10q10k.net

What changed in INTERNATIONAL BANCSHARES CORP's 10-K: 2024 vs 2025

Paragraph-level year-over-year comparison of INTERNATIONAL BANCSHARES CORP's 2024 and 2025 10-K annual filings, covering the Business, Risk Factors, Legal Proceedings, Cybersecurity, MD&A and Market Risk sections. Every new, removed and edited paragraph is highlighted side-by-side so you can see exactly what management changed in the 2025 report.

+168 added · 148 removed · Source: 10-K (2026-02-26) vs 10-K (2025-02-27)

Top changes in INTERNATIONAL BANCSHARES CORP's 2025 10-K

168 paragraphs added · 148 removed · 138 edited across 6 sections

Item 1. Business

Business — how the company describes what it does

95 edited · +25 added · 7 removed · 196 unchanged
Biggest change: Community Reinvestment Act Under the CRA, the FDIC is required to assess the record of each Subsidiary Bank to determine if the bank meets the credit needs of its entire community, including low- and moderate-income neighborhoods served by the bank, and to take that record into account in its evaluation of any application made by the bank for, among other things, approval of the acquisition or establishment of a branch or other deposit facility, an office relocation, a merger, or the acquisition of shares of capital stock of another financial institution.
Biggest change: In the event of a liquidation or other resolution of an insured depository institution like any of our Subsidiary Banks, the claims of depositors and other general or subordinated creditors of the bank are entitled to a priority of payment over the claims of holders of any obligation of the bank to its shareholders, including any depository institution holding company (like us) or any shareholder or creditor thereof. Community Reinvestment Act Under the CRA, the FDIC is required to assess the record of each Subsidiary Bank to determine if the bank meets the credit needs of its entire community, including low- and moderate-income neighborhoods served by the bank, and to take that record into account in its evaluation of any application made by the bank for, among other things, approval of the acquisition or establishment of a branch or other deposit facility, an office relocation, a merger, or the acquisition of shares of capital stock of another financial institution.
Similarly, in response to any increase in geopolitical tensions or strained U.S.-Mexico relations, depositors from Mexico may seek alternative financial institutions that are perceived as being more integrated within the Mexican financial industry, which could cause us to face increased competition.
Similarly, in response to any increase in geopolitical tensions or strained U.S.-Mexico relations, depositors from Mexico may seek alternative financial institutions that are perceived as being more integrated within the Mexican financial industry, which could cause us to face increased competition.
Our completion of the transition from LIBOR during the second quarter of 2023 did not have any adverse impacts on our business, financial condition, or results of operations, and each of the loan documents, financial instruments, and other agreements related to our LIBOR-based securities had fallback provisions that determined what reference rate would replace LIBOR upon its discontinuation.
Our completion of the transition from LIBOR during the second quarter of 2023 did not have any adverse impacts on our business, financial condition, or results of operations, and each of the loan documents, financial instruments, and other agreements related to our LIBOR-based securities had fallback provisions that determined what reference rate would replace LIBOR upon its discontinuation.
In October 2023, the federal regulators adopted a joint final rule to strengthen and modernize the CRA regulations, which was consistent with the 2022 proposed rule.
In October 2023, the federal regulators adopted a joint final rule to strengthen and modernize the CRA regulations, (the 2023 CRA Rule), which was consistent with the 2022 proposed rule.
Also, the Texas Finance Code includes a “super parity” provision with procedures for state banks to notify the Texas Banking Commissioner if the bank intends to conduct any activity permitted for any depository institution in the United States. Texas Banking Commissioner has 30 days after receiving such notice to prohibit the activity.
Also, the Texas Finance Code includes a “super parity” provision with procedures for state banks to notify the Texas Banking Commissioner if the bank intends to conduct any activity permitted for any depository institution in the United States. The Texas Banking Commissioner has 30 days after receiving such notice to prohibit the activity.
As stated in our Board-approved Code of Ethics and Business Conduct, we expect all of our officers, directors, and employees to practice fair dealing, honesty, and integrity in every aspect of our interactions with other IBC employees, our customers, vendors, shareholders, suppliers, competitors, and government authorities, and the communities we serve. None of our employees are represented by any collective bargaining unit or are parties to a collective bargaining agreement.
As stated in our Board-approved Code of Ethics and Business Conduct, we expect all of our officers, directors, and employees to practice fair dealing, honesty, and integrity in every aspect of their interactions with other IBC employees, our customers, vendors, shareholders, suppliers, competitors, and government authorities, and the communities we serve. None of our employees are represented by any collective bargaining unit or are parties to a collective bargaining agreement.
Significant recent CFPB developments that may affect operations and compliance costs include: positions taken by the CFPB on fair lending, including applying the disparate impact theory which could make it more difficult for lenders to charge different rates or to apply different terms to loans to different customers; the CFPB’s final rule amending Regulation C, which implements the Home Mortgage Disclosure Act, requiring most lenders to report expanded information in order for the CFPB to more effectively monitor fair lending concerns and other information shortcomings identified by the CFPB; positions taken by the CFPB regarding the Electronic Fund Transfer Act and Regulation E, which governs responsibilities and obligations related to consumer electronic funds transfers; focused efforts on enforcing certain compliance obligations the CFPB deems a priority, such as automobile loan servicing, debt collection, mortgage origination and servicing, remittances, and fair lending, among others; the CFPB’s proposed Dodd-Frank Section 1033 consumer financial data sharing rule, which will require financial institutions to provide consumers and their authorized parties access to certain consumer financial data obtained and maintained by the financial institution; and the CFPB’s continued focus on bank fees and charges, including supervision and enforcement actions and bulletins related to overdraft and non-sufficient funds fees. In light of the current political climate in Washington, DC and changes in CFPB leadership in recent years, we cannot predict what additional actions may be taken by the CFPB with respect to its previous regulations, rulings, and decisions and any impact on our operations.
Significant recent CFPB developments that may affect operations and compliance costs include: positions taken by the CFPB on fair lending, including applying the disparate impact theory which could make it more difficult for lenders to charge different rates or to apply different terms to loans to different customers; the CFPB’s final rule amending Regulation C, which implements the Home Mortgage Disclosure Act, requiring most lenders to report expanded information in order for the CFPB to more effectively monitor fair lending concerns and other information shortcomings identified by the CFPB; positions taken by the CFPB regarding the Electronic Fund Transfer Act and Regulation E, which governs responsibilities and obligations related to consumer electronic funds transfers; focused efforts on enforcing certain compliance obligations the CFPB deems a priority, such as automobile loan servicing, debt collection, mortgage origination and servicing, remittances, and fair lending, among others; the CFPB’s proposed Dodd-Frank Section 1033 consumer financial data sharing rule, which will require financial institutions to provide consumers and their authorized parties access to certain consumer financial data obtained and maintained by the financial institution; and the CFPB’s continued focus on bank fees and charges, including supervision and enforcement actions and bulletins related to overdraft and non-sufficient funds fees. In light of the current political climate in Washington, DC and changes in CFPB leadership in recent years, we cannot predict what additional actions may be taken by the CFPB with respect to its previous regulations, rulings, and decisions and any impact on our operations.
Key updates over the years have included: (i) the CFPB making multiple revisions to Regulation X and Regulation Z that have addressed force-placed insurance, early intervention, loss-mitigation requirements, and periodic statement requirements (ii) the CFPB issuing a final interpretive rule amending the mortgage servicing rules, clarifying the interaction of the Fair Debt Collection Practices Act (FDCPA), and addressing the insufficiency of hazard insurance; (iii) the CFPB, FRB, and OCC finalizing amendments to the official interpretations that implement special appraisal requirements for “higher-risk mortgages” or “higher-priced mortgages”; (iv) the CFPB modifying the TILA-RESPA Integrated Disclosure Rule implemented in Regulations X and Z to create tolerances for the total of payments and to provide guidance on sharing the integrated disclosures with various parties involved in the mortgage origination process; and (v) the CFPB issuing an interim final rule to give servicers more flexibility regarding when to communicate about foreclosure prevention options with borrowers who have requested a cease in communication under federal debt collection law and how to respond and communicate with potential successors in interest.
Key updates over the years have included: (i) the CFPB making multiple revisions to Regulation X and Regulation Z that have addressed force-placed insurance, early intervention, loss-mitigation requirements, and periodic statement requirements (ii) the CFPB issuing a final interpretive rule amending the mortgage servicing rules, clarifying the interaction of the Fair Debt Collection Practices Act (FDCPA), and addressing the insufficiency of hazard insurance; (iii) the CFPB, FRB, and OCC finalizing amendments to the official interpretations that implement special appraisal requirements for “higher-risk mortgages” or “higher-priced mortgages”; (iv) the CFPB modifying the TILA-RESPA Integrated Disclosure Rule implemented in Regulations X and Z to create tolerances for the total of payments and to provide guidance on sharing the integrated disclosures with various parties involved in the mortgage origination process; and (v) the CFPB issuing an interim final rule to give servicers more flexibility regarding when to communicate about foreclosure prevention options with borrowers who have requested a cease in communication under federal debt collection law and how to respond and communicate with potential successors in interest.
Our principal assets at December 31, 2024, consisted of all the outstanding capital stock of four Texas state banking associations and one Oklahoma state banking corporation as follows: International Bank of Commerce, located in Laredo, Texas (IBC); Commerce Bank, located in Laredo, Texas (Commerce Bank); International Bank of Commerce, located in Brownsville, Texas (IBC Brownsville); International Bank of Commerce, located in Zapata, Texas (IBC Zapata); and International Bank of Commerce, located in Oklahoma City, Oklahoma (IBC-Oklahoma). These five subsidiary banks are collectively referred to in this report as our “Subsidiary Banks.” Our philosophy focuses on customer service as represented by the motto, “We Do More.” Our Subsidiary Banks maintain a strong commitment to their local communities by, among other things, appointing selected community members to local advisory boards.
Our principal assets at December 31, 2025, consisted of all the outstanding capital stock of four Texas state banking associations and one Oklahoma state banking corporation as follows: International Bank of Commerce, located in Laredo, Texas (IBC); Commerce Bank, located in Laredo, Texas (Commerce Bank); International Bank of Commerce, located in Brownsville, Texas (IBC Brownsville); International Bank of Commerce, located in Zapata, Texas (IBC Zapata); and International Bank of Commerce, located in Oklahoma City, Oklahoma (IBC-Oklahoma). These five subsidiary banks are collectively referred to in this report as our “Subsidiary Banks.” Our philosophy focuses on customer service as represented by the motto, “We Do More.” Our Subsidiary Banks maintain a strong commitment to their local communities by, among other things, appointing selected community members to local advisory boards.
