S&T Bancorp (STBA) Risk Analysis

The financial services industry is highly competitive, and we encounter strong competition for deposits, loans and other financial services in our market area, including online providers of these products and services. Our principal competitors include other local, regional and national financial services providers, such as other financial holding companies, commercial banks, financial technology companies, credit unions, finance companies and brokerage and insurance firms, including competitors that provide their products and services online. Many of our non-bank competitors are not subject to the same degree of regulation that we are and have advantages over us in providing certain services. Additionally, many of our competitors are significantly larger than we are and have greater access to capital and other resources. Failure to compete effectively for deposit, loan and other financial services customers in our markets could cause us to lose market share, slow our growth rate and have an adverse effect on our financial condition and results of operations.

Reputational risk, or the risk to our business, earnings, liquidity and capital from negative public opinion, is inherent in our operations. Negative public opinion could result from our actual or alleged conduct in a variety of areas, including legal and regulatory compliance, lending practices, corporate governance, cybersecurity incident or breach, failures by third parties whom we interact with, litigation, ethical issues or inadequate protection of customer information. Financial companies are highly vulnerable to reputational damage when they are found to have harmed customers, particularly retail customers, through conduct that is illegal or viewed as unfair, deceptive, manipulative or otherwise wrongful. We are dependent on third-party providers for a number of services that are important to our business. Refer to the risk factor titled, "We rely on certain critical third-party providers for a number of services that are important to our business. An interruption or cessation of an important service by any third-party provider could have a material adverse effect on our business." for additional information. A failure by any of these third-party service providers could cause a disruption in our operations, which could result in negative public opinion about us or damage to our reputation. We expend significant resources to comply with regulatory requirements, and the failure to comply with such regulations could result in reputational harm or significant legal or remedial costs. Damage to our reputation could adversely affect our ability to retain and attract new customers and employees, expose us to litigation and regulatory action and adversely impact our earnings and liquidity.

As discussed above, under "Supervision and Regulation" in Item 1, we are subject to extensive state and federal regulation, supervision and legislation that govern nearly every aspect of our operations. The regulations are primarily intended to protect depositors, customers and the banking system as a whole, not shareholders. These regulations affect our lending practices, capital structure, investment practices, dividend policy and growth, among other things. Congress and federal regulatory agencies continually review banking laws, regulations and policies for possible changes. The Dodd-Frank Act, enacted in July 2010, instituted major changes to the banking and financial institutions regulatory regimes. Other changes to statutes, regulations or policies could affect us in substantial and unpredictable ways. Any regulatory changes could subject us to additional costs of regulatory compliance and of doing business, limit the types of financial services and products we may offer and/or increase the ability of non-banks to offer competing financial services and products, among other things, and could divert management's time from other business activities. Failure to comply with applicable laws, regulations, policies or supervisory guidance could lead to enforcement and other legal actions by federal or state authorities, including criminal or civil penalties, the loss of FDIC insurance, the revocation of a banking charter, other sanctions by regulatory agencies, and/or damage to our reputation. The ramifications and uncertainties of the level of government intervention and regulatory changes in the U.S. financial system could also adversely affect us. The regulations that we are subject to at this time relate to institutions with assets less than $10 billion. Should our assets cross the $10 billion threshold, we will be subject to different and additional regulations. Failure to comply with the different or additional regulations could further adversely affect us.

From time to time, customers and others make claims and take legal action pertaining to the performance of our responsibilities. Whether customer claims and legal action related to the performance of our responsibilities are founded or unfounded, if such claims and legal actions are not resolved in a manner favorable to us, they may result in significant expenses, attention from management and financial liability. Any financial liability or reputational damage could have a material adverse effect on our business, which, in turn, could have a material adverse effect on our financial condition and results of operations.

