Quiver Quantitative

Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - CCNE

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A. Risk Factors and the section captioned "Forward-Looking Statements and Factors that Could Affect Future Results" in Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations of this report and other cautionary statements set forth elsewhere in this report.

ITEM 1. BUSINESS

CNB Financial Corporation (the "Corporation") is a financial holding company registered under the Bank Holding Company Act of 1956, as amended (the "BHC Act"). It was incorporated under the laws of the Commonwealth of Pennsylvania in 1983 for the purpose of engaging in the business of a financial holding company. On April 26, 1984, the Corporation acquired all of the outstanding capital stock of County National Bank, a national banking chartered institution. In December 2006, County National Bank changed its name to CNB Bank (the "Bank") and became a state bank chartered in Pennsylvania and subject to regulation by the Pennsylvania Department of Banking and Securities (the "Pennsylvania Department of Banking") and the Federal Deposit Insurance Corporation. In October 2013, the Corporation acquired FC Banc Corp. and its subsidiary, The Farmers Citizens Bank. In July 2016, the Corporation acquired Lake National Bank, and in July 2020, the Corporation acquired Bank of Akron.

In addition to the Bank, the Corporation has four other subsidiaries. CNB Securities Corporation is incorporated in Delaware and currently maintains investments in debt and equity securities. CNB Insurance Agency, incorporated in Pennsylvania, provides for the sale of nonproprietary annuities and other insurance products. CNB Risk Management, Inc. is a Delaware-based captive insurance company which insures against certain risks unique to the operations of the Corporation and its subsidiaries and for which insurance may not be currently available or economically feasible in today's insurance marketplace. Holiday Financial Services Corporation ("Holiday"), incorporated in Pennsylvania, offers small balance unsecured loans and secured loans, primarily collateralized by automobiles and equipment, to borrowers with higher risk characteristics and currently has nine offices within the Corporation’s market area.

CNB Bank

The Bank was originally chartered as a national bank in 1934 and is now a Pennsylvania-chartered bank. The CNB Bank franchise operates twenty full-service branch locations in Central and North Central Pennsylvania.

ERIEBANK, a division of the Bank, began operations in 2005. In July 2016, the Corporation acquired Lake National Bank, which operated two full-service branches in Mentor, Ohio, approximately 20 miles east of Cleveland, Ohio. The Bank continues to operate one of these branch locations within its ERIEBANK franchise, with the other location ceasing operations in August 2020. In December 2021, the Corporation opened a full-service branch in Cleveland, Ohio. The Bank currently operates thirteen full-service branch locations within its ERIEBANK franchise, a division of the Bank, with its headquarters in Erie, Pennsylvania.

In October 2013, the Corporation acquired FC Banc Corp. and its subsidiary, The Farmers Citizens Bank. The Bank currently operates seven full-service branch locations as FCBank, a division of the Bank, with its headquarters in Worthington, Ohio.

In 2016, the Bank received regulatory approval to conduct business in the State of New York as BankOnBuffalo, a division of the Bank. In July 2020, the Corporation acquired Bank of Akron, with its branch locations operating with BankOnBuffalo. The Bank currently operates twelve branch locations, one mobile branch and one drive-up office as BankOnBuffalo, a division of the Bank, with its headquarters in Buffalo, New York.

In 2021, the Bank received regulatory approval to conduct business in the Commonwealth of Virginia as Ridge View Bank, a division of the Bank. The Bank currently operates three full-serve branch locations and one loan production office in Southwest Virginia.

In 2023, the Bank launched Impressia Bank, a full-service banking division dedicated to the professional and financial development and advancement of women business owners and women leaders. This women-focused commercial bank operates within the existing geographic footprint of each of CNB Bank’s other divisions and also has an online presence.

Table of Contents

The Bank had one loan production office, one drive-up office, one mobile office, and 55 full-service branch offices located in various communities in its market area at December 31, 2024. The CNB Bank franchise's primary market areas are the Pennsylvania counties of Blair, Cambria, Centre, Clearfield, Elk, Indiana, Jefferson, and McKean. ERIEBANK, a division of the Bank, operates in the Pennsylvania counties of Crawford, Erie, and Warren and in the Ohio counties of Ashtabula, Cuyahoga, Geauga, Lake, and Lorain. FCBank, a division of the Bank, operates in the Ohio counties of Crawford, Delaware, Franklin, Knox, Marion, Morrow and Richland. BankOnBuffalo, a division of the Bank, operates in the New York counties of Erie and Niagara. Ridge View Bank, a division of the Bank, operates in the Virginia counties of Botetourt, Craig, Franklin, and Roanoke. Impressia Bank, a division of the Bank, operates in the Bank’s primary market areas.

The Bank is a full-service bank engaging in a full range of banking activities and services for individual, business, governmental and institutional customers. These activities and services principally include checking, savings, and time deposit accounts; real estate, commercial, industrial, residential and consumer loans; and a variety of other specialized financial services. The Bank’s Private Client Solutions division offers a full range of client services, including private banking and wealth and asset management.

Merger with ESSA Bancorp, Inc.

On January 9, 2025, the Corporation and CNB Bank entered into a definitive merger agreement (the “Merger Agreement”) with ESSA Bancorp, Inc. (“ESSA”) and its subsidiary bank, ESSA Bank & Trust Company (“ESSA Bank”), pursuant to which the Corporation will acquire ESSA in an all-stock transaction. Subject to the terms and conditions of the Merger Agreement, which has been approved by the boards of directors of each party, ESSA will merge with and into the Corporation, with the Corporation as the surviving entity, and immediately thereafter, ESSA Bank will merge with and into the Bank, with the Bank as the surviving bank (the “Merger”). Under the terms of the Merger Agreement, each outstanding share of ESSA common stock will be converted into the right to receive 0.8547 shares of the Corporation’s common stock. The transaction is currently expected to close in the third quarter of 2025, subject to customary closing conditions, including the receipt of regulatory approvals and approvals by the shareholders of ESSA and the Corporation.

Competition

The financial services industry in the Corporation’s service area continues to be extremely competitive, both among commercial banks and with other financial service providers such as consumer finance companies, thrifts, investment firms, mutual funds, and credit unions. The increased competition has resulted from changes in legal and regulatory guidelines as well as from economic conditions. Mortgage banking firms, leasing companies, financial affiliates of industrial companies, brokerage firms, retirement fund management firms, and even government agencies provide additional competition for loans and other financial services. Some of the financial service providers operating in the Corporation’s market area operate on a large-scale regional or national basis and possess greater resources than those of the Corporation. The Corporation is generally competitive with all competing financial institutions in its service area with respect to interest rates paid on time and savings deposits, service charges on deposit accounts, and interest rates charged on loans.

Supervision and Regulation

The Corporation is a bank holding company that has elected financial holding company status, and the Bank is a Pennsylvania state-chartered bank that is not a member of the Federal Reserve System. Accordingly, the Corporation is subject to the oversight of the Board of Governors of the Federal Reserve System (the "Federal Reserve Board") and the Pennsylvania Department of Banking and is regulated under the BHC Act, and the Bank is subject to the oversight of the Pennsylvania Department of Banking and the Federal Deposit Insurance Corporation ("FDIC"), as its primary federal regulator. The Corporation and the Bank are also subject to various requirements and restrictions under federal and state law, such as requirements to maintain reserves against deposits, restrictions on the types, amounts and terms and conditions of loans that may be granted, and limitations on the types of investments that may be made and the types of services that may be offered. Various consumer financial protection laws and regulations also affect the operation of the Bank and, pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act (the "Dodd-Frank Act"), the Consumer Financial Protection Bureau ("CFPB") is authorized to write additional rules on consumer financial products and services which could affect the operations of the Bank and Holiday. In addition to the impact of regulation, commercial banks are significantly affected by the actions of the Federal Reserve Board, including actions taken with respect to interest rates, as the Federal Reserve Board attempts to control the money supply and credit availability in the U.S. in order to influence the economy.

Table of Contents

The following summary sets forth certain of the material elements of the regulatory framework applicable to bank holding companies and their subsidiaries and provides certain specific information about us and our subsidiaries. It does not describe all of the provisions of the statutes, regulations and policies that are identified. To the extent that the following information describes statutory and regulatory provisions, it is qualified in its entirety by express reference to each of the particular statutory and regulatory provisions. A change in applicable statutes, regulations or regulatory policy may have a material effect on our business.

Bank Holding Company Regulation

As a bank holding company that controls a Pennsylvania state-chartered bank, the Corporation is subject to regulation and examination by the Pennsylvania Department of Banking and the Federal Reserve Board. We are required to file with the Federal Reserve Board an annual report and such additional information and submissions as the Federal Reserve Board may require pursuant to the BHC Act and applicable regulations. For instance, the BHC Act requires each bank holding company to obtain the approval of the Federal Reserve Board before it may acquire substantially all the assets of any bank, or before it may acquire ownership or control of any voting shares of any bank if, after such acquisition, it would own or control, directly or indirectly, more than five percent of any class of voting shares of such bank. Such a transaction may also require approval of the Pennsylvania Department of Banking.

Pursuant to provisions of the BHC Act and regulations promulgated by the Federal Reserve Board thereunder, the Corporation may only engage in, or own companies that engage in, activities deemed by the Federal Reserve Board to be permissible for bank holding companies or financial holding companies. Activities permissible for bank holding companies include those that are so closely related to banking or managing or controlling banks as to be a proper incident thereto. Activities for financial holding companies include those that are "so closely related to banking as to be a proper incident thereto" as well as certain additional activities deemed "financial in nature or incidental to such financial activity" or complementary to a financial activity and that do not pose a substantial risk to the safety and soundness of the banking organization or the financial system.

The Corporation must obtain permission from or provide notice to the Federal Reserve Board prior to engaging in most new business activities.

Regulation of CNB Bank

Federal and state banking laws and regulations govern, among other things, the scope of a bank’s business, the investments a bank may make, the reserves against deposits a bank must maintain, the loans a bank makes and collateral it takes, the activities of a bank with respect to mergers and acquisitions, the establishment of branches, management practices, and numerous other aspects of banking operations.

Source of Strength Doctrine

Under Section 616 of the Dodd-Frank Act, a bank holding company is required to serve as a source of financial strength to its subsidiary banks and may not conduct its operations in an unsafe or unsound manner. In addition, it is the Federal Reserve Board’s policy that a bank holding company must also serve as a source of managerial strength to its subsidiary banks, and a bank holding company should stand ready to use available resources to provide adequate capital funds to its subsidiary banks during periods of financial stress or adversity and should maintain the financial flexibility and capital-raising capacity to obtain additional resources for assisting its subsidiary banks. A bank holding company’s failure to meet its obligations to serve as a source of strength to its subsidiary banks will generally be considered by the Federal Reserve Board to be an unsafe and unsound banking practice, a violation of the Federal Reserve Board regulations, or both. This doctrine is commonly known as the "source of strength" doctrine.