The implementing regulations impose obligations on financial institutions to maintain a risk-based anti-money laundering program that includes appropriate policies, procedures, and controls to detect, prevent and report money laundering and terrorist financing and to verify the identity of their customers.
The implementing regulations impose obligations on financial institutions to maintain a risk-based anti-money laundering (AML) program that includes appropriate policies, procedures, and controls to detect, prevent and report money laundering and terrorist financing and to verify the identity of their customers.
In August 2022, the Inflation Reduction Act of 2022 (IRA) was enacted. Among other things, the IRA imposes a new 1% tax on the fair market value of stock repurchased after December 31, 2022 by publicly traded U.S. corporations.
Inflation Reduction Act of 2022 In August 2022, the Inflation Reduction Act of 2022 (IRA) was enacted. Among other things, the IRA imposes a 1% tax on the fair market value of stock repurchased after December 31, 2022 by publicly traded U.S. corporations.
A bank will be considered: “well capitalized” if the institution has a total risk-based capital ratio of 10.0% or greater, a CET1 capital ratio of 6.5% or greater, a Tier 1 risk-based capital ratio of 8.0% or greater, and a leverage ratio of 5.0% or greater, and is not subject to any order or written directive by any regulatory authority to meet and maintain a specific capital level for any capital measure; “adequately capitalized” if the institution has a total risk-based capital ratio of 8.0% or greater, a CET1 capital ratio of 4.5% or greater, a Tier 1 risk-based capital ratio of 6.0% or greater, and a leverage ratio of 4.0% or greater and is not “well capitalized”; “undercapitalized” if the institution has a total risk-based capital ratio that is less than 8.0%, a CET1 capital ratio less than 4.5%, a Tier 1 risk-based capital ratio of less than 6.0% or a leverage ratio of less than 4.0%; “significantly undercapitalized” if the institution has a total risk-based capital ratio of less than 6.0%, a CET1 capital ratio less than 3%, a Tier 1 risk-based capital ratio of less than 4.0% or a leverage ratio of less than 3.0%; and “critically undercapitalized” if the institution’s tangible equity is equal to or less than 2.0% of average quarterly tangible assets. An institution may be downgraded to, or deemed to be in, a capital category that is lower than indicated by its capital ratios if it is determined to be in an unsafe or unsound condition or if it receives an unsatisfactory examination rating with respect to certain matters.
A bank will be considered: “well capitalized” if the institution has a total risk-based capital ratio of 10.0% or greater, a CET1 capital ratio of 6.5% or greater, a Tier 1 risk-based capital ratio of 8.0% or greater, and a leverage ratio of 5.0% or greater, and is not subject to any order or written directive by any regulatory authority to meet and maintain a specific capital level for any capital measure; “adequately capitalized” if the institution has a total risk-based capital ratio of 8.0% or greater, a CET1 capital ratio of 4.5% or greater, a Tier 1 risk-based capital ratio of 6.0% or greater, and a leverage ratio of 4.0% or greater and is not “well capitalized”; “undercapitalized” if the institution has a total risk-based capital ratio that is less than 8.0%, a CET1 capital ratio less than 4.5%, a Tier 1 risk-based capital ratio of less than 6.0% or a leverage ratio of less than 4.0%; “significantly undercapitalized” if the institution has a total risk-based capital ratio of less than 6.0%, a CET1 capital ratio less than 3%, a Tier 1 risk-based capital ratio of less than 4.0% or a leverage ratio of less than 3.0%; and “critically undercapitalized” if the institution’s tangible equity is equal to or less than 2.0% of average quarterly tangible assets. An institution may be downgraded to, or deemed to be in, a capital category that is lower than indicated by its capital ratios if it is determined to be in an unsafe or unsound condition or if it receives an unsatisfactory examination rating with respect to certain matters.
We also own five direct, non-banking subsidiaries: IBC Trading Company, an export trading company that is currently inactive; IBC Charitable and Community Development Corporation, a nonprofit corporation formed under the laws of the State of Texas to conduct charitable and community development activities; IBC Capital Corporation, a company incorporated in the State of Delaware for the purpose of holding certain investments; Premier Tierra Holdings, Inc., a liquidating subsidiary formed under the laws of the State of Texas; and Diamond Beach Holdings, LLC, a merchant banking entity formed under the laws of the State of Texas. We also own fifty-percent interests in Gulfstar Group I, Ltd. and Gulfstar Group II, Ltd., together with their related entities, all of which are involved in investment banking activities; a controlling interest in four merchant banking entities; and a majority ownership interest in a real-estate development partnership.
We also own six direct, non-banking subsidiaries: IBC Trading Company, an export trading company that is currently inactive; IBC Charitable and Community Development Corporation, a nonprofit corporation formed under the laws of the State of Texas to conduct charitable and community development activities; IBC Capital Corporation, a company incorporated in the State of Delaware for the purpose of holding certain investments; WCMH, LLC, a merchant banking entity formed under the laws of the State of Texas; Premier Tierra Holdings, Inc., a liquidating subsidiary formed under the laws of the State of Texas; and Diamond Beach Holdings, LLC, a merchant banking entity formed under the laws of the State of Texas. We also own fifty-percent interests in Gulfstar Group I, Ltd. and Gulfstar Group II, Ltd., together with their related entities, all of which are involved in investment banking activities; a controlling interest in five merchant banking entities; and a majority ownership interest in a real-estate development partnership.
The Basel III capital rules require the following minimum capital ratios to be met: 4.5% CET1 to risk-weighted assets, plus a capital conservation buffer of at least 2.5% (resulting in a minimum ratio of CET1 to risk-weighted assets of at least 7.0%); 6.0% Tier 1 capital to risk-weighted assets, plus a capital conservation buffer (resulting in a Tier 1 capital to risk-weighted assets ratio of at least 8.5%); 8.0% Total capital (Tier 1 capital plus Tier 2 capital) to risk-weighted assets, plus the capital conservation buffer (resulting in a minimum total capital ratio of 10.5%); and 4.0% minimum leverage ratio, calculated as the ratio of Tier 1 capital to average assets. The Basel III capital rules prescribe a standardized approach for risk weightings that expand the risk-weighting categories from four categories (0%, 20%, 50% and 100%), to a much larger and more risk-sensitive number of categories, depending on the nature of the assets, generally ranging from 0% for U.S. government and agency securities to 600% for certain equity exposures, resulting in higher risk weights for a variety of asset categories.
The Basel III capital rules require the following minimum capital ratios to be met: 4.5% CET1 to risk-weighted assets, plus a capital conservation buffer of at least 2.5% (resulting in a minimum ratio of CET1 to risk-weighted assets of at least 7.0%); 6.0% Tier 1 capital to risk-weighted assets, plus a capital conservation buffer (resulting in a Tier 1 capital to risk-weighted assets ratio of at least 8.5%); 8.0% Total capital (Tier 1 capital plus Tier 2 capital) to risk-weighted assets, plus the capital conservation buffer (resulting in a minimum total capital ratio of 10.5%); and 4.0% minimum leverage ratio, calculated as the ratio of Tier 1 capital to average assets. The Basel III capital rules prescribe a standardized approach for risk weightings that expand the risk-weighting categories from four categories (0%, 20%, 50% and 100%), to a much larger and more risk-sensitive number of categories, depending on the nature of the assets, generally ranging from 0% for U.S. government and agency securities to 600% for certain equity exposures, resulting in higher risk weights for a variety of asset categories.
The CFPB also has broad authority, among other matters, to declare acts or practices to be “unfair, deceptive, or abusive,” and to develop and require new consumer disclosures. The CFPB has issued and continues to issue numerous regulations under which IBC and the Subsidiary Banks will continue to incur additional expense in connection with ongoing compliance obligations.
The CFPB also has broad authority, among other matters, to declare acts or practices to be “unfair, deceptive, or abusive,” and to develop and require new consumer disclosures. The CFPB has issued and continues to issue numerous regulations under which IBC and the Subsidiary Banks will continue to incur additional expenses in connection with ongoing compliance obligations.
The corresponding provisions of the Federal Deposit Insurance Corporation Improvement Act (FDICIA) mandate corrective actions be taken if a bank is undercapitalized. Based on our capital ratios as of December 31, 2024, our holding company and each of the Subsidiary Banks were classified as “well capitalized” under the applicable regulations.
The corresponding provisions of the Federal Deposit Insurance Corporation Improvement Act (FDICIA) mandate corrective actions be taken if a bank is undercapitalized. Based on our capital ratios as of December 31, 2025, our holding company and each of the Subsidiary Banks were classified as “well capitalized” under the applicable regulations.
As of December 31, 2024, each of our Subsidiary Banks are “well capitalized” based on the aforementioned ratios pursuant to the Basel III capital rules. Liquidity Requirements Historically, regulation and monitoring of bank and bank holding company liquidity has been addressed as a supervisory matter, without required formulaic measures.
As of December 31, 2025, each of our Subsidiary Banks are “well capitalized” based on the aforementioned ratios pursuant to the Basel III capital rules. Liquidity Requirements Historically, regulation and monitoring of bank and bank holding company liquidity has been addressed as a supervisory matter, without required formulaic measures.
Further, the Basel III capital rules establish calculations for risk-weighted assets using alternatives to credit ratings that are based on either the weighted average of the underlying collateral or a formula based on subordination position and delinquencies or the use of a 1,250% risk rating, which is be the default rating that a banking organization must apply to a securitization exposure if it does not meet certain requisite due diligence standards and does not demonstrate a comprehensive understanding of the exposure.
Further, the Basel III capital rules establish calculations for risk-weighted assets using alternatives to credit ratings that are based on either the weighted average of the underlying collateral or a formula based on subordination position and delinquencies or the use of a 1,250% risk rating, which is be the default rating that a banking organization must apply to a securitization exposure if it does not meet certain requisite due diligence standards and does not demonstrate a comprehensive understanding of the exposure.
Under the Financial Services Modernization Act of 1999, which is otherwise known as the Gramm-Leach-Bliley Act (GLBA), banks, securities firms and insurance companies may affiliate under an entity known as a financial holding company, which may then serve its customers’ varied financial needs through a single corporate structure.
Under the Financial Services Modernization Act of 1999, which is otherwise known as the Gramm-Leach-Bliley Act (GLBA), banks, securities firms and insurance companies may affiliate under an entity known as a financial holding company, which may then serve its customers varied financial needs through a single corporate structure.
Today, we have 166 facilities and 255 ATMs serving 75 communities in Texas and Oklahoma. Through the Subsidiary Banks, we are engaged in the business of accepting checking and savings deposits and the making of commercial, real estate, personal, home improvement, automobile and other installment and term loans.
Today, we have 166 facilities and 247 ATMs serving 75 communities in Texas and Oklahoma. Through the Subsidiary Banks, we are engaged in the business of accepting checking and savings deposits and the making of commercial, real estate, personal, home improvement, automobile and other installment and term loans.
In addition to the provisions of the 2011 proposed rule, the 2016 proposed rule specified that an incentive-based compensation arrangement would only be deemed to have appropriately balanced risk and reward if it included financial and non-financial measures of performance, was designed to allow non-financial measures of performance to override financial measures of performance, and was subject to adjustment to reflect actual losses, inappropriate risks taken, compliance deficiencies, or other measures or aspects of financial and non-financial performance.
In addition to the provisions of the 2011 proposed rule, the 2016 proposed rule specified that an incentive-based compensation arrangement would only be deemed to have appropriately balanced risk and reward if it included financial and non-financial measures of performance, was designed to allow non-financial measures of performance to override financial measures of performance, and was subject to adjustment to reflect actual losses, inappropriate risks taken, compliance deficiencies, or other measures or aspects of financial and non-financial performance.
Under the final rule, most of the CRA changes would only affect “large” banks with assets of more than $2 billion while allowing small and mid-sized banks to elect to be evaluated based on certain of the new rules.
Under the 2023 CRA Rule, most of the CRA changes would only affect “large” banks with assets of more than $2 billion while allowing small and mid-sized banks to elect to be evaluated based on certain of the new rules.
In April 2011 and June 2016, the SEC and the federal banking agencies issued joint notices of proposed rulemaking that would prohibit a covered financial institution from establishing or maintaining any incentive-based compensation arrangements for covered persons that expose the financial institution to inappropriate risks by providing the covered person with excessive compensation that could lead to a material financial loss.
In April 2011 and June 2016, the SEC and the federal banking agencies issued joint notices of proposed rulemaking that would prohibit a covered financial institution from establishing or maintaining any incentive-based compensation arrangements for covered persons that expose the financial institution to inappropriate risks by providing the covered person with excessive compensation that could lead to a material financial loss.
To date, the rule has not, as we do not anticipate that it will, have a significant detrimental effect on us given that it is generally consistent with the FRB’s historical practices in making control determinations.
To date, the rule has not, and we do not anticipate that it will, have a significant detrimental effect on us given that it is generally consistent with the FRB’s historical practices in making control determinations.
The PATRIOT Act also requires the bank regulatory agencies to consider the record of a bank or bank holding company in combating money laundering activities in their evaluation of bank and bank holding company merger or acquisition transactions. Anti-money laundering regulations are continually evolving.
The PATRIOT Act also requires the bank regulatory agencies to consider the record of a bank or bank holding company in combating money laundering activities in their evaluation of bank and bank holding company merger or acquisition transactions. AML regulations are continually evolving.
Each Subsidiary Bank makes available certain securities products through third-party providers and provides banking services during traditional and nontraditional banking hours through their ATM network and retail locations in shopping malls and other convenient places.
Each Subsidiary Bank makes available certain securities products through third-party providers and provides banking services during traditional and non-traditional banking hours through their ATM network and retail locations in shopping malls and other convenient places.
The Dodd-Frank Act requires the federal banking agencies to jointly issue rules implementing the “source of strength” doctrine, but as of December 31, 2024, the FRB and other federal banking regulators have not yet issued such rules.
The Dodd-Frank Act requires the federal banking agencies to jointly issue rules implementing the “source of strength” doctrine, but as of December 31, 2025, the FRB and other federal banking regulators have not yet issued such rules.
Tier 2 capital generally consists of certain hybrid capital instruments and perpetual debt, mandatory convertible debt securities and a limited amount of subordinated debt, qualifying preferred stock, loan loss allowance, and unrealized holding gains on certain equity securities. The federal authorities’ risk-based capital guidelines utilize total capital to risk-weighted assets and Tier 1 capital elements.
Tier 2 capital generally consists of certain hybrid capital instruments and perpetual debt, mandatory convertible debt securities and a limited amount of subordinated debt, qualifying preferred stock, loan loss allowance, and unrealized holding gains on certain equity securities. The federal authorities’ risk-based capital guidelines utilize total capital to risk-weighted assets and Tier 1 capital elements.
In 2021, the federal banking agencies adopted a rule governing computer security incidents and, in part, the rule requires notification by a regulated institution to its primary federal regulator in the event of certain cybersecurity-related incidents. In February 2018, the SEC published interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.
In 2021, the federal banking agencies adopted a rule governing computer security incidents and, in part, the rule requires notification by a regulated institution to its primary federal regulator in the event of certain cybersecurity-related incidents. In February 2018, the SEC published interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.
The FRB also noted in its report that it is considering regulatory measures that would limit what it termed “safety and soundness risks of merchant banking investments.” Following this report, on September 30, 2016, the FRB published a Notice of Proposed Rulemaking (NPR) proposing to, among other things, amend the risk-based capital requirements to increase the requirements associated with a subset of merchant banking investments; specifically, merchant banking investments in companies engaged in physical commodities activities.
The FRB also noted in its report that it is considering regulatory measures that would limit what it termed “safety and soundness risks of merchant banking investments.” Following this report, on September 30, 2016, the FRB published an NPR proposing to, among other things, amend the risk-based capital requirements to increase the requirements associated with a subset of merchant banking investments; specifically, merchant banking investments in companies engaged in physical commodities activities.
Each of our Subsidiary Banks is subject to similar capital requirements adopted by the FDIC and had a leverage ratio in excess of 5% as of December 31, 2024.
Each of our Subsidiary Banks is subject to similar capital requirements adopted by the FDIC and had a leverage ratio in excess of 5% as of December 31, 2025.
Nonresident Alien Deposits In 2013, the IRS published a rule requiring U.S. banks to report on the interest they pay to nonresident alien individuals. The IRS shares that information with tax authorities in other countries with whom the United States has an agreement regarding the exchange of tax information.
Nonresident Alien Deposits In 2013, the Internal Revenue Service (IRS) published a rule requiring U.S. banks to report on the interest they pay to nonresident alien individuals. The IRS shares that information with tax authorities in other countries with whom the United States has an agreement regarding the exchange of tax information.
Financial institutions are evaluated under different CRA examinations procedures based upon their asset size classification, which asset thresholds are updated annually and were updated as of January 1, 2025.
Financial institutions are evaluated under different CRA examinations procedures based upon their asset size classification, which asset thresholds are updated annually and were updated as of January 1, 2026.
The anti-concentration limit applicable in each of Texas and Oklahoma is 20% of all federally insured deposits in the state. The Interstate Banking Act further expanded interstate banking by allowing banks to establish de novo branches in any state that opted-in to the Interstate Banking Act’s branching provisions.
The anti-concentration limit applicable in each of Texas and Oklahoma is 20% of all federally insured deposits in the state. The Interstate Banking Act further expanded interstate banking by allowing banks to establish de novo branches in any state that opted in to the Interstate Banking Act’s branching provisions.
Two of our Subsidiary Banks are considered “intermediate small banks” and IBC, IBC Brownsville and IBC Oklahoma are considered “large banks” under the new asset thresholds. Consumer Laws In addition to the laws and regulations discussed herein, the Subsidiary Banks are also subject to numerous consumer laws and regulations that are designed to protect consumers in transactions with banks.
Two of our Subsidiary Banks are considered “intermediate small banks” and IBC, IBC Brownsville and IBC Oklahoma are considered “large banks” under the new asset thresholds. Consumer Laws In addition to the laws and regulations discussed herein, the Subsidiary Banks are also subject to numerous consumer laws and regulations that are designed to protect consumers in transactions with banks.
In February 2024, the NIST Cybersecurity Framework 2.0 was released, which updated the original framework by expanding its scope to help organizations of all sizes and across sectors manage and mitigate cybersecurity risks and by emphasizing the importance of governance and supply chains in managing cybersecurity risks.
In February 2024, the NIST Cybersecurity Framework 2.0 was released, which updated the original framework by expanding its scope to help organizations of all sizes and across sectors manage and mitigate cybersecurity risks and by emphasizing the importance of governance and supply chains in managing cybersecurity risks.
These deposits comprised approximately 31%, 29% and 28% of the Subsidiary Banks’ total deposits for the three years ended December 31, 2024, 2023 and 2022, respectively. The imposition of tariffs and trade restrictions by the United States on Mexico may weaken the Mexican economy, potentially leading to lower deposit balances or increased withdrawals from our depositors domiciled in Mexico.
These deposits comprised approximately 32%, 31% and 29% of the Subsidiary Banks’ total deposits for the three years ended December 31, 2025, 2024 and 2023, respectively. The imposition of tariffs and trade restrictions by the United States on Mexico may weaken the Mexican economy, potentially leading to lower deposit balances or increased withdrawals from our depositors domiciled in Mexico.
Department of the Treasury (OFAC) publishes lists of specially designated countries and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States.
Department of the Treasury (OFAC) publishes lists of specially designated countries and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries and regimes, terrorists, transnational criminal organizations, international cartels and narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States.
At December 31, 2024, there was an aggregate of approximately $1,440,000,000 available for the payment of dividends to our holding company by our Subsidiary Banks under the capital rules applicable as of December 31, 2024, assuming that each of such banks continues to be classified as “well capitalized.” Further, we could expend the entire $1,440,000,000 and continue to be classified as “well capitalized” under the capital rules applicable as of December 31, 2024.
At December 31, 2025, there was an aggregate of approximately $1,644,000,000 available for the payment of dividends to our holding company by our Subsidiary Banks under the capital rules applicable as of December 31, 2025, assuming that each of such banks continues to be classified as “well capitalized.” Further, we could expend the entire $1,644,000,000 and continue to be classified as “well capitalized” under the capital rules applicable as of December 31, 2025.
Although updates to the CRA’s implementing regulations were necessary to address the changes in the banking industry and the increase in online and mobile banking, the changes under the final rule included significant increases in data collection, testing, and evaluation metrics related to geography and assessment areas.
Although updates to the CRA’s implementing regulations were necessary to address the changes in the banking industry and the increase in online and mobile banking, the changes under the 2023 CRA Rule included significant increases in data collection, testing, and evaluation metrics related to geography and assessment areas.
As of December 31, 2024, approximately 66% of our approximately 300-person officer management team have been with us for more than 15 years, and approximately 74% of those have been with us for more than 20 years. Our mission is to develop a banking culture that builds genuine, personal relationships with our customers and the communities we serve.
As of December 31, 2025, approximately 66% of our approximately 300-person officer management team have been with us for more than 15 years, and approximately 79% of those have been with us for more than 20 years. Our mission is to develop a banking culture that builds genuine personal relationships with our customers and the communities we serve.
The changes proposed in the NPR were significantly narrower than the FRB’s recommendations regarding merchant banking investments in its report to Congress. To date, a final rule implementing the changes put forth in the NPR has not been issued and it is uncertain what action, if any, will be taken regarding the FRB’s report.
The changes proposed in the NPR were significantly narrower than the FRB’s recommendations regarding merchant banking investments in its report to Congress. To date, a final rule implementing the changes put forth in the NPR has not been issued and it is uncertain what action, if any, will be taken regarding the FRB’s report.
The ability of our holding company to pay dividends is largely dependent on the amount of cash derived from dividends declared by our Subsidiary Banks. The payment of dividends by any bank or bank holding company is affected by the requirement to maintain adequate capital.
The ability of our holding company to pay dividends is largely dependent on the amount of cash derived from dividends declared by our Subsidiary Banks. The payment of dividends by any bank or bank holding company is affected by the requirement to maintain adequate capital.
In the event of a bank holding company’s bankruptcy, any commitment by the bank holding company to a federal bank regulatory agency to maintain the capital of a subsidiary bank will be assumed by the bankruptcy trustee and entitled to priority of payment.
In the event of a bank holding company’s bankruptcy, any commitment by the bank holding company to a federal bank regulatory agency to maintain the capital of a subsidiary bank will be assumed by the bankruptcy trustee and entitled to priority of payment.
“Large bank” now means a bank with total assets equal to or greater than $1.609 billion for December 31 of both of the prior two calendar years, “small bank” means a bank with assets of less than $1.609 billion as of December 31 of either of the prior two calendar years, and “intermediate small bank” means a bank with assets of at least $402 million as of December 31 of both of the prior two calendar years and less than $1.609 billion as of December 31 of either of the prior two calendar years.
“Large bank” now means a bank with total assets equal to or greater than $1.649 billion for December 31 of both of the prior two calendar years, “small bank” means a bank with assets of less than $1.649 billion as of December 31 of either of the prior two calendar years, and “intermediate small bank” means a bank with assets of at least $412 million as of December 31 of both of the prior two calendar years and less than $1.649 billion as of December 31 of either of the prior two calendar years.
None of our Subsidiary Banks are subject to the special assessment. Capital Adequacy Our holding company and our Subsidiary Banks are required to meet certain minimum regulatory capital guidelines. The FRB has historically utilized a system based upon risk-based capital guidelines under a two-tier capital framework to evaluate the capital adequacy of bank holding companies.
Capital Adequacy Our holding company and our Subsidiary Banks are required to meet certain minimum regulatory capital guidelines. The FRB has historically utilized a system based upon risk-based capital guidelines under a two-tier capital framework to evaluate the capital adequacy of bank holding companies.
If a depository institution fails to submit an acceptable plan, it is treated as if it is “significantly undercapitalized.” The appropriate federal banking agency may, under certain circumstances, reclassify a well-capitalized insured depository institution as adequately capitalized.
If a depository institution fails to submit an acceptable plan, it is treated as if it is “significantly undercapitalized.” The appropriate federal banking agency may, under certain circumstances, reclassify a well-capitalized insured depository institution as adequately capitalized.
Similarly, it is possible that the legislatures of the State of Texas or the State of Oklahoma would amend applicable state laws relating to us or our Subsidiary Banks.
Similarly, it is possible that the legislatures of the State of Texas or the State of Oklahoma would amend applicable state laws relating to us or our Subsidiary Banks.
Our team approach allows us to nurture excellence in our staff to develop superior valuation skills so that each of our staff members better understand the risks and returns of transactions better than our competitors. We provide extensive training to our employees in an effort to ensure that our customers receive superior customer service.
Our team approach allows us to nurture excellence in our staff by developing superior valuation skills so that each of our staff members better understands the risks and returns of transactions better than our competitors. We provide extensive training for our employees in an effort to ensure that our customers receive superior customer service.
In October 2023, the CFPB proposed a “Personal Financial Data Rights” rule, which aims to promote open, decentralized banking, protect consumers’ financial data from misuse, and foster competition in the banking industry. The CFPB published the final rule in October 2024.
In October 2023, the CFPB proposed a “Personal Financial Data Rights” rule (PFDR Rule), which aims to promote open, decentralized banking, protect consumers’ financial data from misuse, and foster competition in the banking industry.
The rule requires financial institutions to make financial data regarding consumers’ transactions and accounts more accessible for consumers and authorized third parties acting on their behalf; implement authorization procedures for third parties seeking to access consumer data, including requiring third parties to commit to data limitations and compliance with the GLBA Safeguards Framework; establish operational, performance, and security standards related to data access; and advance fair, open, and inclusive industry standards to facilitate an open banking system.
The CFPB published the final PFDR Rule in October 2024, which requires financial institutions to make financial data regarding consumers’ transactions and accounts more accessible for consumers and authorized third parties acting on their behalf; implement authorization procedures for third parties seeking to access consumer data, including requiring third parties to commit to data limitations and compliance with the GLBA Safeguards Framework; establish operational, performance, and security standards related to data access; and advance fair, open, and inclusive industry standards to facilitate an open banking system.
In addition, the GLBA permits certain non-banking financial and financially related activities to be conducted by financial subsidiaries of banks.
In addition, the GLBA permits certain non-banking financial and financially related activities to be conducted by financial subsidiaries of banks.
The FDIC uses a risk-based assessment system that imposes premiums based upon a matrix that considers a bank’s capital level and supervisory rating. Our FDIC deposit insurance expense totaled $6,865,000, $6,285,000, and $6,987,000 in 2024, 2023 and 2022, respectively.
The FDIC uses a risk-based assessment system that imposes premiums based upon a matrix that considers a bank’s capital level and supervisory rating. Our FDIC deposit insurance expense totaled $7,151,000, $6,865,000, and $6,285,000 in 2025, 2024 and 2023, respectively.
We believe that our relations with our employees are good. Competition We are one of the largest independent financial bank holding companies in the State of Texas. Our primary market area in Texas is bordered on the east by the Galveston area, the northwest by Dallas, the southwest by Del Rio and to the southeast by Brownsville.
We believe that we maintain positive employee relations. Competition We are one of the largest independent financial bank holding companies in the State of Texas. Our primary market area in Texas is bordered on the east by the Galveston area, the northwest by Dallas, the southwest by Del Rio and to the southeast by Brownsville.
The same uncertainty exists with respect to regulations authorized or required under the Dodd-Frank Act, but that have not yet been proposed or finalized.
The same uncertainty exists with respect to regulations authorized or required under the Dodd-Frank Act, but that have not yet been proposed or finalized.
The relevant capital measures, which reflect the standards for assessing capital adequacy under the Basel III capital rules that became effective on January 1, 2015, are the total capital ratio, the CET1 capital ratio, the Tier 1 capital ratio, and the leverage ratio.
The relevant capital measures, which reflect the standards for assessing capital adequacy under the Basel III capital rules that became effective on January 1, 2015 and were phased in through January 1, 2019, are the total capital ratio, the CET1 capital ratio, the Tier 1 capital ratio, and the leverage ratio.
Under the final rule, the estimated loss pursuant to the systemic-risk determination will be periodically adjusted, and the FDIC may cease collection early, extend the collection period, and impose a final shortfall special assessment on a one-time basis.
Under the final rule, the estimated loss pursuant to the systemic-risk determination will be periodically adjusted, and the FDIC may cease collection early, extend the collection period, and impose a final shortfall special assessment on a one-time basis. None of our Subsidiary Banks are subject to the special assessment.
Increasingly, state regulators are implementing additional privacy and cybersecurity standards and regulations. Recently, several states adopted regulations requiring certain financial institutions to implement cybersecurity programs and provide detailed requirements for such programs, including data encryption requirements. Many states have also recently implemented or modified their data breach notification and data privacy requirements.
Recently, several states adopted regulations requiring certain financial institutions to implement cybersecurity programs and provide detailed requirements for such programs, including data encryption requirements. Many states have also recently implemented or modified their data breach notification and data privacy requirements.
In October 2018, the federal banking regulators further proposed to revise their liquidity requirements so that banking organizations that are not globally systemic important banks, have less than $250 billion in total consolidated assets and have less than $75 billion in each of off-balance sheet exposures, nonbank assets, cross-jurisdictional activity and short-term wholesale funding would not be subject to any LCR or net stable funding ratio requirements.
In November 2019, the federal banking regulators adopted final rules to revise their liquidity requirements so that banking organizations that are not globally systemic important banks, have less than $250 billion in total consolidated assets, and have less than $75 billion in each of off-balance sheet exposures, nonbank assets, cross-jurisdictional activity, and short-term wholesale funding are generally not subject to any LCR or net stable funding ratio requirements.
The new administration has appointed the Treasury Secretary as acting director of the CFPB. Military Lending Act In 2015, the Department of Defense issued final amendments to the rule that implements the federal Military Lending Act.
The new administration has appointed the Director of the Office of Management and Budget as acting director of the CFPB. Military Lending Act In 2015, the Department of Defense issued final amendments to the rule that implements the federal Military Lending Act.
