Approach to Data Security Risks

Discussion Section

Describe your approach to identifying vulnerabilities in your information systems that pose a data security risk

The ability to mitigate security risks is dependent upon an effective risk assessment process that identifies, measures, controls and monitors threats. To meet the requirements of Banner's Information Security Program and FDIC rules and guidelines, management completes an annual risk assessment of the reasonably foreseeable internal and external threats to Bank and client information as well as information systems assets.
Describe your approach to addressing data security risks and vulnerabilities you have identified

Risk levels are determined by considering the likelihood and potential damage of a threat event. Controls are established to mitigate risks to levels believed to be acceptable. If risk levels are considered high or a gap is identified, new controls or mitigating controls are put into place to reduce the risk, including a risk management plan. Protecting the Bank's internal and external network from attack is a key concern and involves regular risk assessment, oversight and implementation of new strategies and tools as they become available.
Discuss trends you have observed in type, frequency, and origination of attacks to data security and information systems

We note the following trends, which are not specific to Banner, but help to inform our data security risk management approach:

• Cyberattacks and malicious data breaches usually involve some form of social engineering; up to 90 percent of malicious data breaches do.

• E-mail security concerns, including phishing, spoofing and business email compromise.

• Increase in ransomware threats and other cybersecurity vulnerabilities with third-party providers.

• Evolving data security risk associated with transitioning data to a cloud delivery platform.

• High alert levels associated with nation-state cyberwarfare and espionage due to the conflict in Eastern Europe and other threats.
Describe policies and procedures for disclosing the events of breaches to customers in a timely manner

Bank leadership evaluates and discloses data breaches in accordance with relevant frameworks set forth in applicable law and regulation.

Cyber Security Events

If leadership determines the Bank has experienced a computer-security incident, we will notify the appropriate regulatory agencies in accordance with notification requirements. If client data was compromised, we will notify clients in accordance with regulatory requirements.

Examples of Events Requiring Notification: The following is a non-exhaustive list of incidents that generally are considered "notification incidents" to the Bank's primary regulator, and potentially to clients if PII or NPI data is compromised:

• Large-scale distributed denial of service attacks that disrupt client account access for an extended period of time;

• Computer hacking incident that disables banking operations for an extended period of time;

• Malware on a banking organization's network that poses an imminent threat to the banking organization's core business lines or critical operations or that requires the banking organization to disengage any compromised products or information systems that support the banking organization's core business lines or critical operations from internet-based network connections; or

• A ransom malware attack that encrypts a core banking system or related backup data.

Discuss data and system security efforts that relate to new and emerging cyber threats and attack vectors facing the financial services industry

At Banner Bank, we are dedicated to creating a safe environment for our clients' data. We continually make investments in new technologies and resources to strengthen our defenses and stop threats. The methodology for our information security program involves three main pillars:

People

• Prioritization of cybersecurity matters by our Board of Directors, executive management and other leaders.

• An Information Security Program led by our Chief Information Officer and Chief Information Security Officer.

• Security awareness program for all employees that both informs and tests their knowledge.

• Highly skilled Cyber Incident Response and Crisis Management teams to deal quickly and effectively with any data issue.

Technology

• A defense-in-depth strategy that includes preventative, detective and corrective controls.

• Security controls are validated on an ongoing basis to maintain effective defenses.

• Independent penetration testing is conducted regularly.

Processes

• Technology changes are carefully implemented to address security considerations. Data loss prevention controls are in place to mitigate the risk of loss or exfiltration of data.

• Emerging risk, technologies and vulnerabilities are identified and managed through our Information Security Risk Assessment.

• Access controls follow the principle of least privilege.

• Vulnerability management program includes a rigorous patching program and the use of supported software and hardware.
Describe the regulatory environment in which you operate related to data security

Banner Bank operates in a highly regulated environment. The Bank's primary federal regulator is the FDIC. The primary federal regulator of Banner Corporation, the Bank's parent company, is the Federal Reserve. As a publicly traded company, Banner Corporation is also subject to certain reporting frameworks overseen by the United States Securities and Exchange Commission.
Describe the degree to which your approach is aligned with an external standard or framework and/or legal or regulatory framework for managing data security

The Bank's information security risk assessments were informed by a variety of materials and business resources including the following:

• ISO 27002

• Gramm-Leach-Bliley Act (GLBA) Section 501(b)

• Interagency Guidelines Establishing Information Security Standards (12 CFR Part 364, Appendix B)

• Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook

• Various other FFIEC and FDIC regulatory guidance

• NIST Cybersecurity Framework