Identity Theft

The Fair Credit Reporting Act’s Red Flags Rule requires financial institutions with covered accounts (e.g., consumer bank accounts and loans) to develop, implement, and administer an identity theft prevention program. This program must include reasonable policies and procedures to detect suspicious patterns or practices that indicate the possibility of identity theft, such as inconsistencies in personal information or changes in account activity.

Table of Contents

Capital Adequacy

The Capital Rules adopted in 2013 by the Federal Reserve Board, the FDIC, and the Office of the Comptroller of the Currency ("OCC") generally implement the Basel Committee on Banking Supervision’s capital framework, referred to as Basel III, for strengthening international capital standards. The Capital Rules revised the definitions and components of regulatory capital, increased risk-based capital requirements, and made selected changes to the calculation of risk-weighted assets. The risk-weighting categories in the Capital Rules are standardized and include a risk-sensitive number of categories, depending on the nature of the assets, generally ranging from 0% for U.S. government and agency securities to 600% for certain equity exposures, and resulting in higher risk weights for a variety of assets.

The Capital Rules: (i) include “Common Equity Tier 1” (“CET1”) and a related regulatory capital ratio of CET1 to risk-weighted assets; (ii) specify that Tier 1 capital consists of CET1 and “Additional Tier 1 capital” instruments meeting certain revised requirements; (iii) mandate that most deductions/adjustments to regulatory capital measures be made to CET1 and not to the other components of capital; and (iv) expand the scope of the deductions from and adjustments to capital as compared to existing regulations. Under the Capital Rules, for most banking organizations, including the Corporation, the most common form of Additional Tier 1 capital is non-cumulative perpetual preferred stock, and the most common forms of Tier 2 capital are subordinated notes and a portion of the allocation for allowance for credit losses, in each case, subject to the Capital Rules’ specific requirements.

Pursuant to the Capital Rules, the minimum capital ratios are as follows:

•4.5% CET1 to risk-weighted assets;

•6.0% Tier 1 capital (that is, CET1 plus Additional Tier 1 capital) to risk-weighted assets;

•8.0% Total capital (that is, Tier 1 capital plus Tier 2 capital) to risk-weighted assets; and

•4.0% Tier 1 capital to average consolidated assets as reported on consolidated financial statements (called “leverage ratio”).

The Capital Rules also include a “capital conservation buffer,” composed entirely of CET1, in addition to these minimum risk-weighted asset ratios (which are each of the first three ratios described above, but not the leverage ratio). The capital conservation buffer is designed to absorb losses during periods of economic stress. Banking institutions that do not hold the requisite capital conservation buffer will face constraints on dividends, capital instrument repurchases, interest payments on capital instruments and discretionary bonus payments based on the amount of the shortfall. Thus, the capital standards applicable to the Corporation include an additional capital conservation buffer of 2.5% of CET1, effectively resulting in minimum ratios inclusive of the capital conservation buffer of (i) CET1 to risk-weighted assets of at least 7%, (ii) Tier 1 capital to risk-weighted assets of at least 8.5%, and (iii) total capital to risk-weighted assets of at least 10.5%.

The Capital Rules provide for a number of deductions from and adjustments to CET1. These include, for example, the requirement that mortgage servicing assets, deferred tax assets arising from temporary differences that could not be realized through net operating loss carrybacks, and significant investments in non-consolidated financial entities be deducted from CET1 above certain thresholds. In July 2019, the OCC, the Federal Reserve Board and the FDIC adopted a final rule intended to simplify the Capital Rules described above for non-advanced approaches rule institutions, including provisions related to these deductions and adjustments. Institutions were required to implement the provisions of the simplification rule by April 1, 2020.

The Capital Rules also permit most banking organizations to retain, through a one-time permanent election, the capital treatment that existed before the 2013 Capital Rules were issued for accumulated other comprehensive income. The Corporation made the one-time permanent election to retain the previous capital treatment for accumulated other comprehensive income.

The Capital Rules also preclude certain hybrid securities, such as trust preferred securities, from inclusion in bank holding companies’ Tier 1 capital, although bank holding companies that had total consolidated assets of less than $15 billion at December 31, 2009 may include trust preferred securities issued prior to May 19, 2010 as a component of Tier 1 capital.

Table of Contents

In September 2019, the OCC, the Federal Reserve Board and the FDIC adopted a final rule that is intended to further simplify the Capital Rules for depository institutions and their holding companies that have less than $10 billion in total consolidated assets, such as us, if such institutions meet certain qualifying criteria. This final rule became effective on January 1, 2020. Under this final rule, if we meet the qualifying criteria, including having a leverage ratio (equal to Tier 1 capital divided by average total consolidated assets) greater than 9%, we will be eligible to opt into the community bank leverage ratio framework. If we opt into this framework, we will be considered to have satisfied the generally applicable risk-based and leverage capital requirements in the Capital Rules (as modified pursuant to the simplification rule) and will be considered to have met the well-capitalized ratio requirements for Prompt Corrective Action ("PCA") purposes. To date, we have not opted in to this community bank leverage ratio framework.

Dividend Restrictions

The Corporation is a legal entity separate and distinct from the Bank. Declaration and payment of cash dividends by the Corporation depends upon cash dividend payments to the Corporation by the Bank, which is our primary source of revenue and cash flow.

As a Pennsylvania state-chartered bank, the Bank is subject to regulatory restrictions on the payment and amounts of dividends under the Pennsylvania Banking Code.

The payment of dividends by the Bank and the Corporation may also be affected by other factors, such as the requirement to maintain adequate capital above regulatory requirements. The federal banking agencies have indicated that paying dividends that deplete a depository institution’s capital base to an inadequate level would be an unsafe and unsound banking practice. A depository institution may not pay any dividend if payment would cause it to become undercapitalized or if it already is undercapitalized. Moreover, the federal banking agencies have issued policy statements that provide that bank holding companies and insured banks should generally only pay dividends out of current operating earnings. Federal banking regulators have the authority to prohibit banks and bank holding companies from paying a dividend if the regulators deem such payment to be an unsafe or unsound practice.

Prompt Corrective Action and Safety and Soundness

Under applicable PCA statutes and regulations, depository institutions are placed into one of five capital categories, ranging from "well capitalized" to "critically undercapitalized." The PCA statute and regulations provide for progressively more stringent supervisory measures as an insured depository institution’s capital category declines. An institution that is not well capitalized is generally prohibited from accepting brokered deposits and offering interest rates on deposits higher than the prevailing rate in its market. An undercapitalized depository institution must submit an acceptable restoration plan to the appropriate federal banking agency. One requisite element of such a plan is that the institution’s parent holding company must guarantee compliance by the institution with the plan, subject to certain limitations.

At December 31, 2024, the Bank qualified as "well capitalized" under applicable regulatory capital standards.

Bank holding companies and insured depository institutions may also be subject to potential enforcement actions of varying levels of severity by the federal banking agencies for unsafe or unsound practices in conducting their business, or for violation of any law, rule, regulation, condition imposed in writing by the agency, or term of a written agreement with the agency. In more serious cases, enforcement actions may include the issuance of directives to increase capital; the issuance of formal and informal agreements; the imposition of civil monetary penalties; the issuance of a cease and desist order that can be judicially enforced; the issuance of removal and prohibition orders against officers, directors, and other institution affiliated parties; the termination of the insured depository institution’s deposit insurance; the appointment of a conservator or receiver for the insured depository institution; and the enforcement of such actions through injunctions or restraining orders based upon a judicial determination that the FDIC, as receiver, would be harmed if such equitable relief was not granted.

Table of Contents

Community Reinvestment Act

Under the Community Reinvestment Act of 1977 ("CRA"), the FDIC is required to assess the record of all financial institutions it supervises to determine if these institutions are meeting the credit needs of the community (including low and moderate income neighborhoods) which they serve. CRA performance evaluations are based on a four-tiered rating system: Outstanding, Satisfactory, Needs to Improve, and Substantial Noncompliance. CRA performance evaluations are considered in evaluating applications for such things as mergers, acquisitions, and applications to open branches. The Bank received a CRA rating of "Satisfactory" at its most recent CRA exam. The FDIC, along with other federal bank regulators, published in October 2023 substantially updated regulations regarding CRA, as well as some amendments to this final rule in March 2024, which became effective on April 1, 2024, with various phase-in periods.

Restrictions on Transactions with Affiliates and Insiders

The Bank is subject to the restrictions of Sections 23A and 23B of the Federal Reserve Act and the implementing Regulation W. The Bank's "affiliates" for purposes of these sections include, among other potential entities, the Corporation and its direct subsidiaries. Section 23A requires that loans or extensions of credit by the Bank to an affiliate, purchases by the Bank of securities issued by an affiliate, purchases by the Bank of assets from an affiliate (except as may be exempted by order or regulation), the Bank’s acceptance of securities or debt obligations issued by an affiliate as collateral for a loan or extension of the credit to a third party, the Bank’s acceptance of a guarantee or letter of credit on behalf of an affiliate, a transaction with an affiliate involving the borrowing or lending of securities to the extent the transaction causes the Bank to have credit exposure to the affiliate, and a derivative transaction with an affiliate, to the extent the Bank will have credit exposure to the affiliate (collectively, "Covered Transactions") be on terms and conditions consistent with safe and sound banking practices. Section 23A also imposes various qualitative and quantitative requirements and restrictions on Covered Transactions and imposes collateralization and other requirements on certain of these transactions. Section 23B requires that all Covered Transactions and certain other transactions, including the sale of securities or other assets by the Bank to an affiliate and the payment of money or the furnishing of services by the Bank to an affiliate, be on terms comparable to those prevailing for similar transactions with nonaffiliates.

The Bank is also subject to Sections 22(g) and 22(h) of the Federal Reserve Act, and the implementation of Regulation O issued by the Federal Reserve Board. These provisions impose limitations on loans and extensions of credit by the Bank to its and its affiliates' executive officers, directors and principal shareholders and their related interests. The limitations restrict the terms and aggregate amount of such transactions. Regulation O also imposes certain recordkeeping and reporting requirements.

Deposit Insurance and Premiums

The deposits of the Bank are insured up to applicable limits per insured depositor by the FDIC. The standard maximum deposit insurance amount is $250,000 per depositor, per insured depository institution, per ownership category, in accordance with applicable FDIC regulations.

