MainStreet Bancshares (MNSB) Risk Analysis

In the course of our business, we may purchase real estate, or we may foreclose on and take title to real estate. Although we exercise prudent due diligence when making loans, we could be subject to environmental liabilities with respect to these properties. We may be held liable to a governmental entity or to third parties for property damage, personal injury, investigation and clean-up costs incurred by these parties in connection with environmental contamination or may be required to investigate or clean up hazardous or toxic substances or chemical releases at a property. The costs associated with investigation or remediation activities could be substantial. In addition, if we are the owner or former owner of a contaminated site, we may be subject to common law claims by third parties based on damages and costs resulting from environmental contamination emanating from the property. Any significant environmental liabilities could cause an adverse effect on our business, financial condition and results of operations.

Liquidity is essential to our business. An inability to raise funds through deposits, borrowings, the sale of loans and other sources could have a substantial negative effect on our liquidity. Our access to funding sources in amounts adequate to finance our activities, or on terms that are acceptable to us, could be impaired by factors that affect us specifically or the financial services industry or the economy in general. Factors that could detrimentally affect our access to liquidity sources include, among other things, a decrease in the level of our business activity as a result of a downturn in the markets in which our loans are concentrated and an adverse regulatory action against us. Our ability to borrow could also be impaired by factors that are not specific to us, such as a disruption in the financial markets or negative views and expectations about the prospects for the financial services industry. Among other sources of funds, we rely heavily on deposits for funds to make loans and provide for our other liquidity needs. However, our loan demand has historically exceeded the rate at which we have been able to build core deposits for which there is substantial competition from a variety of different competitors, so we have relied on interest-sensitive deposits, including wholesale deposits, as sources of funds. Those deposits may not be as stable as other types of deposits and, in the future, depositors may not renew those deposits when they mature, or we may have to pay a higher rate of interest to attract or retain them or to replace them with other deposits or with funds from other sources. Not being able to attract deposits, or to retain or replace them as they mature, would adversely affect our liquidity. Paying higher deposit rates to attract, retain or replace those deposits could have a negative effect on our interest margin and operating results. A failure to maintain adequate liquidity could have a material adverse effect on our business, financial condition and results of operation. Operational Risks

General. From time to time, we implement new lines of business, or offer new products and product enhancements as well as new services within our existing lines of business and we will continue to do so in the future. There are risks and uncertainties associated with these efforts, particularly in instances where the markets are not fully developed. In implementing, developing, or marketing new lines of business, products, product enhancements or services, we may invest significant time and resources, although we may not assign the appropriate level of resources or expertise necessary to make these new lines of business, products, product enhancements or services successful or to realize their expected benefits. Further, initial timetables for the introduction and development of new lines of business, products, product enhancements or services may not be achieved, and price and profitability targets may not prove feasible. External factors, such as compliance with regulations, competitive alternatives and shifting market preferences, may also impact the ultimate implementation of a new line of business or offerings of new products, product enhancements or services. Furthermore, any new line of business, product, product enhancement or service could have a significant impact on the effectiveness of our system of internal controls. Failure to successfully manage these risks in the development and implementation of new lines of business or offerings of new products, product enhancements or services could have an adverse impact on our business, financial condition or results of operations. Payments Services. In 2016, we added a new funding source by way of facilitating payment services. We are continuing to identify and solicit new customers in need of these specialized services. The primary reasons for expanding into payment services are to secure an additional source of low-cost deposits and to capture additional fee income. A bank's risks when dealing with a processor account are similar to risks from other activities in which customers conduct transactions through the bank on behalf of the customers' clients. It is necessary for a bank to implement an adequate processor approval, monitoring and auditing program that extends beyond credit risk management and is conducted on an ongoing basis. When a bank is not able to identify and understand the nature and source of transactions processed through accounts, the bank's risks and the likelihood of suspicious activity can increase. Without these precautions, a bank could be vulnerable to processing illicit or sanctioned transactions. BAAS Software Solutions. Developing and deploying a software program has added, and may contain to add, additional risk, including financial, cybersecurity, compliance and reputational concerns. In 2021, the Company began development of a proprietary BAAS solution, Avenu, to provide an embedded banking solution that connects our partners (fintech, application developers, money movers, and entrepreneurs) directly and seamlessly to our Software as a Service (SAAS). At the end of 2024, management reviewed the Avenu platform's performance. Delays in bringing Avenu to market and subsequent changes in revenue generation potential necessitated a review for impairment and a resulting charge to earnings of the full value of its capitalized intangible software. For additional information, see "Management's Discussion and Analysis of Financial Condition and Results of Operations."

