What changed in INTERNATIONAL BANCSHARES CORP's 2024 10-K compared to 2023?

Across the narrative sections we track, INTERNATIONAL BANCSHARES CORP (IBOC) added 188 paragraphs, removed 148, and edited 127 between the 2023 and 2024 10-K filings. The biggest movers are Item 1. Business (+115/−108), Item 1A. Risk Factors (+53/−21), Item 1C. Cybersecurity (+17/−16).

Did INTERNATIONAL BANCSHARES CORP add new Risk Factors in the 2024 10-K?

Yes — Item 1A Risk Factors shows 53 new/edited paragraphs and 21 removed paragraphs versus the 2023 10-K.

What changed in INTERNATIONAL BANCSHARES CORP's MD&A (Item 7) in 2024?

Item 7 Management's Discussion & Analysis shows 1 new/edited paragraphs and 1 removed paragraphs year-over-year. Read the side-by-side diff to see exactly which revenue, margin, and outlook commentary was rewritten.

Did INTERNATIONAL BANCSHARES CORP update its Cybersecurity disclosure (Item 1C) in 2024?

Item 1C Cybersecurity has 17 paragraph-level changes between the 2023 and 2024 filings.

Did INTERNATIONAL BANCSHARES CORP's Legal Proceedings (Item 3) change in 2024?

Item 3 shows 1 added/edited paragraphs and 1 removed paragraphs — usually indicating new litigation disclosed or settled cases removed.

Where does this IBOC 10-K diff come from?

The source filings are INTERNATIONAL BANCSHARES CORP's official 2023 and 2024 Form 10-K annual reports from SEC EDGAR. 10q10k.net parses each filing, aligns paragraphs by section (Item 1, 1A, 1C, 2, 3, 7, 7A), and highlights every added, removed and edited sentence side-by-side.

What changed in INTERNATIONAL BANCSHARES CORP's 10-K — 2023 vs 2024

Paragraph-level year-over-year comparison of INTERNATIONAL BANCSHARES CORP's 2023 and 2024 10-K annual filings, covering the Business, Risk Factors, Legal Proceedings, Cybersecurity, MD&A and Market Risk sections. Every new, removed and edited paragraph is highlighted side-by-side so you can see exactly what management changed in the 2024 report.

+188 added−148 removedSource: 10-K (2025-02-27) vs 10-K (2024-02-26)

Top changes in INTERNATIONAL BANCSHARES CORP's 2024 10-K

188 paragraphs added · 148 removed · 127 edited across 6 sections

Item 1. Business+115 / −108 · 89 edited
Item 1A. Risk Factors+53 / −21 · 20 edited
Item 1C. Cybersecurity+17 / −16 · 15 edited
Item 3. Legal Proceedings+1 / −1 · 1 edited
Item 5. Market for Registrant's Common Equity+1 / −1 · 1 edited

Item 1. Business

Business — how the company describes what it does

89 edited+26 added−19 removed183 unchanged

2023 filing

2024 filing

Biggest changeRather than electing a phase-in option, we immediately recognized the capital impact upon adopting the CECL accounting standards on January 1, 2020, which resulted in an increase in our allowance for probable loan losses and a one-time cumulative-effect adjustment to retained earnings upon adoption. 17 Table of Contents State Enforcement Powers The Banking Commissioners of Texas and Oklahoma may determine to close a Texas or Oklahoma state bank, respectively, if such Commissioner finds that the interests of depositors and creditors of the state bank are jeopardized through its current or imminent insolvency and that it is in the best interest of such depositors and creditors that the bank be closed.

Deposit Insurance All of the Subsidiary Banks are examined by the FDIC, which currently insures the deposits of each Subsidiary Bank up to the applicable limits provided by law.

Deposit Insurance All the Subsidiary Banks are examined by the FDIC, which currently insures the deposits of each Subsidiary Bank up to the applicable limits provided by law.

The policy provides that bank holding companies should not maintain a level of cash dividends that undermines the bank holding company’s ability to serve as a source of strength to its banking subsidiaries. The FRB has historically discouraged dividend payment ratios that are at the maximum allowable levels unless both asset quality and capital are very strong.

Our team approach allows us to nurture excellence in our staff in order to develop superior valuation skills so that each of our staff members better understand the risks and returns of transactions better than our competitors. We provide extensive 4 Table of Contents training to our employees in an effort to ensure that our customers receive superior customer service.

Our team approach allows us to nurture excellence in our staff to develop superior valuation skills so that each of our staff members better understand the risks and returns of transactions better than our competitors. We provide extensive training 4 Table of Contents to our employees in an effort to ensure that our customers receive superior customer service.

None of our Subsidiary Banks were subject to the special assessment. Capital Adequacy Our holding company and our Subsidiary Banks are required to meet certain minimum regulatory capital guidelines. The FRB has historically utilized a system based upon risk-based capital guidelines under a two-tier capital framework to evaluate the capital adequacy of bank holding companies.

None of our Subsidiary Banks are subject to the special assessment. Capital Adequacy Our holding company and our Subsidiary Banks are required to meet certain minimum regulatory capital guidelines. The FRB has historically utilized a system based upon risk-based capital guidelines under a two-tier capital framework to evaluate the capital adequacy of bank holding companies.

Our principal assets at December 31, 2023, consisted of all the outstanding capital stock of four Texas state banking associations and one Oklahoma state banking corporation as follows: ● International Bank of Commerce, located in Laredo, Texas (IBC); ● Commerce Bank, located in Laredo, Texas (Commerce Bank); ● International Bank of Commerce, located in Brownsville, Texas (IBC Brownsville); ● International Bank of Commerce, located in Zapata, Texas (IBC Zapata); and ● International Bank of Commerce, located in Oklahoma City, Oklahoma (IBC-Oklahoma). These five subsidiary banks are collectively referred to in this report as our “Subsidiary Banks.” Our philosophy focuses on customer service as represented by the motto, “We Do More.” Our Subsidiary Banks maintain a strong commitment to their local communities by, among other things, appointing selected community members to local advisory boards.

Our principal assets at December 31, 2024, consisted of all the outstanding capital stock of four Texas state banking associations and one Oklahoma state banking corporation as follows: ● International Bank of Commerce, located in Laredo, Texas (IBC); ● Commerce Bank, located in Laredo, Texas (Commerce Bank); ● International Bank of Commerce, located in Brownsville, Texas (IBC Brownsville); ● International Bank of Commerce, located in Zapata, Texas (IBC Zapata); and ● International Bank of Commerce, located in Oklahoma City, Oklahoma (IBC-Oklahoma). These five subsidiary banks are collectively referred to in this report as our “Subsidiary Banks.” Our philosophy focuses on customer service as represented by the motto, “We Do More.” Our Subsidiary Banks maintain a strong commitment to their local communities by, among other things, appointing selected community members to local advisory boards.

We teach and train our employees to understand the reality of our customers’ everyday business, and to provide practical solutions based on significant experience, ingenuity, continuity, balance, integrity, intelligence, and very strong work ethic and technical skills, including significant bilingual capabilities.

We teach and train our employees to understand the reality of our customers’ everyday business, and to provide practical solutions based on extensive experience, ingenuity, continuity, balance, integrity, intelligence, and very strong work ethic and technical skills, including significant bilingual capabilities.

The corresponding provisions of the Federal Deposit Insurance Corporation Improvement Act (FDICIA) mandate corrective actions be taken if a bank is undercapitalized. Based on our capital ratios as of December 31, 2023, our holding company and each of the Subsidiary Banks were classified as “well capitalized” under the applicable regulations.

The corresponding provisions of the Federal Deposit Insurance Corporation Improvement Act (FDICIA) mandate corrective actions be taken if a bank is undercapitalized. Based on our capital ratios as of December 31, 2024, our holding company and each of the Subsidiary Banks were classified as “well capitalized” under the applicable regulations.

As of December 31, 2023, each of our Subsidiary Banks are “well capitalized” based on the aforementioned ratios pursuant to the Basel III capital rules. Liquidity Requirements Historically, regulation and monitoring of bank and bank holding company liquidity has been addressed as a supervisory matter, without required formulaic measures.

As of December 31, 2024, each of our Subsidiary Banks are “well capitalized” based on the aforementioned ratios pursuant to the Basel III capital rules. Liquidity Requirements Historically, regulation and monitoring of bank and bank holding company liquidity has been addressed as a supervisory matter, without required formulaic measures.

Further, the Basel III capital rules establish calculations for risk-weighted assets using alternatives to credit ratings that are based on either the weighted average of the underlying collateral or a formula based on subordination position and delinquencies or the use of a 1,250% risk rating, which is be the default rating that a banking organization must apply to a securitization exposure if it does not meet certain requisite due diligence standards and does not demonstrate a comprehensive understanding of the exposure.

Today, we have 166 facilities and 256 ATMs serving 75 communities in Texas and Oklahoma. Through the Subsidiary Banks, we are engaged in the business of accepting checking and savings deposits and the making of commercial, real estate, personal, home improvement, automobile and other installment and term loans.

Today, we have 166 facilities and 255 ATMs serving 75 communities in Texas and Oklahoma. Through the Subsidiary Banks, we are engaged in the business of accepting checking and savings deposits and the making of commercial, real estate, personal, home improvement, automobile and other installment and term loans.

Some Subsidiary Banks are very active in facilitating international trade along the United States border with Mexico and elsewhere. Our international banking business includes providing letters of credit, making commercial and industrial loans and providing foreign-exchange services.

Some Subsidiary Banks are highly active in facilitating international trade along the United States border with Mexico and elsewhere. Our international banking business includes providing letters of credit, making commercial and industrial loans, and providing foreign-exchange services.

Under the final rule, most of the CRA changes will only affect “large” banks with assets of more than $2 billion while allowing small and mid-sized banks to elect to be evaluated based on certain of the new rules.

Under the final rule, most of the CRA changes would only affect “large” banks with assets of more than $2 billion while allowing small and mid-sized banks to elect to be evaluated based on certain of the new rules.

Our completion of the transition from LIBOR during the second quarter of 2023 did not have any adverse impacts on our business, financial condition, or results of operations, and each of the loan documents, financial instruments, and other agreements related to our LIBOR-based securities had fallback provisions that determined what reference rate would replace LIBOR upon its discontinuation.

Our completion of the transition from LIBOR during the second quarter of 2023 did not have any adverse impacts on our business, financial 6 Table of Contents condition, or results of operations, and each of the loan documents, financial instruments, and other agreements related to our LIBOR-based securities had fallback provisions that determined what reference rate would replace LIBOR upon its discontinuation.