The FDIC uses a risk-based assessment system that imposes insurance premiums based on a risk matrix that takes into account the bank’s capital level and supervisory rating. The base for insurance assessments is the average consolidated total assets less tangible equity capital of a financial institution. Assessment rates are calculated using formulas that take into account the risk of the institution being assessed.

In November 2023, the FDIC announced a special assessment on all insured depository institutions with more than $5 billion in total assets, including the Bank, in order to recover the loss to the DIF associated with protecting uninsured depositors following the closures of Silicon Valley Bank and Signature Bank. The special assessment is being collected over an eight-quarter collection period (and potentially longer), beginning with the first quarterly assessment period of 2024. The assessment base for the special assessment is equal to an insured depository institution’s ("IDI’s") estimated uninsured deposits reported as of December 31, 2022, adjusted to exclude the first $5 billion, applicable either to the IDI, if an IDI is not a subsidiary of a holding company, or at the banking organization level, to the extent that an IDI is part of a holding company with one or more subsidiary IDIs.

Table of Contents

Financial Privacy and Data Security

The Corporation is subject to federal laws, including the Gramm-Leach-Bliley Act, and certain state laws containing consumer privacy protection provisions. These provisions limit the ability of banks and other financial institutions to disclose nonpublic information about consumers to affiliated and non-affiliated third parties and limit the reuse of certain consumer information received from non-affiliated financial institutions. These provisions require notice of privacy policies to consumers and, in some circumstances, allow consumers to prevent disclosure of certain nonpublic personal information to affiliates or non-affiliated third parties by means of opt-out or opt-in authorizations.

The Gramm-Leach-Bliley Act requires that financial institutions implement comprehensive written information security programs that include administrative, technical, and physical safeguards to protect consumer information. Federal banking agencies have also adopted guidelines for establishing information security standards and programs to protect such information. Further, pursuant to interpretive guidance issued under the Gramm-Leach-Bliley Act and certain state laws, financial institutions are required to notify customers of security breaches that result in unauthorized access to their nonpublic personal information.

Incentive Compensation

The Dodd-Frank Act requires the federal banking agencies and the Securities and Exchange Commission (the "SEC") to establish joint regulations or guidelines prohibiting incentive-based payment arrangements at specified regulated entities, including the Corporation and the Bank, with at least $1 billion in total consolidated assets that encourage inappropriate risks by providing an executive officer, employee, director or principal shareholder with excessive compensation, fees, or benefits that could lead to material financial loss to the entity. The federal banking agencies and the SEC proposed such regulations in 2016, and issued re-proposed regulations in substantially the same form in May 2024, which have not been finalized. If the regulations are adopted in the form proposed or a similar form, they will restrict the manner in which executive compensation is structured.

USA PATRIOT Act

Under Title III of the USA PATRIOT Act, all financial institutions are required to take certain measures to identify their customers, prevent money laundering, monitor customer transactions, and report suspicious activity to U.S. law enforcement agencies. Financial institutions also are required to respond to requests for information from federal banking agencies and law enforcement agencies. Information sharing among financial institutions for the above purposes is encouraged by an exemption granted to complying financial institutions from the privacy provisions of the Gramm-Leach-Bliley Act and other privacy laws. Financial institutions that hold correspondent accounts for foreign banks or provide private banking services to foreign individuals are required to take measures to avoid dealing with certain foreign individuals or entities, including foreign banks with profiles that raise money laundering concerns, and are prohibited from dealing with foreign "shell banks" and persons from jurisdictions of particular concern. The primary federal banking agencies and the Secretary of the Treasury have adopted regulations to implement several of these provisions. All financial institutions also are required to establish internal anti-money laundering programs. The effectiveness of a financial institution in combating money laundering activities is a factor to be considered in any application submitted by the financial institution under the Bank Merger Act. The Bank has in place a Bank Secrecy Act and USA PATRIOT Act compliance program and engages in very few transactions of any kind with foreign financial institutions or foreign persons.

Office of Foreign Assets Control Regulation

The United States government has imposed economic sanctions that affect transactions with designated foreign countries, nationals, and others. These are typically known as the "OFAC" rules based on their administration by the U.S. Treasury Department Office of Foreign Assets Control. The Office of Foreign Assets Control-administered sanctions targeting countries take many different forms. Generally, they contain one or more of the following elements: (i) restrictions on trade with or investment in a sanctioned country, including prohibitions against direct or indirect imports from and exports to a sanctioned country and prohibitions on U.S. persons engaging in financial transactions relating to making investments in, or providing investment-related advice or assistance to, a sanctioned country; and (ii) a blocking of assets in which the government or specially designated nationals of the sanctioned country have an interest, by prohibiting transfers of property subject to U.S. jurisdiction (including property in the possession or control of U.S. persons). Blocked assets (property and bank deposits) cannot be paid out, withdrawn, set off, or transferred in any manner without a license from the Office of Foreign Assets Control. Failure to comply with these sanctions could have serious legal and reputational consequences.

Table of Contents

Other Federal Laws and Regulations

State usury and other credit laws limit the amount of interest and various other charges collected or contracted by a bank on loans. The Bank is also subject to lending limits on loans to one borrower and regulatory guidance on concentrations of credit. The Bank’s loans and other products and services are also subject to numerous federal and state consumer financial protection laws, including, but not limited to, the following:

•Truth-In-Lending Act, which governs disclosures of credit terms to consumer borrowers;

•Truth-in-Savings Act, which governs disclosures of the terms of deposit accounts to consumers;

•Home Mortgage Disclosure Act, requiring financial institutions to provide information to regulators to enable determinations as to whether financial institutions are fulfilling their obligations to meet the home lending needs of the communities they serve and not discriminating in their lending practices;

•Equal Credit Opportunity Act, prohibiting discrimination on the basis of race, sex or other prohibited factors in extending credit;

•Real Estate Settlement Procedures Act, which imposes requirements relating to real estate settlements, including requiring lenders to disclose certain information regarding the nature and cost of real estate settlement services;

•Fair Credit Reporting Act, covering numerous areas relating to certain types of consumer information and identity theft;

•Privacy provisions of the Gramm-Leach-Bliley Act and related regulations, which require that financial institutions provide privacy policies to consumers, to allow customers to "opt out" of certain sharing of their nonpublic personal information, and to safeguard sensitive and confidential customer information;

•Electronic Funds Transfer Act, which is a consumer protection law regarding electronic fund transfers; and

•Numerous other federal and state laws and regulations, including those related to consumer protection and bank operations.

Governmental Policies

Our earnings are significantly affected by the monetary and fiscal policies of governmental authorities, including the Federal Reserve Board. Among the instruments of monetary policy used by the Federal Reserve Board to implement these objectives are open-market operations in U.S. Government securities and federal funds, changes in the discount rate on member bank borrowings and changes in reserve requirements against member bank deposits. These instruments of monetary policy are used in varying combinations to influence the overall level of bank loans, investments and deposits, and the interest rates charged on loans and paid for deposits. The Federal Reserve Board frequently uses these instruments of monetary policy, especially its open-market operations and the discount rate, to influence the level of interest rates and to affect the strength of the economy, the level of inflation or the price of the dollar in foreign exchange markets. The monetary policies of the Federal Reserve Board have had a significant effect on the operating results of banking institutions in the past and are expected to continue to do so in the future. It is not possible to predict the nature of future changes in monetary and fiscal policies, or the effect which they may have on our business and earnings.

Other Legislative Initiatives

Proposals may be introduced in the United States Congress, in the Pennsylvania Legislature, and/or by various bank regulatory authorities that could alter the powers of, and restrictions on, different types of banking organizations and which could restructure part or all of the existing regulatory framework for banks, bank and financial holding companies and other providers of financial services. Moreover, other bills may be introduced in Congress which would further regulate, deregulate or restructure the financial services industry, including proposals to substantially reform the regulatory framework. It is not possible to predict whether any such proposals will be enacted into law or, even if enacted, what effect such action may have on our business and earnings.

Table of Contents

Human Capital

As of December 31, 2024, the Corporation had a total of 790 employees, of which 769 were full time and 21 were part time.

The Corporation respects and values the responsibilities of the Corporation to act with integrity in a number of community-focused areas, including being reasonably environmentally considerate, and avoiding discrimination of any investors, customers, or employees by promoting a company culture that reflects of the communities the Corporation serves. The Corporation emphasizes relevant governance principles and compliance considerations in strategic planning, human capital management and leadership development (which includes recruiting and retaining employees), and vendor management, as relationships with third parties represent critical connections to and extensions of the values, operating principles, and the commitment to legal and regulatory compliance of the Corporation and the Board of Directors.

Strategic Planning and Related Training

The Corporation has established a formal Strategic Plan, the framework of which has, as its foundation, the core values and principles that have been fundamental to the Corporation’s long-term success. These attributes include respect, integrity, accountability, leadership, professionalism, collaboration, client-focused, innovation, inclusion, and volunteerism. In establishing these core values and principles as the foundation upon which all other strategic objectives are anchored, the Corporation seeks to further develop and sustain a corporate culture with sensitivity to the entirety of the Corporation’s business and demographic footprint and environment in which it operates. The differences among the Corporation's Board of Directors and employees, and its customers and community members, are respected and embraced to drive innovative products, services, and solutions that effectively meet the variety of needs among the Corporation’s broad group of stakeholders.

Human Capital Management and Leadership Development

The Corporation firmly believes in the importance of succession planning and, as such, has in place a formal succession planning process for all named executive officers, members of the executive management team, and regional presidents. The succession plan was successfully utilized in 2024 after the resignation of a named executive officer, resulting in a seamless transition to a senior executive within the Corporation. A critical factor of the Corporation’s succession plan is the training and development of its management team to create a strong internal pipeline of talent to produce the future leaders of the Corporation. The Corporation’s succession planning process is further strengthened by its presence in diversified markets that lead to opportunities to attract and retain talent with broad-based skills and experiences.

The Corporation is dedicated to recognizing the unique contribution of each employee and is committed to supporting a workplace that understands, accepts and values the similarities and differences between individuals. The Corporation’s key human capital management objectives are to recruit, hire, develop and promote a deeply and broadly experienced employee team that collectively translates into an exceptional workforce committed to fostering, promoting, preserving, and reflecting the entire spectrum of the Corporation’s communities and culture, while successfully executing the Corporation’s business strategies and exemplifying its corporate values. To support these objectives, the Corporation’s Employee Experience processes and programs are designed and operated to:

•Attract and develop talented employees, specifically skilled for their position, from across the spectrum of professional experience, life experience, socio-economic background, and geographic representation;

•Prepare all members of the Corporation's team for critical roles and leadership positions both now and the future, in serving as employees and valuable community members;

•Reward and support employees fairly and without discrimination based on successful performance and through competitive pay and benefit programs;

•Enhance the Corporation’s culture through efforts to better understand, foster, promote, and preserve a culture in alignment with the Corporation's core values; and

•Evolve and invest in technology, tools, and resources to better support employees of varying skills and backgrounds at work.