Banking and other financial services companies, such as ours, rely on technology companies to provide information technology products and services necessary to support their day-to-day operations. Technology companies frequently enter into litigation based on allegations of patent infringement or other violations of intellectual property rights. In addition, patent holding companies seek to monetize patents they have purchased or otherwise obtained. Competitors of our vendors, or other individuals or companies, may from time to time claim to hold intellectual property sold to us by our vendors. Such claims may increase in the future as the financial services sector becomes more reliant on information technology vendors. The plaintiffs in these actions frequently seek injunctions and substantial damages. Regardless of the scope or validity of such patents or other intellectual property rights, or the merits of any claims by potential or actual litigants, we may have to engage in protracted litigation. Such litigation is often expensive, time-consuming, disruptive to our operations and distracting to management. If we are found to infringe one or more patents or other intellectual property rights, we may be required to pay substantial damages or royalties to a third party. In certain cases, we may consider entering into licensing agreements for disputed intellectual property, although no assurance can be given that such licenses can be obtained on acceptable terms or that litigation will not occur. These licenses may also significantly increase our operating expenses. If legal matters related to intellectual property claims were resolved against us or settled, we could be required to make payments in amounts that could have an adverse effect on our business, financial condition and results of operations. As described below these competitors include banks, other financial institution and non-banks offering services and products previously only provided by banks.