Although updates to the CRA’s implementing regulations were necessary to address the changes in the banking industry and the increase in online and mobile banking, the changes under the final rule include significant increases in data collection, testing, and evaluation metrics related to geography and assessment areas.

Although updates to the CRA’s implementing regulations were necessary to address the changes in the banking industry and the increase in online and mobile banking, the changes under the final rule included significant increases in data collection, testing, and evaluation metrics related to geography and assessment areas.

In April 2011 and June 2016, the SEC and the federal banking agencies issued joint notices of proposed rulemaking that would prohibit a covered financial institution from establishing or maintaining any incentive-based compensation arrangements for covered persons that expose the financial institution to inappropriate risks by providing the covered person with excessive compensation that could lead to a material financial loss.

In April 2011 and June 2016, the SEC and the federal banking agencies issued joint notices of proposed rulemaking that would prohibit a covered financial institution from establishing or maintaining any incentive-based compensation arrangements for covered persons 23 Table of Contents that expose the financial institution to inappropriate risks by providing the covered person with excessive compensation that could lead to a material financial loss.

The Dodd-Frank Act requires the federal banking agencies to jointly issue rules implementing the “source of strength” doctrine, but as of December 31, 2023, the FRB and other federal banking regulators have not yet issued such rules.

The Dodd-Frank Act requires the federal banking agencies to jointly issue rules implementing the “source of strength” doctrine, but as of December 31, 2024, the FRB and other federal banking regulators have not yet issued such rules.

In the event of a liquidation or other resolution of an insured depository institution like any of our Subsidiary Banks, the claims of depositors and other 17 Table of Contents general or subordinated creditors of the bank are entitled to a priority of payment over the claims of holders of any obligation of the bank to its shareholders, including any depository institution holding company (like us) or any shareholder or creditor thereof.

In the event of a liquidation or other resolution of an insured depository institution like any of our Subsidiary Banks, the claims of depositors and other general or subordinated creditors of the bank are entitled to a priority of payment over the claims of holders of any obligation of the bank to its shareholders, including any depository institution holding company (like us) or any shareholder or creditor thereof.

In 2021, the federal banking agencies adopted a rule governing computer security incidents and, in part, the rule requires notification by a regulated institution to its primary federal regulator in the event of certain cybersecurity-related incidents. 20 Table of Contents In February 2018, the SEC published interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.

In 2021, the federal banking agencies adopted a rule governing computer security incidents and, in part, the rule requires notification by a regulated institution to its primary federal regulator in the event of certain cybersecurity-related incidents. In February 2018, the SEC published interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.

Compensation, fees, and benefits would be deemed excessive if the amounts paid were unreasonable or disproportionate to the value of the services performed by a covered person, taking into account an array 23 Table of Contents of factors. The proposal would apply to financial institutions with more than $1 billion in assets.

Compensation, fees, and benefits would be deemed excessive if the amounts paid were unreasonable or disproportionate to the value of the services performed by a covered person, taking into account an array of factors. The proposal would apply to financial institutions with more than $1 billion in assets.

Under the CTA’s access rule, a reporting company’s beneficial-ownership information is deemed confidential but can be disclosed by FinCEN to six categories of recipients, 8 Table of Contents including financial institutions that are subject to customer due diligence obligations and have received the reporting company’s consent to access its beneficial-ownership information.

Under the CTA’s access rule, a reporting company’s beneficial-ownership information is deemed confidential but can be disclosed by FinCEN to six categories of recipients, including financial institutions that are subject to customer due diligence obligations and have received the reporting company’s consent to access its beneficial-ownership information.

Each of our Subsidiary Banks is subject to similar capital requirements adopted by the FDIC and had a leverage ratio in excess of 5% as of December 31, 2023.

Each of our Subsidiary Banks is subject to similar capital requirements adopted by the FDIC and had a leverage ratio in excess of 5% as of December 31, 2024.

Two of our Subsidiary Banks are considered “intermediate small banks” and IBC, IBC Brownsville and IBC Oklahoma are considered “large banks” under the new asset thresholds. 18 Table of Contents Consumer Laws In addition to the laws and regulations discussed herein, the Subsidiary Banks are also subject to numerous consumer laws and regulations that are designed to protect consumers in transactions with banks.

Two of our Subsidiary Banks are considered “intermediate small banks” and IBC, IBC Brownsville and IBC Oklahoma are considered “large banks” under the new asset thresholds. Consumer Laws In addition to the laws and regulations discussed herein, the Subsidiary Banks are also subject to numerous consumer laws and regulations that are designed to protect consumers in transactions with banks.

If enacted, the legislation would broaden the types of legal violations that affect CRA scores, require banks to form community advisory committees in each market they serve (based on metropolitan statistical areas), require proof of impact for community service and charity efforts to receive CRA credit, and require large banks to collect and report even more information related to borrower demographics.

If enacted, the legislation would have broadened the types of legal violations that affect CRA scores, require banks to form community advisory committees in each market they serve (based on metropolitan statistical areas), required proof of impact for community service and charity efforts to receive CRA credit, and required large banks to collect and report even more information related to borrower demographics.

Significant recent CFPB developments that may affect operations and compliance costs include: ● positions taken by the CFPB on fair lending, including applying the disparate impact theory which could make it more difficult for lenders to charge different rates or to apply different terms to loans to different customers; ● the CFPB’s final rule amending Regulation C, which implements the Home Mortgage Disclosure Act, requiring most lenders to report expanded information in order for the CFPB to more effectively monitor fair lending concerns and other information shortcomings identified by the CFPB; ● positions taken by the CFPB regarding the Electronic Fund Transfer Act and Regulation E, which require companies to obtain consumer authorizations before automatically debiting a consumer’s account for pre-authorized electronic funds transfers; ● focused efforts on enforcing certain compliance obligations the CFPB deems a priority, such as automobile loan servicing, debt collection, mortgage origination and servicing, remittances, and fair lending, among others. ● the CFPB’s proposed Dodd-Frank Section 1033 consumer financial data sharing rule, which will require financial institutions to provide consumers and their authorized parties access to certain consumer financial data obtained and maintained by the financial institution; and ● the CFPB’s continued focus on bank fees and charges, including supervision and enforcement actions and bulletins related to overdraft and non-sufficient funds fees. In light of the current political climate in Washington, DC and changes in CFPB leadership in recent years, we cannot predict what additional actions may be taken by the CFPB with respect to its previous regulations, rulings, and decisions and any impact on our operations.

Significant recent CFPB developments that may affect operations and compliance costs include: ● positions taken by the CFPB on fair lending, including applying the disparate impact theory which could make it more difficult for lenders to charge different rates or to apply different terms to loans to different customers; ● the CFPB’s final rule amending Regulation C, which implements the Home Mortgage Disclosure Act, requiring most lenders to report expanded information in order for the CFPB to more effectively monitor fair lending concerns and other information shortcomings identified by the CFPB; ● positions taken by the CFPB regarding the Electronic Fund Transfer Act and Regulation E, which governs responsibilities and obligations related to consumer electronic funds transfers; ● focused efforts on enforcing certain compliance obligations the CFPB deems a priority, such as automobile loan servicing, debt collection, mortgage origination and servicing, remittances, and fair lending, among others; ● the CFPB’s proposed Dodd-Frank Section 1033 consumer financial data sharing rule, which will require financial institutions to provide consumers and their authorized parties access to certain consumer financial 19 Table of Contents data obtained and maintained by the financial institution; and ● the CFPB’s continued focus on bank fees and charges, including supervision and enforcement actions and bulletins related to overdraft and non-sufficient funds fees. In light of the current political climate in Washington, DC and changes in CFPB leadership in recent years, we cannot predict what additional actions may be taken by the CFPB with respect to its previous regulations, rulings, and decisions and any impact on our operations.

The FDIA establishes the following five capital tiers: (i) “well capitalized;” (ii) “adequately capitalized;” (iii) “undercapitalized;” (iv) “significantly undercapitalized;” and (v) “critically 15 Table of Contents undercapitalized.” A depository institution’s capital tier depends upon how its capital levels compare to various relevant capital measures and certain other factors, as established by regulation.

The FDIA establishes the following five capital tiers: (i) “well capitalized;” (ii) “adequately capitalized;” (iii) “undercapitalized;” (iv) “significantly undercapitalized;” and (v) “critically undercapitalized.” A depository institution’s capital tier depends upon how its capital levels compare to various relevant capital measures and certain other factors, as established by regulation.

The ability of our holding company to pay dividends is largely dependent on the amount of cash derived from dividends declared by our Subsidiary Banks. The payment of dividends by any bank or bank holding company is affected by the requirement to maintain adequate capital.

The ability of our holding company to pay dividends is largely dependent on the amount of cash derived from dividends declared by our Subsidiary Banks. The payment of dividends by any bank or bank 11 Table of Contents holding company is affected by the requirement to maintain adequate capital.

The Dodd-Frank Act created far-reaching changes across the financial regulatory landscape by addressing areas like systemic risk, capital adequacy, deposit insurance assessments, consumer financial protection, interchange fees, derivatives, lending 6 Table of Contents limits, mortgage-lending practices, investment-advisor registration, and changes among the bank regulatory agencies.

The Dodd-Frank Act created far-reaching changes across the financial regulatory landscape by addressing areas like systemic risk, capital adequacy, deposit insurance assessments, consumer financial protection, interchange fees, derivatives, lending limits, mortgage-lending practices, investment-advisor registration, and changes among the bank regulatory agencies.

The Basel III final framework requires banks and bank holding companies to measure their liquidity against specific liquidity tests that, although similar in some respects to liquidity 16 Table of Contents measures historically applied by banks and regulators for management and supervisory purposes, going forward will be required by regulation.

The Basel III final framework requires banks and bank holding companies to measure their liquidity against specific liquidity tests that, although similar in some respects to liquidity measures historically applied by banks and regulators for management and supervisory purposes, going forward will be required by regulation.

In October 2023, the CFPB proposed a “Personal Financial Data Rights” rule, which aims to promote open, decentralized banking, protect consumers’ financial data from misuse, and foster competition in the banking industry.

“Large bank” now means a bank with total assets equal to or greater than $1.564 billion for December 31 of both of the prior two calendar years, “small bank” means a bank with assets of less than $1.564 billion as of December 31 of either of the prior two calendar years, and “intermediate small bank” means a bank with assets of at least $391 million as of December 31 of both of the prior two calendar years and less than $1.564 billion as of December 31 of either of the prior two calendar years.