In May 2022, the federal bank regulators, including the FDIC, issued a notice of proposed rulemaking intended to revise the CRA’s implementing regulations in order to advance the CRA’s core purpose and adapt the CRA’s regulatory framework to reflect the modern banking industry.
In May 2022, the federal bank regulators, including the FDIC, issued an NPR intended to revise the CRA’s implementing regulations in order to advance the CRA’s core purpose and adapt the CRA’s regulatory framework to reflect the modern banking industry.
All other bank holding companies will generally be required to maintain a leverage ratio of at least 4% - 5%. Our leverage ratio at December 31, 2024 was 18.84%.
All other bank holding companies will generally be required to maintain a leverage ratio of at least 4% - 5%. Our leverage ratio at December 31, 2025 was 19.86%.
The Subsidiary Banks conduct an award-winning financial literacy program in their communities as part of their community outreach. All of our Subsidiary Banks received a “Satisfactory” CRA rating in their most recently completed examinations.
Federal banking agencies make public a rating of a bank’s performance under the CRA. The Subsidiary Banks conduct an award-winning financial literacy program in their communities as part of their community outreach. All of our Subsidiary Banks received a “Satisfactory” CRA rating in their most recently completed examinations.
An institution would be prohibited from declaring any dividends, making any other capital distribution, or paying a management fee if the capital ratios drop below the levels for an adequately capitalized institution, which are 8%, 4%, and 4%, respectively.
An institution is prohibited from declaring any dividends, making any other capital distribution, or paying a management fee if its capital ratios drop below the levels for an adequately capitalized institution, which under the current framework are 8%, 6%, 4.5%, and 4%, respectively.
The proposed legislation would have also required regulators to consider a bank’s partnerships with non-depository lenders and “small-dollar” first-lien mortgages as part of CRA examinations. Like the October 2023 final regulatory revisions, the legislation focuses on applying fair-lending concepts to CRA obligations and examinations. Ultimately, however, the proposed legislation did not advance through the legislative process and was never passed.
The proposed legislation would have also required regulators to consider a bank’s partnerships with non-depository lenders and “small-dollar” first-lien mortgages as part of CRA examinations. Like the October 2023 final regulatory revisions, the proposed legislation focused on applying fair-lending concepts to CRA obligations and examinations.
The CTA aims to combat money laundering, securities and tax fraud, terrorism financing, human and drug trafficking, counterfeiting, and other corrupt, nefarious activities by preventing bad actors from concealing their ownership of U.S. entities to advance their illicit operations. On February 20, 2024, FinCEN’s rule for implementing the access and safeguard provisions of the CTA took effect.
The CTA aims to combat money laundering, securities and tax fraud, terrorism financing, human and drug trafficking, counterfeiting, and other corrupt, nefarious activities by preventing bad actors from concealing their ownership of U.S. entities to advance their illicit operations.
Proposed legislation was introduced in September 2022 that would have further revised the CRA by adding several new substantive and procedural requirements.
As a result, the previous CRA regulations continue to govern. Proposed legislation was introduced in September 2022 that would have further revised the CRA by adding several new substantive and procedural requirements.
The Basel III final capital framework, among other things, (i) a minimum ratio for “Common Equity Tier 1” capital (CET1), (ii) specifies that Tier 1 capital consists of CET1 and “Additional Tier 1 capital” instruments meeting specified requirements, (iii) defines CET1 narrowly by requiring that most adjustments to regulatory capital measures be made to CET1 and not to the other components of capital and (iv) expands the scope of the adjustments as compared to pre-Basel III regulations.
Basel III requires bank holding companies and their subsidiary banks to maintain substantially more capital, with a greater emphasis on common equity. The Basel III final capital framework, among other things, (i) establishes a minimum ratio for “Common Equity Tier 1” capital (CET1), (ii) specifies that Tier 1 capital consists of CET1 and “Additional Tier 1 capital” instruments meeting specified requirements, (iii) defines CET1 narrowly by requiring that most adjustments to regulatory capital measures be made to CET1 and not to the other components of capital and (iv) expands the scope of the adjustments as compared to pre-Basel III regulations.
We expect state-level activity to continue in this area and will continue monitoring legislative developments in Texas and Oklahoma. Affiliate Transactions Our holding company and Subsidiary Banks are “affiliates” within the meaning of Section 23A of the Federal Reserve Act (FRA), which sets forth certain restrictions on (i) loans and extensions of credit between a bank subsidiary and affiliates, (ii) investments in an affiliate’s stock or other securities, and (iii) acceptance of such stock or other securities as collateral for loans.
Affiliate Transactions Our holding company and Subsidiary Banks are “affiliates” within the meaning of Section 23A of the Federal Reserve Act (FRA), which sets forth certain restrictions on (i) loans and extensions of credit between a bank subsidiary and affiliates, (ii) investments in an affiliate’s stock or other securities, and (iii) acceptance of such stock or other securities as collateral for loans.
Under the CTA’s access rule, a reporting company’s beneficial-ownership information is deemed confidential but can be disclosed by FinCEN to six categories of recipients, including financial institutions that are subject to customer due diligence obligations and have received the reporting company’s consent to access its beneficial-ownership information.
On February 20, 2024, the CTA’s access rule, which implements the CTA’s access and safeguard provisions, took effect, under which a reporting company’s BOI is deemed confidential but can be disclosed by FinCEN to six categories of recipients, including financial institutions that are subject to customer due diligence obligations and have received the reporting company’s consent to access its BOI.
If enforced, the CTA’s reporting rule would require corporations, limited liability companies, and similar entities to identify and report certain information concerning their beneficial owners, meaning the individuals who ultimately own or control them.
As originally contemplated, the CTA’s reporting rule would have required corporations, limited liability companies, and similar entities operating in the U.S. to identify and report certain information concerning their beneficial owners, meaning the individuals who ultimately own or control them.
Further, such secured loans and investments by a bank subsidiary are limited in amount, as to a bank holding company or any other affiliate, to 10% of such bank subsidiary’s capital and surplus and, as to the bank holding company and its affiliates, to an aggregate of 20% of such bank subsidiary’s capital and surplus.
Further, such secured loans and investments by a bank subsidiary are limited in amount, as to a bank holding company or any other affiliate, to 10% of such bank subsidiary’s capital and surplus and, as to the bank holding company and its affiliates, to an aggregate of 20% of such bank subsidiary’s capital and surplus. Certain restrictions do not apply to 80% or more owned sister banks of bank holding companies.
As of December 31, 2024, we and our Subsidiary Banks employed approximately 2,103 persons full time and 233 persons part time.
As of December 31, 2025, we and our Subsidiary Banks employed approximately 2,126 people full time and 193 persons part time.
Certain restrictions do not apply to 80% or more owned sister banks of bank holding companies. Each Subsidiary Bank is wholly-owned by our holding company. Section 23B of the FRA requires that the terms of affiliate transactions be comparable to terms of similar non-affiliate transactions.
Each Subsidiary Bank is wholly-owned by our holding company. Section 23B of the FRA requires that the terms of affiliate transactions be comparable to terms of similar non-affiliate transactions.
The Basel III framework was developed by the Basel Committee on Banking Supervision, a college of central bankers and other financial regulators from the United States and other advanced economies, to strengthen international capital standards. Basel III requires bank holding companies and their subsidiary banks to maintain substantially more capital, with a greater emphasis on common equity.
The Basel III framework was developed by the Basel Committee on Banking Supervision, a college of central bankers and other financial regulators from the United States and other advanced economies, to strengthen international capital standards.
Powers As a result of the FDICIA, the authority of the FDIC over state-chartered banks was expanded. The FDICIA limits state chartered banks to only those principal activities permissible for national banks, except for other activities specifically approved by the FDIC.
It is unclear whether or to what extent this rule will be implemented. Powers As a result of the FDICIA, the authority of the FDIC over state-chartered banks was expanded. The FDICIA limits state chartered banks to only those principal activities permissible for national banks, except for other activities specifically approved by the FDIC.
Moreover, FATCA requires U.S. withholding agents, including U.S. banks, to withhold a tax (30%) on U.S.-sourced income payable to foreign financial institutions that do not agree to report certain information to the IRS regarding their U.S. accounts, as well as on payments to nonfinancial foreign entities that do not provide information on their U.S. account owners to withholding agents.
Moreover, FATCA requires U.S. withholding agents, including U.S. banks, to withhold a tax (30%) on U.S.-sourced income payable to foreign financial institutions that do not agree to report certain information to the IRS regarding their U.S. accounts, as well as on payments to nonfinancial foreign entities that do not provide information on their U.S. account owners to withholding agents. Office of Foreign Assets Control Regulation The United States has imposed economic sanctions that affect transactions with designated foreign countries, nationals, and others.
We are committed to implementing initiatives designed to promote workforce development, professional growth, and fair opportunities for all applicants and employees in all of our employment practices, including but not limited to, hiring, promoting, transferring, and compensating without regard to sex, race, color, national origin, genetic information, citizenship status, age, religion, veteran, disability, or any other characteristic protected by law.
Our employment practices are designed to promote workforce development, professional growth, and fair opportunities for all applicants and employees in all of our employment practices, including but not limited to, hiring, promoting, transferring, and compensating employees without regard to any characteristic protected by law.
Implementation of Basel IV began on January 1, 2023 and will continue over a five-year transition period by regulators in individual countries, including the U.S. federal bank regulatory agencies. The U.S. has targeted implementation of Basel IV to begin on July 1, 2025, subject to a three-year transition period with full compliance expected by July 1, 2028.
Implementation of Basel IV across the Basel Committee’s member jurisdictions began on January 1, 2023, and will continue over a five-year transition period by regulators in individual countries, including the U.S. federal bank regulatory agencies.
Part of the FAST Act amended the GLBA by providing financial institutions with an exception to the general requirement that those institutions deliver annual privacy notices. In late 2022, the CFPB issued an outline of proposed rules related to Section 1033 of Dodd-Frank, which requires the CFPB to implement regulations providing for the sharing of consumer financial information between financial institutions and consumer-authorized data recipients.
In late 2022, the CFPB issued an outline of proposed rules related to Section 1033 of Dodd-Frank, which requires the CFPB to implement regulations providing for the sharing of consumer financial information between financial institutions and consumer-authorized data recipients.

