Old National Bancorp Capital (ONB) Risk Analysis

Old National is subject to federal and applicable state income tax laws and regulations. Income tax laws and regulations are often complex and require significant judgment in determining the Company's effective tax rate and in evaluating the Company's tax positions. Changes in tax laws, changes in interpretations, guidance or regulations currently in effect or that may be promulgated, or challenges to judgments or actions that the Company may take with respect to tax laws could negatively impact our current and future financial performance. In addition, our determination of our tax liability is subject to review by applicable tax authorities. In the normal course of business, we are routinely subject to examinations and challenges from federal and applicable state and local taxing authorities regarding the amount of taxes due in connection with investments we have made and the businesses in which we have engaged. Recently, federal and state and local taxing authorities have been increasingly aggressive in challenging tax positions taken by financial institutions. The challenges made by taxing authorities may result in adjustments to the timing or amount of taxable income or deductions, or the allocation of income among tax jurisdictions. Any such challenges that are not resolved in our favor may adversely affect our effective tax rate, tax payments or financial condition.

Our success depends, in large part, on our ability to attract and retain key people. Competition for the best employees in most of the activities we engage in can be intense. We may not be able to hire the best people for key roles or retain them. In addition, work-from-home and hybrid work arrangements may exacerbate the challenges of attracting and retaining talented and diverse employees as job markets may be less constrained by physical geography. Our current or future approach to in-office and work-from-home arrangements may not meet the needs or expectations of our current or prospective employees or may not be perceived as favorable as compared to the arrangements offered by competitors, which could adversely affect our ability to attract and retain employees. The loss of any of our key personnel or an inability to continue to attract, retain, and motivate key personnel could adversely affect our business.

Third party vendors provide key components of our business infrastructure, including certain data processing and information services. Third parties may transmit confidential, propriety information on our behalf. Although we require third party providers to maintain certain levels of information security, such providers may remain vulnerable to breaches, unauthorized access, misuse, computer viruses, or other malicious attacks that could ultimately compromise sensitive information. While we may contractually limit our liability in connection with attacks against third party providers, Old National remains exposed to the risk of loss associated with such vendors. In addition, operational errors, information system failures, or interruptions of vendors' systems, or difficulty communicating with vendors, could expose us to disruption of operations, loss of service or connectivity to customers, reputational damage, and litigation risk that could have a material adverse effect on our business and, in turn, our financial condition and results of operations. In addition, our operations are exposed to risk that vendors will not perform in accordance with the contracted arrangements under service level agreements. Although we have selected external vendors carefully, we do not control their actions. The failure of an external vendor to perform in accordance with the contracted arrangements under service level agreements, because of changes in the vendor's organizational structure, financial condition, support for existing products and services, or strategic focus or for any other reason, could be disruptive to our operations, which could have a material adverse effect on our business and, in turn, our financial condition and results of operations. Replacing a vendor, particularly a large national entity with a dominant market presence, such as a number of our current vendors, could also cause us to incur significant delays and expenses.

Old National may have to foreclose on collateral real property to protect Old National's investment and may thereafter own and operate such property, in which case Old National will be exposed to the risks inherent in the ownership of real estate. The amount that Old National, as a mortgagee, may realize after a default is dependent upon factors outside of Old National's control, including, but not limited to: (i) general or local economic conditions; (ii) neighborhood values; (iii) size, use, and location of the properties; (iv) interest rates; (v) real estate tax rates; (vi) operating expenses of the mortgaged properties; (vii) environmental remediation liabilities; (viii) ability to obtain and maintain adequate occupancy of the properties; (ix) zoning laws; (x) governmental rules, regulations and fiscal policies; and (xi) acts of God. Certain expenditures associated with the ownership of real estate, principally real estate taxes, insurance, and maintenance costs, may adversely affect the income from the real estate. Therefore, the cost of operating real property may exceed the income earned from such property, and Old National may have to advance funds in order to protect Old National's investment or dispose of the real property at a loss. The foregoing expenditures and costs could adversely affect Old National's ability to generate revenues, resulting in reduced levels of profitability.