“Large bank” now means a bank with total assets equal to or greater than $1.609 billion for December 31 of both of the prior two calendar years, “small bank” means a bank with assets of less than $1.609 billion as of December 31 of either of the prior two calendar years, and “intermediate small bank” means a bank with assets of at least $402 million as of December 31 of both of the prior two calendar years and less than $1.609 billion as of December 31 of either of the prior two calendar years.

Under the regulations, the highest of the five categories would be a well-capitalized institution with a total risk-based capital ratio of 10%, a Tier 1 risk-based capital ratio of 6% and a Tier 1 leverage ratio of 5%.

Services, Human Capital, and Diversity and Inclusion Our Subsidiary Banks have historically focused on providing commercial banking services to small- and medium-sized businesses located in their trade areas and select international banking services. In recent years, however, our Subsidiary Banks have emphasized consumer and retail banking, including mortgage lending, as well as opening branches in retail locations and shopping malls.

Services, Human Capital, and Diversified Workplace Culture Our Subsidiary Banks have historically focused on providing commercial banking services to small- and medium-sized businesses located in their trade areas and select international banking services. In recent years, however, our Subsidiary Banks have emphasized consumer and retail banking, including mortgage lending, as well as opening branches in retail locations and shopping malls.

Certain implementing regulations that FinCEN has proposed in connection with the AMLA are still being finalized. In September 2022, FinCEN finalized its regime for beneficial-ownership reporting under the CTA, which took effect on January 1, 2024.

Certain implementing regulations that FinCEN has proposed in connection with the AMLA are still being finalized. 8 Table of Contents In September 2022, FinCEN finalized its regime for beneficial-ownership reporting under the CTA, which took effect on January 1, 2024.

If a depository institution fails to submit an acceptable plan, it is treated as if it is “significantly undercapitalized.” The appropriate federal banking agency may, under certain circumstances, reclassify a well-capitalized insured depository institution as adequately capitalized.

If a depository institution fails to submit an acceptable plan, it is treated as if it is “significantly undercapitalized.” 16 Table of Contents The appropriate federal banking agency may, under certain circumstances, reclassify a well-capitalized insured depository institution as adequately capitalized.

If enacted as proposed, the rule would require financial institutions to make financial data regarding consumers’ transactions and accounts more accessible for consumers and authorized third parties acting on their behalf; implement authorization procedures for third parties seeking to access consumer data, including requiring third parties to commit to data limitations and compliance with the GLBA Safeguards Framework; establish operational, performance, and security standards related to data access; and advance fair, open, and inclusive industry standards to facilitate an open banking system.

The rule requires financial institutions to make financial data regarding consumers’ transactions and accounts more accessible for consumers and authorized third parties acting on their behalf; implement authorization procedures for third parties seeking to access consumer data, including requiring third parties to commit to data limitations and compliance with the GLBA Safeguards Framework; establish operational, performance, and security standards related to data access; and advance fair, open, and inclusive industry standards to facilitate an open banking system.

Similarly, it is possible that the legislatures of the State of Texas or the State of Oklahoma would amend applicable state laws relating to us or our Subsidiary Banks. 24 Table of Contents

Similarly, it is possible that the legislatures of the State of Texas or the State of Oklahoma would amend applicable state laws relating to us or our Subsidiary Banks.

Insider Loans 21 Table of Contents The restrictions on loans to directors, executive officers, principal shareholders, and their related interests contained in the FRA and Regulation O apply to all insured institutions and their subsidiaries and holding companies.

Insider Loans The restrictions on loans to directors, executive officers, principal shareholders, and their related interests contained in the FRA and Regulation O apply to all insured institutions and their subsidiaries and holding companies.

As of December 31, 2023, approximately 68% of our approximately 300-person officer management team have been with us for more than 15 years, and approximately 70% of those have been with us for more than 20 years. Our mission is to develop a banking culture that builds genuine, personal relationships with our customers and the communities we serve.

As of December 31, 2024, approximately 66% of our approximately 300-person officer management team have been with us for more than 15 years, and approximately 74% of those have been with us for more than 20 years. Our mission is to develop a banking culture that builds genuine, personal relationships with our customers and the communities we serve.

In addition, the GLBA permits certain non-banking financial and financially related activities to be conducted by financial subsidiaries of banks.

In addition, the 9 Table of Contents GLBA permits certain non-banking financial and financially related activities to be conducted by financial subsidiaries of banks.

In October 2023, President Joe Biden issued an Executive Order (EO) on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI), which sets new standards for AI safety and security, establishes guidelines and processes for the equitable use of AI, calls on Congress to pass bipartisan data-privacy legislation, and directs federal agencies to take various actions to advance the safety, security, and trustworthiness of AI systems and to mitigate AI risks.

In October 2023, President Joe Biden issued an Executive Order (EO) on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI), which set new standards for AI safety and security, established guidelines and processes for the equitable use of AI, called on Congress to pass bipartisan data-privacy legislation, and directed federal agencies to take various actions to advance the safety, security, and trustworthiness of AI systems and to mitigate AI risks.

The same uncertainty exists with respect to regulations authorized or required under the Dodd-Frank Act, but that have not yet been proposed or finalized.

The same uncertainty exists 24 Table of Contents with respect to regulations authorized or required under the Dodd-Frank Act, but that have not yet been proposed or finalized.

We are committed to providing equal opportunities for applicants and employees in all of our employment practices, including but not limited to, hiring, promoting, transferring, and compensating without regard to sex, race, color, national origin, genetic information, citizenship status, age, religion, veteran, disability, or any other characteristic protected by law.

We are committed to implementing initiatives designed to promote workforce development, professional growth, and fair opportunities for all applicants and employees in all of our employment practices, including but not limited to, hiring, promoting, transferring, and compensating without regard to sex, race, color, national origin, genetic information, citizenship status, age, religion, veteran, disability, or any other characteristic protected by law.

To comply with the CTA’s reporting rule, corporations, limited liability companies, and similar entities must identify and report certain information concerning their beneficial owners, meaning the individuals who ultimately own or control them.

If enforced, the CTA’s reporting rule would require corporations, limited liability companies, and similar entities to identify and report certain information concerning their beneficial owners, meaning the individuals who ultimately own or control them.

A copy of our clawback policy is attached as Exhibit 97 hereto. The scope and content of the U.S. regulators’ policies on executive compensation are continuing to develop and are likely to continue evolving. It cannot be determined at this time whether compliance with such policies will adversely affect our ability to hire, retain, and motivate our key employees.

The scope and content of the U.S. regulators’ policies on executive compensation are continuing to develop and are likely to continue evolving. It cannot be determined at this time whether compliance with such policies will adversely affect our ability to hire, retain, and motivate our key employees.

Prior to that date, we amended and restated our Compensation Clawback Policy to meet the standards set forth in Rule 5608 and to be effective as of October 2, 2023.

Prior to that date, we amended and restated our Compensation Clawback Policy to meet the standards set forth in Rule 5608 and to be effective as of October 2, 2023. A copy of our clawback policy is attached as Exhibit 97 hereto.

We also conduct training programs on equal employment opportunities and diversity and inclusion in the workplace as well as training sessions that coach and develop talent in order to promote and retain a diverse workforce.

We also conduct training programs on equal employment opportunities as well as training sessions that coach and develop talent to promote and retain a diverse workforce.

All other bank holding companies will generally be required to maintain a leverage ratio of at least 4% - 5%. Our leverage ratio at December 31, 2023 was 17.46%.

All other bank holding companies will generally be required to maintain a leverage ratio of at least 4% - 5%. Our leverage ratio at December 31, 2024 was 18.84%.

These loans cannot exceed the institution’s total unimpaired capital and surplus, and the FDIC may determine that a lesser amount is appropriate. Insiders are subject to enforcement actions for knowingly accepting loans in violation of applicable restrictions. Mortgage Lending In 2016, the CFPB amended certain mortgage rules issued in 2013.

The FDIC uses a risk-based assessment system that imposes premiums based upon a matrix that takes into account a bank’s capital level and supervisory rating. Our FDIC deposit insurance expense totaled $6,285,000, $6,987,000, and $4,389,000 in 2023, 2022 and 2021, respectively.

The FDIC uses a risk-based assessment system that imposes premiums based upon a matrix that considers a bank’s capital level and supervisory rating. Our FDIC deposit insurance expense totaled $6,865,000, $6,285,000, and $6,987,000 in 2024, 2023 and 2022, respectively.

In addition to the generally applicable state and federal laws governing businesses and employers, we and our Subsidiary Banks are further extensively regulated by special federal and state laws governing financial institutions.

Supervision and Regulation Banking is a complex, highly regulated industry. In addition to the generally applicable state and federal laws governing businesses and employers, we and our Subsidiary Banks are further extensively regulated by special federal and state laws governing financial institutions.

FRB Approvals As a registered bank holding company we are subject to supervision by, among others, the FRB. As such, we are required to file with the FRB annual reports and other information regarding our business operations and those of our Subsidiary Banks. We are also subject to periodic examination by the FRB.

As such, we are required to file with the FRB annual reports and other information regarding our business operations and those of our Subsidiary Banks. We are also subject to periodic examination by the FRB.

Provisions in the legislation that affect deposit insurance assessments, payment of interest on demand deposits and interchange fees are likely to increase the costs associated with deposits, as well as place limitations on certain revenues those deposits may generate. Provisions that require revisions to our capital requirements could require us to seek other sources of capital in the future.

The CFPB and other federal regulators, including the Federal Housing Administration, have issued several updated guidelines and proposed regulatory revisions that signal an ongoing focus on redlining and discrimination in 22 Table of Contents mortgage lending, including revisions to the CRA and greater oversight of property appraisals, including related algorithms and machine learning tools that can be used in the appraisal process.

The CFPB and other federal regulators continue to issue guidance and regulatory updates that affect mortgage lending, including updated guidelines and proposed regulatory revisions that signal an ongoing focus on redlining and discrimination in mortgage lending, revisions to the CRA and greater oversight of property appraisals, and related algorithms and machine learning tools that can be used in the appraisal process.

Affiliate Transactions Our holding company and Subsidiary Banks are “affiliates” within the meaning of Section 23A of the Federal Reserve Act (FRA), which sets forth certain restrictions on (i) loans and extensions of credit between a bank subsidiary and affiliates, (ii) investments in an affiliate’s stock or other securities, and (iii) acceptance of such stock or other securities as collateral for loans.

We expect state-level activity to continue in this area and will continue monitoring legislative developments in Texas and Oklahoma. 21 Table of Contents Affiliate Transactions Our holding company and Subsidiary Banks are “affiliates” within the meaning of Section 23A of the Federal Reserve Act (FRA), which sets forth certain restrictions on (i) loans and extensions of credit between a bank subsidiary and affiliates, (ii) investments in an affiliate’s stock or other securities, and (iii) acceptance of such stock or other securities as collateral for loans.