47 more changes not shown on this page.

Item 1A. Risk Factors

Risk Factors — what could go wrong, per management

26 edited · 3 added · 2 removed · 105 unchanged
Biggest change: Furthermore, if BaaS models continue to be more widely utilized by fintech companies to allow non-bank entities to expand into financial-service offerings, the need for traditional banking institutions may be reduced, which could cause us to experience a decline in customer acquisition and retention and increased pricing pressure in the financial-services industry, Additionally, as use of cryptocurrencies, blockchain technologies, and decentralized financial services gain broader regulatory approval, become more widely adopted by consumers, and become integrated into mainstream financial systems, we may be subject to additional competitive pressures from these alternative financial providers. which could reduce demand for the traditional banking services that we provide and draw customers away from traditional banking institutions like ours.
Biggest change: Additionally, as use of cryptocurrencies, blockchain technologies, and decentralized financial services gain broader regulatory approval, become more widely adopted by consumers, and become integrated into mainstream financial systems, we may be subject to additional competitive pressures from these alternative financial providers. which could reduce demand for the traditional banking services that we provide and draw customers away from traditional banking institutions like ours.
For additional information on the CECL methodology, see “Notes to Consolidated Financial Statements (4) Allowance for Credit Losses” in our 2024 Annual Report to Shareholders, which is filed as Exhibit 13 hereto. If real estate values in our target markets decline, the loan portfolio would be impaired.
For additional information on the CECL methodology, see “Notes to Consolidated Financial Statements (4) Allowance for Credit Losses” in our 2025 Annual Report to Shareholders, which is filed as Exhibit 13 hereto. If real estate values in our target markets decline, the loan portfolio would be impaired.
If we experience disruption in our business, unexpected significant declines in our operating results, or sustained market capitalization declines, it could result in goodwill impairment charges in the future, which would be recorded as charges against earnings. We performed an annual goodwill impairment assessment as of October 1, 2024.
If we experience disruption in our business, unexpected significant declines in our operating results, or sustained market capitalization declines, it could result in goodwill impairment charges in the future, which would be recorded as charges against earnings. We performed an annual goodwill impairment assessment as of October 1, 2025.
As of December 31, 2024, we had approximately $108 million in junior subordinated debentures outstanding that were purchased by our statutory trusts using the proceeds from the sale of trust preferred securities to third party investors. The junior subordinated debentures are senior to our shares of common stock.
As of December 31, 2025, we had approximately $108 million in junior subordinated debentures outstanding that were purchased by our statutory trusts using the proceeds from the sale of trust preferred securities to third party investors. The junior subordinated debentures are senior to our shares of common stock.
As a result, customers may choose to maintain deposits with larger financial institutions, to remove their deposits from the banking system altogether, or to invest in higher yielding, short-term fixed-income securities, which could adversely impact our liquidity, loan funding capacity, net interest margin, and results of operations.
As a result, customers may choose to maintain deposits with larger financial institutions, to remove their deposits from the banking system altogether, or to invest in higher yielding, short-term fixed-income securities, which could adversely impact our liquidity, loan funding capacity, net interest margin, and results of operations.
Depending on the future actions of the CFPB, the likelihood of lawsuits against financial institutions related to allegedly “unfair,” “deceptive” and “abusive” acts and practices could increase. Moreover, the costs related to such lawsuits would be significantly increased if the CFPB restricts the use of arbitration and/or class action waivers in consumer banking contracts.
Depending on the future actions of the CFPB, the likelihood of lawsuits against financial institutions related to allegedly “unfair,” “deceptive” and “abusive” acts and practices could increase. Moreover, the costs related to such lawsuits would be significantly increased if the CFPB restricts the use of arbitration and/or class action waivers in consumer banking contracts.
Further compounding the competition we face, technology and other changes are allowing parties to complete financial transactions that historically have involved banks through alternative, non-banking methods. The process of eliminating banks as intermediaries could result in the loss of fee income, as well as the loss of customer deposits and related income.
Further compounding the competition we face, technology and other changes are allowing parties to complete financial transactions that historically have involved banks through alternative, non-banking methods. The process of eliminating banks as intermediaries could result in the loss of fee income, as well as the loss of customer deposits and related income.
Earnings could also be adversely affected if the interest rates received on loans and other investments fall more quickly than the interest rates paid on deposits and other borrowings. Any substantial, unexpected, or prolonged change in market interest rates could have a material adverse effect on our financial condition and results of operations.
Earnings could also be adversely affected if the interest rates received on loans and other investments fall more quickly than the interest rates paid on deposits and other borrowings. Any substantial, unexpected, or prolonged change in market interest rates could have a material adverse effect on our financial condition and results of operations.
We have historically had access to a number of alternative sources of liquidity, but if there is an increase in volatility in the credit and liquidity markets, there is no assurance that we will be able to obtain such liquidity on terms that are favorable to us, or at all.
We have historically had access to a number of alternative sources of liquidity, but if there is an increase in volatility in the credit and liquidity markets, there is no assurance that we will be able to obtain such liquidity on terms that are favorable to us, or at all.
Although we have amplified our efforts to promote deposit insurance coverage with our customers, to proactively communicate with our customers in order to address any depository fears they may be experiencing as a result of the unrelated bank failures, and to implement policies for effectively managing our liquidity, deposit portfolio retention and other related matters, our financial condition, results of operation and stock price may be adversely affected by future negative events within the banking industry and negative customer or investor responses to such events. Recent volatility in the banking industry could prompt new legislation, regulations, and policy changes that could cause us to be subjected to additional regulatory oversight and supervision. Negative developments in the banking industry during 2023 and 2024, culminating in the failures of seven banks, prompted responses by the FDIC, the Federal Reserve, and the U.S.
Although we have amplified our efforts to promote deposit insurance coverage with our customers, to proactively communicate with our customers in order to address any depository fears they may be experiencing as a result of the unrelated bank failures, and to implement policies for effectively managing our liquidity, deposit portfolio retention and other related matters, our financial condition, results of operation and stock price may be adversely affected by future negative events within the banking industry and negative customer or investor responses to such events. Recent volatility in the banking industry could prompt new legislation, regulations, and policy changes that could cause us to be subjected to additional regulatory oversight and supervision. Negative developments in the banking industry from 2023 through 2025, culminating in the failures of multiple banks, prompted responses by the FDIC, the Federal Reserve, and the U.S.
We do not have an employment agreement with Mr. Nixon and the loss of his services could have a material adverse effect on our business and prospects. Our information systems may experience an interruption or breach in security. We rely heavily on communications and information systems to conduct our business.
We do not have an employment agreement with Mr. Nixon and the loss of his services could have a material adverse effect on our business and prospects. Our information systems may experience an interruption or breach in security. We rely heavily on communications and information systems to conduct our business.
Although we have established disaster recovery policies and procedures, any such event(s) in, near, or affecting the markets we serve could have a material adverse effect on our business. An impairment in the carrying value of our goodwill could negatively impact our earnings and capital.
Although we have established disaster recovery policies and procedures, any such event(s) in, near, or affecting the markets we serve could have a material adverse effect on our business. An impairment in the carrying value of our goodwill could negatively impact our earnings and capital.
Payments of the principal and interest on the trust preferred securities are conditionally guaranteed by us to the extent not paid or made by each trust. We must make payments on the junior subordinated debentures (and the related trust preferred securities) before any dividends can be paid on our common stock.
Payments of the principal and interest on the trust preferred securities are conditionally guaranteed by us to the extent not paid or made by each trust. We must make payments on the junior subordinated debentures (and the related trust preferred securities) before any dividends can be paid on our common stock.
Banking and other financial services companies, including us and our Subsidiary Banks, rely on technology companies to provide information technology products and services necessary to support our day-to-day operations. Technology companies frequently enter into litigation based on allegations of patent infringement or other violations of intellectual property rights.
Banking and other financial services companies, including us and our Subsidiary Banks, rely on technology companies to provide information technology products and services necessary to support our day-to-day operations. Technology companies frequently enter into litigation based on allegations of patent infringement or other violations of intellectual property rights.
Any such failure in our analytical or forecasting tools or models could have a material adverse effect on our business, financial condition, and results of operations. We may be adversely affected by declining crude oil prices.
Any such failure in our analytical or forecasting tools or models could have a material adverse effect on our business, financial condition, and results of operations. We may be adversely affected by declining crude oil prices.
The loss of revenue streams and the reduction of lower cost deposits as a source of funds could have a material adverse effect on our financial condition and results of operations.
The loss of revenue streams and the reduction of lower cost deposits as a source of funds could have a material adverse effect on our financial condition and results of operations.
Our financial condition, results of operation and stock price may be negatively impacted by negative publicity risk, diminished depositor confidence in depository institutions, and the increased threat of bank-run contagion. A total of five FDIC-insured banks failed between March to November 2023, three of which occurred during a less than two-month period from March to May 2023, and two more failed in 2024.
Our financial condition, results of operation and stock price may be negatively impacted by negative publicity risk, diminished depositor confidence in depository institutions, and the increased threat of bank-run contagion. A total of five FDIC-insured banks failed between March to November 2023, three of which occurred during a less than two-month period from March to May 2023, four more banks failed from 2024 to 2025, and one bank has failed thus far in 2026.
In his first week in office, President Trump signed an executive order entitled Strengthening American Leadership in Digital Financial Technology, which aims to “support the responsible growth and use of digital assets, blockchain technology, and related technologies across all sectors of the economy.” In alignment with the new executive order, the SEC announced a “Crypto 2.0” dedicated to developing a clear regulatory framework for crypto assets.
On January 23, 2025, President Trump signed an executive order entitled Strengthening American Leadership in Digital Financial Technology, which aims to “support the responsible growth and use of digital assets, blockchain technology, and related technologies across all sectors of the economy.” In alignment with the new executive order, the SEC announced a “Crypto 2.0” dedicated to developing a clear regulatory framework for crypto assets.
If economic conditions in these market areas weaken or worsen due to a decline in oil prices or other factors, or fail to improve or to continue to improve, we could experience an increase in loan delinquencies and non-performing assets, decreases in loan collateral values and a decrease in demand for our products and services, any of which could have a material adverse impact on our financial condition and results of operations.
If economic conditions in these market areas weaken or worsen due to a decline in oil prices or other factors, or fail to improve or to continue to improve, we could experience an increase in loan delinquencies and non-performing assets, decreases in loan collateral values and a decrease in demand for our products and services, any of which could have a material adverse impact on our financial condition and results of operations. We depend on the accuracy and completeness of information about customers and counterparties as well as the soundness of other financial institutions.
If the interest rates paid on deposits and other borrowings increase at a faster rate than the interest rates received on loans and other investments, our net interest income, and therefore earnings, could be adversely affected.
Volatility in interest rates may impact our net interest income and the valuation of our assets and liabilities. If the interest rates paid on deposits and other borrowings increase at a faster rate than the interest rates received on loans and other investments, our net interest income, and therefore earnings, could be adversely affected.
We depend on the accuracy and completeness of information about customers and counterparties as well as the soundness of other financial institutions. In deciding whether to extend credit or enter into other transactions, we may rely on information furnished by or on behalf of customers and counterparties, including financial statements, credit reports and other financial information.
In deciding whether to extend credit or enter into other transactions, we may rely on information furnished by or on behalf of customers and counterparties, including financial statements, credit reports and other financial information.
Declined economic activity in Mexico and cross-border trade resulting from the imposition of tariffs and trade restrictions may lead to lower deposit balances, increase the likelihood of loan defaults, and reduce the demand for the banking products and services that our Subsidiary Banks provide to customers domiciled in Mexico, reducing the circulating of money in our border communities as well as the major cities in Texas.
Declined economic activity in Mexico and cross-border trade resulting from the imposition of tariffs and trade restrictions may lead to lower deposit balances, increase the likelihood of loan defaults, and reduce the demand for the banking products and services that our Subsidiary Banks provide to customers domiciled in Mexico, reducing the circulating of money in our border communities as well as the major cities in Texas. Macroeconomic conditions could have a material adverse effect on our business, results of operations, and financial condition.
Although the Federal Reserve enacted three consecutive rate cuts in late 2024, reducing target interest rates to their current range of 4.25% to 4.50% by December 2024, the timing and extent of additional rate cuts remains uncertain.
Although the Federal Reserve enacted six rate cuts in 2024 and 2025, reducing target interest rates to their current range of 3.50% to 3.75% by December 2025, the timing and extent of additional rate cuts remains uncertain. The Federal Reserve declined to implement additional rate cuts in January 2026.
In addition, future laws or more stringent interpretations or enforcement policies with respect to existing laws may increase our exposure to environmental liability. The remediation costs and any other financial liabilities associated with an environmental hazard could have a material adverse effect on our financial condition and results of operations. Our controls and procedures may fail or be circumvented.
The remediation costs and any other financial liabilities associated with an environmental hazard could have a material adverse effect on our financial condition and results of operations. Our controls and procedures may fail or be circumvented.
Furthermore, our revenue and profitability could be negatively impacted by the costs associated with enhancing our existing systems, upgrading our existing technologies and product offerings, and integrating AI tools into our business and operational structure.
Furthermore, our revenue and profitability could be negatively impacted by the costs associated with enhancing our existing systems, upgrading our existing technologies and product offerings, and integrating AI tools into our business and operational structure. The development, adoption, and integration of AI in our banking services, processes, and products may subject us to increased technological risks, costs, uncertainties, and unpredictable outcomes while increasing our compliance costs and exposing us to new operational challenges.
The development, adoption, and integration of AI in our banking services, processes, and products may subject us to increased technological risks, costs, uncertainties, and unpredictable outcomes while increasing our compliance costs and exposing us to new operational challenges. AI-driven technologies are rapidly evolving and complex, and successfully integrating AI tools requires substantial investment, expertise, and continuous monitoring.
AI-driven technologies are rapidly evolving and complex, and successfully integrating AI tools requires substantial investment, expertise, and continuous monitoring.
Removed
The Federal Reserve declined to implement additional rate cuts in January 2025 and tempered rate-cut expectations by lowering the projected number of rate cuts anticipated in 2025 from four to two rate cuts. Volatility in interest rates may impact our net interest income and the valuation of our assets and liabilities.
Added
Further signaling support for digital assets and cryptocurrency markets, on March 6, 2025, President Trump issued an executive order entitled Establishing of the Strategic Bitcoin Reserve and United States Digital Asset Stockpile, directing the Department of the Treasury to establish a Strategic Bitcoin Reserve and a federal stockpile of other digital assets held by the U.S. government.
Removed
Macroeconomic conditions could have a material adverse effect on our business, results of operations, and financial condition.
Added
Furthermore, if BaaS models continue to be more widely utilized by fintech companies to allow non-bank entities to expand into financial-service offerings, the need for traditional banking institutions may be reduced, which could cause us to experience a decline in customer acquisition and retention and increased pricing pressure in the financial-services industry.
Added
In addition, future laws or more stringent interpretations or enforcement policies with respect to existing laws may increase our exposure to environmental liability.