Like other U.S. financial services companies, the Company has been and expects to continue to be the target of cyber-attacks and other attempts to disrupt its operations. Although we devote significant resources to maintain and regularly upgrade our systems and processes that are designed to protect the security of our computer systems, software, networks, and other technology assets and the confidentiality, integrity, and availability of information belonging to us and our clients, there is no assurance that our security measures, or those of our external vendors, will provide absolute security. Further, to access our products and services our clients may use computers and mobile devices that are beyond our security control systems. In fact, many other financial services institutions and companies engaged in data processing have reported breaches in the security of their websites or other systems, some of which have involved sophisticated and targeted attacks intended to obtain unauthorized access to confidential information, destroy data, disable or degrade service, or sabotage systems, often through the introduction of computer viruses or malware, cyberattacks, and/or malicious code, or by means of phishing attacks, social engineering and other means. As our reliance on technology systems and the connectivity of third parties (including contractors) and electronic devices to our systems increase, the potential risks of technology-related interruptions in our operations or the occurrence of cyber incidents also increase. Our technologies, systems, and networks, and those of our external vendors, as well as our customers' devices are periodically the target of cyberattacks and may be the target of future cyberattacks. Malicious actors may also attempt to fraudulently induce employees, customers or other users of our systems to disclose sensitive information, including passwords and other identifying information, in order to gain access to data or our systems. Certain financial institutions in the United States have also experienced attacks from technically sophisticated and well-resourced third parties that were intended to disrupt normal business activities by making internet banking systems inaccessible to clients for extended periods. These "denial-of-service" attacks typically do not breach data security systems, but require substantial resources to defend, and may affect client satisfaction and behavior. There have been several well-publicized attacks on various companies, including in the financial services industry, and personal, proprietary, and public e-mail systems in which the perpetrators gained unauthorized access to confidential information and customer data, often through the introduction of computer viruses or malware, cyberattacks, phishing, or other means. Even if not directed at the Company or its subsidiaries specifically, attacks on other entities with whom we do business or on whom we otherwise rely or attacks on financial or other institutions important to the overall functioning of the financial system could adversely affect, directly or indirectly, aspects of our business. Despite our efforts to ensure the integrity of our systems, it is possible that we may not be able to anticipate or to implement effective preventive measures against all security breaches, especially because the techniques used change frequently or are not recognized until launched, and because security attacks can originate from a wide variety of sources, including persons who are involved with organized crime or associated with external service providers or who may be linked to terrorist organizations or hostile foreign governments. As cyber threats continue to evolve, including as a result of the increased use of artificial intelligence, we may be required to expend significant additional resources to continue to modify or enhance our systems or to investigate and remediate vulnerabilities. System enhancements and updates may also create risks associated with implementing and integrating new systems. Due to the complexity and interconnectedness of information technology systems, the process of enhancing our systems can itself create a risk of systems disruptions and security issues. If our security systems were penetrated or circumvented, it could cause serious negative consequences for us, including significant disruption of our operations, misappropriation of our confidential information or that of our clients, or damage our computers or systems and those of our clients and counterparties, and could result in violations of applicable privacy and other laws, financial loss to us or to our clients, loss of confidence in our security measures, client dissatisfaction, significant litigation exposure, regulatory action, and harm to our reputation, all of which could have a material adverse effect on us.

The financial services industry is continually undergoing rapid technological change with frequent introductions of new technology-driven products and services. The effective use of technology increases efficiency and enables financial institutions to better serve clients and to reduce costs. Old National's future success depends, in part, upon its ability to address client needs by using technology to provide products and services that will satisfy client demands, as well as to create additional efficiencies in Old National's operations. Old National may not be able to effectively implement new technology-driven products and services or be successful in marketing these products and services to its clients. Failure to successfully keep pace with technological change affecting the financial services industry could negatively affect Old National's growth, revenue, and profit. Failure to successfully implement and integrate future system enhancements could adversely affect the Company's ability to provide timely and accurate financial information in compliance with legal and regulatory requirements, which could result in sanctions from regulatory authorities. Future system enhancements could have higher than expected costs and/or result in operating inefficiencies, which could increase the costs associated with the implementation as well as ongoing operations. Upgrading the Company's computer systems, software, and networks subjects the Company to the risk of disruptions, failures, or delays due to the complexity and interconnectedness of the Company's computer systems, software, and networks. The failure to properly upgrade or maintain these computer systems, software, and networks could result in greater susceptibility to cyber-attacks, particularly in light of the greater frequency and severity of attacks in recent years, as well as the growing prevalence of supply chain attacks affecting software and information service providers. Failures related to upgrades and maintenance also increase risks related to unauthorized access and misuse. There can be no assurance that any such disruptions, failures, or delays will not occur or, if they do occur, that they will be adequately addressed.

In our market area, Old National encounters significant competition from other commercial banks, savings and loan associations, credit unions, mortgage banking firms, FinTech companies, consumer finance companies, securities brokerage firms, insurance companies, money market mutual funds, and other financial services companies. Our competitors may have substantially greater resources and lending limits than Old National does and may offer services that Old National does not or cannot provide. Some of our nonfinancial institution competitors may have fewer regulatory constraints, broader geographic service areas, and, in some cases, lower cost structures and, as a result, may be able to compete more effectively for business. In particular, the activity of marketplace lenders and other FinTechs has grown significantly over recent years and is expected to continue to grow. FinTechs have and may continue to offer bank or bank-like products. For example, a number of FinTechs have applied for, and in some cases received, bank or industrial loan charters. In addition, other FinTechs have partnered with existing banks to allow them to offer deposit products to their customers. Regulatory changes may also make it easier for FinTechs to partner with banks and offer deposit products. Our ability to originate residential mortgage loans has also been adversely affected by the increased competition resulting from the unprecedented involvement of the U.S. government and government-sponsored entities in the residential mortgage market. Other recent regulation has reduced the regulatory burden of large bank holding companies and raised the asset thresholds at which more onerous requirements apply, which could cause certain large bank holding companies with less than $250 billion in total consolidated assets, which were previously subject to more stringent enhanced prudential standards, to become more competitive or to pursue expansion more aggressively. There is also increased competition from out-of-market competitors through online and mobile channels. In addition, the emergence, adoption and evolution of new technologies that do not require intermediation, including distributed ledgers, as well as advances in automation, could significantly affect competition for financial services. Old National's profitability depends upon our continued ability to compete successfully in our market area.

Technology and other changes now allow many clients to complete financial transactions without using banks. For example, consumers can pay bills and transfer funds directly without going through a bank. This process of eliminating banks as intermediaries could result in the loss of fee income, as well as the loss of client deposits and income generated from those deposits. In addition, changes in consumer spending and savings habits could adversely affect Old National's operations, and Old National may be unable to timely develop competitive new products and services in response to these changes.