As of December 31, 2023, we and our Subsidiary Banks employed approximately 2,062 persons full time and 230 persons part time.

As of December 31, 2024, we and our Subsidiary Banks employed approximately 2,103 persons full time and 233 persons part time.

Under the BHCA, a bank holding company is prohibited from acquiring direct or indirect control of any company that is not a bank or bank holding company, and must engage only in the business of banking, managing, or controlling banks and furnishing services to or performing services for its subsidiary banks, except where the FRB has determined the ownership to be so closely related to banking, managing, or controlling banks as to be a proper incident thereto. 7 Table of Contents The BHCA and the Change in Bank Control Act of 1978 require that either FRB approval must be obtained or notice must be furnished to the FRB and not disapproved prior to any person or company acquiring “control” of a bank holding company, subject to exception for certain transactions.

During the second quarter of 2000, IBC established an insurance agency subsidiary and acquired two insurance agencies. 9 Table of Contents The investments that may be made under the GLBA are substantially broader in scope than the investment activities otherwise permissible for bank holding companies and are referred to as “merchant banking investments” in “portfolio companies.” The FRB and the Secretary of the Treasury have regulations governing the scope of permissible merchant banking investments.

The investments that may be made under the GLBA are substantially broader in scope than the investment activities otherwise permissible for bank holding companies and are referred to as “merchant banking investments” in “portfolio companies.” The FRB and the Secretary of the Treasury have regulations governing the scope of permissible merchant banking investments.

Effective January 1, 2020, Texas amended its data breach notification law, limiting the time frame for notifying individuals whose data has been compromised and requiring notice to the Texas Attorney General in certain circumstances. We expect state-level activity to continue in this area and will continue monitoring legislative developments in Texas and Oklahoma.

As with the 2011 proposed rule, no final rule was adopted in connection with the 2016 rule proposal. In June 2023, the SEC included incentive-based compensation arrangements on its spring 2024 rulemaking agenda. Accordingly, a third round of proposed rulemaking on incentive-based compensation arrangements is expected to occur in the upcoming months.

As with the 2011 proposed rule, no final rule was adopted in connection with the 2016 rule proposal. In June 2023, the SEC included incentive-based compensation arrangements on its spring 2024 rulemaking agenda, signaling that a third round of proposed rulemaking on incentive-based compensation arrangements may occur. However, the SEC has not yet issued a new proposal.

The FDIC has the right to prohibit the payment of dividends by a bank where the payment is deemed to be an unsafe and unsound banking practice. 11 Table of Contents At December 31, 2023, there was an aggregate of approximately $1,229,500,000 available for the payment of dividends to our holding company by our Subsidiary Banks under the capital rules applicable as of December 31, 2023, assuming that each of such banks continues to be classified as “well capitalized.” Further, we could expend the entire $1,229,500,000 and continue to be classified as “well capitalized” under the capital rules applicable as of December 31, 2023.

At December 31, 2024, there was an aggregate of approximately $1,440,000,000 available for the payment of dividends to our holding company by our Subsidiary Banks under the capital rules applicable as of December 31, 2024, assuming that each of such banks continues to be classified as “well capitalized.” Further, we could expend the entire $1,440,000,000 and continue to be classified as “well capitalized” under the capital rules applicable as of December 31, 2024.

We elected and were approved by the FRB to become a financial holding company under the GLBA in 2000 and the election was made effective by the FRB as of March 13, 2000.

We elected and were approved by the FRB to become a financial holding company under the GLBA in 2000 and the election was made effective by the FRB as of March 13, 2000. During the second quarter of 2000, IBC established an insurance agency subsidiary and acquired two insurance agencies.

Financial institutions are allowed to issue qualifying unsecured subordinated debt (Tier 3 capital) to meet a part of their market risks. We do not have any Tier 3 capital and did not need Tier 3 capital to offset market risks. The Dodd-Frank Act directs the banking agencies to issue capital requirements for banking institutions that are countercyclical.

As of December 31, 2023, approximately 74% of our workforce self-identified as Latino or Hispanic, and over 66% self-identified as women.

As of December 31, 2024, approximately 75% of our workforce self-identified as Latino or Hispanic, and approximately 65% self-identified as women.

The GLBA significantly changed the competitive environment in which we and our Subsidiary Banks conduct business. The financial services industry will likely become even more competitive as further technological advances enable more companies to 5 Table of Contents provide financial services.

The GLBA significantly changed the competitive environment in which we and our Subsidiary Banks conduct business. The financial services industry will become even more competitive as further technological advances enable more companies to provide financial services. These technological advances may reduce the necessity of depository institutions and other financial intermediaries in the transfer of funds between parties.

Implementation of Basel IV began on January 1, 2023 and will continue over a five-year transition period by regulators in individual countries, including the U.S. federal bank regulatory agencies. The U.S. has targeted implementation of Basel IV to begin on July 1, 2025, subject to a three-year transition period with full compliance expected by July 1, 2028.

The standards address cyber-risk governance, cyber-risk management, internal dependency management, external dependency management, incident response, cyber resilience, and situational awareness. The enhanced standards would be implemented in a tiered manner, imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector.

The enhanced standards would be implemented in a tiered manner, imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector.

In late 2022, the CFPB issued an outline of proposed rules related to Section 1033 of Dodd-Frank, which requires the CFPB to implement regulations providing for the sharing of consumer financial information between financial institutions and consumer-authorized data recipients.

Part of the FAST Act amended the GLBA by providing financial institutions with an exception to the general requirement that those institutions deliver annual privacy notices. 10 Table of Contents In late 2022, the CFPB issued an outline of proposed rules related to Section 1033 of Dodd-Frank, which requires the CFPB to implement regulations providing for the sharing of consumer financial information between financial institutions and consumer-authorized data recipients.

The proposed legislation would also require regulators to consider a bank’s partnerships with non-depository lenders and “small-dollar” first-lien mortgages as part of CRA examinations. Like the October 2023 final regulatory revisions, the legislation focuses on applying fair-lending concepts to CRA obligations and examinations. We will continue to monitor this legislation and its potential effect on the revised CRA regulations.

The proposed legislation would have also required regulators to consider a bank’s partnerships with non-depository lenders and “small-dollar” first-lien mortgages as part of CRA examinations. Like the October 2023 final regulatory revisions, the legislation focuses on applying fair-lending concepts to CRA obligations and examinations. Ultimately, however, the proposed legislation did not advance through the legislative process and was never passed.

In December 2017, the Basel Committee on Banking Supervision unveiled its final set of standards and reforms to the Basel III regulatory capital framework, commonly called “Basel III endgame” or “Basel IV.” The Basel IV standards make changes to the capital framework first introduced as “Basel III” in 2010and aim to reduce excessive variability in banks’ calculations of risk-weighted assets and risk-weighted capital ratios.

In addition, the Basel III capital rules provide more advantageous risk weights for derivatives and repurchase-style transactions cleared through a qualifying central counterparty and increase the scope of eligible guarantors and eligible collateral for purposes of credit risk mitigation. 15 Table of Contents In December 2017, the Basel Committee on Banking Supervision unveiled its final set of standards and reforms to the Basel III regulatory capital framework, commonly called “Basel III endgame” or “Basel IV.” The Basel IV standards make changes to the capital framework first introduced as “Basel III” in 2010 and aim to reduce excessive variability in banks’ calculations of risk-weighted assets and risk-weighted capital ratios.

The Basel III capital rules require most components of “Accumulated Other Comprehensive Income (Loss)” (AOCI) to be recognized in CET1, factoring in to the calculation of CET1 all net unrealized gains (losses) on available for sale securities. The Basel III definition of CET1 also establishes the expectation that the majority of CET1 should be voting shares.

With certain exceptions, the value of stock repurchased is determined net of stock issued in the year, including shares issued pursuant to compensatory arrangements. The Basel III capital rules require most components of “Accumulated Other Comprehensive Income (Loss)” (AOCI) to be recognized in CET1, factoring into the calculation of CET1 all net unrealized gains (losses) on available for sale securities.

Three of our Subsidiary Banks received an “Outstanding” CRA rating, and two received a “Satisfactory” CRA rating in their most recently completed examinations. Financial institutions are evaluated under different CRA examinations procedures based upon their asset size classification, which asset thresholds are updated annually and were updated as of January 1, 2024.

Financial institutions are evaluated under different CRA examinations procedures based upon their asset size classification, which asset thresholds are updated annually and were updated as of January 1, 2025.

In October 2022, the United States Court of Appeals for the Fifth Circuit held that the mechanism for funding the CFPB is an unconstitutional violation of the Appropriations Clause. The CFPB petitioned the United States Supreme Court to hear its challenge to that holding, and the Supreme Court heard oral arguments in the case in October 2023.

In October 2022, the United States Court of Appeals for the Fifth Circuit held that the mechanism for funding the CFPB was an unconstitutional violation of the Appropriations Clause. In 2024, the United States Supreme Court overturned the Fifth Circuit Court’s ruling and held that the mechanism for funding the CFPB is constitutional.

The special assessment will be collected by the FDIC at an 12 Table of Contents annual rate of approximately 13.4 basis points for an anticipated total of eight quarterly assessment periods, beginning with the first quarterly assessment period of 2024. Banks with total assets under $5 billion will not be subject to the special assessment.

The special assessment is collected by the FDIC at a quarterly rate of 3.36 basis points over a total of eight anticipated quarterly assessment periods, with the FDIC collecting the first quarterly assessment on June 28, 2024. Banks with total assets under $5 billion will not be subject to the special assessment.

In 2016, the federal banking agencies proposed enhanced cyber-risk management standards for large interconnected entities and their service providers. The proposal established enhanced standards to increase the operational resilience of those entities and reduce the impact on the financial system in case of a cyber event experienced by any of them.

The proposal established enhanced standards to increase the operational resilience of those entities and reduce the impact on the financial system in case of a cyber event experienced by any of them. The standards address cyber-risk governance, cyber-risk management, internal dependency management, external dependency management, incident response, cyber resilience, and situational awareness.

It is not clear when a final rule will be issued. 10 Table of Contents Nasdaq Listing Standards Shares of our common stock are listed and trade on The Nasdaq Stock Market (Nasdaq) under the symbol “IBOC.” As such, we must comply with the quantitative and qualitative listing standards of Nasdaq.

Depository institutions with less than $10 billion in assets must comply with the final rule by April 2028. Nasdaq Listing Standards Shares of our common stock are listed and trade on The Nasdaq Stock Market (Nasdaq) under the symbol “IBOC.” As such, we must comply with the quantitative and qualitative listing standards of Nasdaq.

An Oklahoma bank generally may not pay a dividend reducing its capital and surplus without the prior approval of the Oklahoma Department of Banking.

An Oklahoma bank generally may not pay a dividend reducing its capital and surplus without the prior approval of the Oklahoma Department of Banking. The FDIC has the right to prohibit the payment of dividends by a bank where the payment is deemed to be an unsafe and unsound banking practice.

For example, the final rules are significantly different from the proposed rules in terms of risk weighting for residential mortgages and the regulatory capital treatment of certain unrealized gains and losses on trust preferred securities for common banking organizations. 14 Table of Contents A key provision of the Basel III capital rules permitted banks to make a one-time irrevocable election to opt out of the Basel III requirement to recognize most items of AOCI in regulatory capital.

Our commitment to diversity and inclusion is further underscored by our efforts to reach out to and support minority and women’s organizations and educational institutions that serve significant minority or women student populations.

Our commitment to fostering a workplace culture that attracts, develops, and retains a diverse and talented workforce is further underscored by our efforts to connect with and support minority and women’s organizations and educational institutions that serve significant minority or women student populations.

The National Institute of Standards and Technology (NIST) released a preliminary Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) in 2014, and an update to that framework in 2018. Our Subsidiary Banks are expected to incorporate the NIST Cybersecurity Framework into their infrastructures and risk-management systems, which are also governed by FFIEC guidelines.

… 54 more changes not shown on this page.

Item 1A. Risk Factors

Risk Factors — what could go wrong, per management

20 edited+33 added−1 removed80 unchanged

2023 filing

2024 filing

Biggest changeThe loss of revenue streams and the reduction of lower cost deposits as a source of funds could have a material adverse effect on our financial condition and results of operations. 25 Table of Contents External funding which we rely on, in part, to provide liquidity may not be available to us on favorable terms or at all.

Biggest changeThe loss of revenue streams and the reduction of lower cost deposits as a source of funds could have a material adverse effect on our financial condition and results of operations.

Our financial condition, results of operation and stock price may be negatively impacted by negative publicity risk, diminished depositor confidence in depository institutions, and the increased threat of bank-run contagion. A total of five FDIC-insured banks failed between March to November 2023, three of which occurred during a less than two-month period from March to May 2023.

For additional information on the CECL methodology, see “Notes to Consolidated Financial Statements – (4) Allowance for Credit Losses” in our 2023 Annual Report to Shareholders, which is filed as Exhibit 13 hereto. If real estate values in our target markets decline, the loan portfolio would be impaired.

For additional information on the CECL methodology, see “Notes to Consolidated Financial Statements – (4) Allowance for Credit Losses” in our 2024 Annual Report to Shareholders, which is filed as Exhibit 13 hereto. If real estate values in our target markets decline, the loan portfolio would be impaired.

Although we have established disaster 27 Table of Contents recovery policies and procedures, any such event(s) in, near, or affecting the markets we serve could have a material adverse effect on our business. An impairment in the carrying value of our goodwill could negatively impact our earnings and capital.

Although we have established disaster recovery policies and procedures, any such event(s) in, near, or affecting the markets we serve could have a material adverse effect on our business. 29 Table of Contents An impairment in the carrying value of our goodwill could negatively impact our earnings and capital.

Risks Related to Our Business Our allowance for probable loan losses may be insufficient. The determination of an appropriate level of loan loss allowance is an inherently difficult process and is based on numerous assumptions. This allowance represents management’s best estimate of probable losses that may exist within our existing loan portfolio.

Risks Related to Our Business Our allowance for probable loan losses may be insufficient. The determination of an appropriate level of loan loss allowance is an inherently complicated process and is based on numerous assumptions. This allowance represents management’s best estimate of probable losses that may exist within our existing loan portfolio.

If we experience disruption in our business, unexpected significant declines in our operating results, or sustained market capitalization declines, it could result in goodwill impairment charges in the future, which would be recorded as charges against earnings. We performed an annual goodwill impairment assessment as of October 1, 2023.

As of December 31, 2023, we had approximately $108 million in junior subordinated debentures outstanding that were purchased by our statutory trusts using the proceeds from the sale of trust preferred securities to third party investors. The junior subordinated debentures are senior to our shares of common stock.

As of December 31, 2024, we had approximately $108 million in junior subordinated debentures outstanding that were purchased by our statutory trusts using the proceeds from the sale of trust preferred securities to third party investors. The junior subordinated debentures are senior to our shares of common stock.

Failure to comply with laws, regulations, or policies could result in sanctions by regulatory agencies, civil money penalties and/or reputation damage, which could have a material adverse effect on our business, financial condition, and results of operations. 30 Table of Contents The Dodd-Frank Act, the powers of the CFPB, and the FDIC Overdraft Payment Supervisory Guidance may increase the likelihood of lawsuits against financial institutions.

Failure to comply with laws, regulations, or policies could result in sanctions by regulatory agencies, civil money penalties and/or reputation damage, which could have a material adverse effect on our business, financial condition, and results of operations. The Dodd-Frank Act, the powers of the CFPB, and the FDIC Overdraft Payment Supervisory Guidance may increase the likelihood of lawsuits against financial institutions.

Although we have amplified our efforts to promote deposit insurance coverage with our customers, to proactively communicate with our customers in order to address any depository fears they may be experiencing as a result of the unrelated bank failures, and to implement policies for effectively managing our liquidity, deposit portfolio retention and other related matters, our financial condition, results of operation and stock price may be adversely affected by future negative events within the banking industry and negative customer or investor responses to such events. Recent volatility in the banking industry could prompt new legislation, regulations, and policy changes that could cause us to be subjected to additional regulatory oversight and supervision. Negative developments in the banking industry during the past year, culminating in the failures of five banks, have prompted responses by the FDIC, the Federal Reserve, and the U.S.

Although we have amplified our efforts to promote deposit insurance coverage with our customers, to proactively communicate with our customers in order to address any depository fears they may be experiencing as a result of the unrelated bank failures, and to implement policies for effectively managing our liquidity, deposit portfolio retention and other related matters, our financial condition, results of operation and stock price may be adversely affected by future negative events within the banking industry and negative customer or investor responses to such events. Recent volatility in the banking industry could prompt new legislation, regulations, and policy changes that could cause us to be subjected to additional regulatory oversight and supervision. Negative developments in the banking industry during 2023 and 2024, culminating in the failures of seven banks, prompted responses by the FDIC, the Federal Reserve, and the U.S.

Depending on the future actions of the CFPB, the likelihood of lawsuits against financial institutions related to allegedly “unfair,” “deceptive” and “abusive” acts and practices could increase. Moreover, the costs related to such lawsuits would be significantly increased if the CFPB restricts the use of arbitration and/or class action waivers in consumer banking contracts.

Depending on the future actions of the CFPB, the likelihood of lawsuits against financial institutions related to allegedly “unfair,” “deceptive” and “abusive” acts 32 Table of Contents and practices could increase. Moreover, the costs related to such lawsuits would be significantly increased if the CFPB restricts the use of arbitration and/or class action waivers in consumer banking contracts.

New lines of business or new products and services may subject us to additional risks. From time to time, we may implement new lines of business or offer new products and services within existing lines of business. In developing and marketing new lines of business and/or new products and services, we may invest significant time and resources.

Payments of the principal and interest on the trust preferred securities are conditionally guaranteed by us to the extent not paid or made by each trust. We must make payments on the junior subordinated debentures (and the related trust preferred securities) before any dividends can be paid on our common stock.

Payments of the principal and interest on 33 Table of Contents the trust preferred securities are conditionally guaranteed by us to the extent not paid or made by each trust. We must make payments on the junior subordinated debentures (and the related trust preferred securities) before any dividends can be paid on our common stock.

Banking and other financial services companies, including us and our Subsidiary Banks, rely on technology companies to provide information technology products and services necessary to support our day-to-day operations. Technology companies frequently enter into litigation based on allegations of patent infringement or other violations of intellectual property rights.

These tools and models reflect assumptions that may not be accurate, particularly in times of market stress or other unforeseen 28 Table of Contents circumstances. Even if these assumptions are adequate, the tools or models may prove to be inadequate or inaccurate because of other flaws in their design or their implementation.

These tools and models reflect assumptions that may not be accurate, particularly in times of market stress or other unforeseen circumstances. Even if these assumptions are adequate, the tools or models may prove to be inadequate or inaccurate because of other flaws in their design or their implementation.

Any such failure in our analytical or forecasting tools or models could have a material adverse effect on our business, financial condition, and results of operations. We may be adversely affected by declining crude oil prices.

Any such failure in our analytical or forecasting tools or models could have a material adverse effect on our business, financial condition, and results of operations. 30 Table of Contents We may be adversely affected by declining crude oil prices.

There can be no assurance, given the fast pace of change and innovation, that our technology will meet or continue to meet our operational needs and the needs of our customers. 29 Table of Contents We are subject to claims and litigation pertaining to intellectual property.

There can be no assurance, given the fast pace of change and innovation, that our technology will meet or continue to meet our operational needs and the needs of our customers. We are subject to claims and litigation pertaining to intellectual property.

Since March 2022, the Federal Reserve has increased interest rates a total of eleven times, with the last hike occurring in July 2023 when target interest rates reached their current range of 5.25% to 5.50%, with a benchmark rate at about 5.4%, the highest level in more than two decades.

From March 2022 to July 2023, the Federal Reserve increased interest rates a total of eleven times, with the last hike occurring in July 2023 when target interest rates reached a range of 5.25% to 5.50%, with a benchmark rate at about 5.4%, the highest level in more than two decades.

Acquisitions of other financial institutions and new branches must be approved by bank regulators and such approvals are dependent on many factors, including the results of regulatory examinations and CRA ratings. 26 Table of Contents We rely heavily on our chief executive officer. We have experienced substantial growth in assets and deposits, particularly since Dennis E.

Acquisitions of other financial institutions and new branches must be approved by bank regulators and such approvals are dependent on many factors, including the results of regulatory examinations and CRA ratings. We rely heavily on our chief executive officer. We have experienced substantial growth in assets and deposits, particularly since Dennis E. Nixon became our President in 1979.

Nixon became our President in 1979. We do not have an employment agreement with Mr. Nixon and the loss of his services could have a material adverse effect on our business and prospects. Our information systems may experience an interruption or breach in security. We rely heavily on communications and information systems to conduct our business.

We do not have an employment agreement with Mr. Nixon and the loss of his services could have a material adverse effect on our business and prospects. 28 Table of Contents Our information systems may experience an interruption or breach in security. We rely heavily on communications and information systems to conduct our business.

Also, technology and other changes are allowing parties to complete financial transactions that historically have involved banks through alternative methods. The process of eliminating banks as intermediaries could result in the loss of fee income, as well as the loss of customer deposits and related income.

Further compounding the competition we face, technology and other changes are allowing parties to complete financial transactions that historically have involved banks through alternative, non-banking methods. The process of eliminating banks as intermediaries could result in the loss of fee income, as well as the loss of customer deposits and 25 Table of Contents related income.

Removed

Although the Federal Reserve has held rates steady since then and indicated that rate reductions would occur sometime in 2024, the timing and extent of those rate cuts are uncertain. Volatility in interest rates may impact our net interest income and the valuation of our assets and liabilities.

Added

In addition to the rise in fintechs, the financial-services industry has rapidly evolved with the rise of other alternative financial providers, including blockchain-based financial products and banking-as-a-service (BaaS) platforms, which offer digital banking products, mobile payment services, and decentralized financial services that compete with the services traditionally provided by banks.

Added

The regulatory landscape for cryptocurrencies, decentralized finance, and fintech services remains uncertain and may create additional competitive challenges for traditional banks like ours.

Added

The new presidential administration under President Donald Trump has embraced the adoption of digital assets and signaled more favorable federal regulation of cryptocurrencies and blockchain technologies aimed at ensuring the United States remains a global innovator in these areas.

Added

In his first week in office, President Trump signed an executive order entitled Strengthening American Leadership in Digital Financial Technology, which aims to “support the responsible growth and use of digital assets, blockchain technology, and related technologies across all sectors of the economy.” In alignment with the new executive order, the SEC announced a “Crypto 2.0” dedicated to developing a clear regulatory framework for crypto assets.

Added

If new regulations favor alternative financial products, we may face operational challenges and increased costs to remain competitive.

Added

Furthermore, if BaaS models continue to be more widely utilized by fintech companies to allow non-bank entities to expand into financial-service offerings, the need for traditional banking institutions may be reduced, which could cause us to experience a decline in customer acquisition and retention and increased pricing pressure in the financial-services industry, Additionally, as use of cryptocurrencies, blockchain technologies, and decentralized financial services gain broader regulatory approval, become more widely adopted by consumers, and become integrated into mainstream financial systems, we may be subject to additional competitive pressures from these alternative financial providers. which could reduce demand for the traditional banking services that we provide and draw customers away from traditional banking institutions like ours.

Added

Customers, especially younger demographics, are increasingly embracing the use of digital wallets, crypto-based financial solutions, and peer-to-peer payment platforms as alternatives to traditional banking.

Added

A shift in customer preferences away from traditional deposit accounts and lending products may lead to a reduction in deposits, income generated through banking fees, and loan-origination opportunities, all of which could negatively impact our operations and ability to compete in the evolving financial-services industry.

Added

Failure to successfully invest in, adapt to, integrate, and compete with technological developments, including new services and products that incorporate artificial intelligence (“AI”) into banking services and products, could impair our competitive position and adversely affect our business, revenue, and profitability. The financial-services industry is experiencing rapid technological change driven by the advancement of AI.

Added

We may face a competitive disadvantage if we are unable to adopt and adapt to developing AI-driven technologies as quickly or effectively as our peers, larger financial institutions, and fintech companies, who are becoming increasingly involved in the banking and financial-services sectors.

Added

As customers grow to expect greater accessibility to AI banking solutions, including personalized financial-management tools, automated underwriting, and advanced fraud detection, failure to successfully invest in and incorporate AI into our banking offerings may cause us to fall short of meeting customer expectations for modernized, AI-powered financial services.

Added

To stay competitively relevant, we must leverage AI to enhance efficiency, risk management, and customer satisfaction. An inability to integrate AI solutions into our business and operations may make us unable to compete with institutions that can offer more sophisticated, technologically advanced financial products and services, which may hinder our rates of retaining and expanding our customer base.

Added

Furthermore, our revenue and profitability could be negatively impacted by the costs associated with enhancing our 26 Table of Contents existing systems, upgrading our existing technologies and product offerings, and integrating AI tools into our business and operational structure.

Added

The development, adoption, and integration of AI in our banking services, processes, and products may subject us to increased technological risks, costs, uncertainties, and unpredictable outcomes while increasing our compliance costs and exposing us to new operational challenges. AI-driven technologies are rapidly evolving and complex, and successfully integrating AI tools requires substantial investment, expertise, and continuous monitoring.

Added

Our adoption and implementation of AI tools into our banking services, processes, and products presents significant technological risks, uncertainties, and unpredictable outcomes that could result from errors or biases in AI models, data inconsistencies, compliance violations, unforeseen system failures, or operational disruptions.

Added

Flaws in our introduction and use of AI technologies could create unintended consequences, amplify our costs, and inadvertently expose us to security vulnerabilities and technological inefficiencies that could hamper the customer experience, negatively impact transaction processing, and undermine our risk-management processes.

Added

Furthermore, as the use of AI continues to evolve in the banking industry, so too will the AI-related regulations governing the banking and financial-services sectors.

Added

Regulators may impose new compliance requirements concerning AI governance, model validation, ethical use of AI, cybersecurity, data privacy, and automated decision-making, which may increase our costs and administrative burdens and restrict our ability to utilize AI for banking services, such as customer engagement, credit underwriting, fraud detection, and other banking functions.

Added

Our ability to adopt new forms of technologies and AI may be thwarted by the emergence of complex industry-wide standards, uncertainties in the legislative and regulatory environment governing AI in banking, and difficulties in establishing proper governance and controls related to new AI technologies that are compliant with evolving regulatory requirements.

Added

Incorporating AI solutions and complying with emerging regulatory frameworks may require significant resources, time, and technological investment. Additionally, any errors in AI-based models that generate biased or inaccurate results could cause us to make uninformed business decisions based on faulty data, potentially leading to financial losses and operational inefficiencies, and to face regulatory scrutiny, reputational damage, or legal liability.

Added

Failure to comply with AI-related regulations or to effectively manage AI-related risks could adversely affect our business, financial condition, and results of operations. External funding which we rely on, in part, to provide liquidity may not be available to us on favorable terms or at all.

Added

Although the Federal Reserve enacted three consecutive rate cuts in late 2024, reducing target interest rates to their current range of 4.25% to 4.50% by December 2024, the timing and extent of additional rate cuts remains uncertain.

Added

The Federal Reserve declined to implement additional rate cuts in January 2025 and tempered rate-cut expectations by lowering the projected number of rate cuts anticipated in 2025 from four to two rate cuts. Volatility in interest rates may impact our net interest income and the 27 Table of Contents valuation of our assets and liabilities.

Added

The imposition of new or increased international tariffs may have a material adverse effect on our business, financial condition, and results of operations. We do a significant amount of business for customers domiciled in Mexico, with an emphasis in Northern Mexico.

Added

Deposits from persons and entities domiciled in Mexico comprise a large and stable portion of the deposit base of our Subsidiary Banks, and some of our Subsidiary Banks are highly active in facilitating international trade along the United States border with Mexico and elsewhere.

Added

The imposition of tariffs and trade restrictions by the United States on Mexico may weaken the Mexican economy, reduce cross-border trade, and ultimately negatively impact the financial wellbeing of our customer base in Mexico, potentially leading to lower deposit balances or increased withdrawals from our depositors domiciled in Mexico.

Added

In turn, a decline in our deposit base and liquidity could strain our ability to compete with other financial institutions that are less reliant on cross-border deposits.

Added

Furthermore, in response to any increase in geopolitical tensions or strained U.S.–Mexico relations, depositors from Mexico may seek alternative financial institutions that they consider to be more integrated within the Mexican financial industry, which could cause us to face increased competition.

Added

Declined economic activity in Mexico and cross-border trade resulting from the imposition of tariffs and trade restrictions may lead to lower deposit balances, increase the likelihood of loan defaults, and reduce the demand for the banking products and services that our Subsidiary Banks provide to customers domiciled in Mexico, reducing the circulating of money in our border communities as well as the major cities in Texas.

Added

Macroeconomic conditions could have a material adverse effect on our business, results of operations, and financial condition.

Added

Unfavorable macroeconomic conditions, including low productivity growth, declining business investment, inflationary pressures, fluctuating interests rates, concerns regarding the imposition of tariffs (including retaliatory tariffs in response to tariffs imposed by the United States), concerns regarding the level of U.S. debt, shifts in monetary and fiscal policy, strained international trade relations, and heightened geopolitical pressures, could negatively impact our business, results of operations, and financial condition.

Added

Economic downturns may cause reduced consumer and business banking activity, lower loan demand, increased credit risk, and higher loan deficiencies. Trade policies like tariffs and retaliatory measures, as well as geopolitical tensions in the U.S. and global markets, may cause disruptions to economic stability, affect businesses that participate in international trade, and increase market volatility.

Added

Economic and inflationary pressure on consumers and prolonged uncertainty in the macroeconomic environment could result in changes in the spending, borrowing, and savings habits of consumers and businesses and may also weaken investor confidence, reduce capital markets activity, and increase regulatory scrutiny, all of which could have a material adverse effect on our business, financial condition, and results of operations.

Item 1C. Cybersecurity

Cybersecurity — threats and controls disclosure

15 edited+2 added−1 removed23 unchanged

2023 filing

2024 filing

Biggest changeSome of the steps we have taken and processes we have implemented to assess, identify, and manage material risks from cybersecurity threats include the following: · Forming an IT Cybersecurity Committee (ITCC), which consists primarily of members of our management team and IT department, to develop and oversee our cybersecurity policies and infrastructure and establishing a multi-tiered reporting and governance system pursuant to which our ITCC reports to our Service Center Board, which reports to our Risk Committee, which reports to our Board; · Implementing heightened safety measures, physical-security controls, and controlled-access requirements to protect the Service Center that houses the hardware and infrastructure used to store and transmit sensitive and confidential bank, customer, and employee information in accordance with the FFIEC IT Examination Handbook on Information Security and designating a specialized Service Center Board within the Service Center Department to oversee the protection of the Service Center’s physical integrity; 32 Table of Contents · Maintaining a clearly defined ISSP, which prescribes measures to establish and enforce our security program, addresses each component of our information security (IS) position, and advances our objectives of protecting and managing risks to our data and security systems by establishing policies, standards, controls, procedures, and guidelines that address topics such as security and privacy governance, statutory, regulatory, and contractual compliance, business and disaster recovery, change management, identification and authentication processes, expectations for continuous monitoring, asset management, third-party provider management, endpoint security, and incident responses, among others; ● Conducting an annual self-assessment using the Cyber Risk Institute (based on the NIST Cybersecurity Framework) to review our cyber risk-management strategy and framework, assess the effectiveness and legal and regulatory compliance of our organizational cybersecurity policy, and evaluate our policies and procedures for identifying risks, protecting information, detecting security threats, responding to cyber incidents, executing recovery plans, and managing levels of external dependence and resiliency; · Conducting regular cybersecurity training for our employees regarding security awareness, the proper use and handling of sensitive information, and the protocols in place to identify, assess, and manage any cybersecurity threats and periodically testing employees’ cybersecurity knowledge, policy compliance, and response rates by engaging with third-party providers to conduct internal social engineering campaigns; · Engaging in security-incident preparedness simulations and completing disaster recovery and resilience tests designed to test and strengthen any vulnerabilities in our cybersecurity infrastructure; · Employing robust encryption and anonymization technologies and other cybersecurity monitoring and auditing systems to fortify our cybersecurity framework, including through our Online Banking Enhanced Security Program, which requires the authorized users on a customer’s account to be validated and employs multi-factor authentication (MFA), which requires each of our retail and commercial customers to authenticate their identities by entering a secure access code that our MFA system automatically generates and sends to the customer each time there is an attempted login to the customer’s online banking account; · Implementing MFA protections for our treasury customers by prohibiting their initiation of ACH transactions or wire transfers until they authenticate their identities using a security token that is generated and sent by our online-banking MFA system; ● Monitoring electronic mail and other network intrusion attempts with various tools to identify and stop intrusion and malware threats; ● Scanning and assessing vulnerabilities arising from software and hardware on our network infrastructure, ATMs, software applications, computers, copiers and other electronic assets to ensure that vulnerabilities are identified and resolved timely; · Establishing a risk-appetite profile, which we review at least annually to regularly assess our cybersecurity infrastructure and software systems in a manner that ensures we capture their current state and identify emerging risks that would require changes in our cyber environment; · Leveraging internal and external auditors as well as security consultants to review the procedures, systems, and controls that comprise our ISSP to evaluate their design and operational effectiveness and to address any operational deficiencies or security weaknesses; and · Maintaining an Incident Response Plan that establishes our procedures and standards for responding to actual or potential cybersecurity threats or incidents, which we review at least annually. 33 Table of Contents Furthermore, our IT security infrastructure and cybersecurity policies are designed to monitor and manage security risks associated with any third-party service providers, suppliers, software and hardware vendors, contractors, and consultants we collaborate with (hereinafter, collectively, Vendors) who might store, process, collect, share, create, transmit, destroy, or access any of our sensitive data.

Biggest changeSome of the steps we have taken and processes we have implemented to assess, identify, and manage material risks from cybersecurity threats include the following: · Forming a Security Council Committee (SCC), which consists primarily of members of our management team and IT department, to develop and oversee our cybersecurity policies and infrastructure and establishing a multi-tiered reporting and governance system pursuant to which our SCC reports to our Service Center Board, which reports to our Risk Committee, which reports to our Board; · Implementing heightened safety measures, physical-security controls, and controlled-access requirements to protect the Service Center that houses the hardware and infrastructure used to store and transmit sensitive and confidential bank, customer, and employee information in accordance with the FFIEC IT Examination Handbook on Information Security and designating a specialized Service Center Board within the Service Center Department to oversee the protection of the Service Center’s physical integrity; · Maintaining a clearly defined ISSP, which prescribes measures to establish and enforce our security program, addresses each component of our information security (IS) position, and advances our objectives of protecting and managing risks to our data and security systems by establishing policies, standards, controls, procedures, and guidelines that address topics such as security and privacy governance, statutory, regulatory, and contractual compliance, business and disaster recovery, change management, identification and authentication processes, expectations for continuous monitoring, asset management, third-party provider management, endpoint security, and incident responses, among others; ● Conducting an annual self-assessment using the Cyber Risk Institute (based on the NIST Cybersecurity Framework) to review our cyber risk-management strategy and framework, assess the effectiveness and legal and regulatory compliance of our organizational cybersecurity policy, and evaluate our policies and procedures for identifying risks, protecting information, detecting security threats, responding to cyber incidents, executing recovery plans, and managing levels of external dependence and resiliency; · Conducting regular cybersecurity training for our employees regarding security awareness, the proper use and handling of sensitive information, and the protocols in place to identify, assess, and manage any cybersecurity threats and periodically testing employees’ cybersecurity knowledge, policy compliance, and response rates by engaging with third-party providers to conduct internal social engineering campaigns; · Engaging in security-incident preparedness simulations and completing disaster recovery and resilience tests designed to test and strengthen any vulnerabilities in our cybersecurity infrastructure; · Employing robust encryption and anonymization technologies and other cybersecurity monitoring and auditing systems to fortify our cybersecurity framework, including through our Online Banking Enhanced Security Program, which requires the authorized users on a customer’s account to be validated and employs multi-factor authentication (MFA), which requires each of our retail and commercial customers to authenticate their identities by entering a secure access code that our MFA system automatically generates and sends to the customer each 35 Table of Contents time there is an attempted login to the customer’s online banking account; · Implementing MFA protections for our treasury customers by prohibiting their initiation of ACH transactions or wire transfers until they authenticate their identities using a security token that is generated and sent by our online-banking MFA system; ● Communicating awareness and education of security risks, social engineering and scams affecting our customers through targeted marketing and social media messaging strategies and campaigns; ● Monitoring electronic mail and other network intrusion attempts with various tools to identify and stop intrusion and malware threats; ● Scanning and assessing vulnerabilities arising from software and hardware on our network infrastructure, ATMs, software applications, computers, copiers and other electronic assets to ensure that vulnerabilities are identified and resolved timely; · Establishing a risk-appetite profile, which we review at least annually to regularly assess our cybersecurity infrastructure and software systems in a manner that ensures we capture their current state and identify emerging risks that would require changes in our cyber environment; · Leveraging internal and external auditors as well as security consultants to review the procedures, systems, and controls that comprise our ISSP to evaluate their design and operational effectiveness and to address any operational deficiencies or security weaknesses; and · Maintaining an Incident Response Plan that establishes our procedures and standards for responding to actual or potential cybersecurity threats or incidents, which we review at least annually.

As part of our ISSP and strategy for managing cybersecurity risks, we have adopted the following cybersecurity policies: · Enterprise Information Systems Security Policy, which, among other objectives, prescribes a comprehensive framework for creating a practice-based Information Security Management System; protecting the confidentiality, integrity, and availability of our data and systems; providing for the development, review, maintenance, and ability to ensure the effectiveness of minimum security controls required to protect our data and systems; and recognizing the highly-networked nature of the current computing environment to provide effective company-wide management and oversight of related cybersecurity risks; · Corporate Account Takeover Policy, which serves to mitigate the risks of corporate account takeover crimes and to document our compliance with the Texas Department of Banking’s Supervisory Memorandum 1029 on “Risk Management of Account Takeovers,” dated September 30, 2019, and the FFIEC’s guidance on “Authentication and Access to Financial Institution Services and Systems,” dated August 11, 2021; · Vendor Management Policy, which provides a risk-based process for identifying, measuring, monitoring, and managing third-party relationships with new and existing vendors by requiring an assessment, categorization, and ranking of the risks associated with each third-party vendor and implements a third-party risk-management process that focuses on risk assessment, due diligence in selecting third-party vendors, contract structuring and review, and ongoing oversight of the operational and financial performance of the third-party vendor’s products and services; · Service Center Physical Security for Data and Computing Equipment Policy, which provides directives for implementing appropriate physical security controls to protect the hardware, infrastructure, and systems that store and transmit our sensitive information and data from damage, unauthorized access, and loss of availability; to monitor, analyze, and properly disclose security alerts and information; and to administer other administrative and technical operational security procedures; and · Security Incident Response Policy, which establishes the steps necessary to ensure a timely and adequate response to security incidents impacting our security systems or infrastructure.

As part of our ISSP and strategy for managing cybersecurity risks, we have adopted the following cybersecurity policies: · Enterprise Information Systems Security Policy, which, among other objectives, prescribes a comprehensive framework for creating a practice-based Information Security Management System; protecting the confidentiality, integrity, and availability of our data and systems; providing for the development, review, maintenance, and ability to ensure the effectiveness of minimum security controls required to protect our data and systems; and recognizing the highly-networked nature of the current computing environment to provide effective company-wide management and oversight of related cybersecurity risks; · Corporate Account Takeover Policy, which serves to mitigate the risks of corporate account takeover crimes and to document our compliance with the Texas Department of Banking’s Supervisory Memorandum 1029 on “Risk Management of Account Takeovers,” dated September 30, 2019, and the FFIEC’s guidance on “Authentication and Access to Financial Institution Services and Systems,” dated August 11, 2021; · Vendor Management Policy, which provides a risk-based process for identifying, measuring, monitoring, and managing third-party relationships with new and existing vendors by requiring an assessment, categorization, and ranking of the risks associated with each third-party vendor and implements a third-party risk-management 34 Table of Contents process that focuses on risk assessment, due diligence in selecting third-party vendors, contract structuring and review, and ongoing oversight of the operational and financial performance of the third-party vendor’s products and services; · Service Center Physical Security for Data and Computing Equipment Policy, which provides directives for implementing appropriate physical security controls to protect the hardware, infrastructure, and systems that store and transmit our sensitive information and data from damage, unauthorized access, and loss of availability; to monitor, analyze, and properly disclose security alerts and information; and to administer other administrative and technical operational security procedures; and · Security Incident Response Policy, which establishes the steps necessary to ensure a timely and adequate response to security incidents impacting our security systems or infrastructure.

For example, our network engineers analyze network traffic for external attacks, search for signs of a firewall breach, and take action to block a suspected intruder’s network traffic; our security analysts and engineers look for indications of an attack or suspicious activity by monitoring and reviewing the network activity of our business applications and the audit logs of our mission-critical servers; and our systems administrators examine system logs of our critical systems for any abnormal activity, confirm our mission-critical computers are up to date on all service packs and patches, and ensure backups have been created for our critical systems. · The CISO reports the incident to our executive management team, Service Center Board, and ITCC. · Our CISO, executive management team, Service Center Board, and ITCC evaluate the type and severity of the incident, review applicable legal and regulatory requirements for disclosing cybersecurity incidents, and determine whether, when, and to whom the incident must be reported.

For example, our network engineers analyze network traffic for external attacks, search for signs of a firewall breach, and take action to block a suspected intruder’s network traffic; our security analysts and engineers look for indications of an attack or suspicious activity by monitoring and reviewing the network activity of our business applications and the audit logs of our mission-critical servers; and our systems administrators examine system logs of our critical systems for any abnormal activity, confirm our mission-critical computers are up to date on all service packs and patches, and ensure backups have been created for our critical systems. · The CISO reports the incident to our executive management team, Service Center Board, and SCC. · Our CISO, executive management team, Service Center Board, and SCC evaluate the type and severity of the incident, review applicable legal and regulatory requirements for disclosing cybersecurity incidents, and determine whether, when, and to whom the incident must be reported.

Types of incidents that would generally require the activation of our IRT include but are not limited to a breach of personal information, a denial-of-service (DoS) or distributed DoS attack, excessive port scans, a firewall breach, or a virus or malware outbreak. · If the type of incident or the threat created by the incident necessitates a full-scale response by the IRT, the CISO notifies a team of network and security engineers, security analysts, and Windows / Unix / Linux systems administrators (collectively, the IT Security and Engineering Teams). · At the CISO’s direction, the IT Security and Engineering Teams gather intel regarding the incident and take pre-planned steps to mitigate harm, address system weaknesses, and block ongoing threats.

Types of incidents that would generally require the activation of our IRT include but are not limited to a breach of personal information, a denial-of-service (DoS) or distributed DoS attack, excessive port scans, a firewall breach, or a virus or malware outbreak. 37 Table of Contents · If the type of incident or the threat created by the incident necessitates a full-scale response by the IRT, the CISO notifies a team of network and security engineers, security analysts, and Windows / Unix / Linux systems administrators (collectively, the IT Security and Engineering Teams). · At the CISO’s direction, the IT Security and Engineering Teams gather intel regarding the incident and take pre-planned steps to mitigate harm, address system weaknesses, and block ongoing threats.

The ITCC meets at least quarterly to discuss its oversight of our cybersecurity policies and procedures, risk-management practices and controls, and efforts to mitigate and prevent cybersecurity risks. The ITCC may meet more frequently if required by our Incident Response Plan to facilitate timely response, monitoring, risk-management, and recovery efforts.

The SCC meets at least quarterly to discuss its oversight of our cybersecurity policies and procedures, risk-management practices and controls, and efforts to mitigate and prevent cybersecurity risks. The SCC may meet more frequently if required by our Incident Response Plan to facilitate timely response, monitoring, risk-management, and recovery efforts.

In addition to the ITCC and Risk Committees, we have established a Technology Committee, a Senior Management Committee, and a Business Continuity and Disaster Recovery (BC/DR) Committee. Each oversees aspects of our ISSP and coordinates with the ITCC to implement various cybersecurity procedures. Chief Information Security Officer.

In addition to the SCC and Risk Committees, we have established a Technology Committee, a Senior Management Committee, and a Business Continuity and Disaster Recovery (BC/DR) Committee. Each oversees aspects of our ISSP and coordinates with the SCC to implement various cybersecurity procedures. Chief Information Security Officer .

Commensurate with the risks we face and the sensitivity of the data and systems we are protecting, our Information Systems Security Program (ISSP) includes layers of administrative and technical safeguards designed to protect the confidentiality and integrity of sensitive information belonging to us and our employees, partners, and 31 Table of Contents customers, to guard against the unauthorized access, alteration, disclosure, or destruction of that information, and to defend that information from potential, known, emerging, and evolving security risks.

Commensurate with the risks we face and the sensitivity of the data and systems we are protecting, our Information Systems Security Program (ISSP) includes layers of administrative and technical safeguards designed to protect the confidentiality and integrity of sensitive information belonging to us and our employees, partners, and customers, to guard against the unauthorized access, alteration, disclosure, or destruction of that information, and to defend that information from potential, known, emerging, and evolving security risks.

The ITCC is also charged with periodically reporting to management, the Board, and the Risk Committee, the status and results of our compliance with our security program, results of security assessments, and effectiveness of remediation activities. Other Committees.

The SCC is also charged with periodically reporting to management, the Board, and the Risk Committee, the status, and results of our compliance with our security program, results of security assessments, and effectiveness of remediation activities. Other Committees.

Having an integrated team for incident response facilitates information sharing, which allows organizational personnel, including developers, implementers, and operators, to leverage the team knowledge of the threat in order to implement defensive measures that 34 Table of Contents will deter intrusions more effectively.

Governance IT Cybersecurity Committee. As part of our cybersecurity governance framework and for purposes of establishing and maintaining our ISSP, we have established an IT Cybersecurity Committee (ITCC), which consists predominantly of members of our management team and IT department. The ITCC is subject to oversight by the Service Center Board, the Risk Committee, and the Board.

As part of our cybersecurity governance framework and for purposes of establishing and maintaining our ISSP, we have established an SCC, which consists of members of our management team and IT department. The SCC is subject to oversight by the Service Center Board, the Risk Committee, and the Board.

In addition to establishing the ITCC and other committees, we designated a Chief Information Security Officer (CISO) to oversee all aspects of our IS policies, procedures, and controls. Our CISO reports to our Senior Management Committee, the ITCC, the Risk Committee, and the Chairman of the Board.

In addition to establishing the SCC and other committees, we designated a Chief Information Security Officer (CISO) to oversee all aspects of our IS policies, procedures, and controls. Our CISO reports to our Senior and Executive Management Committee, the SCC, the Risk Committee, and the Chairman of the Board.

Our Board reviews our CATO Policy for 35 Table of Contents compliance with the Texas Department of Banking standards for the risk management of CATOs and charges our EBS Management Team with the responsibility of determining necessary courses of action to ensure adherence to applicable guidance and regulations.

Our Board reviews our CATO Policy for compliance with the Texas Department of Banking standards for the risk management of CATOs and charges our EBS Management Team with the responsibility of determining necessary courses of action to ensure adherence to applicable guidance and regulations.

The Risk Committee of the Board works directly with the ITCC to develop and implement our policies and procedures concerning cybersecurity and data protection.

The Risk Committee of the Board works directly with the SCC to develop and implement our policies and procedures concerning cybersecurity and data protection.

Our CISO is responsible for ensuring appropriate security controls are implemented to prevent, detect, and respond to CATOs, establishing incident-response procedures to be employed if a CATO threat is in progress, and timely notifying our primary federal regulator of any CATO incidents that are required to be disclosed to comply with applicable laws, regulations, and CATO Policy procedures. 38 Table of Contents Notwithstanding the robust nature of our defensive measures and security processes and the multi-layered governance system that we have established to mitigate, monitor, analyze, and respond to incidents, cybersecurity threats are increasingly difficult to detect, and the risk of a data breach or cyber-attack is pervasive and severe.

Our Vendor Management Policy establishes clearly defined requirements of engagements with Vendors and requires them to uphold similar security standards to those we internally require. Depending on their risk level, we may subject certain Vendors to heightened security requirements, such as enhanced risk assessments, ongoing monitoring, or additional contractual controls to restrict their levels of information access.

Depending on their risk level, we may subject certain Vendors to heightened security requirements, such as enhanced risk assessments, ongoing monitoring, or additional contractual controls to restrict their levels of information access. 36 Table of Contents Governance Security Council Committee .

Removed

Notwithstanding the robust nature of our defensive measures and security processes and the multi-layered governance system that we have established to mitigate, monitor, analyze, and respond to incidents, cybersecurity threats are increasingly difficult to detect, and the risk of a data breach or cyber-attack is pervasive and severe.

Added

Furthermore, our IT security infrastructure and cybersecurity policies are designed to monitor and manage security risks associated with any third-party service providers, suppliers, software and hardware vendors, contractors, and consultants we collaborate with (hereinafter, collectively, Vendors) who might store, process, collect, share, create, transmit, destroy, or access any of our sensitive data.

Added

Our Vendor Management Policy establishes clearly defined requirements of engagements with Vendors and requires them to uphold similar security standards to those we internally require.

Item 3. Legal Proceedings

Legal Proceedings — active lawsuits and investigations

1 edited+0 added−0 removed3 unchanged

2023 filing

2024 filing

Biggest changeFurther information regarding legal proceedings has been provided in Note 16 of the Notes to Consolidated Financial Statements located on page 65 of the 2023 Annual Report to Shareholders, which is filed as Exhibit 13 hereto and incorporated herein by reference. Item 4. Mine Safety Disclosures None 36 Table of Contents

Biggest changeFurther information regarding legal proceedings has been provided in Note 15 of the Notes to Consolidated Financial Statements located on page 66 of the 2024 Annual Report to Shareholders, which is filed as Exhibit 13 hereto and incorporated herein by reference.

Item 5. Market for Registrant's Common Equity

Market for Common Equity — stock, dividends, buybacks

1 edited+0 added−0 removed0 unchanged

2023 filing

2024 filing

Biggest changeItem 5. Market for the Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities The information set forth under the caption “Common Stock and Dividends,” “Stock Repurchase Program,” and “Equity Compensation Plan Information” located on pages 22 and 23 of our 2023 Annual Report is incorporated herein by reference.

Biggest changeItem 5. Market for the Registrant’s Common Equity, Related Stockholder Matters and Issuer Purchases of Equity Securities The information set forth under the caption “Common Stock and Dividends,” “Stock Repurchase Program,” and “Equity Compensation Plan Information” located on pages 24 and 25 of our 2024 Annual Report is incorporated herein by reference.

Item 7. Management's Discussion & Analysis

Management's Discussion & Analysis (MD&A) — revenue / margin commentary

1 edited+0 added−0 removed0 unchanged

2023 filing

2024 filing

Biggest changeItem 7. Management’s Discussion and Analysis of Financial Condition and Results of Operation s The information set forth under the caption “Management’s Discussion and Analysis of Financial Condition and Results of Operations” located on pages 2 through 24 of our 2023 Annual Report is incorporated herein by reference.

Biggest changeItem 7. Management’s Discussion and Analysis of Financial Condition and Results of Operation s The information set forth under the caption “Management’s Discussion and Analysis of Financial Condition and Results of Operations” located on pages 2 through 24 of our 2024 Annual Report is incorporated herein by reference.

Top changes in INTERNATIONAL BANCSHARES CORP's 2024 10-K

Item 1. Business

Item 1A. Risk Factors

Item 1C. Cybersecurity

Item 3. Legal Proceedings

Item 5. Market for Registrant's Common Equity

Item 7. Management's Discussion & Analysis

Other IBOC 10-K year-over-year comparisons