ESG standards, expectations and norms are constantly changing. There has been an increased focus from regulators, investors, customers, employees and other stakeholders concerning ESG practices and disclosure, including climate change, hiring practices, the diversity of the work force, diversity, equity and inclusion practices, racial and social justice issues and shareholder rights. Environmental focus and concern over the effects of climate change have resulted in increased political and social initiatives directed toward climate change. Governments have entered into international agreements with respect to climate change, and U.S. federal and state legislatures, regulatory agencies and supervisory authorities, including those with oversight of financial institutions, have proposed initiatives seeking to mitigate the effects of climate change. While many of the current regulatory proposals do not apply directly to S&T, continued focus on climate change may lead to the promulgation of new regulations or supervisory guidance applicable to S&T and, as a result, we may experience increased compliance costs and other compliance-related risks. Furthermore, our customers could be impacted by regulatory initiatives focused on addressing and mitigating the effects of climate change resulting in an adverse impact on their financial condition and creditworthiness. Depending on the nature of the initiative, the business impacted, and the composition of loan portfolio, our business and results of operations could be negatively impacted by climate change initiatives directed at our customers. In January 2025, an executive order to withdraw the United States from the Paris Agreement was issued. While it is not possible to predict the impact these actions may have on our business or the business of our customers, such actions could prompt more activity from state and local legislatures and administrative agencies to pass new laws or regulations on climate change that could adversely impact our business and the business of our customers. Additionally, our business and the business of our customers could be negatively impacted by disruptions in economic activity resulting from the physical impacts of climate change. Furthermore, new government regulations with respect to other ESG matters could also result in new or more stringent forms of ESG oversight and expanded mandatory and voluntary reporting, diligence, disclosure and ESG-related compliance costs. In addition, we could be criticized for the scope of such initiatives or perceived as not acting responsibly in connection with these matters. Failure to adapt to or comply with regulatory requirements or investor or stakeholder expectations and standards with respect to ESG matters or failure to successfully manage varied stakeholder expectations could have a material adverse impact on our future results of operations, financial position, cash flows, ability to do business with certain third parties and our stock price.

Our business is highly dependent on the security and efficacy of our infrastructure, computer and data management systems, as well as those of third parties with whom we interact. Cybersecurity risks for financial institutions have significantly increased in recent years in part because of the proliferation of new technologies, the use of the Internet and telecommunications technologies to conduct financial transactions, and the increased sophistication and activities of organized crime, hackers, terrorists and other external parties, including foreign state actors. Our operations rely on the secure processing, transmission, storage and retrieval of confidential, proprietary and other information in our computer and data management systems and networks, and in the computer and data management systems and networks of third parties. We rely on digital technologies, computer, database and email systems, software, and networks to conduct our operations. In addition, to access our network and products and services, our customers and third parties may use personal mobile devices or computing devices that are outside of our network environment. We have taken measures to implement backup systems and other safeguards to support our operations, but our ability to conduct business may be adversely affected by any significant disruptions to us or to third parties with whom we interact. We further issue debit cards which are susceptible to compromise at the point of sale via the physical terminal through which transactions are processed and by other means of hacking. The security and integrity of these transactions are dependent upon the retailers' vigilance and willingness to invest in technology and upgrades. Issuing debit cards to our clients exposes us to potential losses, which, in the event of a data breach at one or more major retailers may adversely affect our business, financial condition, and results of operations. Financial services institutions, and third parties whom they conduct business with, have been subject to, and are likely to continue to be the target of, cyber attacks, including computer viruses, malicious or destructive code, phishing attacks, denial of service or other security breaches that could result in the unauthorized release, gathering, monitoring, misuse, loss or destruction of confidential, proprietary and other information of the institution, its employees or customers or of third parties, or otherwise materially disrupt network access or business operations. For example, denial of service attacks have been launched against a number of large financial institutions and several large retailers have disclosed substantial cybersecurity breaches affecting debit accounts of their customers. We have experienced cybersecurity incidents in the past, such as vendor malware attacks, phishing and other social engineering schemes designed to gain access to confidential information from our employees, customers or vendors and, although not material, we anticipate that we could experience further incidents of that nature as well as other types of attempts or incidents. There can be no assurance that we will not suffer material losses or other material consequences relating to technology failure, cyber incidents or other information or security breaches. In addition to external threats, insider threats also present a risk to us. Insiders, having legitimate access to our systems and the information contained in them, have the opportunity to make inappropriate use of the systems and information, or as a result of human error, misconduct or malfeasance, expose us to risk. We have policies, procedures, and controls in place designed to prevent or limit this risk, but we cannot guarantee that these policies, procedures and controls fully mitigate this risk. Additionally, a number of our employees have shifted to working from remote locations, which we expect to remain high for the foreseeable future, increasing the number of surfaces that require protection and the overall risks and exposures to cyber threats. We have taken and continue to take measures to design, implement and reassess our controls, backup systems and other safeguards to support our operations, but no matter how well designed or implemented, we may not be able to anticipate and prevent all potential types of security incidents and breaches, and we may not be able to implement effective preventive measures against such security breaches in a timely manner. As cyber threats continue to evolve, we may also be required to expend significant additional resources to continue to modify or enhance our systems or to investigate and remediate vulnerabilities. System enhancements and updates have further potential to create risks associated with implementing and integrating new systems. Due to the complexity and interconnectedness of information technology systems, the process of enhancing our systems can itself create a risk of systems disruptions and security issues. Any of these matters could result in failure, circumvention of our security systems, or significant disruptions to us or third parties with whom we interact, misappropriation or destruction of our confidential information and/or that of our customers, or damage to our customers' and/or third parties' computers or systems, loss of our customers and business opportunities, and could result in a violation of applicable privacy laws and other laws, litigation exposure, regulatory fines, penalties or intervention, loss of confidence in our security measures, reputational damage, reimbursement or other compensatory costs, and additional compliance costs. In addition, any of the matters described above could have a material adverse impact on our results of business operations and financial condition. Any of the foregoing risks may cause us to experience a cybersecurity incident, attack or breach. A successful security breach of our information or security systems or those of third parties whom we interact with could incur substantial costs or other negative consequences which cause us to suffer material losses. Examples of such material losses include, but are not limited to: (1) remediation costs, such as liability for stolen assets or information, repairs of system damage, and incentives to customers in an effort to maintain relationships after an attack; (2) violations of applicable privacy and other laws; (3) loss of confidence in its security measures; (4) increased cybersecurity protection costs, such as organizational changes, deploying additional personnel and protection technologies, training employees, and engaging third party experts and consultants; (5) significant litigation exposure; (6) harm to our reputation; (7) financial loss; and (8) damage to our competitiveness, stock price, and long-term shareholder values. There can be no assurance we will not suffer material losses or other material consequences relating to technology failure, cyber incidents or other information or security breaches experienced by us or the third parties whom we interact. While we maintain a cyber insurance policy that is designed to cover a majority of loss resulting from cybersecurity breaches, there is no assurance such coverage or other protective measures we employ will be adequate to address all potential material adverse impacts as cybersecurity incidents increase in frequency and magnitude. Any breach of our system security could result in disruption of our operations, unauthorized access to confidential customer information, significant regulatory costs, litigation exposure and other possible damages, loss or liability. Such costs or losses could exceed the amount of available insurance coverage, if any, and would adversely affect our earnings. Moreover, we are subject to laws and regulations in the United States and other jurisdictions regarding privacy, data protection and data security and there continues to be heightened legislative and regulatory focus in this area. These laws and regulations are rapidly evolving and increasing in complexity and will require us to incur costs, some of which may be significant, to achieve and maintain compliance and could restrict our ability to provide certain products and services which could have an adverse effect on our business, financial condition and results of operations. Furthermore, as cybersecurity incidents increase in frequency and magnitude, we may be unable to obtain cybersecurity insurance in amounts and on terms we view as adequate for our operations. For more information on how the Company manages cybersecurity risk, please refer to the discussion provided below under "Part I, Item 1C. Cybersecurity."

The financial services industry is constantly undergoing rapid technological change with frequent introductions of new technology-driven products and services. The effective use of technology increases efficiency and enables financial institutions to better service customers and reduce costs. Our future success depends, in part, upon our ability to address the needs of our customers by using technology to provide products and services that will satisfy their demands, as well as create additional efficiencies within our operations. Many of our large competitors have substantially greater resources to invest in technological improvements. We may not be able to effectively implement new technology-driven products and services quickly or be successful in marketing these products and services to our customers. Failure to successfully keep pace with technological change affecting the financial services industry, including but not limited to changes affecting our information systems resulting in incidents, attacks or breaches in cybersecurity, could have a material adverse impact on our business, financial condition and results of operations.

Our business requires that we attract, develop, and maintain a highly skilled workforce. Competition for qualified employees and personnel in the banking industry is strong, and there are a limited number of qualified persons with knowledge of, and experience in, the banking industry where we conduct our business. Our ability to attract and retain skilled personnel cost effectively is subject to a variety of external factors, including the limited availability of qualified personnel in the workforce in the local markets in which we operate, unemployment levels within those markets, prevailing wage rates, which have increased significantly, health and other insurance costs, and changes in employment and labor laws. Furthermore, the complexities introduced into the labor market as a result of the transition to increased work-from-home arrangements have impacted the competitive landscape in our labor market. Based on current conditions in the labor market, we have experienced some difficulty in retaining and attracting personnel and there is no assurance that we will be able to continue to successfully do so.

We are dependent for the majority of our technology, including our core operating system, on certain critical third-party providers. If these companies were to discontinue providing services to us, we may experience significant disruption to our business. In addition, each of these third parties faces the risk of cyber attack, information breach or loss, or technology failure. If any of our critical third-party service providers experience such difficulties, or if there is any other disruption in our relationships with them, we may be required to find alternative sources of such services. We are dependent on these critical third-party providers securing their information systems, over which we have limited control, and a breach of their information systems could adversely affect our ability to process transactions, service our clients or manage our exposure to risk and could result in the disclosure of sensitive, personal customer information, which could have a material adverse impact on our business through damage to our reputation, loss of business, remedial costs, additional regulatory scrutiny or exposure to civil litigation and possible financial liability. Assurance cannot be provided that we could negotiate terms with alternative service sources that are as favorable or could obtain services with similar functionality as found in existing systems without the need to expend substantial resources, if at all, thereby resulting in a material adverse impact on our business and results of operations.