To monitor changes in the Corporation’s employee and management groups relative to both composition and growth, the Corporation uses, among other tools, recurring management and employee surveys, profile analyses, and summaries of year-over-year changes to the pools of employees and management within its various banking divisions and the Corporation as a whole, and utilizes the results to track progress and improve the effectiveness of the Corporation’s leadership development and workforce profile and personnel management practices.

Table of Contents

The Corporation offers a robust range of training programs tailored to meet the needs of employees across all levels and departments. Through the CNB Academy, the Corporation’s learning management system, the Corporation delivers targeted learning solutions that empower employees to excel in their roles while advancing their professional growth. The Corporation’s training programs are designed to support a culture of continuous learning and career progression. From foundational skills in client interactions to advanced leadership development, employees are equipped with the tools and knowledge to succeed in their current roles and prepare for future opportunities. Career-focused programs like the Mentoring Program, Career Path Planning, and Rising Professionals enable employees to map and achieve their long-term aspirations. By aligning training programs with strategic planning, the Corporation ensures employees are empowered to deliver exceptional service and contribute to organizational success. Through the Corporation’s integrated approach, it builds a resilient, innovative workforce that is prepared to adapt to industry challenges and opportunities while upholding the core values that define its institution.

A critical measure is the opportunity for individuals from all professional and demographic backgrounds to advance into senior leadership positions. These leaders have a greater ability to drive innovation and change and provide the Corporation with financial services expertise to ensure the Corporation benefits from the active engagement and perspectives of all groups within its workforce and communities.

Community Involvement and Social Impacts

The Corporation serves as a cornerstone institution of both financial support and community service in the markets in which it serves. The Corporation is committed to strengthening these communities through the active volunteering of its employees. The Corporation’s employees actively participate in their local communities through volunteer activities in education, economic development, human and health services, and community reinvestment. During 2024, the Corporation’s employees collectively contributed 34,741 hours in voluntary support to 1,397 organizations, with 88% of employees actively participating. Additionally, there were approximately $1.5 million in donations to community organizations and events within the communities the Corporation serves. To encourage employees to give back to their communities, the Corporation introduced the Volunteer Time Off Program, which provides employees with up to 16 hours of paid time off annually to volunteer for nonprofit organizations and local causes who may need volunteer assistance during typical weekday business hours. In 2024, the program was met with tremendous enthusiasm, with employees dedicating a collective total of 3,585 hours to volunteer service across the communities the Corporation serves. Importantly, employees contributed nearly nine times of additional volunteering hours of their own time beyond those hours covered by the Volunteer Time Off Program. From participating in local food drives to mentoring youth and supporting nonprofit initiatives, the program has helped strengthen the Corporation’s ties to its communities while fostering a culture of service among its team members. This initiative reflects the Corporation’s core values of giving back and making a meaningful difference in the lives of others.

The Corporation also promotes economic development through investments in community-strengthening initiatives, such as affordable housing and revitalization efforts. In 2024, the Corporation invested in two new projects that demonstrate its commitment in this area. Located in a distressed section of downtown Rochester, New York, the Corporation supported a project to rehabilitate four historic commercial buildings into a mixed-use community with four commercial spaces and eleven residential apartments through a combination of debt financing of $9.6 million and an equity investment of $4.1 million in historic tax credits generated by the project. The commercial space will be available at affordable rents to generate economic and small business opportunities particularly marketed towards local and minority/women-owned business enterprises. Additionally, in Parma, Ohio, the Corporation provided debt financing of $5.5 million and made an equity investment of $4.2 million in low-income housing tax credits to support a project to rehabilitate low-income senior housing facility, with 63 units. The project includes extensive improvements to make the facility more energy efficient and to increase the number of units that are handicap accessible.

The Corporation remains deeply committed to promoting financial education within its communities. Through a variety of initiatives, the Corporation aims to empower individuals with the knowledge and tools they need to achieve financial wellness. In 2024, the Corporation launched the Financial Wellness Center, offering a series of free, publicly available online trainings that cover a wide range of finance topics, from budgeting basics to retirement planning. In 2024, CNB Bank partnered with twelve local schools to host seven financial reality fairs for high school students, providing hands-on experiences to help them understand budgeting, saving, and preparing for unexpected expenses. To further support financial literacy, lunch-and-learn sessions are offered regularly on topics such as saving for college, building a healthy financial mindset, and retirement planning. Five lunch and learns were hosted by the Corporation in 2024, with more planned for 2025. These initiatives reflect the Corporation’s dedication to fostering a financially informed and resilient community.

Table of Contents

The Corporation continued to focus on increasing its outreach to those who have been traditionally underserved by the financial institution industry. Examples of some the Corporation’s key recent initiatives are outlined below.

In 2025, the Corporation's new financial education center and community banking office is scheduled to open in downtown Erie, PA. Located on Parade Street, this location aims to provide financial education and accessible banking to underserved communities, promoting economic empowerment, and narrowing the wealth gap. This location will be the first bank to open on Parade Street in over a decade.

Launched in May 2023, Impressia Bank is CNB Bank’s sixth division and is dedicated to empowering women business owners and leaders. Headquartered in Buffalo, NY, with additional team members located in Ohio and Pennsylvania, Impressia Bank provides specialized services such as SBA and grant advisory services, wealth management, and private banking. Impressia’s mission is to close the gender funding gap and advance economic empowerment for women by offering innovative financial solutions, mentorship, and leadership development opportunities.

BankOnBuffalo’s BankOnWheels initiative enhances financial inclusion by delivering banking services to underserved communities. By addressing disparities in access to financial resources, BankOnWheels empowers individuals and communities to fully participate in the economy. The first of its kind operated by any financial institution in Western New York, BankOnWheels is a full-service, yet fully mobile bank branch, which will enable the bank to deliver essential banking services to communities with little or no access to such services today. The BankOnWheels rotates between four locations in the cities of Buffalo and Niagara Falls, which are located in communities underserved by banks.

In May 2023, CNB Bank launched the At Ease Program, tailored to meet the unique financial needs of veterans, active-duty service members, and their families. This program offers specialized benefits, including waived fees, free financial tools, and mobile banking services, reflecting the Corporation's commitment to honoring and supporting the military community.

Available Information

The Corporation makes available free of charge on its website (www.cnbbank.bank) its Annual Report on Form 10-K, its quarterly reports on Form 10-Q, current reports on Form 8-K, and amendments to those reports filed or furnished pursuant to Section 13(a) or 15(d) of the Securities Exchange Act of 1934, as amended, as soon as practicable after it electronically files such material with, or furnishes it to, the SEC. Information on the Corporation’s website is not incorporated by reference into this report.

Shareholders may obtain a copy of the Corporation’s Annual Report on Form 10-K free of charge by writing to: CNB Financial Corporation, 1 South Second Street, PO Box 42, Clearfield, PA 16830, Attn: Shareholder Relations.

The SEC maintains an internet site that contains reports, proxy statements and other information about electronic filers such as the Corporation. The site is available at http://www.sec.gov.

ITEM 1A. RISK FACTORS

The Corporation’s financial condition and results of operations are subject to various risks inherent in its business. The material risks and uncertainties that management believes affect the Corporation are described below. If any of these risks actually occur, the Corporation’s business, financial condition, liquidity, results of operations and prospects could be materially and adversely affected. The following risks together with all of the other information in this Annual Report on Form 10-K should be considered.

Table of Contents

Economic Risks

Economic conditions could adversely affect our business and financial results.

The Corporation’s financial condition and results of operations are impacted by global markets and economic conditions over which the Corporation has no control. Periods of high inflation since the start of 2021 have led to increased costs for businesses and consumers. In addition, international trade disputes, including threatened or implemented tariffs imposed by the U.S. and threatened or implemented tariffs imposed by foreign countries in retaliation, could result in further inflationary pressures that impact costs. An economic downturn or recession, including deterioration in the economic conditions in the U.S., or a slowing or stalled recovery therefrom, may have a material adverse effect on our business, financial condition or results of operations. Poor economic conditions have in the past adversely affected, and may in the future affect, the demand for the Corporation’s products, the creditworthiness of the Corporation’s borrowers and the value of the Corporation’s investment securities and other interest-earning assets. In particular, the Corporation may face the following risks in connection with the economic or market environment:

•The Corporation’s and the Bank’s ability to borrow from other financial institutions or to access the debt or equity capital markets on favorable terms or at all could be adversely affected by disruptions in the capital markets or other events, including actions by rating agencies and deteriorating investor expectations.

•The Corporation faces increased regulation of the banking and financial services industry. Compliance with such regulation may increase its costs and limit its ability to pursue business opportunities.

•Market developments may affect customer confidence levels and may cause increases in loan delinquencies and default rates, which management expects would adversely impact the Bank’s charge-offs and provision for credit losses.

•Market developments may adversely affect the Bank’s securities portfolio by causing other-than-temporary-impairments, prompting write-downs and securities losses.

•Competition in the banking and financial services industry could intensify as a result of the consolidation of financial services companies in connection with current market conditions.

The Corporation may not be able to meet its cash flow needs on a timely basis at a reasonable cost, and the Corporation’s cost of funds for banking operations may significantly increase as a result of general economic conditions, interest rates and competitive pressures.

Liquidity is the ability to meet cash flow obligations as they come due and cash flow needs on a timely basis and at a reasonable cost. The liquidity of the Bank is used to make loans and to repay deposit and borrowing liabilities as they become due, or are demanded by customers and creditors. Many factors affect the Bank’s ability to meet liquidity needs, including variations in the markets served by its network of offices, its mix of assets and liabilities, reputation and standing in the marketplace, and general economic conditions.

The Bank’s primary source of funding is customer deposits, gathered throughout its network of banking offices. Periodically, the Corporation utilizes term borrowings from the Federal Home Loan Bank (the "FHLB") of Pittsburgh, of which the Bank is a member, and other lenders to meet funding obligations. In addition, the Bank also maintains borrowing capacity with the Federal Reserve Bank of Philadelphia. The Bank’s securities and loan portfolios provide a source of contingent liquidity that could be accessed in a reasonable time period through sales.

Significant changes in general economic conditions, market interest rates, competitive pressures or otherwise, could cause the Bank’s deposits to decrease relative to overall banking operations, and it would have to rely more heavily on brokered funds and borrowings in the future, which are typically more expensive than deposits.