Operations Risk. Our business is dependent on our ability to process, store and transmit, on a daily basis, numerous transactions. These transactions, as well as the information technology services we provide to clients, often must adhere to client-specific guidelines, as well as legal and regulatory standards. Developing and maintaining our operational systems and infrastructure is challenging, particularly as a result of rapidly evolving legal and regulatory requirements and technological shifts. Our financial, accounting, data processing or other operating systems and facilities may fail to operate properly or become disabled as a result of events that are wholly or partially beyond the Company's control, such as a spike in transaction volume, cyber-attack or other unforeseen catastrophic events, which may adversely affect our ability to process these transactions or provide services. In addition, our operations rely on the secure processing, storage and transmission of confidential, proprietary and other information on our computer systems, networks. and cloud infrastructure. Although we take protective measures to maintain the confidentiality, integrity, and availability of our and our clients' information across all geographic and product lines, and endeavor to modify these protective measures as circumstances warrant, the nature of the threats continues to evolve. As a result, our computer systems, software, and networks may be vulnerable to unauthorized access, loss or destruction of data (including confidential and proprietary client information), account takeovers, unavailability of service, computer viruses or other malicious code, cyber-attacks and other events that could have an adverse security impact. Despite the defensive measures we take to manage our internal technological and operational infrastructure, these threats may originate externally from third parties such as foreign governments, organized crime and other hackers, and outsource or infrastructure-support providers and application developers or may originate internally from within our organization. Given the increasingly high volume of our transactions, certain errors may be repeated or compounded before they can be discovered and rectified. We also face the risk of operational disruption, failure, termination or capacity constraints of any of the third parties that facilitate our business activities, including exchanges, clearing agents, clearing houses or other financial intermediaries. Such parties could also be the source of an attack on, or breach of, our operational systems, data or infrastructure. In addition, as interconnectivity with our clients grows, we increasingly face the risk of operational failure with respect to our clients' systems. Vendor Support Risk. As discussed below, we rely on external vendors to support our operations. We also rely on vendors to provide part of the services we deliver to customers. While we have a vendor management program policy in place and believe we have selected our vendors appropriately, we cannot directly control their employees or their operating environments. A breach or failure of a chosen vendor could have a material adverse impact on our operating environment and may expose the Company's or our customers' data which could result in operational, compliance and/or reputational risks. Replacing a chosen vendor could also result in a significant delay and expense. Internet Risk. Our services and technology solutions rely on internet communications. Computers connected to the internet are vulnerable to many types of threats by cyber criminals. Although none of these types of attacks have had a material impact on our business to date, we anticipate that the efforts to attack our systems, and those of our customers and vendors, will grow in complexity and volume. As such, we have developed an incident response plan to coordinate the efforts following the identification of an attack. Failure to maintain a secure computing environment, stay up to date on security vulnerabilities or deploy adequate technologies to protect against attacks, may subject our information and systems to security breaches that could compromise confidential information and damage our reputation and business. We rely on industry-standard encryption and authentication security systems to provide the security required to protect our data. Periodically our systems are subjected to scans, exploitations and audits by a qualified independent third party to evaluate the effectiveness of our security controls and system configurations. Cyber criminals may attempt to trick employees, customers or vendors through phishing schemes or other methods to disclose sensitive information. Employees receive annual security training and are periodically assessed through simulated attack tools to assist with behavior shaping and coaching against social engineering threats. If one or more of these events occurs, it could potentially jeopardize the confidential, proprietary and other information processed and stored in, and transmitted through, the Company's computer systems and networks, or otherwise cause interruptions or malfunctions in our, as well as our clients' or other third parties' operations, which could result in damage to our reputation, substantial costs, regulatory penalties and/or client dissatisfaction or loss. Potential costs of a cyber incident may include, but would not be limited to, remediation costs, increased protection costs, lost revenue from the unauthorized use of proprietary information or the loss of current and/or future customers, and litigation. Insurance Risk. We maintain an insurance policy through the Company's blanket bond at the maximum of currently available limits. However, we cannot assure you that this policy would be sufficient to cover all financial losses, damages, and penalties, including lost revenues, should the Company experience any one or more of our or a third party's systems failing or experiencing attack. A cyber-attack or other security incident, including one that results in the theft, loss, manipulation, or misuse of information (including personal information), or the disabling of systems and access to information critical to business operations, may result in increased costs, reductions in revenue, reputational damage, legal exposure and business disruptions. A "deep fake" incident, which involves synthetic media that is created using artificial intelligence to create realistic images, videos, or audio recordings of people that appear to be real but are not. This technology has the potential to be used for malicious purposes, such as spreading misinformation or impersonating individuals.  Deep fakes could have a material impact on the Company in a number of ways, including: - Loss of reputation - deep fakes could be used to damage a company's reputation by creating false or misleading content that is attributed to the company,- Financial losses - deep fakes could be used to manipulate the stock market by creating false or misleading information about a company's financial performance, and - Legal liability - deep fakes could expose companies to legal liability for defamation, copyright infringement, or other claims. Our ability to provide our products and services, many of which are internet-based, and communicate with our customers, depends upon the management and safeguarding of information systems and infrastructure, networks, software, data, technology, methodologies and business secrets, including those of our service providers. Our products and services involve the collection, authentication, management, usage, storage, transmission and eventual destruction of sensitive and confidential information, including personal information, regarding our customers and their accounts, our employees, our partners and other third parties with which we do business. We also have arrangements in place with third parties through which we share and receive information about their customers who are or may become our customers. The financial services industry, including the Company, is particularly at risk because of the use of and reliance on digital banking products and other digital services, including mobile banking products, such as mobile payments, and other internet- and cloud-based products and applications, and the development of additional remote connectivity solutions, which increase cybersecurity risks and exposure. Technologies, systems, networks, and other devices of the Bank as well as those of our employees, service providers, partners and other third parties with whom we interact, have been and may continue to be the subject of cyber-attacks and other security incidents, including computer viruses, hacking, malware, ransomware, supply chain attacks, vulnerabilities, credential stuffing, or phishing or other forms of social engineering. Such cyber-attacks and other security incidents are designed to lead to various harmful outcomes, such as unauthorized transactions in the Bank's  accounts, unauthorized or unintended access to or release, gathering, monitoring, disclosure, loss, destruction, corruption, disablement, encryption, misuse, modification or other processing of confidential or sensitive information (including personal information), intellectual property, software, methodologies or business secrets, disruption, sabotage or degradation of service, systems or networks, or other damage. These threats may derive from, among other things, error, fraud or malice on the part of our employees, insiders, or third parties or may result from accidental technological failure or design flaws. Any of these parties may also attempt to fraudulently induce employees, service providers, customers, partners or other third-party users of our systems or networks to disclose confidential or sensitive information (including personal information) in order to gain access to our systems, networks or data or that of our customers, partners, or third parties with whom we interact, or to unlawfully obtain monetary benefit through misdirected or otherwise improper payment. For instance, any party that obtains our confidential or sensitive information (including personal information) through a cyber-attack or other security incident may use this information for ransom, to be paid by us or a third party, as part of a fraudulent activity that is part of a broader criminal activity, or for other illicit purposes. Cyber and information security risks for financial institutions like us continue to increase due to the proliferation of new technologies, the industry-wide shift to reliance upon the internet to conduct financial transactions, and the increased sophistication and activities of malicious actors, organized crime, perpetrators of fraud, hackers, terrorists, activists, extremist parties, formal and informal instrumentalities of foreign governments, state-sponsored actors and other external parties. In addition, our customers access our products and services using personal devices that are necessarily external to our security control systems. There has also been a significant proliferation of consumer information available on the internet resulting from breaches of third-party entities, including personal information, log-in credentials and authentication data. This threat could include the risk of unauthorized account access, data loss and fraud. The use of artificial intelligence, "bots" or other automation software can increase the velocity and efficacy of these types of attacks. We will likely face an increasing number of attempted cyber-attacks as we expand our mobile and other internet-based products and services, as well as our usage of mobile and cloud technologies and as we provide more of these services to a greater number of banking customers. The methods and techniques employed by malicious actors change frequently, are increasingly sophisticated and often are not fully recognized or understood until after they have occurred, and some techniques could occur and persist for an extended period of time before being detected and remediated. We may also be unable to hire, develop and retain talent that keeps pace with the rapidly changing cyber threat landscape, and which are capable of preventing, detecting, mitigating or remediating these risks. Although we seek to maintain a robust suite of authentication and layered information security controls, any one or combination of these controls could fail to prevent, detect, mitigate or remediate these risks in a timely manner. A disruption or breach, including as a result of a cyber-attack or media reports of perceived security vulnerabilities at the Bank or at our service providers, could result in legal and financial exposure, regulatory intervention, litigation, remediation costs, card reissuance, supervisory liability, damage to our reputation or loss of confidence in the security of our systems, products and services that could adversely affect our business. There can be no assurance that unauthorized access or cyber incidents will not occur or that we will not suffer material losses in the future. If future attacks are successful or if customers are unable to access their accounts online for other reasons, it could adversely impact our ability to service customer accounts or loans, complete financial transactions for our customers or otherwise operate any of our businesses or services. In addition, a breach or attack affecting one of our service providers or other third parties with which we interact could harm our business even if we do not control the service that is attacked. Further, our ability to monitor our service providers' cybersecurity practices is limited. Although the agreements that we have in place with our service providers generally include requirements relating to cybersecurity and data privacy, we cannot guarantee that such agreements will prevent a cyber incident impacting our systems or information or enable us to obtain adequate or any reimbursement from our service providers in the event we should suffer any such incidents. In addition, the increasing prevalence and the evolution of cyber-attacks and other efforts to breach or disrupt our systems or networks or those of our customers, service providers, partners or other third parties with which we interact has led, and will likely continue to lead, to increased costs to us with respect to preventing, detecting, mitigating and remediating these risks, as well as any related attempted fraud. In order to address ongoing and future risks, we must expend resources to support protective security measures, investigate and remediate any vulnerabilities of our information systems and infrastructure and invest in new technology designed to mitigate security risks. Further, high profile cyber incidents at the Bank or other financial institutions could lead to a general loss of customer confidence in financial institutions that could negatively affect us, including harming the market perception of the effectiveness of our security measures or the global financial system in general, which could result in reduced use of our financial products. We have insurance against some cyber risks and attacks; nonetheless, our insurance coverage may not be sufficient to offset the impact of a material loss event (including if our insurer denies coverage as to any particular claim in the future), and such insurance may increase in cost or cease to be available on commercially reasonable terms, or at all, in the future.

