications technologies (including mobile devices) to conduct financial and other business transactions, and the increased sophistication and activities of organized crime, foreign actors, hackers, perpetrators of fraud, terrorists and others. In addition to cyberattacks or other security breaches involving the theft of sensitive and confidential information, hackers have engaged in attacks against financial institutions designed to disrupt key business services such as customer-facing web sites. National and international economic and geopolitical conditions may also increase the number of cyber security threats the Bank may face. We may not be able to anticipate or implement effective preventative measures against all security breaches of these types. Although the Bank employs detection and response mechanisms designed to contain and mitigate security incidents, early detection may be thwarted by sophisticated attacks and malware designed to avoid detection, which continue to evolve. Additionally, the Bank faces the risk of operational disruption, failure, termination or capacity constraints of any of the third parties that facilitate its business activities, including third-party service providers, vendors, exchanges, clearing agents, clearing houses or other financial intermediaries. Such parties could also be the source of an attack on, or breach of, the Bank's operational systems. Our operational controls and third-party management programs may not always provide adequate oversight and control over these parties. Inadequate performance by third parties can adversely affect our ability to deliver products and services to our customers and conduct our business. Replacing or finding alternatives for underperforming vendors can be difficult and costly, potentially adversely impacting our customers and operations. Any failures, interruptions or security breaches in our operational or security systems, or those of our third-party service providers, including as a result of cyberattacks, could disrupt business, result in the disclosure or misuse of confidential or proprietary information or a violation of privacy or other laws, or expose us to civil litigation, regulatory fines or losses not covered by insurance, and increase costs. See "Item 1C. Cybersecurity" for additional information regarding our efforts to detect, identify, assess, manage, and respond to risks from cybersecurity threats.

The financial services industry continues to experience rapid technological changes with frequent introductions of new technology-driven products and services by both other regulated entities and by companies that are not subject to the extensive regulations applicable to banks. The effective use of technology increases efficiency and enables financial institutions to better serve customers and to reduce costs. Our future success will depend upon our ability to address the needs of our customers by using technology to provide products and services that will satisfy customer demands for convenience and additional features, as well as create additional efficiencies in our operations. We may not be able to effectively implement new technology-driven products or services, or be successful in marketing these products and services. Additionally, the implementation of technological changes and upgrades to maintain current systems and integrate new ones may cause service interruptions, transaction processing errors and system conversion delays and may cause us to fail to comply with applicable laws and regulations. There can be no assurance that we will be able to successfully manage the risks associated with increased dependency on technology.

We believe our success to date has been substantially dependent on our executive management team. In addition, our unique model relies on the Presidents of our separate Bank divisions, particularly in light of our decentralized management structure in which Bank divisions have significant local decision-making authority. The unexpected loss of any of these individuals could have an adverse effect on our business, financial condition, results of operations, and future growth prospects.