The Corporation's management and Board of Directors, through the Asset/Liability Committee (the "ALCO"), monitor liquidity and the ALCO establishes and monitors acceptable liquidity ranges. The Bank actively manages its liquidity position through target ratios. Continual monitoring of these ratios, both historical and through forecasts under multiple rate scenarios, allows the Bank to employ strategies necessary to maintain adequate liquidity.

Changes in economic conditions, including consumer savings habits and availability of or access to capital, could potentially have a significant impact on the Bank’s liquidity position, which in turn could materially impact the Corporation’s financial condition, results of operations and cash flows.

Table of Contents

Credit and Interest Rate Risks

The Bank’s allowance for credit losses may not be adequate to cover loan losses which could have a material adverse effect on the Corporation’s business, financial condition and results of operations.

A significant source of risk for the Corporation arises from the possibility that losses will be sustained because borrowers, guarantors and related parties may fail to perform in accordance with the terms of their loan agreements. Most loans originated by the Bank are secured, but some loans are unsecured based upon management’s evaluation of the creditworthiness of the borrowers.

Collateral values and the financial performance of borrowers may be adversely affected by changes in prevailing economic, environmental and other conditions, including declines in the value of real estate, changes in interest rates and debt service levels, changes in oil and gas prices, changes in monetary and fiscal policies of the federal government, widespread disease, terrorist activity, environmental contamination and other external events, which are beyond the control of the Bank. In addition, collateral appraisals that are out of date or that do not meet industry recognized standards might create the impression that a loan is adequately collateralized when in fact it is not. Although the Bank may acquire any real estate or other assets that secure defaulted loans through foreclosures or other similar remedies, the amounts owed under the defaulted loans may exceed the value of the assets acquired.

The allowance for credit losses is subject to a formal analysis by the Credit Administration and Finance Departments of the Corporation. Following the issuance by the Financial Accounting Standards Board ("FASB") of Accounting Standards Update ("ASU") 2016-13, "Measurement of Credit Losses on Financial Instruments," the Corporation adjusted its loan allowance methodology to reflect the new standard, which requires periodic estimates of lifetime expected credit losses on financial assets and categorizes expected credit losses as allowances for credit losses under the current expected credit loss ("CECL") methodology. The Corporation measures expected credit losses of financial assets on a collective (pool) basis, when the financial assets share similar risk characteristics. Depending on the nature of the pool of financial assets with similar risk characteristics, the models utilized by the Corporation to estimate expected credit losses include a discounted cash flow ("DCF") model that discounts instrument-level contractual cash flows, adjusted for prepayments and curtailments, incorporating loss expectations, and a weighted average remaining maturity model which contemplates expected losses at a pool-level, utilizing historic loss information. The Corporation's models for estimating the allowance for credit losses consider available relevant information about the collectability of cash flows, including information about past events, current conditions, and reasonable and supportable forecasts.

The Bank monitors delinquencies and losses on a monthly basis. The Bank has adopted underwriting and credit monitoring policies and procedures, including the review of borrower financial statements and collateral appraisals, which management believes are appropriate to mitigate the risk of loss by assessing the likelihood of borrower nonperformance and the value of available collateral. The Bank also manages credit risk by diversifying its loan portfolio. An ongoing independent review, subsequent to management’s review, of individual credits is performed by an independent loan review function, which reports to the Loan Committee of the Corporation’s Board of Directors.

The determination of the appropriate level of the allowance for credit losses inherently involves a high degree of subjectivity and requires the Corporation to make significant estimates of current credit risks and future trends, all of which may undergo material changes. These factors could have a material adverse effect on the Corporation’s business, financial condition and results of operations.

Interest rate volatility could significantly reduce the Corporation’s profitability.

The Corporation’s earnings largely depend on the relationship between the yield on its earning assets, primarily loans and investment securities, and the cost of funds, primarily deposits and borrowings. This relationship, commonly known as the net interest margin, is susceptible to significant fluctuation and is affected by economic and competitive factors that influence the yields and rates, and the volume and mix of the Bank’s interest earning assets and interest bearing liabilities.

Table of Contents

Interest rate risk can be defined as the sensitivity of net interest income and of the market value of financial instruments to the direction and frequency of changes in interest rates. Interest rate risk arises from the imbalance in the re-pricing, maturity, and/or cash flow characteristics of assets and liabilities. The Corporation is subject to interest rate risk to the degree that its interest bearing liabilities re-price or mature more slowly or more rapidly or on a different basis than its interest earning assets. Changes in interest rates, including those due to federal monetary policy, will affect the levels of income and expense recorded on a large portion of the Bank’s assets and liabilities, and fluctuations in interest rates will impact the market value of all interest sensitive assets. Significant fluctuations in interest rates could have a material adverse impact on the Corporation’s business, financial condition, results of operations, or liquidity.

Interest rates remain elevated compared to recent years and may increase. As interest rates rise, we experience competitive pressures to increase the rates we pay on deposits, which may decrease our net interest income. Furthermore, elevated interest rates increase our cost of new debt or preferred capital.

The Bank’s interest rate risk measurement and management techniques incorporate the re-pricing and cash flow attributes of its balance sheet and off-balance sheet instruments as they relate to current and potential changes in interest rates. The level of interest rate risk, measured in terms of the potential future effect on earnings, is determined through the use of static gap analysis and earnings simulation modeling under multiple interest rate scenarios. Management’s objectives are to measure, monitor, and develop strategies in response to the interest rate risk profile inherent in the Bank’s balance sheet in order to preserve the sensitivity of net interest income to actual or potential changes in interest rates. For further information on risk relating to interest rates, refer to Part I, Item 7a, "Quantitative and Qualitative Disclosures about Market Risk," herein.

The Corporation’s investment securities portfolio has risks beyond its control that can significantly influence the portfolio’s fair value. Any change in current accounting principles or interpretations of these principles could impact the Corporation’s assessment of fair value and thus its determination of other-than-temporary impairment of the securities in its investment securities portfolio.

The Bank may be required to record other-than-temporary impairment charges on its investment securities if they suffer declines in value that are considered other-than-temporary. Numerous factors, including collateral deterioration underlying certain private label mortgage-backed securities, lack of liquidity for re-sales of certain investment securities, absence of reliable pricing information for certain investment securities, adverse changes in business climate, adverse actions by regulators, or unanticipated changes in the competitive environment could negatively affect the Bank’s securities portfolio in future periods. An other-than-temporary impairment charge could have a material adverse effect on the Corporation’s results of operations and financial condition.

A substantial decline in the value of the Bank’s FHLB common stock may adversely affect the Corporation’s results of operations, liquidity and financial condition.

As a requirement of membership in the FHLB of Pittsburgh, the Bank must own a minimum required amount of FHLB stock, calculated periodically based primarily on its level of borrowings from the FHLB. Borrowings from the FHLB represent the Bank’s primary source of short-term and long-term wholesale funding.

In an extreme situation, it is possible that the capitalization of an FHLB, including the FHLB of Pittsburgh, could be substantially diminished or reduced to zero. Consequently, given that there is no trading market for the Bank’s FHLB common stock, the Corporation’s management believes that there is a risk that the Corporation’s investment could be deemed impaired at some time in the future. If this occurs, it may adversely affect the Corporation’s results of operations and financial condition.

If the capitalization of the FHLB of Pittsburgh is substantially diminished, the Bank’s liquidity may be adversely impacted if it is not able to obtain alternative sources of funding.

There are 11 FHLB banks, including the FHLB of Pittsburgh, in the FHLB system. The 11 FHLB banks are jointly liable for the consolidated obligations of the FHLB system. The Corporation cannot assure you, however, that the FHLB system will be able to meet these obligations.

Table of Contents

The Bank could be held responsible for environmental liabilities relating to properties acquired through foreclosure, resulting in significant financial loss.

In the event the Bank forecloses on a defaulted commercial or residential mortgage loan to recover its investment, it may be subject to environmental liabilities in connection with the underlying real property, which could significantly exceed the value of the real property. Although the Bank exercises due diligence to discover potential environmental liabilities prior to acquiring any property through foreclosure, hazardous substances or wastes, contaminants, pollutants, or their sources may be discovered on properties during its ownership or after a sale to a third party. The Corporation cannot assure you that the Bank would not incur full recourse liability for the entire cost of any removal and cleanup on an acquired property, that the cost of removal and cleanup would not exceed the value of the property, or that the Bank could recover any of the costs from any third party. Losses arising from environmental liabilities could have a material adverse impact on the Corporation’s business, financial condition, results of operations, or liquidity.

Risks Related to an Investment in the Corporation’s Securities

Some provisions contained in the Corporation’s articles of incorporation and its bylaws and under Pennsylvania law could deter a takeover attempt or delay changes in control or management of the Corporation.

Certain anti-takeover provisions of the Pennsylvania Business Corporation Law of 1988, as amended, apply to Pennsylvania registered corporations (e.g., publicly traded companies) including, but not limited to, those relating to (1) control share acquisitions, (2) disgorgement of profits by certain controlling persons, (3) business combination transactions with interested shareholders, and (4) the rights of shareholders to demand fair value for their stock following a control transaction. Pennsylvania law permits corporations to opt-out of these anti-takeover provisions, but the Corporation has not done so. Such provisions could have the effect of deterring takeovers or delaying changes in control or management of the Corporation. Additionally, such provisions could limit the price that some investors might be willing to pay in the future for shares of the Corporation’s common stock.

For example, the Corporation’s amended and restated articles of incorporation require the affirmative vote of 66% of the outstanding shares entitled to vote to effect a business combination. In addition, the Corporation’s amended and restated articles of incorporation, subject to the limitations prescribed in such articles and subject to limitations prescribed by Pennsylvania law, authorize the Corporation’s Board of Directors, from time to time by resolution and without further shareholder action, to provide for the issuance of shares of preferred stock, in one or more series, and to fix the designation, powers, preferences and other rights of the shares and to fix the qualifications, limitations and restrictions thereof. As a result of its broad discretion with respect to the creation and issuance of preferred stock without shareholder approval, the Corporation's Board of Directors could adversely affect the voting power and other rights of the holders of common stock and, by issuing shares of preferred stock with certain voting, conversion and/or redemption rights, could discourage any attempt to obtain control of the Corporation.

The Corporation’s bylaws, as amended and restated, provide for the division of the Corporation’s Board of Directors into three classes of directors, with each serving staggered terms. In addition, any amendment to the Corporation’s bylaws must be approved by the affirmative vote of a majority of the votes cast by all shareholders entitled to vote thereon and, if any shareholders are entitled to vote thereon as a class, upon receiving the affirmative vote of a majority of the votes cast by the shareholders entitled to vote as a class.

Any of the foregoing provisions may have the effect of deterring takeovers or delaying changes in control or management of the Corporation.