Our ability to grow and compete is dependent on the Company's ability to build or acquire the necessary operational and technological infrastructure and to manage the cost of that infrastructure as we expand. In our case, operational risk can manifest itself in many ways, such as errors related to failed or inadequate processes, faulty or disabled computer systems, fraud by employees or outside persons and exposure to external events. As discussed below, we are dependent on our operational infrastructure to help manage these risks. In addition, we are heavily dependent on the strength and capability of our technology systems that the Company uses both to interface with customers and to manage internal financial and other systems. Our ability to develop and deliver new products that meet the needs of our existing customers and attract new ones depends on the functionality of our technology systems. Additionally, our ability to run our business in compliance with applicable laws and regulations is dependent on these infrastructures. We continuously monitor our operational and technological capabilities and make modifications and improvements as circumstances warrant. In some instances, the Company may build and maintain these capabilities itself. We outsource many of these functions to third parties. These third parties may experience errors or disruptions that could adversely impact the Company and over which it may have limited control. We also face risk from the integration of new infrastructure platforms and/or new third-party providers of such platforms into the Company's existing businesses. Many of our larger competitors have substantially greater resources to invest in technological improvements. As a result, they may be able to offer additional or superior technologies compared to those that we will be able to provide, which could put us at a competitive disadvantage. Accordingly, we may lose customers seeking new technology-driven products and services to the extent we are unable to compete effectively.