Item 1C. Cybersecurity

Cybersecurity — threats and controls disclosure

13 edited · 2 added · 1 removed · 26 unchanged
Biggest change: Our CISO is responsible for ensuring appropriate security controls are implemented to prevent, detect, and respond to CATOs, establishing incident-response procedures to be employed if a CATO threat is in progress, and timely notifying our primary federal regulator of any CATO incidents that are required to be disclosed to comply with applicable laws, regulations, and CATO Policy procedures. Notwithstanding the robust nature of our defensive measures and security processes and the multi-layered governance system that we have established to mitigate, monitor, analyze, and respond to incidents, cybersecurity threats are increasingly difficult to detect, and the risk of a data breach or cyber-attack is pervasive and severe.
Biggest change: Our CISO is responsible for ensuring appropriate security controls are implemented to prevent, detect, and respond to CATOs, establishing incident-response procedures to be employed if a CATO threat is in progress, and timely notifying our primary federal regulator of any CATO incidents that are required to be disclosed to comply with applicable laws, regulations, and CATO Policy procedures.
Some of the steps we have taken and processes we have implemented to assess, identify, and manage material risks from cybersecurity threats include the following:
· Forming a Security Council Committee (SCC), which consists primarily of members of our management team and IT department, to develop and oversee our cybersecurity policies and infrastructure and establishing a multi-tiered reporting and governance system pursuant to which our SCC reports to our Service Center Board, which reports to our Risk Committee, which reports to our Board;
· Implementing heightened safety measures, physical-security controls, and controlled-access requirements to protect the Service Center that houses the hardware and infrastructure used to store and transmit sensitive and confidential bank, customer, and employee information in accordance with the FFIEC IT Examination Handbook on Information Security and designating a specialized Service Center Board within the Service Center Department to oversee the protection of the Service Center’s physical integrity;
· Maintaining a clearly defined ISSP, which prescribes measures to establish and enforce our security program, addresses each component of our information security (IS) position, and advances our objectives of protecting and managing risks to our data and security systems by establishing policies, standards, controls, procedures, and guidelines that address topics such as security and privacy governance, statutory, regulatory, and contractual compliance, business and disaster recovery, change management, identification and authentication processes, expectations for continuous monitoring, asset management, third-party provider management, endpoint security, and incident responses, among others;
· Conducting an annual self-assessment using the Cyber Risk Institute (based on the NIST Cybersecurity Framework) to review our cyber risk-management strategy and framework, assess the effectiveness and legal and regulatory compliance of our organizational cybersecurity policy, and evaluate our policies and procedures for identifying risks, protecting information, detecting security threats, responding to cyber incidents, executing recovery plans, and managing levels of external dependence and resiliency;
· Conducting regular cybersecurity training for our employees regarding security awareness, the proper use and handling of sensitive information, and the protocols in place to identify, assess, and manage any cybersecurity threats and periodically testing employees’ cybersecurity knowledge, policy compliance, and response rates by engaging with third-party providers to conduct internal social engineering campaigns;
· Engaging in security-incident preparedness simulations and completing disaster recovery and resilience tests designed to test and strengthen any vulnerabilities in our cybersecurity infrastructure;
· Employing robust encryption and anonymization technologies and other cybersecurity monitoring and auditing systems to fortify our cybersecurity framework, including through our Online Banking Enhanced Security Program, which requires the authorized users on a customer’s account to be validated and employs multi-factor authentication (MFA), which requires each of our retail and commercial customers to authenticate their identities by entering a secure access code that our MFA system automatically generates and sends to the customer each time there is an attempted login to the customer’s online banking account;
· Implementing MFA protections for our treasury customers by prohibiting their initiation of ACH transactions or wire transfers until they authenticate their identities using a security token that is generated and sent by our online-banking MFA system;
· Communicating awareness and education of security risks, social engineering and scams affecting our customers through targeted marketing and social media messaging strategies and campaigns;
· Monitoring electronic mail and other network intrusion attempts with various tools to identify and stop intrusion and malware threats;
· Scanning and assessing vulnerabilities arising from software and hardware on our network infrastructure, ATMs, software applications, computers, copiers and other electronic assets to ensure that vulnerabilities are identified and resolved timely;
· Establishing a risk-appetite profile, which we review at least annually to regularly assess our cybersecurity infrastructure and software systems in a manner that ensures we capture their current state and identify emerging risks that would require changes in our cyber environment;
· Leveraging internal and external auditors as well as security consultants to review the procedures, systems, and controls that comprise our ISSP to evaluate their design and operational effectiveness and to address any operational deficiencies or security weaknesses; and
· Maintaining an Incident Response Plan that establishes our procedures and standards for responding to actual or potential cybersecurity threats or incidents, which we review at least annually.
Some of the steps we have taken and processes we have implemented to assess, identify, and manage material risks from cybersecurity threats include the following: 35 Table of Contents · Forming a Security Council Committee (SCC), which consists primarily of members of our management team and IT department, to develop and oversee our cybersecurity policies and infrastructure and establishing a multi-tiered reporting and governance system pursuant to which our SCC reports to our Service Center Board, which reports to our Risk Committee, which reports to our Board; · Implementing heightened safety measures, physical-security controls, and controlled-access requirements to protect the Service Center that houses the hardware and infrastructure used to store and transmit sensitive and confidential bank, customer, and employee information in accordance with the FFIEC IT Examination Handbook on Information Security and designating a specialized Service Center Board within the Service Center Department to oversee the protection of the Service Center’s physical integrity; · Maintaining a clearly defined ISSP, which prescribes measures to establish and enforce our security program, addresses each component of our information security (IS) position, and advances our objectives of protecting and managing risks to our data and security systems by establishing policies, standards, controls, procedures, and guidelines that address topics such as security and privacy governance, statutory, regulatory, and contractual compliance, business and disaster recovery, change management, identification and authentication processes, expectations for continuous monitoring, asset management, third-party provider management, endpoint security, and incident responses, among others; Conducting an annual self-assessment using the Cyber Risk Institute (based on the NIST Cybersecurity Framework) to review our cyber risk-management strategy and framework, assess the effectiveness and legal and 
regulatory compliance of our organizational cybersecurity policy, and evaluate our policies and procedures for identifying risks, protecting information, detecting security threats, responding to cyber incidents, executing recovery plans, and managing levels of external dependence and resiliency; · Conducting regular cybersecurity training for our employees regarding security awareness, the proper use and handling of sensitive information, and the protocols in place to identify, assess, and manage any cybersecurity threats and periodically testing employees’ cybersecurity knowledge, policy compliance, and response rates by engaging with third-party providers to conduct internal social engineering campaigns; · Engaging in security-incident preparedness simulations and completing disaster recovery and resilience tests designed to test and strengthen any vulnerabilities in our cybersecurity infrastructure; · Employing robust encryption and anonymization technologies and other cybersecurity monitoring and auditing systems to fortify our cybersecurity framework, including through our Online Banking Enhanced Security Program, which requires the authorized users on a customer’s account to be validated and employs multi-factor authentication (MFA), which requires each of our retail and commercial customers to authenticate their identities by entering a secure access code that our MFA system automatically generates and sends to the customer each time there is an attempted login to the customer’s online banking account; · Implementing MFA protections for our treasury customers by prohibiting their initiation of ACH transactions or wire transfers until they authenticate their identities using a security token that is generated and sent by our online-banking MFA system; Communicating awareness and education of security risks, social engineering and scams affecting our customers through targeted marketing and social media messaging strategies and campaigns; Monitoring 
electronic mail and other network intrusion attempts with various tools to identify and stop intrusion and malware threats; Scanning and assessing vulnerabilities arising from software and hardware on our network infrastructure, ATMs, software applications, computers, copiers and other electronic assets to ensure that vulnerabilities are identified and resolved timely; · Establishing a risk-appetite profile, which we review at least annually to regularly assess our cybersecurity infrastructure and software systems in a manner that ensures we capture their current state and identify emerging risks that would require changes in our cyber environment; · Leveraging internal and external auditors as well as security consultants to review the procedures, systems, and controls that comprise our ISSP to evaluate their design and operational effectiveness and to address any operational deficiencies or security weaknesses; and · Maintaining an Incident Response Plan that establishes our procedures and standards for responding to actual or potential cybersecurity threats or incidents, which we review at least annually.
Types of incidents that would generally require the activation of our IRT include but are not limited to a breach of personal information, a denial-of-service (DoS) or distributed DoS attack, excessive port scans, a firewall breach, or a virus or malware outbreak. · If the type of incident or the threat created by the incident necessitates a full-scale response by the IRT, the CISO notifies a team of network and security engineers, security analysts, and Windows / Unix / Linux systems administrators (collectively, the IT Security and Engineering Teams). · At the CISO’s direction, the IT Security and Engineering Teams gather intel regarding the incident and take pre-planned steps to mitigate harm, address system weaknesses, and block ongoing threats.
Types of incidents that would generally require the activation of our IRT include but are not limited to a breach of personal information, a denial-of-service (DoS) or distributed DoS attack, excessive port scans, a firewall breach, or a virus or malware outbreak. · If the type of incident or the threat created by the incident necessitates a full-scale response by the IRT, the CISO notifies a team of network and security engineers, security analysts, and Windows / Unix / Linux systems administrators (collectively, the IT Security and Engineering Teams). · At the CISO’s direction, the IT Security and Engineering Teams gather intel regarding the incident and take pre-planned steps to mitigate harm, address system weaknesses, and block ongoing threats.
As part of our cybersecurity governance framework and for purposes of establishing and maintaining our ISSP, we have established an SCC, which consists of members of our management team and IT department. The SCC is subject to oversight by the Service Center Board, the Risk Committee, and the Board.
Governance Security Council Committee. As part of our cybersecurity governance framework and for purposes of establishing and maintaining our ISSP, we have established an SCC, which consists of members of our management team and IT department. The SCC is subject to oversight by the Service Center Board, the Risk Committee, and the Board.
As part of our ISSP and strategy for managing cybersecurity risks, we have adopted the following cybersecurity policies: · Enterprise Information Systems Security Policy, which, among other objectives, prescribes a comprehensive framework for creating a practice-based Information Security Management System; protecting the confidentiality, integrity, and availability of our data and systems; providing for the development, review, maintenance, and ability to ensure the effectiveness of minimum security controls required to protect our data and systems; and recognizing the highly-networked nature of the current computing environment to provide effective company-wide management and oversight of related cybersecurity risks; · Corporate Account Takeover Policy, which serves to mitigate the risks of corporate account takeover crimes and to document our compliance with the Texas Department of Banking’s Supervisory Memorandum 1029 on “Risk Management of Account Takeovers,” dated September 30, 2019, and the FFIEC’s guidance on “Authentication and Access to Financial Institution Services and Systems,” dated August 11, 2021; · Vendor Management Policy, which provides a risk-based process for identifying, measuring, monitoring, and managing third-party relationships with new and existing vendors by requiring an assessment, categorization, and ranking of the risks associated with each third-party vendor and implements a third-party risk-management process that focuses on risk assessment, due diligence in selecting third-party vendors, contract structuring and review, and ongoing oversight of the operational and financial performance of the third-party vendor’s products and services; · Service Center Physical Security for Data and Computing Equipment Policy, which provides directives for implementing appropriate physical security controls to protect the hardware, infrastructure, and systems that store and transmit our sensitive information and data from 
damage, unauthorized access, and loss of availability; to monitor, analyze, and properly disclose security alerts and information; and to administer other administrative and technical operational security procedures; and · Security Incident Response Policy, which establishes the steps necessary to ensure a timely and adequate response to security incidents impacting our security systems or infrastructure.
As part of our ISSP and strategy for managing cybersecurity risks, we have adopted the following cybersecurity policies: · Enterprise Information Systems Security Policy, which, among other objectives, prescribes a comprehensive framework for creating a practice-based Information Security Management System; protecting the confidentiality, integrity, and availability of our data and systems; providing for the development, review, maintenance, and ability to ensure the effectiveness of minimum security controls required to protect our data and systems; and recognizing the highly-networked nature of the current computing environment to provide effective company-wide management and oversight of related cybersecurity risks; · Corporate Account Takeover Policy, which serves to mitigate the risks of corporate account takeover crimes and to document our compliance with the Texas Department of Banking’s Supervisory Memorandum 1029 on “Risk Management of Account Takeovers,” dated September 30, 2019, and the FFIEC’s guidance on “Authentication and Access to Financial Institution Services and Systems,” dated August 11, 2021; · Vendor Management Policy, which provides a risk-based process for identifying, measuring, monitoring, and managing third-party relationships with new and existing vendors by requiring an assessment, categorization, and ranking of the risks associated with each third-party vendor and implements a third-party risk-management process that focuses on risk assessment, due diligence in selecting third-party vendors, contract structuring and review, and ongoing oversight of the operational and financial performance of the third-party vendor’s products and services; · Service Center Physical Security for Data and Computing Equipment Policy, which provides directives for implementing appropriate physical security controls to protect the hardware, infrastructure, and systems that store and transmit our sensitive information and data from damage, unauthorized 
access, and loss of availability; to monitor, analyze, and properly disclose security alerts and information; and to administer other administrative and technical operational security procedures; · Security Incident Response Policy, which establishes the steps necessary to ensure a timely and adequate response to security incidents impacting our security systems or infrastructure; and Artificial Intelligence Ethics & Governance Policy, which integrates AI-specific security requirements into our ISSP and incident response processes.
We have implemented robust, multi-layer security procedures and defense strategies that aim to proactively mitigate cyber risks, enable our early detection and prevention of security incidents, minimize our vulnerability to attacks, and protect us from both internal and external cybersecurity threats.
We have implemented robust, multi-layer security procedures and defense strategies that aim to proactively mitigate cyber risks, enable our early detection and prevention of security incidents, minimize our vulnerability to attacks, and protect us from both internal and external cybersecurity threats.
Additionally, the CISO meets with our Audit Committee on a quarterly basis to inform them of material cybersecurity-related regulatory updates and with our full Board on a monthly basis to discuss and provide pertinent regulatory information. Procedures Governing our Cybersecurity Incident Responses.
Additionally, the CISO meets with our Audit Committee on a quarterly basis to inform them of material cybersecurity-related regulatory updates and with our full Board on a monthly basis to discuss and provide pertinent regulatory information. Procedures Governing our Cybersecurity Incident Responses.
In addition to the SCC and Risk Committees, we have established a Technology Committee, a Senior Management Committee, and a Business Continuity and Disaster Recovery (BC/DR) Committee. Each oversees aspects of our ISSP and coordinates with the SCC to implement various cybersecurity procedures. Chief Information Security Officer.
In addition to the SCC and Risk Committees, we have established a Technology Committee, a Senior Management Committee, and a Business Continuity and Disaster Recovery (BC/DR) Committee. Each oversees aspects of our ISSP and coordinates with the SCC to implement various cybersecurity procedures.
At least annually, the CISO presents all of our IS policies to the Board. The CISO is also tasked with maintaining an effective Security Awareness Program and providing training to our management, Board, and employees on an annual basis.
Our CISO reports to our Senior and Executive Management Committee, the SCC, the Risk Committee, and the Chairman of the Board. At least annually, the CISO presents all of our IS policies to the Board. The CISO is also tasked with maintaining an effective Security Awareness Program and providing training to our management, Board, and employees on an annual basis.
The CISO or other designated IS personnel may participate with the Business Unit Manager in contract negotiations as needed. Procedures Governing our Corporate Account Takeover Responses.
In addition to working alongside the Vendor Manager to categorize and rank vendor risks, the Business Unit Manager participates in contract review and negotiations, establishes performance-monitoring controls, and completes vendor reviews. The CISO or other designated IS personnel may participate with the Business Unit Manager in contract negotiations as needed. Procedures Governing our Corporate Account Takeover Responses.
Depending on their risk level, we may subject certain Vendors to heightened security requirements, such as enhanced risk assessments, ongoing monitoring, or additional contractual controls to restrict their levels of information access. Governance Security Council Committee.
Our Vendor Management Policy establishes clearly defined requirements of engagements with Vendors and requires them to uphold similar security standards to those we internally require. Depending on their risk level, we may subject certain Vendors to heightened security requirements, such as enhanced risk assessments, ongoing monitoring, or additional contractual controls to restrict their levels of information access.
Before entering into any vendor contract, the Business Unit Manager that will be contracting for the vendor’s service or product must perform a thorough risk evaluation. In addition to working alongside the Vendor Manager to categorize and rank vendor risks, the Business Unit Manager participates in contract review and negotiations, establishes performance-monitoring controls, and completes vendor reviews.
Before entering into any vendor contract, the Business Unit Manager that will be contracting for the vendor’s service or product must perform a thorough risk evaluation.
In addition to establishing the SCC and other committees, we designated a Chief Information Security Officer (CISO) to oversee all aspects of our IS policies, procedures, and controls. Our CISO reports to our Senior and Executive Management Committee, the SCC, the Risk Committee, and the Chairman of the Board.
We have also implemented an enterprise AI governance framework, which provides cross-functional oversight of AI solutions across the Company, including the IT and Vendor Management Departments. Chief Information Security Officer. In addition to establishing the SCC and other committees, we designated a Chief Information Security Officer (CISO) to oversee all aspects of our IS policies, procedures, and controls.
Removed
Our Vendor Management Policy establishes clearly defined requirements of engagements with Vendors and requires them to uphold similar security standards to those we internally require.
Added
Our ISSP also applies to cybersecurity and data protection risks associated with artificial intelligence, including generative artificial intelligence, whether those risks arise from our use of AI solutions or from AI-enabled threats and attack techniques used by malicious actors.
Added
Notwithstanding the robust nature of our defensive measures and security processes and the multi-layered governance system that we have established to mitigate, monitor, analyze, and respond to incidents, cybersecurity threats are increasingly difficult to detect, and the risk of a data breach or cyber-attack is pervasive and severe.

Item 3. Legal Proceedings

Legal Proceedings — active lawsuits and investigations

2 edited · 0 added · 0 removed · 2 unchanged
Biggest change: Further information regarding legal proceedings has been provided in Note 15 of the Notes to Consolidated Financial Statements located on page 66 of the 2024 Annual Report to Shareholders, which is filed as Exhibit 13 hereto and incorporated herein by reference.
Biggest change: Further information regarding legal proceedings has been provided in Note 15 of the Notes to Consolidated Financial Statements located on page 65 of the 2025 Annual Report to Shareholders, which is filed as Exhibit 13 hereto and incorporated herein by reference. Item 4. Mine Safety Disclosures None Part II
Many of these matters are in various stages of proceedings and further developments could cause management to revise our assessment of these matters.
Many of these matters are in various stages of proceedings and further developments could cause management to revise our assessment of these matters.

Item 5. Market for Registrant's Common Equity

Market for Common Equity — stock, dividends, buybacks

1 edited · 0 added · 0 removed · 0 unchanged
Biggest change: Item 5. Market for the Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities The information set forth under the caption “Common Stock and Dividends,” “Stock Repurchase Program,” and “Equity Compensation Plan Information” located on pages 24 and 25 of our 2024 Annual Report is incorporated herein by reference.
Biggest change: Item 5. Market for Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities The information set forth under the caption “Common Stock and Dividends,” “Stock Repurchase Program,” and “Equity Compensation Plan Information” located on pages 23 and 25 of our 2025 Annual Report is incorporated herein by reference. Item 6. [Reserved]

Item 7. Management's Discussion & Analysis

Management's Discussion & Analysis (MD&A) — revenue / margin commentary

1 edited · 0 added · 0 removed · 0 unchanged
Biggest change: Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations The information set forth under the caption “Management’s Discussion and Analysis of Financial Condition and Results of Operations” located on pages 2 through 24 of our 2024 Annual Report is incorporated herein by reference.
Biggest change: Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations The information set forth under the caption “Management’s Discussion and Analysis of Financial Condition and Results of Operations” located on pages 2 through 23 of our 2025 Annual Report is incorporated herein by reference.

Other IBOC 10-K year-over-year comparisons