The price of the Corporation’s common stock may fluctuate significantly, and this may make it difficult for you to resell shares of common stock owned by you at times or at prices you find attractive.

The price of the Corporation’s common stock on the Global Select Market of The NASDAQ Stock Market LLC ("NASDAQ") constantly changes. The Corporation expects that the market price of its common stock will continue to fluctuate, and the Corporation cannot give you any assurances regarding any trends in the market prices for its common stock.

Table of Contents

The Corporation’s stock price may fluctuate as a result of a variety of factors, many of which are beyond its control. These factors include the Corporation’s:

•past and future dividend practice;

•financial condition, performance, creditworthiness, and prospects;

•quarterly variations in the Corporation’s operating results or the quality of the Corporation’s assets;

•operating results that vary from the expectations of management, securities analysts, and investors;

•changes in expectations as to the Corporation’s future financial performance;

•announcements of innovations, new products, strategic developments, significant contracts, acquisitions, and other material events by the Corporation or its competitors;

•the operating and securities price performance of other companies that investors believe are comparable to the Corporation;

•future sales of the Corporation’s equity or equity-related securities;

•the credit, mortgage and housing markets, the markets for securities relating to mortgages or housing, and developments with respect to financial institutions generally; and

•instability in global financial markets and global economies and general market conditions, such as interest or foreign exchange rates, stock, commodity or real estate valuations or volatility, budget deficits or sovereign debt level concerns and other geopolitical, regulatory or judicial events.

The Corporation’s ability to pay dividends is limited by law and regulations.

The future declaration of dividends by the Corporation’s Board of Directors will depend on a number of factors, including capital requirements, regulatory limitations, the Corporation’s operating results and financial condition and general economic conditions. As a bank holding company, the Corporation’s principal assets and sources of income are derived from the Bank and, as a result, the Corporation’s ability to pay dividends depends primarily on the receipt of dividends from the Bank. Dividend payments from the Bank are subject to legal and regulatory limitations, generally based on retained earnings, imposed by bank regulatory agencies. The ability of the Bank to pay dividends is also subject to financial condition, regulatory capital requirements, capital expenditures, and other cash flow requirements. The Corporation cannot assure you that the Bank will be able to pay dividends to the Corporation in the future. If the Corporation were unable to receive dividends from the Bank, it would materially and adversely affect the Corporation’s liquidity and its ability to service its debt, pay its other obligations, or pay cash dividends on its common stock. The Corporation may decide to limit the payment of dividends to its stockholders even when the Corporation has the legal ability to pay them in order to retain earnings for use in the Corporation’s business.

Operational and Strategic Risks

The Bank’s loans are principally concentrated in certain areas of Pennsylvania, Ohio, New York and Virginia, and adverse economic conditions in those markets could adversely affect the Corporation’s business, financial condition and results of operations.

The Corporation’s success is dependent to a significant extent upon general economic conditions in the United States and, in particular, the local economies in Central and Northwest Pennsylvania, Central and Northeast Ohio, Western New York and Southwest Virginia - the primary markets served by the Bank. The Bank is particularly exposed to real estate and economic factors in these geographic areas, as most of its loan portfolio is concentrated among borrowers in these markets. Furthermore, because a substantial portion of the Bank’s loan portfolio is secured by real estate in these areas, the value of the associated collateral is also subject to regional real estate market conditions.

The Bank is not immune to negative consequences arising from overall economic weakness and, in particular, a sharp downturn in the local real estate markets served by the Bank. While the Bank’s loan portfolio has not shown significant signs of credit quality deterioration despite continued challenges in the U.S. economy, we cannot assure you that no deterioration will occur. An economic recession in the markets served by the Bank, and the nation as a whole, could negatively impact household and corporate incomes. This impact could lead to decreased loan demand and increase the number of borrowers who fail to pay the Bank interest or principal on their loans, and accordingly, could have a material adverse effect on the Corporation’s business, financial condition, results of operations, or liquidity.

Table of Contents

Severe weather, flooding and other effects of climate change and other natural disasters, such as earthquakes, could adversely affect our financial condition, results of operations or liquidity.

Our branch locations and our customers’ properties may be adversely impacted by flooding, wildfires, prolonged periods of extreme temperature, high winds and other effects of severe weather conditions that may be caused or exacerbated by climate change. These events can force property closures, result in property damage and/or result in delays in expansion, development or renovation of our properties and those of our customers. Even if these events do not directly impact our properties or our customers’ properties, they may impact us and our customers through increased insurance, energy or other costs. In addition, changes in laws or regulations, including federal, state or city laws, relating to climate change could result in increased capital expenditures to improve the energy efficiency of our branch locations and/or our customers’ properties. We also face investor-related climate risks. Investors are increasingly taking into account environmental, social, and governance factors, including climate risks, in determining whether to invest in companies. Our reputation and investor relationships could be damaged as a result of our involvement with activities perceived to be causing or exacerbating climate change, as well as any decisions we make to continue to conduct or change our activities in response to considerations relating to climate change.

The Corporation depends on the accuracy and completeness of information about customers and counterparties.

In deciding whether to extend credit or enter into other transactions with customers and counterparties, we rely on information furnished to us by or on behalf of customers and counterparties, including financial statements and other financial information. We also rely on representations of customers and counterparties as to the accuracy and completeness of that information and, with respect to financial statements, on reports of independent auditors. For example, in deciding whether to extend credit to clients, we may assume that a customer's audited financial statements conform to U.S. generally accepted accounting principles ("GAAP") and present fairly, in all material respects, the financial condition, results of operations and cash flows of the customer. Our earnings are significantly affected by our ability to properly originate, underwrite and service loans. Our financial condition, results of operations and capital could be negatively impacted to the extent we incorrectly assess the creditworthiness of our borrowers, fail to detect or respond to deterioration in asset quality in a timely manner, or rely on financial statements that do not comply with GAAP or are materially misleading.

Any acquisitions will be accompanied by the risks commonly encountered in acquisitions including, among other things: our ability to realize anticipated cost savings and avoid unanticipated costs relating to the merger, the difficulty of integrating operations and personnel, the potential disruption of our or the acquired company’s ongoing business, the inability of our management to maximize our financial and strategic position, the inability to maintain uniform standards, controls, procedures and policies, and the impairment of relationships with the acquired company’s employees and customers as a result of changes in ownership and management. These risks may prevent the Corporation from fully realizing the anticipated benefits of an acquisition or cause the realization of such benefits to take longer than expected.

Strong competition within the Corporation’s markets and technological change may have a material adverse impact on its profitability.

The Corporation competes with an ever-increasing array of financial service providers. As noted above, as a financial holding company and state-chartered financial institution, respectively, the Corporation and the Bank are subject to extensive regulation and supervision, including, in many cases, regulations that limit the type and scope of activities. The non-bank financial service providers that compete with the Corporation and the Bank may not be subject to such extensive regulation, supervision, and tax burden. Competition from nationwide banks, as well as local institutions, is strong in the Corporation’s markets.

The financial services industry is undergoing rapid technological change, and technological advances, including those related to artificial intelligence, are likely to intensify competition. In addition to improving customer services, effective use of technology increases efficiency and enables financial institutions to reduce costs. Accordingly, the Corporation’s future success will depend in part on its ability to address customer needs by using technology. The Corporation cannot assure you that it will be able to successfully take advantage of technological changes or advances or develop and market new technology driven products and services to its customers. Failure to keep pace with technological change affecting the financial services industry could have a material adverse effect on the Corporation's financial condition, results of operations, or liquidity.

Table of Contents

Many regional, national, and international competitors have far greater assets and capitalization than the Corporation has and greater resources to invest in technology and access to capital markets and can consequently offer a broader array of financial services than the Corporation can. We cannot assure you that we will continue to be able to compete effectively with other financial institutions in the future. Developments increasing the nature or level of competition could have a material adverse effect on the Corporation’s business, financial condition, results of operations, or liquidity. For further information on competition, refer to Part I, Item 1, "Competition," herein.

The soundness of other financial institutions with which the Corporation does business could adversely affect the Corporation’s business, financial condition or results of operations.

Our ability to engage in routine funding transactions could be adversely affected by the actions and commercial soundness of other financial institutions. Financial institutions are interrelated as a result of trading, clearing, counterparty, investment or other relationships. The Corporation routinely executes transactions with counterparties in the financial services industry such as commercial banks, brokers and dealers, investment banks and other institutional clients for a range of transactions including loan participations, derivatives, and hedging transactions. In addition, the Corporation invests in securities or loans originated or issued by financial institutions or supported by the loans they originate. Many of these transactions expose the Corporation to credit or investment risk in the event of default by the Corporation’s counterparty. In addition, the Corporation’s credit risk may be exacerbated if the collateral it holds cannot be realized or is liquidated at prices not sufficient to recover the full amount of the loan or other exposure to the Corporation. The Corporation could incur losses to its securities portfolio as a result of these issues. These types of losses may have a material adverse effect on the Corporation’s business, financial condition or results of operation.

The Corporation’s operations may be adversely affected if its external vendors do not perform as expected or if its access to third-party services is interrupted.

The Corporation relies on certain external vendors to provide products and services necessary to maintain the day-to-day operations of the Corporation. Some of the products and services provided by vendors include key components of our business infrastructure including data processing and storage and internet connections and network access, among other products and services. Accordingly, the Corporation’s operations are exposed to the risk that these vendors will not perform in accordance with the contracted arrangements or under service level agreements. The failure of an external vendor to perform in accordance with the contracted arrangements or under service level agreements, because of changes in the vendor’s organizational structure, financial condition, support for existing products and services or strategic focus or for any other reason, could disrupt the Corporation’s operations. If we are unable to find alternative sources for our vendors’ services and products quickly and cost-effectively, the failures of our vendors could have a material adverse impact on the Corporation’s business and, in turn, the Corporation’s financial condition and results of operations.

Additionally, our information technology and telecommunications systems interface with and depend on third-party systems, and we could experience service denials if demand for such services exceeds capacity, or such third-party systems fail or experience interruptions. If sustained or repeated, a system failure or service denial could result in a deterioration of our ability to process new and renewal loans, gather deposits and provide customer service, compromise our ability to operate effectively, damage our reputation, result in a loss of customer business and subject us to additional regulatory scrutiny and possible financial liability, any of which could have a material adverse effect on our financial condition and results of operations.

Table of Contents

A failure in or breach of the Corporation’s or any of its subsidiaries’ information technology network and systems, or those of third party vendors and other service providers, including as a result of cyber attacks, could disrupt the Corporation’s or any of its subsidiaries’ businesses, result in the unauthorized disclosure or misuse of confidential or proprietary information, damage its reputation, increase its costs, and/or cause losses.