Third parties provide key components of our business infrastructure such as data processing, internet connections, network access, cloud computing access, core application processing, statement production and account analysis. Our business depends on the successful and uninterrupted functioning of our information technology and telecommunications systems and third-party servicers. The failure of these systems, or the termination of a third-party software license or service agreement on which any of these systems is based, could interrupt our operations. Because our information technology and telecommunications systems interface with and depend on third-party systems, we could experience service denials if demand for such services exceeds capacity or such third-party systems fail or experience interruptions. Replacing vendors or addressing other issues with our third-party service providers could entail significant delay and expense. If we are unable to efficiently replace ineffective service providers, or if we experience a significant, sustained or repeated system failure or service denial, it could compromise our ability to operate effectively, damage our reputation, result in a loss of customer business, and subject us to additional regulatory scrutiny and possible financial liability, any of which could have an adverse effect on our business, financial condition and results of operations.

A substantial portion of our loan portfolio consists of commercial and residential real estate-related loans, including construction and residential and commercial mortgage loans. As of December 31, 2024, we had approximately $357.7 million of owner-occupied and $560.1 million of investment commercial real estate loans outstanding, which represented approximately 19.5% and 30.5%, respectively, of our loan portfolio as of December 31, 2024. As of that same date, we had approximately $393.4 million of construction real estate loans and $439.5 million of residential real estate loans, which represented 21.4% and 23.9% respectively. The adverse consequences from real estate-related credit risks tend to be cyclical and are often driven by local and national economic developments that are not controllable or entirely foreseeable by us or our borrowers. As a result: - we have a greater risk of loan defaults and losses in the event of economic weaknesses associated with commercial and residential real estate in our market area and nationally, which may have a negative effect on the ability of our borrowers to timely repay their loans or the value of collateral securing those loans; and - loan concentrations and the associated risks related to commercial and residential real estate may pose additional regulatory credit risk concerns, including interest rate risk due to maturity considerations, liquidity risk due to funding considerations and risks to earnings and capital. During the ordinary course of our business, we may foreclose on and take title to properties securing certain loans, in which event we become exposed to the costs and risks inherent in the ownership of commercial and residential real estate, which could have an adverse effect on our business, financial condition and results of operations. The amount that we, as a mortgagee, may realize after a default is dependent upon factors outside of our control, including: - general or local economic conditions;- environmental clean-up liabilities;- neighborhood values;- interest rates;- real estate tax rates;- operating expenses of the foreclosed properties;- supply of and demand for rental units or properties;- ability to obtain and maintain adequate occupancy of the properties;- zoning laws;- governmental rules, regulations and fiscal policies; and - extreme weather conditions or other natural or man-made disasters. Certain expenditures associated with the ownership of real estate, principally real estate taxes and maintenance costs, may also adversely affect our operating expenses. In recent years commercial real estate markets both nationally and locally have been adversely affected by the COVID-19 pandemic. Remote employee work opportunities during the pandemic have impacted, and may continue to impact, the occupancy of commercial properties. Weakness in our commercial real estate market could result in an increased delinquency rate and losses from these loans. We believe that the resilience of our market and borrowers provides an ability to adjust to and withstand such risks. However, increased losses from this portfolio could have an adverse effect on our business, financial condition and results of operations.

We face strong competition in making loans, attracting deposits and hiring and retaining experienced employees from various competitors, many of which are larger and have greater financial resources than the Company. Price competition for loans and deposits may result in our charging lower interest rates on loans and paying higher interest rates on deposits, thereby reducing our net interest income. Price competition also may limit our ability to originate loans and adversely affect our growth and profitability. Competition makes it more difficult and costly to attract and retain qualified employees.