The Corporation, primarily through the Bank, depends on its information technology networks and systems to continuously process, record and monitor a large number of customer transactions and to process, transmit and store proprietary and confidential information, including personal information of employees and customers. We face cybersecurity threats, including system, network or internet failures, cyber attacks, ransomware and other malware, social engineering, phishing schemes and workforce member error, negligence, or fraud. Although the Corporation has business continuity plans and other safeguards in place, any such cybersecurity incident, including those impacting personal information, could result in customer attrition, regulatory fines, penalties or intervention, reputational damage, reimbursement or other compensation costs, and/or additional compliance costs, any of which could materially adversely affect the Corporation’s results of operations or financial condition. Further, new technologies such as artificial intelligence may be more capable at evading these safeguard measures.

In addition, significant disruptions of our third party vendors’ and/or service providers’ security systems or infrastructure, or other similar data security incidents, could adversely affect our business operations and/or result in the loss, misappropriation, and/or unauthorized access, use or disclosure of, or the prevention of access to, regulated personal or confidential information, which could harm our business. While we may be entitled to damages if our third-party service providers fail to satisfy their security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award.

As of December 31, 2024, the Corporation has not experienced any material risks from cybersecurity threats, including as a result of any previous cybersecurity incidents or threats, that have materially affected the business strategy, results of operations or financial condition of the Corporation. However, there can be no assurance that the Corporation or its subsidiaries will remain unaffected in the future. Given the evolving nature of security threats and evolving safeguards, there can be no assurance that any preventive, protective, or remedial data security measures that we or our third-party service providers implement are or will be adequate to detect or prevent all cybersecurity incidents. In connection with these efforts, we have incurred costs and expect to incur additional costs as we continue to enhance our data security infrastructure and take further steps to prevent unauthorized access to our systems and the data we maintain. In addition, any actual or perceived failure by the Corporation or our vendors or business partners to comply with our privacy, confidentiality, or data security-related legal or other obligations to third parties may result in claims by third parties that we have breached our privacy- or confidentiality-related obligations, which could materially and adversely affect our business and prospects.

As a result, cybersecurity and the continued development and enhancement of the Corporation’s controls, processes and practices designed to protect its and its subsidiaries systems, computers, software, data and networks from attack, damage or unauthorized access remain a priority for the Corporation. As cyber threats continue to evolve, the Corporation may be required to expend further significant resources to continue to modify or enhance its protective measures or to investigate and remediate future information security vulnerabilities.

Additionally, while we have implemented security measures that we believe are appropriate, a regulator could deem our security measures not to be appropriate given the lack of prescriptive measures in certain data protection laws. Furthermore, increased regulation of data collection, use and retention practices, including self-regulation and industry standards, changes in existing laws and regulations, enactment of new laws and regulations, increased enforcement activity, and changes in interpretation of laws, could increase our cost of compliance and operation, limit our ability to grow our business or otherwise harm the Corporation.

Table of Contents

While we have purchased cybersecurity insurance, there are no assurances that the coverage would be adequate in relation to any incurred losses. Moreover, as cyber attacks increase in frequency and magnitude, we may be unable to obtain cybersecurity insurance in amounts and on terms we view as adequate for our operations. Further information relating to cybersecurity risk management is discussed in Item 1C. “Cybersecurity” of this report.

A pandemic and measures intended to prevent its spread, could have a material adverse effect on our business, results of operations, cash flows, and financial condition.

A pandemic could negatively impact the global economy, disrupt financial markets and international trade, and result in varying unemployment levels, all of which could negatively impact our business, results of operations, cash flows, and financial condition. In response to pandemic outbreaks, governments and other authorities around the world, including federal, state and local authorities in the United States, have imposed, and may in the future impose measures intended to mitigate its spread, including restrictions on freedom of movement and business operations such as issuing guidelines, travel bans, border closings, business closures and quarantine orders.

Our business and financial performance could be adversely affected, directly or indirectly, by terrorist activities, international hostilities or domestic civil unrest.

Neither the occurrence nor the potential impact of geopolitical instabilities, terrorist activities, international hostilities or other extraordinary events beyond the Corporation’s control can be predicted. However, these occurrences could adversely impact us, for example, by preventing us from conducting our business in the ordinary course. Also, their impact on our borrowers, depositors, other customers, suppliers or other counterparties could result in indirect adverse effects on us. Other indirect adverse consequences from these occurrences could result from impacts to the financial markets, the economy in general or in any region, or key parts of the infrastructure (such as the power grid) on which we and our customers rely. These types of indirect effects, whether specific to our counterparties or more generally applicable, could lead, for example, to an increase in delinquencies, bankruptcies or defaults that could result in the Corporation experiencing higher levels of nonperforming assets, net charge-offs and provisions for credit losses. They could also cause a reduction in demand for lending or other services that we provide.

Our use of artificial intelligence could expose us to various risks.

We have begun to utilize artificial intelligence technologies in various aspects of our business, including internal training material creation. Artificial intelligence technologies are susceptible to errors and other malfunctions which could lead to operational challenges and reputational risks. In addition, we may be subject to increasing regulations related to our use of artificial intelligence, including regulations related to privacy, data security, and intellectual property rights, which could expose us to legal risks.

Risks Related to Legal and Compliance Matters

The Corporation is subject to extensive government regulation and supervision, which may affect its ability to conduct its business and may negatively impact its financial results.

The Corporation, primarily through the Bank and its non-bank subsidiary, is subject to extensive federal and state regulation and supervision. Banking regulations are primarily intended to protect depositors’ funds, the Federal Deposit Insurance Fund and the safety and soundness of the banking system as a whole, not stockholders. These regulations affect the Corporation’s lending practices, capital structure, investment practices, dividend policy and growth, among other things. Congress and federal regulatory agencies continually review banking laws, regulations and policies for possible changes. Furthermore, political and policy goals of elected officials may change over time, which could impact the rulemaking, supervision, examination and enforcement priorities of federal banking agencies. Changes to statutes, regulations or regulatory policies, including changes in interpretation or implementation of statutes, regulations or policies, could affect the Corporation in substantial and unpredictable ways. Such changes could subject it to additional costs, limit the types of financial services and products the Corporation may offer, and/or limit the pricing it may charge on certain banking services, among other things.

Table of Contents

Failure to comply with laws, including the Bank Secrecy Act and USA Patriot Act, regulations or policies could result in sanctions by regulatory agencies, restrictions, civil money penalties and/or reputation damage, which could have a material adverse effect on the Corporation’s business, financial condition and results of operations and/or cause the Corporation to lose its financial holding company status. While the Corporation has policies and procedures designed to prevent any such violations, there can be no assurance that such violations will not occur. See the section captioned "Supervision and Regulation" in Part I, Item 1 of this report for further information.

Federal and state governments could pass legislation responsive to current credit conditions which could cause the Corporation to experience higher credit losses.

The Corporation could experience higher credit losses because of federal or state legislation or regulatory action that reduces the amount the Bank’s borrowers are otherwise contractually required to pay under existing loan contracts. Also, the Corporation could experience higher credit losses because of federal or state legislation or regulatory action that limits the Bank’s ability to foreclose on property or other collateral or makes foreclosure less economically feasible. The Corporation cannot assure you that future legislation will not significantly and adversely impact its ability to collect on its current loans or foreclose on collateral.

General Risk Factors

The Corporation relies on its management and other key personnel, and the loss of any of them may adversely affect its operations.

The Corporation is and will continue to be dependent upon the services of its executive management team. In addition, it will continue to depend on its ability to retain and recruit key client relationship managers. The unexpected loss of services of any key management personnel, or the inability to recruit and retain qualified personnel in the future, could have an adverse effect on its business and financial condition.

The Corporation's risk management framework may not be effective in mitigating risk and loss.

The Corporation maintains an enterprise risk management program that is designed to identify, quantify, monitor, report, and control the risks that it faces. These risks include, but are not limited to: strategic, interest-rate, credit, liquidity, operations, pricing, reputation, compliance, litigation, and cybersecurity. While the Corporation assesses and improves this program on an ongoing basis, there can be no assurance that its approach and framework for risk management and related controls will effectively mitigate all risk and limit losses in its business. If conditions or circumstances arise that expose flaws or gaps in the Corporation's risk-management program, or if its controls break down, the Corporation's results of operations and financial condition may be adversely affected.

Risks Related to the Merger with ESSA

The market price of the Corporation’s common stock may decline as a result of the Merger and the market price of the Corporation’s common stock after the consummation of the Merger may be affected by factors different from those affecting the price of the Corporation’s common stock before the Merger.

The market price of the Corporation’s common stock may decline as a result of the Merger if the Corporation does not achieve the perceived benefits of the Merger or the effect of the Merger on the Corporation’s financial results is not consistent with the expectations of financial or industry analysts.

In addition, the consummation of the Merger will result in the combination of two companies that currently operate as independent companies. The business of the Corporation and the business of ESSA differ. As a result, while the Corporation expects to benefit from certain synergies following the Merger, the Corporation may also encounter new risks and liabilities associated with these differences. Following the Merger, shareholders of the Corporation and ESSA will own interests in a combined company operating an expanded business and may not wish to continue to invest in the Corporation, or for other reasons may wish to dispose of some or all of their shares of the Corporation’s common stock. If, following the effective time of the Merger, large amounts of the Corporation’s common stock are sold, the price of the Corporation’s common stock could decline.

Table of Contents

Further, the results of operations of the Corporation and the market price of the Corporation’s common stock after the Merger may be affected by factors different from those currently affecting the independent results of operations of each of the Corporation and ESSA and the market price of the Corporation’s common stock. Accordingly, the Corporation’s historical market prices and financial results may not be indicative of these matters for the Corporation after the Merger.

The Merger Agreement may be terminated in accordance with its terms and the Merger may not be completed.

The Corporation and ESSA can mutually agree to terminate the Merger Agreement at any time before the Merger has been completed, and either company can terminate the Merger Agreement if:

•any regulatory approval required for consummation of the Merger and the other transactions contemplated by the Merger Agreement has been denied by final, nonappealable action of any regulatory authority, or an application for regulatory approval has been permanently withdrawn at the request of a governmental authority;

•the required approval of the issuance of common stock of the Corporation in connection with the Merger by the Corporation’s shareholders or the required approval of the Merger Agreement by the ESSA shareholders are not obtained;

•the other party materially breaches any of its representations, warranties, covenants or other agreements set forth in the Merger Agreement (provided that the terminating party is not then in material breach of any representation, warranty, covenant or other agreement contained in the Merger Agreement), which breach is not cured within 30 days of written notice of the breach, or by its nature cannot be cured prior to the closing of the Merger, and such breach would entitle the non-breaching party not to consummate the Merger; or

•the Merger is not consummated by January 9, 2026, unless the failure to consummate the Merger by such date is due to a material breach of the Merger Agreement by the terminating party.

In addition, the Corporation may terminate the Merger Agreement if:

•ESSA breaches the non-solicitation provisions in the Merger Agreement; or

•the ESSA Board of Directors:

◦fails to recommend approval of the Merger Agreement, or withdraws, modifies or changes such recommendation in a manner adverse to the Corporation’s interests; or

◦recommends, proposes or publicly announces its intention to recommend or propose to engage in an acquisition transaction with any person other than the Corporation or any of its subsidiaries; or

•ESSA fails to call, give notice of, convene and hold its special meeting.

ESSA may terminate the Merger Agreement, subject to its compliance with the Merger Agreement, if ESSA has received an acquisition proposal, and the ESSA Board of Directors has made a determination that such proposal is a superior proposal and has determined to accept such proposal.

Failure to complete the Merger could negatively impact the stock price of the Corporation and its future business and financial results.

Completion of the Merger is subject to the satisfaction or waiver of a number of conditions, including approval by ESSA shareholders of the Merger. The Corporation cannot guarantee when or if these conditions will be satisfied or that the Merger will be successfully completed. The consummation of the Merger may be delayed, the Merger may be consummated on terms different than those contemplated by the Merger Agreement, or the Merger may not be consummated at all. If the Merger is not completed, the ongoing business of the Corporation may be adversely affected, and the Corporation will be subject to several risks, including the following:

•the Corporation could incur substantial costs relating to the proposed Merger, such as legal, accounting, financial advisor, filing, printing and mailing fees; and

•the Corporation’s management and employees’ attention may be diverted from their day-to-day business and operational matters as a result of efforts relating to the attempt to consummate the Merger.

Table of Contents

In addition, if the Merger is not completed, the Corporation may experience negative reactions from the financial markets and from its customers and employees. The Corporation also could be subject to litigation related to any failure to complete the Merger or to enforcement proceedings commenced against the Corporation to perform its obligations under the Merger Agreement.

The integration of the Corporation and ESSA will present significant challenges and expenses that may result in the combined business not operating as effectively as expected, or in the failure to achieve some or all of the anticipated benefits of the transaction.

The benefits and synergies expected to result from the proposed Merger will depend in part on whether the operations of ESSA can be integrated in a timely and efficient manner with those of the Corporation. The Corporation will face challenges and costs in consolidating its functions with those of ESSA, and integrating the organizations, procedures and operations of the two businesses. The integration of the Corporation and ESSA will be complex and time-consuming, and the management of both companies will have to dedicate substantial time and resources to it. These efforts could divert management’s focus and resources from serving existing customers or other strategic opportunities and from day-to-day operational matters during the integration process. Failure to successfully integrate the operations of the Corporation and ESSA could result in the failure to achieve some of the anticipated benefits from the transaction, including cost savings and other operating efficiencies, and the Corporation may not be able to capitalize on the existing relationships of ESSA to the extent anticipated, or it may take longer, or be more difficult or expensive than expected to achieve these goals. This could have an adverse effect on the business, results of operations, financial condition or prospects of the Corporation and/or the Bank after the transaction.

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

CYBERSECURITY

Risk Management and Strategy

The Corporation maintains robust processes for assessing, identifying, and managing material risks from cybersecurity threats. The Corporation’s cybersecurity program is based on the Federal Financial Institutions Examination Council (“FFIEC”) framework which tailors the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework to be more financial services focused. The risk of cybersecurity threats is integrated into the Corporation’s Enterprise Risk Management (“ERM”) program, led by the Corporation’s Chief Risk Officer. The ERM program includes an annual risk prioritization process to identify key enterprise risks. Each key risk is assigned a risk owner to establish action plans and implement risk mitigation strategies. The Corporation’s cybersecurity threat risk action plan is managed at the enterprise level by the Chief Information Technology & Security Officer (the “CITSO”), the VP of Information Technology, and the VP of Information Security. Risk owners regularly monitor cybersecurity risks and the evolving threat landscape and review and update the cybersecurity threat risk action plan in response to newly identified threats or risk mitigation actions. To oversee and identify cybersecurity threat risks on a day-to-day basis, including from third party service providers, the Corporation maintains a third-party security operations center with round-the-clock monitoring, and the CITSO receives regular reports on industry activity. Management also assesses the cybersecurity proficiency of potential third-party suppliers before utilizing their services. The assessment identifies cybersecurity-related risks and makes recommendations to enhance the security of all new computing services. Management reassesses all suppliers on a regular interval.

The Corporation maintains a Cybersecurity Incident Response Plan (the “CSIRP”), which establishes an organizational framework and guidelines intended to facilitate an effective response and handling of cybersecurity incidents that could jeopardize the availability, integrity, or confidentiality of the Corporation’s assets. Pursuant to the CSIRP and its escalation protocols, designated personnel are responsible for assessing the severity of the incident and associated threat, containing the threat, remediating the threat, including recovery of data and access to systems, analyzing the reporting and disclosure obligations associated with the incident, and performing post-incident analysis and program improvements. While the particular personnel assigned to an incident response team will depend on the particular facts and circumstances, the CITSO and the VP of Information Security primarily lead these efforts.

Table of Contents

The Corporation works closely with its internal auditors to assess, identify, and manage cybersecurity risks. In addition, the Corporation engages with third party cybersecurity specialists to provide an independent assessment of the Corporation’s cybersecurity programs and to prepare a 3-year plan to maintain compliance and operational excellence. Management periodically reviews the 3-year plan and modifies it in response to changes in the threat landscape or otherwise as needed. Management has not identified risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, that have materially affected or are reasonably likely to materially affect the Corporation, including its business strategy, results of operations or financial condition. However, there can be no assurance that the Corporation’s security efforts and measures will be effective or that attempted security incidents or disruptions would not be successful or damaging. In addition, although the Corporation maintains cybersecurity insurance to provide some coverage for certain risks arising out of data and network breaches, there can be no assurance that the Corporation’ cybersecurity insurance coverage will be sufficient in the event of a cyber attack. See “Item 1A. Risk Factors” above for more information.

Governance

The Board of Directors is responsible for overseeing the assessment and management of enterprise-level risks that may impact the Corporation. The Audit Committee has primary responsibility for overseeing risk management, including oversight of risks from cybersecurity threats. The boards of directors of the Corporation and the Bank have also established an IT Committee, consisting of at least three independent directors, along with non-voting members from management, including the President and CEO, the Chief Financial Officer, the CITSO, the SVP of Operations, the VP of Information Technology, and the VP of Information Security. The IT Committee assists the boards of directors of the Corporation and CNB Bank in fulfilling their respective governance responsibilities for CNB’s information technology and related data security infrastructure under relevant regulatory safety and soundness requirements. Management, including the CITSO, reports on cybersecurity matters regularly to the Board, primarily through the Audit Committee and IT Committee, including an annual report regarding specific risks and mitigation efforts within the Bank and a 3-year cybersecurity threat assessment conducted by third party experts. Management provides benchmarking information and updates on key operational and compliance metrics to the Board of Directors. In addition, cybersecurity training is provided to the full Board of Directors to educate directors on the current cyber threat environment and measures companies can take to mitigate risk and impact of cyber attacks. Several members of the Board of Directors, including the Chairperson of the Audit Committee, also have cybersecurity experience.

As described above, management is actively involved in assessing and managing the Bank’s material cybersecurity risks. The Corporation's incident response plan provides clear communication protocols, including with respect to members of senior management, which may include the CEO, the CFO, the Board of Directors, the Audit Committee and external legal counsel. In addition, the incident response plan considers communications and reporting to customers, regulators and law enforcement.

The CITSO, who reports directly to the CEO, is responsible for the oversight of the Corporation’s IT operation, including the cybersecurity program, and holds a Bachelor of Science degree in Information Technology and Security and a Master of Science in Information Security and Assurance. He also holds 20 industry recognized Technology and Security certifications. The VP of Information Security reports directly to the CITSO and has responsibility for leadership of the Bank’s cybersecurity program. He holds a bachelor’s degree in mathematics and computer science, as well as several industry recognized information security certifications. The VP of Information Technology reports directly to the CITSO and has responsibility for leadership of the Bank’s Information Technology program. He holds a bachelor’s degree in information technology and has worked in the technology field for 29 years with 17 of those years in a financial institution in various technology management, security, and audit roles.

Recently Filed

Click on a ticker to see risk factors

Ticker *	File Date
CPPTL	1 day, 4 hours ago
TUSK	1 day, 4 hours ago
EQBK	1 day, 4 hours ago
FSUN	1 day, 4 hours ago
UBX	1 day, 4 hours ago
BSTT	1 day, 4 hours ago
NDLS	1 day, 4 hours ago
FNRN	1 day, 4 hours ago
SNBR	1 day, 4 hours ago
FCBC	1 day, 4 hours ago
MYFW	1 day, 4 hours ago
BRDG	1 day, 4 hours ago
AIMD	1 day, 4 hours ago
GRND	1 day, 4 hours ago
SPFI	1 day, 5 hours ago
ATRA	1 day, 5 hours ago
SGHT	1 day, 5 hours ago
CMCT	1 day, 5 hours ago
OB	1 day, 5 hours ago
NABL	1 day, 5 hours ago
NODK	1 day, 5 hours ago
RGTI	1 day, 5 hours ago
UNTY	1 day, 5 hours ago
HBT	1 day, 5 hours ago
ZCSH	1 day, 5 hours ago
ETCG	1 day, 5 hours ago
LXRX	1 day, 5 hours ago
EBTC	1 day, 5 hours ago
GSBC	1 day, 5 hours ago
CCFN	1 day, 6 hours ago
GPLB	1 day, 6 hours ago
BCBP	1 day, 6 hours ago
SBFG	1 day, 6 hours ago
HMST	1 day, 6 hours ago
CAC	1 day, 7 hours ago
BMNM	1 day, 7 hours ago
OFLX	1 day, 7 hours ago
FSTR	1 day, 7 hours ago
CARE	1 day, 8 hours ago
IBCP	1 day, 8 hours ago
BFST	1 day, 9 hours ago
LFWD	1 day, 10 hours ago
FNLC	1 day, 10 hours ago
COOK	1 day, 12 hours ago
ESPR	1 day, 12 hours ago
FORR	1 day, 12 hours ago
MASS	1 day, 12 hours ago
ADV	1 day, 12 hours ago
NBBK	1 day, 13 hours ago
WHF	1 day, 13 hours ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - CCNE

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - CCNE

-New additions in green-Changes in blue-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing