Quiver Quantitative

Risk Factors Dashboard

Once a year, publicly traded companies issue a comprehensive report of their business, called a 10-K. A component mandated in the 10-K is the ‘Risk Factors’ section, where companies disclose any major potential risks that they may face. This dashboard highlights all major changes and additions in new 10K reports, allowing investors to quickly identify new potential risks and opportunities.

View risk factors by ticker

Search filings by term

Risk Factors - TSBK

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Item 1A. Risk Factors – Our investment securities portfolio may be negatively impacted by fluctuations in market value and interest rates and result in losses” and "Note 3-Investment Securities" of the Notes to the Consolidated Financial Statements contained in Item 8 of this report.

Deposit Activities and Other Sources of Funds

General. Deposits and loan repayments are the major sources of the Bank's funds for lending and other investment purposes. Scheduled loan repayments are a relatively stable source of funds, while deposit inflows and outflows and loan prepayments are influenced significantly by general interest rates and money market conditions. Borrowings through the FHLB and the Federal Reserve Bank of San Francisco ("FRB") may be used to compensate for reductions in the availability of funds from other sources.

Deposit Accounts. Deposits are attracted from within the Bank's market area through the offering of a broad selection of deposit instruments, including money market deposit accounts, checking accounts, regular savings accounts and certificates of deposit. Deposit account terms vary, according to the minimum balance required, the time periods the funds must remain on deposit and the interest rate, among other factors. The Bank actively seeks consumer and commercial checking accounts through checking account acquisition marketing programs.

The Bank maintains checking accounts owned by businesses associated with the cannabis industry (or Initiative-502) in Washington State. The Bank generally services these accounts in compliance with applicable federal and state regulatory guidance and monitors associated regulatory and compliance risks. See "Item 1A. Risk Factors" - We operate in a highly regulated environment and may be adversely affected by changes in federal and state laws and regulations that could increase our costs of operations.

At September 30, 2025, the Bank's deposits included $142.81 million of jumbo certificates of deposit of $250,000 or more, $68.90 million in reciprocal negotiable order of withdrawal NOW checking deposits, $18.59 million in reciprocal money market deposits, and $43.11 million in brokered certificates of deposit.

The following table sets forth information concerning the Bank's deposits at September 30, 2025:

______________________

(1)Based on remaining maturity of certificates.

The following table indicates the amount of the Bank's jumbo certificates of deposit by time remaining until maturity as of September 30, 2025. Jumbo certificates of deposit have principal balances of $250,000 or more, and the rates paid on these accounts are generally negotiable.

As of September 30, 2025, 2024 and 2023 approximately $491.19 million, $471.08 million and $407.61 million, respectively, of the Bank’s deposit portfolio was uninsured. These amounts are estimates based on methodologies and assumptions used for regulatory reporting purposes. The Bank is an approved public funds deposit institution in Washington, where applicable laws require public funds to be secured by qualified investment securities. As of September 30, 2025, $154.67 million of the Bank's uninsured deposits were public funds, all of which were fully secured by qualified investment securities.

The following table sets forth the portion of our time deposits that are in excess of the FDIC insurance limit, by remaining time until maturity, as of September 30, 2025 (dollars in thousands).

Deposit Flow. The following table sets forth the balances of deposits in the various types of accounts offered by the Bank at the dates indicated:

Certificates of Deposit by Rates. The following table sets forth the certificates of deposit in the Bank classified by rates as of the dates indicated:

Certificates of Deposit by Maturities. The following table sets forth the amount and maturities of certificates of deposit by rate at September 30, 2025:

Deposit Activities. The following table sets forth the deposit activities of the Bank for the years indicated:

For additional information regarding our deposits, see "Note 10 - Deposits" of the Notes to Consolidated Financial Statements contained in Item 8 of this report.

Borrowings. The Bank may use borrowings from the FHLB to supplement its supply of lendable funds and to meet deposit withdrawal requirements. The FHLB functions as a central reserve bank providing credit for member financial institutions. As a member of the FHLB, the Bank is required to own capital stock in the FHLB and is authorized to apply for borrowings on the security of such stock and certain mortgage loans and other assets (principally securities which are obligations of, or guaranteed by, the U.S. government) provided certain creditworthiness standards have been met. Borrowings are made pursuant to several different credit programs. Each credit program has its own interest rate and range of maturities. Depending on the program, limitations on the amount of borrowings are based on the financial condition of the member institution and the adequacy of collateral pledged to secure the credit. At September 30, 2025, the Bank maintained a credit facility with the FHLB that provided for immediately available borrowings up to an aggregate amount to 45% of the Bank’s total assets, limited by available collateral, under which short-term borrowings totaling $20.00 million and no long-term borrowings were outstanding at September 30, 2025. The Bank maintains one short-term borrowing line with the FRB with total credit based on eligible collateral. At September 30, 2025, the Bank had no outstanding balance on this line, with $70.57 million available for future borrowings. A short-term borrowing line of credit of $50.00 million is also maintained at Pacific Coast Bankers' Bank ("PCBB"). The Bank had no outstanding balance on this borrowing line of credit at September 30, 2025.

For additional information regarding our borrowings, see "Note 11 - FHLB Borrowings and Other Borrowings" of the Notes to Consolidated Financial Statements contained in Item 8 of this report.

Bank Owned Life Insurance

The Bank has purchased life insurance policies covering certain officers. These policies are recorded at their cash surrender value, net of any cash surrender charges. Increases in cash surrender value, net of policy premiums, and proceeds from death benefits are recorded in non-interest income. At September 30, 2025, the cash surrender value of bank owned life insurance (“BOLI”) was $21.83 million.

How We Are Regulated

General. As a bank holding company, Timberland Bancorp is subject to examination and supervision by, and is required to file certain reports with, the Federal Reserve. Timberland Bancorp is also subject to the rules and regulations of the SEC under the federal securities laws. As a state-chartered savings bank, the Bank is subject to regulation and oversight by the DFI and the applicable provisions of Washington law and regulations of the DFI adopted thereunder. The Bank also is subject to regulation and examination by the FDIC, which insures the deposits of the Bank to the maximum extent permitted by law, and requirements established by the Federal Reserve. State law and regulations govern the Bank's ability to take deposits and pay interest thereon, to make loans on or invest in residential and other real estate, to make consumer loans, to invest in securities, to offer various banking services to its customers and to establish branch offices. Under state law, savings banks in Washington also generally have all the powers that federal savings banks have under federal laws and regulations.

The following is a brief description of certain laws and regulations applicable to Timberland Bancorp and the Bank. Descriptions of laws and regulations here and elsewhere in this report do not purport to be complete and are qualified in their entirety by reference to the actual laws and regulations. Legislation is introduced from time to time in the U.S. Congress or the Washington State Legislature that may affect the operations of Timberland Bancorp and the Bank. In addition, the regulations governing the Company and the Bank may be amended from time to time by the FDIC, DFI, Federal Reserve and the Consumer Financial Protection Bureau ("CFPB"). Any such legislation or regulatory changes in the future could adversely affect the Company's and the Bank's operations and financial condition. We cannot predict whether any such changes may occur.

The DFI and FDIC have extensive enforcement authority over all Washington state-chartered savings banks, including the Bank. The Federal Reserve has the same type of authority over Timberland Bancorp. This enforcement authority includes, among other things, the ability to assess civil money penalties, issue cease-and-desist orders and removal orders and initiate injunctive actions. In general, these enforcement actions may be initiated for violations of laws and regulations and unsafe or unsound practices. Other actions or inactions may provide the basis for enforcement action, including misleading or untimely reports filed with the regulators.

Regulation of the Bank

The Bank, as a state-chartered savings bank, is subject to regulation and oversight by the FDIC and the DFI extending to all aspects of its operations.

Insurance of Accounts and Regulation by the FDIC. The Bank’s deposits are insured up to $250,000 per separately insured deposit ownership right or category by the Deposit Insurance Fund (‘DIF”) of the FDIC. As insurer, the FDIC imposes deposit insurance premiums and is authorized to conduct examinations of, and to require reporting by, FDIC-insured institutions. The FDIC assesses deposit insurance premiums quarterly on each FDIC-insured institution applied to its deposit base, which is their average consolidated total assets minus its Tier 1 capital. No institution may pay a dividend if it is in default on its federal deposit insurance assessment. Total base assessment rates currently range from 2.5 to 32 basis points subject to certain adjustments.

In October 2022, the FDIC finalized a rule that increased the initial base deposit insurance assessment rates by 2 basis points, beginning with the first quarterly assessment period of 2023 to support the DIF's Amended Restoration Plan. The FDIC determined that without the increase, the DIF reserve ratio might not reach the statutory 1.35% minimum requirement by the September 30, 2028, deadline. Progressively lower assessment rate schedules will take effect when the reserve ratio reaches 2%, and again when it reaches 2.5%.

In a banking industry emergency, the FDIC may also impose a special assessment. As insurer, the FDIC is authorized to conduct examinations of and to require reporting by FDIC-insured institutions. The FDIC also may prohibit any insured institution from engaging in any activity the FDIC determines by regulation or order to pose a serious risk to the DIF. The FDIC also has the authority to take enforcement actions against banks and savings associations. Management is not aware of any existing circumstances which would result in termination of the Bank's deposit insurance.

Capital Requirements. Federally insured financial institutions, such as the Bank, and their holding companies, are required to maintain a minimum level of regulatory capital. The Bank is subject to capital regulations adopted by the FDIC, which establish minimum required ratios for a common equity Tier 1 (“CET1”) capital to risk-based assets ratio, a Tier 1 capital to risk-based assets ratio, a total capital to risk-based assets ratio and a Tier 1 capital to total assets leverage ratio. The capital standards require the maintenance of the following minimum capital ratios: (i) a CET1 capital ratio of 4.5%; (ii) a Tier 1 capital ratio of 6%; (iii) a total capital ratio of 8%; and (iv) a Tier 1 leverage ratio of 4%. Consolidated regulatory capital requirements identical to those applicable to subsidiary banks generally apply to bank holding companies. However, the Federal Reserve has provided a “Small Bank Holding Company” exception to its consolidated capital requirements, and bank holding companies with less than $3.0 billion of consolidated assets are not subject to the consolidated holding company capital requirements unless otherwise directed by the Federal Reserve.

The Economic Growth, Regulatory Relief and Consumer Protection Act (“EGRRCPA”), enacted in May 2018, required the federal banking agencies, including the FDIC, to establish for institutions with assets of less than $10 billion a “community bank leverage ratio” or “CBLR” of between 8 to 10%. Institutions with capital meeting or exceeding the ratio and otherwise complying with the specified requirements (including off-balance sheet exposures of 25% or less of total assets and trading assets and liabilities of 5% or less of total assets) and electing the alternative framework are considered to comply with the applicable regulatory capital requirements, including the risk-based requirements. The CBLR was established at 9% Tier 1 capital to total average assets, effective January 1, 2020. A qualifying institution may opt in and out of the community bank leverage ratio framework on its quarterly call report. An institution that temporarily ceases to meet any qualifying criteria is provided with a two-quarter grace period to again achieve compliance. Failure to meet the qualifying criteria within the grace period or maintain a leverage ratio of greater than 8% requires the institution to comply with the generally applicable capital requirements. . On November 25, 2025, federal banking regulators including the FDIC, issued a proposed rule that would lower the CBLR from 9% to 8% and extend the grace period for falling below the threshold from two to four quarters, reducing compliance pressure on smaller community banks, like the Bank. No assurance can be made as to when and in what form the final rule will be adopted. The Bank has not elected to use the CBLR framework as of September 30, 2025.

To be considered well-capitalized under the prompt corrective action regulations, the Bank must maintain a CET1 risk-based ratio of 6.5%, a Tier 1 risk-based ratio of 8%, a total risk-based capital ratio of 10% and a leverage ratio of 5%, and the Bank must not be subject to an individualized order, directive or agreement under which its primary federal banking regulator requires it to maintain a specific capital level.

In addition to the minimum capital requirements, the Bank must maintain a capital conservation buffer that consists of additional CET1 capital greater than 2.5% of risk-weighted assets above the required minimum risk-based capital ratios to avoid limitations on paying dividends, repurchasing shares and paying certain discretionary bonuses. At September 30, 2025, the Bank met the requirements to be "well capitalized," and the Bank's CET1 capital exceeded the required conservation buffer.

For additional information regarding the Bank's regulatory capital requirements, see "Note 17-Regulatory Matters" of the Notes to the Consolidated Financial Statements contained in Item 8 of this report.

Prompt Corrective Action. Federal statutes establish a supervisory framework based on five capital categories: well capitalized, adequately capitalized, undercapitalized, significantly undercapitalized and critically undercapitalized. An institution’s category depends upon where its capital levels are in relation to relevant capital measures, which include a risk-based capital measure, a leverage ratio capital measure and certain other factors. An institution that is not well capitalized is subject to certain restrictions on brokered deposits, including restrictions on the rates it can offer on its deposits generally. Any institution which is neither well capitalized nor adequately capitalized is considered undercapitalized. The final rule establishing an elective "community bank leverage ratio" regulatory capital framework provides that a qualifying institution whose capital exceeds the CBLR and opts to use the framework will be considered "well capitalized" for purposes of prompt corrective action.

Undercapitalized institutions are subject to certain prompt corrective action requirements, regulatory controls and restrictions which become more extensive as an institution becomes more severely undercapitalized. Failure by an institution to comply with applicable capital requirements would, if unremedied, result in progressively more severe restrictions on its activities and

lead to enforcement actions, including, but not limited to, the issuance of a capital directive to ensure the maintenance of required capital levels and, ultimately, the appointment of the FDIC as receiver or conservator. Banking regulators will take prompt corrective action with respect to depository institutions that do not meet minimum capital requirements. Additionally, approval of any regulatory application filed for their review may be dependent on compliance with capital requirements.

At September 30, 2025, the Bank was categorized as “well capitalized” under the prompt corrective action regulations of the FDIC. For additional information regarding the Bank's minimum regulatory capital requirements, see "Capital Requirements" above and "Note 17 - Regulatory Matters" of the Notes to the Consolidated Financial Statements contained in Item 8 of this report.

Federal Home Loan Bank System. The Bank is a member of the FHLB, one of 11 regional Federal Home Loan Banks that administer the home financing credit function of savings institutions, each serving as a reserve or central bank for its members within its assigned region. The FHLB is funded primarily from proceeds derived from the sale of consolidated obligations of the FHLB System. It makes loans to members in accordance with policies and procedures established by the Board of Directors of the FHLB, which are subject to the oversight of the Federal Housing Finance Board. All borrowings from the FHLB are required to be fully secured by sufficient collateral as determined by the FHLB. In addition, all long-term borrowings are required to provide funds for residential home financing. See “Deposit Activities and Other Sources of Funds – Borrowings" above.

As a member, the Bank is required to purchase and maintain stock in the FHLB based on the Bank's asset size and level of borrowings from the FHLB. At September 30, 2025, the Bank had $2.05 million in FHLB stock, which was in compliance with this requirement. The FHLB pays dividends quarterly, and the Bank received $156,000 in dividends during the year ended September 30, 2025.

The Federal Home Loan Banks continue to contribute to low- and moderately- priced housing programs through direct loans or interest subsidies on borrowings targeted for community investment and low- and moderate-income housing projects. These contributions have adversely affected the level of FHLB dividends paid and could continue to do so in the future. These contributions could also have an adverse effect on the value of FHLB stock in the future. A reduction in value of the Bank's FHLB stock may result in a decrease in net income and possibly capital.

Standards for Safety and Soundness. Each federal banking agency, including the FDIC, has adopted guidelines establishing general standards relating to internal controls, information and internal audit systems; loan documentation; credit underwriting; interest rate risk exposure; asset growth; asset quality; earnings; and compensation, fees and benefits. In general, the guidelines require, among other things, appropriate systems and practices to identify and manage the risks and exposures specified in the guidelines. The guidelines prohibit excessive compensation as an unsafe and unsound practice and describe compensation as excessive when the amounts paid are unreasonable or disproportionate to the services performed by an executive officer, employee, director, or principal shareholder. If the FDIC determines that an institution fails to meet any of these guidelines, it may require an institution to submit to the FDIC an acceptable plan to achieve compliance. Management of the Bank is not aware of any conditions relating to these safety and soundness standards which would require submission of a plan of compliance.

Commercial Real Estate Lending Concentrations. The federal banking agencies have issued guidance on sound risk management practices for concentrations in commercial real estate lending. The particular focus is on exposure to commercial real estate loans that are dependent on the cash flow from the real estate held as collateral and that are likely to be sensitive to conditions in the commercial real estate market (as opposed to real estate collateral held as a secondary source of repayment or as an abundance of caution). The purpose of the guidance is not to limit a bank’s commercial real estate lending but to guide banks in developing risk management practices and capital levels commensurate with the level and nature of real estate concentrations. The guidance directs the FDIC and other federal bank regulatory agencies to focus their supervisory resources on institutions that may have significant commercial real estate loan concentration risk. A bank that has experienced rapid growth in commercial real estate lending has notable exposure to a specific type of commercial real estate loan, or is approaching or exceeding the following supervisory criteria may be identified for further supervisory analysis with respect to real estate concentration risk:

•Total reported loans for construction, land development and other land represent 100% or more of the bank’s total regulatory capital; or

•Total commercial real estate loans (as defined in the guidance) represent 300% or more of the bank’s total regulatory capital and the outstanding balance of the bank’s commercial real estate loan portfolio has increased 50% or more during the prior 36 months.

The guidance provides that the strength of an institution’s lending and risk management practices with respect to such concentrations will be taken into account in supervisory guidance on evaluation of capital adequacy. As of September 30, 2025, the Bank’s aggregate recorded loan balances for construction, land development and land loans were 66.20% of regulatory capital. In addition, at September 30, 2025 the Bank’s loans on commercial real estate, as defined by the FDIC, were 283.05% of regulatory capital.

Activities and Investments of Insured State-Chartered Financial Institutions. Federal law generally limits the activities and equity investments of FDIC-insured state-chartered banks to those that are permissible for national banks. An insured state bank is not prohibited from, among other things, (i) acquiring or retaining a majority interest in a subsidiary, (ii) investing as a limited partner in a partnership, the sole purpose of which is direct or indirect investment in the acquisition, rehabilitation or new construction of a qualified housing project, provided that such limited partnership investments may not exceed 2% of the bank's total assets, (iii) acquiring up to 10% of the voting stock of a company that solely provides or reinsures directors' and officers' liability insurance coverage or bankers' blanket bond group insurance coverage for insured depository institutions, and (iv) acquiring or retaining the voting shares of a depository institution owned by another FDIC-insured institution if certain requirements are met.

Under the laws of Washington State, Washington-chartered savings banks may exercise any of the powers of Washington-chartered commercial banks, national banks and federally-chartered savings banks, subject to the approval of the DFI in certain situations. In addition, Washington-chartered savings banks may charge the maximum interest rate allowable for loans and other extensions of credit by federally-chartered financial institutions to Washington residents.

Environmental Issues Associated with Real Estate Lending. The Comprehensive Environmental Response, Compensation and Liability Act (“CERCLA”) is a federal statute that generally imposes strict liability on all prior and present "owners and operators" of sites containing hazardous waste. However, Congress acted to protect secured creditors by providing that the term “owner and operator” excludes a person whose ownership is limited to protecting its security interest in the site. Since the enactment of the CERCLA, this “secured creditor exemption” has been the subject of judicial interpretations which have left open the possibility that lenders could be liable for cleanup costs on contaminated property that they hold as collateral for a loan.

Federal Reserve System. The Federal Reserve requires all depository institutions to maintain reserves at specified levels against their transaction accounts, primarily checking accounts.

Transactions with Affiliates. Timberland Bancorp, Inc. and the Bank are separate and distinct legal entities. The Bank is an affiliate of Timberland Bancorp, Inc. Federal laws strictly limit the ability of banks to engage in certain transactions with their affiliates. Transactions deemed to be a “covered transaction” under Section 23A of the Federal Reserve Act between a bank and an affiliate are limited to 10% of the bank's capital and surplus and, with respect to all affiliates, to an aggregate of 20% of the bank's capital and surplus. Further, covered transactions that are loans and extensions of credit generally are required to be secured by eligible collateral in specified amounts. Federal law also requires that covered transactions and certain other transactions listed in Section 23B of the Federal Reserve Act between a bank and its affiliates be on terms as favorable to the bank as transactions with non-affiliates.

Community Reinvestment Act. Banks are also subject to the provisions of the Community Reinvestment Act of 1977 (“CRA”), which requires the appropriate federal bank regulatory agency to assess a bank’s performance under the CRA in meeting the credit needs of the community serviced by the bank, including low- and moderate-income neighborhoods. The regulatory agency’s assessment of the bank’s record is made available to the public. Further, a bank’s performance must be considered in connection with a bank’s application to, among other things, establish a new branch office that will accept deposits, relocate an existing office or merge or consolidate with, or acquire the assets or assume the liabilities of, a federally regulated financial institution. The Bank received a “satisfactory” rating during its most recent examination.

Dividends. Dividends from the Bank constitute the major source of funds available for dividends which may be paid to Company shareholders. The amount of dividends payable by the Bank to the Company depends upon the Bank's earnings and capital position, and is limited by federal and state laws, regulations and policies. According to Washington law, the Bank may not declare or pay a cash dividend on its capital stock if it would cause its net worth to be reduced below (i) the amount

required for liquidation accounts or (ii) the net worth requirements, if any, imposed by the Director of the DFI. In addition, dividends on the Bank's capital stock may not be paid in an aggregate amount greater than the aggregate retained earnings of the Bank, without the approval of the Director of the DFI. Dividends payable by the Bank can be limited or prohibited if the Bank does not meet the capital conservation buffer requirement.

The amount of dividends actually paid during any one period will be strongly affected by the Bank's management policy of maintaining a strong capital position. Federal law further provides that no insured depository institution may pay a cash dividend if it would cause the institution to be “undercapitalized,” as defined in the prompt corrective action regulations. Moreover, the federal bank regulatory agencies also have the general authority to limit the dividends paid by insured banks if such payments should be deemed to constitute an unsafe and unsound practice.

Anti-Money Laundering, Bank Secrecy and Customer Identification. The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA Patriot Act) was signed into law on October 26, 2001. The USA PATRIOT Act and the Bank Secrecy Act requires financial institutions to develop programs to prevent financial institutions from being used for money laundering and terrorist activities. If such activities are detected, financial institutions are obligated to file suspicious activity reports with the U.S. Treasury’s Office of Financial Crimes Enforcement Network. These rules require financial institutions to establish procedures for identifying and verifying the identity of customers seeking to open new financial accounts, and, effective in 2018, the beneficial owners of accounts. Bank regulators are directed to consider a holding company’s effectiveness in combating money laundering when ruling on Bank Holding Company Act and Bank Merger Act applications.

Privacy Standards and Cybersecurity. The Gramm-Leach-Bliley Financial Services Modernization Act of 1999 modernized the financial services industry by establishing a comprehensive framework to permit affiliations among commercial banks, insurance companies, securities firms and other financial service providers. Federal banking agencies, including the FDIC, have adopted guidelines for establishing information security standards and cybersecurity programs for implementing safeguards under the supervision of the board of directors. These guidelines, along with related regulatory materials, increasingly focus on risk management and processes related to information technology and the use of third parties in the provision of financial services. These regulations require the Bank to disclose its privacy policy, including informing consumers of its information sharing practices and informing consumers of their rights to opt out of certain practices. In addition, Washington and other federal and state cybersecurity and data privacy laws and regulations may expose the Bank to risk and result in certain risk management costs. In addition, on November 18, 2021, the federal banking agencies announced the adoption of a final rule providing for new notification requirements for banking organizations and their service providers for significant cybersecurity incidents. Specifically, the new rule requires a banking organization to notify its primary federal regulator as soon as possible, and no later than 36 hours after, the banking organization determines that a “computer-security incident” rising to the level of a “notification incident” has occurred. Notification is required for incidents that have materially affected or are reasonably likely to materially affect the viability of a banking organization’s operations, its ability to deliver banking products and services, or the stability of the financial sector. Service providers are required under the rule to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially affected or is reasonably likely to materially affect the banking organization’s customers for four or more hours. Compliance with the new rule was required by May 1, 2022. Non-compliance with federal or similar state privacy and cybersecurity laws and regulations could lead to substantial regulatory imposed fines and penalties, damages from private causes of action and/or reputational harm. Please see "Item 1C. Cybersecurity".

Further, on July 26, 2023, the SEC adopted final rules that require public companies to promptly disclose material cybersecurity incidents in a Current Report on Form 8-K (“Form 8-K”) and detailed information regarding their cybersecurity risk management and governance on an annual basis in an Annual Report on Form 10-K (Form 10-K”). Companies will be required to report on Form 8-K any cybersecurity incident they determine to be material within four business days of making that determination. Smaller reporting companies, such as the Company, must begin complying with incident reporting on Form 8-K no later than June 15, 2024. Companies must provide the annual disclosures about cybersecurity risk management and governance beginning with their Form 10-K for fiscal years ending on or after December 15, 2023.

Other Consumer Protection Laws and Regulations. The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the "Dodd-Frank Act") established the CFPB as an independent bureau of the Federal Reserve with responsibility for the implementation of federal financial consumer protection and fair lending laws and regulations. The Bank is subject to consumer protection regulations issued by the CFPB, but as a smaller financial institution is subject to supervision and enforcement by the FDIC and DFI with respect to its compliance with federal and state consumer financial protection laws and regulations.

The Bank is subject to a broad array of federal and state consumer protection laws and regulations that govern almost every aspect of its business relationships with consumers. While the list set forth below is not exhaustive, these include the Truth-in-Lending Act, the Truth in Savings Act, the Electronic Fund Transfer Act, the Expedited Funds Availability Act, the Equal Credit Opportunity Act, the Fair Housing Act, the Real Estate Settlement Procedures Act, the Home Mortgage Disclosure Act,

the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, the Right to Financial Privacy Act, the Home Ownership and Equity Protection Act, the Consumer Leasing Act, the Fair Credit Billing Act, the Homeowners Protection Act, the Check Clearing for the 21st Century Act, laws governing flood insurance, laws governing consumer protections in connection with the sale of insurance, federal and state laws prohibiting unfair and deceptive business practices, and various regulations that implement some or all of the foregoing. These laws and regulations mandate certain disclosure requirements and regulate the manner in which financial institutions must deal with customers when taking deposits, making loans, collecting loans, and providing other services. Failure to comply with these laws and regulations can subject the Bank to various penalties, including but not limited to, enforcement actions, injunctions, fines, civil liability, criminal penalties, punitive damages, and the loss of certain contractual rights.

Regulation of the Company

General. The Company, as the sole shareholder of the Bank, is a bank holding company registered with the Federal Reserve. Bank holding companies are subject to comprehensive regulation by the Federal Reserve under the Bank Holding Company Act of 1956, as amended (“BHCA”), and the regulations promulgated thereunder. This regulation and oversight are generally intended to ensure that the Company limits its activities to those allowed by law and that it operates in a safe and sound manner without endangering the financial health of the Bank.

As a bank holding company, the Company is required to file semi-annual reports with the Federal Reserve and any additional information required by the Federal Reserve and is subject to regular examinations by the Federal Reserve. The Federal Reserve also has extensive enforcement authority over bank holding companies, including the ability to assess civil money penalties, to issue cease and desist or removal orders and to require that a holding company divest subsidiaries (including its bank subsidiaries). In general, enforcement actions may be initiated for violations of laws and regulations and unsafe or unsound practices.

BHCA. The Company is supervised by the Federal Reserve under the BHCA. The Federal Reserve has a policy that a bank holding company is required to serve as a source of financial and managerial strength to its subsidiary bank and may not conduct its operations in an unsafe or unsound manner. In addition, the Dodd-Frank Act and earlier Federal Reserve policy provide that a bank holding company should serve as a source of strength to its subsidiary bank by having the ability to provide financial assistance to its subsidiary bank during periods of financial distress to the bank. A bank holding company’s failure to meet its obligation to serve as a source of strength to its subsidiary bank will generally be considered by the Federal Reserve to be an unsafe and unsound banking practice or a violation of the Federal Reserve’s regulations or both. No regulations have yet been proposed by the Federal Reserve to implement the source of strength provisions required by the Dodd-Frank Act. Timberland Bancorp, Inc. and any subsidiaries that it may control are considered “affiliates” within the meaning of the Federal Reserve Act, and transactions between the Bank and affiliates are subject to numerous restrictions. With some exceptions, Timberland Bancorp, Inc. and its subsidiaries are prohibited from tying the provision of various services, such as extensions of credit, to other services offered by Timberland Bancorp, Inc. or by its affiliates.

Acquisitions. The BHCA prohibits a bank holding company, with certain exceptions, from acquiring ownership or control of more than 5% of the voting shares of any company that is not a bank or bank holding company and from engaging in activities other than those of banking, managing or controlling banks, or providing services for its subsidiaries. Under the BHCA, the Federal Reserve may approve the ownership of shares by a bank holding company in any company, the activities of which the Federal Reserve has determined to be so closely related to the business of banking or managing or controlling banks as to be a proper incident thereto. These activities include: operating a savings institution, mortgage company, finance company, credit card company or factoring company; performing certain data processing operations; providing certain investment and financial advice; underwriting and acting as an insurance agent for certain types of credit-related insurance; leasing property on a full-payout, non-operating basis; selling money orders, travelers’ checks and U.S. Savings Bonds; real estate and personal property appraising; providing tax planning and preparation services; and, subject to certain limitations, providing securities brokerage services for customers. The Federal Reserve must approve the acquisition (or acquisition of control) of a bank or other FDIC-insured depository institution by a bank holding company, and the appropriate federal banking regulator must approve a bank’s acquisition (or acquisition of control) of another bank or other FDIC-insured institution.

Acquisition of Control of a Bank Holding Company. Under federal law, a notice or application must be submitted to the appropriate federal banking regulator if any person (including a company), or group acting in concert, seeks to acquire “control” of a bank holding company. An acquisition of control can occur upon the acquisition of 10% or more of the voting stock of a bank holding company or as otherwise defined by federal regulations. In considering such a notice or application, the Federal Reserve takes into consideration certain factors, including the financial and managerial resources of the acquirer and the anti-trust effects of the acquisition. Any company that acquires control becomes subject to regulation as a bank holding company. Depending on circumstances, a notice or application may be required to be filed with appropriate state banking regulators and may be subject to their approval or non-objection.

Dividends. Federal Reserve policy limits the payment of cash dividends by bank holding companies, which expresses the Federal Reserve's view that a bank holding company should pay cash dividends only to the extent that the company's net income for the past year is sufficient to cover both the cash dividends and a rate of earnings retention that is consistent with the company's capital needs, asset quality and overall financial condition, and that it is inappropriate for a company experiencing serious financial problems to borrow funds to pay dividends. Under Washington corporate law, the Company generally may not pay dividends if after that payment it would not be able to pay its liabilities as they become due in the usual course of business, or its total assets would be less than its total liabilities. The capital conservation buffer requirement can also limit dividends.

Stock Repurchases. Bank holding companies, except for certain “well-capitalized” and highly rated bank holding companies, are required to give the Federal Reserve prior written notice of any purchase or redemption of its outstanding equity securities if the consideration for the purchase or redemption, when combined with the net consideration paid for all such purchases or redemptions during the preceding 12 months, is equal to 10% or more of their consolidated net worth. The Federal Reserve may disapprove a purchase or redemption if it determines that the proposal would constitute an unsafe or unsound practice or would violate any law, regulation, Federal Reserve order, or any condition imposed by, or written agreement with, the Federal Reserve.

Capital Requirements. As discussed above, pursuant to the “Small Bank Holding Company” exception, effective August 30, 2018, bank holding companies with less than $3.0 billion in consolidated assets were generally no longer subject to the Federal Reserve’s capital regulations, which are generally the same as the capital regulations applicable to the Bank. At the time of this change, Timberland Bancorp, Inc. was considered “well capitalized” as defined for a bank holding company with a total risk-based capital ratio of 10.0% or more and a Tier 1 risk-based capital ratio of 8.0% or more, and was not subject to an individualized order, directive or agreement under which the Federal Reserve requires it to maintain a specific capital level. If the Company were subject to regulatory guidelines for bank holding companies with $3.0 billion or more in assets, at September 30, 2025, the Company would have exceeded all regulatory requirements.

For additional information, see "Note 17 - Regulatory Matters" of the Notes to the Consolidated Financial Statements contained in Item 8 of this report.

Federal Securities Laws. Timberland Bancorp, Inc.’s common stock is registered with the SEC under Section 12(b) of the Securities Exchange Act of 1934, as amended (“Exchange Act”). The Company is subject to information, proxy solicitation, insider trading restrictions and other requirements under the Exchange Act.

Taxation

Federal Taxation

General. The Company and the Bank report their operations on a fiscal year basis using the accrual method of accounting and are subject to federal income taxation in the same manner as other corporations. The following discussion of tax matters is intended only as a summary and does not purport to be a comprehensive description of the tax rules applicable to the Bank or the Company.

Dividends-Received Deduction. The Company may exclude from its income 100.0% of dividends received from the Bank as a member of the same affiliated group of corporations. The corporate dividends-received deduction is generally 50.0% in the case of dividends received from unaffiliated corporations with which the Company and the Bank will not file a consolidated tax return, except that if the Company or the Bank owns more than 20.0% and less than 80% of the stock of a corporation distributing a dividend, then 65.0% of any dividends received may be deducted.

Audits. The Company is no longer subject to U.S. federal tax examination by tax authorities for years ended on or before September 30, 2021.

For additional information regarding our federal income taxes, see "Note 13-Income Taxes" of the Notes to Consolidated Financial Statements contained in Item 8 of this report.

Washington Taxation

The Company and the Bank are subject to a business and occupation tax imposed under Washington law at the rate of 1.8% of gross receipts at September 30, 2025. In addition, various municipalities also assess business and occupation taxes at differing rates. Interest received on loans secured by mortgages or deeds of trust on residential properties, certain residential mortgage-backed securities, and certain U.S. government and agency securities is not subject to this tax.

Competition

The Bank operates in an intensely competitive market for the attraction of deposits and the origination of loans. It competes with other commercial banks, thrift institutions, credit unions, mortgage bankers, finance companies, insurance companies, mutual funds, and, increasingly, financial technology (“FinTech”) firms, including digital-only banks, online lending platforms, mobile wallets, and other technology-driven financial service providers. Many competitors have substantially greater financial, technological, and operational resources than the Bank, and some offer nationwide products at lower cost. The Bank competes for loans primarily through the range and quality of services provided, pricing and loan fees, and convenient delivery channels, including branch offices, digital banking, mobile applications, and online platforms.

Subsidiary Activities

The Company has one wholly- owned subsidiary, the Bank. The Bank has one wholly-owned subsidiary, Timberland Service Corp. (“Timberland Service”), whose primary function is to provide escrow services.

Employees and Human Capital Resources

In line with our dedication to transparency and excellence, we are pleased to present an overview of the Company’s human capital strategies and achievements. Our emphasis on nurturing a dynamic, engaged, and resilient workforce remains central to our success. Our efforts reflect our commitment to fostering a robust and engaged workforce, highlighting our focus on talent, well-being, development, and strategic alignment. We are proud of the progress made in enhancing our human capital, recognizing it as a fundamental driver of the Company’s sustained growth. These initiatives collectively underscore our commitment to fostering a workforce deeply connected to the needs and values of our community. We are dedicated to continued growth, guided by the principles of service, integrity, and community stewardship.

Workforce Representation. As of September 30, 2025, the Company had 271 full-time employees and 9 part-time and on-call employees. The employees are not represented by a collective bargaining unit, and the Company believes that its relationship with its employees is positive. We recognize that our ability to attract and retain employees is a key to our success, and we strive to offer competitive salaries and benefits while staying aligned with market standards. Management tenure averaged 14 years. The workforce's ethnic composition was 77% White, 9% Hispanic or Latinx, 4% Asian, 4% two or more races, 2% Native Hawaiian or Pacific Islander, 2% American Indian or Alaska Native, and 1% African American or Black. The Company's Board of Directors is comprised of the Company's Chief Executive Officer and seven non-employee directors, four of whom identify as female and one as a member of a minority community.

Talent Acquisition and Attrition. Our strategic talent acquisition efforts have strengthened our workforce by bringing in diverse skill sets aligned with our goals. We remain focused on managing attrition and fostering a retention-driven culture by working closely with leaders to maintain stability within our teams. Our recruitment strategy prioritizes hiring local talent, enhancing our teams with individuals who have strong connections to the communities we serve. To promote diversity, we continue to refine our approach by advertising open positions on platforms that reach diverse audiences. We are committed to a fair and equitable hiring process, ensuring roles are posted both internally and externally.

Corporate Citizenship. The Company values the unique identities, perspectives, and contributions of its employees. This program is overseen by our Human Resources Director and focuses on education, training, recruitment, and hiring practices.

Benefits. The Company provides competitive and comprehensive benefits to its employees. We are committed to maintaining a safe and healthy workplace, implementing proactive measures to protect our team. Benefit programs available to eligible employees may include 401(k) savings plan, employee stock ownership plan, health and life insurance, health savings accounts

and flexible spending accounts, employee assistance program, paid holidays, paid time off, paid volunteer time, paid time off for the employee’s birthday and other leave as applicable. To further promote wellness, we provide initiatives through the programs and benefits administration that emphasize self-care, nutrition, work-life balance, and financial education. This sustained focus on health and safety reflects our dedication to fostering a secure and supportive work environment.

Total Rewards (Compensation and Benefits). We are committed to offering competitive and equitable total rewards packages that recognize and reinforce the dedication and contributions of our employees. Our total rewards program reflects this commitment through transparent wage and benefit information for posted positions, a 401(k) plan, an employee stock ownership plan, healthcare and insurance benefits, profit sharing for eligible employees, annual merit-based performance increases, organizational celebrations, wellness campaigns, recognition events, and opportunities for career development within the organization.

Employee Engagement and Training. Our community-focused approach has significantly boosted employee engagement, fostering a strong sense of belonging and purpose. The Company’s strategy is to create long term, productive relationships with employees by supporting their developmental growth. To this end, we provide continuous training opportunities throughout their careers using a variety of methods, including third-party resources, in-house programs, and computer-based training. Managers and supervisors participate in monthly training sessions on topics such as performance coaching and employee development, which are designed and delivered in-house and offered virtually. To further support career development, employees are encouraged to shadow and observe other areas of the Company.

Additionally, we conduct an annual Employee Survey to gather feedback, with results informing ongoing engagement strategies.

The Company’s culture is built on values of integrity, honesty, hard work, and community. Employees are encouraged to share their ideas and are supported in their professional growth and contributions to the organization. To attract new talent, the Company offers an employee referral incentive. We also reward employees for performance, tenure, process improvements, and efficiencies. Vacation leave accruals increase with length of service, recognizing employees' commitment to the Company.

Talent Development and Succession Planning. The Company recognizes that the skills and knowledge of its employees are critical to the success of the organization and actively supports training and continuing education as an ongoing priority. The Company’s compliance training program provides annual courses to ensure employees and officers are well-versed in the rules and regulations applicable to their jobs. For certain positions, additional training and testing programs are available to enhance skills and recognize mastery within those positions. Employees are encouraged to attend external education opportunities in the form of training, conferences, and networking events. The Company’s comprehensive talent development programs are tailored to meet the unique needs of our employees, fostering growth that aligns with our core values. Succession planning and targeted training initiatives further support a pipeline of capable individuals ready to lead the Company into the future.

Volunteerism. The Company embraces social responsibility, with our workforce actively participating in volunteer initiatives that make a positive impact on our communities. Volunteerism remains a cornerstone of our culture, reflecting our commitment to giving back. To support this, eligible employees are provided with 20 hours of paid time annually to volunteer with non-profit organizations within the Company’s geographic footprint, directly benefiting the communities we serve.

Executive Officers of the Registrant

The following table sets forth certain information with respect to the executive officers of the Company and the Bank:

Executive Officers of the Company and Bank

Biographical Information.

Dean J. Brydon has been affiliated with the Bank since 1994 and has served as Chief Executive Officer of the Bank and the Company since February 1, 2023. Prior to his promotion to Chief Executive Officer Mr. Brydon served as President of the Bank and Company from January 2022 to January 2023. Mr. Brydon also served as the Chief Financial Officer of the Company and the Bank from January 2000 to January 2023. Mr. Brydon also served as Secretary of the Company and the Bank from January 2004 to January 2022. Mr. Brydon is a Certified Public Accountant.

Jonathan A. Fischer has been affiliated with the Bank since October 1997 and was promoted to President of the Bank and the Company on February 1, 2023. Mr. Fischer has served as Chief Operating Officer since August 23, 2012 and as Secretary of the Bank and the Company since January 2022. Prior to that, Mr. Fischer served as the Compliance Officer from January 2000 to October 2012 and the Chief Risk Officer from October 2010 to January 2014.

Marci A. Basich has been affiliated with the Bank since 1999 and was promoted to Executive Vice President and Chief Financial Officer of the Bank and Company on February 1, 2023. Previously Ms. Basich served as Treasurer of the Bank and Company from January 2002 to January 2023. Ms. Basich is a Certified Public Accountant.

Matthew J. DeBord has been affiliated with the Bank since 2012 and was promoted to Executive Vice President and Chief Lending Officer on April 1, 2023. Prior to being promoted to Chief Lending Officer, Mr. DeBord served as a Commercial Loan Officer and Commercial Lending Team Leader. Prior to joining the Bank, Mr. DeBord was employed by a national bank as a Commercial Resolution Officer from January 2010 to December 2012. Mr. DeBord was a Vice President and Portfolio Manager with a local savings bank from April 2006 to January 2010 and was employed by the DFI as a Financial Examiner from June of 2003 to April 2006.

Breanne D. Antich, has been affiliated with the Bank since 2007 and was promoted to Chief Technology Officer on January 25, 2022 and was promoted to Executive Vice President on February 1, 2023. Prior to this Ms. Antich served as our Information Technology Manager.

Item 1A. Risk Factors

We assume and manage a certain degree of risk in order to conduct our business. In addition to the risk factors described below, other risks and uncertainties not specifically mentioned, or that are currently known to, or deemed to be immaterial by management, also may materially and adversely affect our financial position, results of operations and/or cash flows. Before making an investment decision, you should carefully consider the risks described below together with all the other information included in this Form 10-K and our other filings with the SEC. If any of the circumstances described in the following risk factors actually occur to a significant degree, the value of our common stock could decline, and you could lose all or part of your investment. This report is qualified in its entirety by these risk factors.

Risks Related to Economic Conditions

Our business may be adversely affected by downturns in the national economy and in the economies in our market areas.

Substantially all our loans are to businesses and individuals in the state of Washington. A downturn in local or regional economic conditions, as a result of inflation, rising interest rates, unemployment, recessions, natural disasters, or other adverse events, could materially affect our business, financial condition, and results of operations. Adverse economic developments in our primary market areas of Grays Harbor, Pierce, Thurston, King, Kitsap, and Lewis counties Washington, could also slow our growth, impair our customers’ ability to repay loans, and otherwise negatively impact our business, financial condition, and results of operations.

Weakness in the global economy, disruptions in supply chains, and changes in U.S. trade or immigration policies could adversely affect businesses in our markets, particularly those reliant on international trade or key industries such as construction and manufacturing. These developments may exacerbate labor shortages, reduce productivity, impair borrowers’ repayment capacity, increase costs, delay supply chains, lower credit demand, and heighten operational and cybersecurity risks, thereby negatively impacting our business and financial performance.

A deterioration in economic conditions in the market areas we serve could result in:

•Higher loan delinquencies, problem assets and foreclosures;

•an increase in our ACL;

•the slowing of foreclosed asset sales;

•a decline in demand for our products and services;

•a decline in collateral values linked to our loans, thereby diminishing borrowing capacities and asset values tied to existing loans;

•a decline in the net worth and liquidity of loan guarantors, which may impair their ability to honor commitments to us; and

•a reduction in our low-cost or non-interest-bearing deposits.

Because our loan portfolio is more geographically concentrated than those of larger financial institutions, adverse changes in Washington’s economy, including those tied to immigration policy shifts, may have a greater impact on our earnings and capital. Any deterioration in real estate markets could significantly affect borrowers’ repayment capabilities and collateral values. Real estate values are affected by a range of factors, including economic conditions, regulatory changes, natural disasters, and trade-related issues affecting construction costs and material availability.

Monetary policy, inflation, deflation, and other external economic factors could adversely impact our financial performance and operations.

Our financial performance and operations are influenced by monetary, fiscal, and trade policies, including those of the Federal Reserve, the U.S. Treasury, and other governmental authorities. Actions by these authorities may lead to inflation, deflation, changes in interest rates, or other economic conditions that could materially adversely affect our results of operations. Tariffs, supply-chain disruptions, or rising costs could reduce the ability of our clients, particularly small- and medium-sized businesses, to repay loans, negatively affecting credit quality and financial performance. Interest rates may not move in alignment with inflation or deflation, adding uncertainty to the economic environment.

Risks Related to our Lending Activities

Our real estate construction and land loans expose us to significant risks.

These loans are often originated regardless of whether the collateral property is subject to a sales contract. As of September 30, 2025, our construction loans totaled $223.89 million, comprising 14.2% of our overall loan portfolio.

Construction lending is inherently risky due to the difficulty in accurately estimating project costs and values. Volatility in construction costs, market demand, and regulatory conditions can result in significant deviations from initial projections, complicating the assessment of total project funding needs and loan-to-value ratios. This type of lending often involves larger principal amounts and may be concentrated among a limited number of borrowers, increasing our exposure to individual credit relationships.

In cases where borrowers have multiple outstanding loans, financial distress on one project may adversely affect their ability to service other obligations. Additionally, certain construction loans do not require periodic payments during the construction phase, resulting in interest being capitalized into the loan balance. Repayment of these loans is therefore highly dependent on the borrower’s ability to sell, lease, or refinance the completed property.

If we misjudge the value of a project or the borrower’s ability to complete and monetize it, we may be left with insufficient collateral and incur losses. Construction lending also requires active monitoring, including cost tracking and site inspections, which increases operational complexity and expense. Rising interest rates may further impact the affordability of completed homes for end-purchasers, potentially reducing demand and impairing the borrower’s ability to repay.

Properties under construction are generally illiquid and may require completion before they can be sold, complicating resolution strategies for problem loans. In some cases, we may need to provide additional funding or engage alternative builders, which introduces further cost and market risk. Speculative construction loans, where no end-purchaser is identified at origination, present heightened risk. As of September 30, 2025, $10.75 million of our construction portfolio consisted of speculative one- to four-family construction loans.

These loans carry additional risks due to extended development timelines, susceptibility to real estate market fluctuations, potential delays from economic or political factors, and the generally illiquid nature of land as collateral.

As of September 30, 2025, one construction totaling $553,000 was on non-accrual.

Our emphasis on commercial real estate lending may expose us to increased lending risks.

Evaluating collateral and analyzing borrower financial information for commercial real estate loans requires more detailed underwriting and ongoing monitoring compared to residential lending.

These loans typically involve larger principal amounts and rely on income generated, or expected to be generated, by the underlying property to meet operating expenses and debt service. Any deterioration in economic conditions or local market conditions, such as reduced leasing activity or non-renewal of leases, may impair the borrower’s ability to repay the loan.

Commercial real estate loans also expose a lender to greater credit risk than loans secured by residential real estate due to the relative illiquidity of the collateral. Many of these loans are not fully amortizing and include large balloon payments at maturity, which may require the borrower to refinance or sell the property. If market conditions are unfavorable, the borrower may be unable to do so, increasing the risk of default.

Unlike residential mortgage loans, commercial real estate loans generally lack a robust secondary market, limiting our ability to mitigate credit risk through loan sales. In the event of foreclosure, the holding period for commercial properties is typically longer as a result ot fewer potential buyers, which may result in larger charge-offs relative to the principal amount outstanding.

Repayment of our commercial business loans is often dependent on the cash flows of the borrower, which may be unpredictable, and the collateral securing these loans may fluctuate in value.

At September 30, 2025, we had $127.0 million, or 8.1%, of total loans in commercial business loans. These loans are primarily underwritten based on the borrower’s projected cash flows, with collateral serving as a secondary source of repayment. This reliance on cash flow introduces significant risk, as borrower revenues may be volatile and subject to economic, industry-specific, or operational disruptions.

Collateral for these loans often consists of accounts receivable, inventory, or equipment, which may fluctuate in value, be difficult to appraise, lack liquidity, or depreciate over time.

Economic downturns, supply chain disruptions, inflationary pressures, or other adverse conditions may impair borrowers’ ability to generate sufficient cash flow to service their obligations. Compared to loans secured by real estate, commercial business loans may be more susceptible to rapid deterioration in credit quality, and recovery upon default may be more limited due to the nature of the collateral.

Our business may be adversely affected by credit risk associated with residential property.

A decline in residential real estate values, particularly in the Washington housing market, may reduce the value of collateral securing these loans and increase our risk of loss in the event of borrower default. Some of our residential mortgage loans are secured by properties with little or no borrower equity, either due to high loan-to-value ratios at origination or subsequent declines in property values. These loans are more vulnerable to default and loss in a declining market.

Additionally, home equity lines of credit secured by second mortgages present heightened risk. In the event of default, recovery of loan proceeds may be limited unless the first mortgage is repaid, which may not be economically justified based on the property’s current value. As a result, we may experience higher rates of delinquency, default, and credit losses within our residential loan portfolio, which could materially and adversely impact our financial performance.

Our allowance for credit losses on loans may not be sufficient to absorb losses in our loan portfolio.

Lending money is a substantial part of our business. Every loan carries a risk that it will not be repaid in accordance with its terms or that any underlying collateral will not be sufficient to assure repayment. This risk is affected by, among other things:

•the cash flow of the borrower and/or the project being financed;

•the changes and uncertainties as to the future value of the collateral, in the case of a collateralized loan;

•the duration of the loan;

•the credit history of a particular borrower; and

•changes in economic and industry conditions.

To address these risks, we maintain an ACL on loans, which is a reserve established through a provision for credit losses on loans charged against operating income. We believe the ACL is appropriate to provide for expected losses in our loan portfolio.

The ACL is an estimate of the expected credit losses on financial assets measured at amortized cost. The ACL is evaluated and calculated on a collective basis for those loans which share similar risk characteristics.

If our estimates are incorrect, the ACL for loans may not be sufficient to cover losses inherent in our loan portfolio, resulting in the need for increases in the ACL

through additional provisions, which would reduce income. Management also recognizes that significant growth in loan portfolios, new loan products and the refinancing of existing loans may result in unseasoned portfolios that do not perform in line with historical or projected trends, increasing the risk that our ACL may be insufficient.

Bank regulatory agencies also periodically review our ACL and may require us to increase the provision or recognize further charge-offs based on their judgment. If charge-offs exceed the ACL, we may need additional provisions, which would reduce net income and could materially and adversely affect our financial condition, results of operations, liquidity, and capital.

If our non-performing assets increase, our earnings will be adversely affected.

At September 30, 2025, our non-performing assets (which consisted solely of non-accruing loans, non-accrual investment securities, and OREO) were $4.66 million, or 0.23% of total assets. Our non-performing assets adversely affect our net income in various ways:

•We do not record interest income on non-accrual loans or non-performing investment securities, except on a cash basis when the collectability of the principal is not in doubt.

•We must recognize expected credit losses through a current period charge to the provision for credit losses.

•Non-interest expense increases if we must write down the value of OREO properties to reflect market declines.

•Non-interest income decreases when we recognize other-than-temporary impairment on non-performing investment securities.

•There are legal fees and carrying costs (such as taxes, insurance, and maintenance) associated with OREO.

•Managing non-performing assets requires significant management attention, diverting resources from more profitable activities.

Risk Related to our Business Strategy

We may be adversely affected by risks associated with completed and potential acquisitions.

As part of our general growth strategy, on October 1, 2018, we completed the acquisition of South Sound Bank, a Washington-state chartered bank, headquartered in Olympia, Washington. There can be no assurance that we will successfully identify suitable acquisition candidates, complete acquisitions or successfully integrate acquired operations into our existing operations or expand into new markets.

The consummation of any future acquisitions may dilute shareholder value or adversely affect our operating results during the integration period. Once integrated, acquired operations may not achieve levels of profitability comparable to our existing operations or otherwise perform as expected. In addition, transaction-related expenses may reduce earnings.

Acquiring banks, bank branches or businesses involves risks commonly associated with acquisitions, including:

•We may be exposed to potential asset quality issues or unknown or contingent liabilities of the banks, businesses, assets, and liabilities we acquire. If these issues or liabilities exceed our estimates, our results of operations and financial condition may be materially and adversely affected;

•We could experience higher than expected deposit attrition, which could reduce funding sources and impact liquidity;

•The integration of systems, procedures, and personnel is complex and time-consuming, and may disrupt customer relationships and internal operations. If integration is not executed effectively, we may fail to realize anticipated synergies or economic benefits, and may lose customers or employees of the acquired business;

•To the extent that our acquisition costs exceed the fair value of net assets acquired, we will record goodwill. We are required to assess goodwill for impairment at least annually, and any impairment charge could materially and adversely affect our results of operations and financial condition; and

•While we expect acquisitions to contribute to net income , they may also increase general and administrative expenses, which could raise our efficiency ratio. If integration efforts are unsuccessful, acquisitions may not be accretive to earnings in the short or long term.

Risk Related to Market Interest Rates

Changes in interest rates may reduce our net interest income and may result in higher defaults in a rising rate environment.

Our earnings and cash flows are largely dependent upon our net interest income. Following a period of monetary easing that began in the second half of 2024, the Federal Open Market Committee (FOMC) of the Federal Reserve reduced the target range for the federal funds rate by a cumulative 125 basis points through September 2025, bringing the target range to 4.00% to 4.25%. On October 29, 2025, subsequent to quarter-end, the FOMC announced a further 25‑basis‑point cut, bringing the target range to 3.75% to 4.00%. These changes have modestly lowered funding costs but have also contributed to narrower loan yields and reinvestment risk within the investment securities portfolio. Further rate decreases could negatively impact our net interest income, although they may benefit the housing market by increasing refinancing activity and new home purchases.

Similarly, if rates earned decline more rapidly than rates paid, our margins may compress. In a volatile rate environment, we may not be able to manage this risk effectively, which could materially affect our business, financial condition, and results of operations.

Interest rate changes may also impair borrowers’ ability to repay existing obligations or reduce our margins and profitability. Our net interest margin, the difference between the yield on interest-earning assets and the cost of funding, may be negatively impacted if asset yields and funding costs move at different speeds. A flattening or inverted yield curve, where short-term rates approach or exceed long-term rates, may compress our margin due to the shorter duration of our liabilities relative to our assets. Also, falling interest rates may lead to increased prepayments of loans and mortgage-backed securities, requiring us to reinvest proceeds into lower-yielding assets, which could reduce income.

Retaining these deposits in a rising rate environment may require us to offer higher rates, increasing our cost of funds. In addition, a substantial amount of our residential mortgage loans and home equity lines of credit have adjustable interest rates. As a result, these loans may experience a higher rate of default in a rising interest rate environment.

Generally, fixed-rate securities decline in value when interest rates rise. Unrealized gains and losses on these securities are reported as a separate component of equity, net of tax, through accumulated other comprehensive income (loss) ("AOCI"). Rising rates may reduce the fair value of these securities and negatively impact shareholders’ equity.

Quantitative and Qualitative Disclosures About Market Risk" for additional information about our interest rate risk management.

Our securities portfolio may be negatively impacted by fluctuations in market value and interest rates.

These factors include, but are not limited to, rating agency actions in respect of the securities, defaults by, or other adverse events affecting, the issuer or with respect to the underlying securities, and changes in market interest rates and continued instability in the capital markets. We regularly analyze investment securities to determine whether there have been

any events or economic circumstances to indicate that a security has incurred a credit-related loss.

An increase in interest rates, change in the programs offered by Freddie Mac or our ability to qualify for their programs may reduce our mortgage revenues, which would negatively impact our non-interest income.

The sale of residential mortgage loans to Freddie Mac has historically provided a significant portion of our noninterest income. Any future changes in its program, including our eligibility to participate in such program, the criteria for loans to be accepted or laws that significantly affect the activity of Freddie Mac could, in turn, materially adversely affect our results of operations if we could not find other purchasers. Mortgage banking is generally considered a volatile source of income because it depends largely on the level of loan volume which, in turn, depends largely on prevailing market interest rates. In a rising or higher interest rate environment, the demand for mortgage loans, particularly refinancing of existing mortgage loans, tends to fall and our originations of mortgage loans may decrease, resulting in fewer loans that are available to be sold. This would result in a decrease in mortgage revenues and a corresponding decrease in non-interest income. In addition, our results of operations are affected by the amount of non-interest expense associated with our loan sale activities, such as salaries and employee benefits, occupancy, equipment and data processing expense and other operating costs. During periods of reduced loan demand, our results of operations may be adversely affected to the extent that we are unable to reduce expenses commensurate with the decline in loan originations. In addition, although we sell loans to Freddie Mac or into the secondary market without recourse, we are required to give customary representations and warranties about the loans we sell. If we breach those representations and warranties, we may be required to repurchase the loans and we may incur a loss on the repurchase.

Risks Related to Laws and Regulations

The level of our commercial real estate loan portfolio may subject us to additional regulatory scrutiny.

The FDIC, the Federal Reserve and the Office of the Comptroller of the Currency have promulgated joint guidance on sound risk management practices for financial institutions with concentrations in commercial real estate lending. Under this guidance, a financial institution that, like us, is actively involved in commercial real estate lending should perform a risk assessment to identify concentrations. A financial institution may have a concentration in commercial real estate lending if, among other factors (i) total reported loans for construction, land development and other land represent 100% or more of total capital, or (ii) total reported loans secured by multi-family and non-farm non-residential properties, loans for construction, land development and other land, and loans otherwise sensitive to the general commercial real estate market, including loans to commercial real estate related entities, represent 300% or more of total capital. The purpose of the guidance is to guide banks in developing risk management practices and capital levels commensurate with the level and nature of real estate concentrations. The guidance states that management should employ heightened risk management practices including board and management oversight and strategic planning, development of underwriting standards, risk assessment and monitoring through market analysis and stress testing. We have concluded that we do not have a concentration in commercial real estate lending because our balance in commercial real estate loans (including owner-occupied loans) at September 30, 2025 represented 283.05% of total capital. While we believe that we have implemented policies and procedures with respect to our commercial real estate loan portfolio consistent with this guidance, bank regulators could require us to implement additional policies and procedures consistent with their interpretation of the guidance that may result in additional costs to us.

We operate in a highly regulated environment and may be adversely affected by changes in federal and state laws and regulations that could increase our costs of operations.

The financial services industry is extensively regulated. These regulations may sometimes impose significant limitations on our operations.

Any new regulations or legislation, changes in existing regulations or oversight, or changes in regulatory interpretation could materially impact our operations, increase our costs of compliance and doing business, and adversely affect our profitability.

For example, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) published guidance in 2014, supplemented by subsequent updates, allowing financial institutions to serve cannabis-related businesses operating legally under state law, provided institutions comply with required regulatory oversight. Pending or proposed federal legislation, such as the SAFER Banking Act (formerly the SAFE Banking Act), has been reintroduced in Congress but has not been enacted as of September 30, 2025. If passed, it could provide additional protections to banks serving cannabis businesses in legal states. Recent Washington State regulatory developments, including limits on retail cannabis licenses per owner, updated reporting requirements, and ongoing rulemaking by the Washington Liquor & Cannabis Board, could affect the financial profile and operations of cannabis-related businesses. Any adverse change to FinCEN guidance, continued failure of federal legislation to pass, new regulatory requirements, or changes in federal or state regulatory policy or interpretation could negatively affect our non-interest income, increase our operating costs, and materially impact our profitability.

In addition, evolving regulatory expectations regarding anti-money laundering compliance, cybersecurity, and capital and liquidity requirements could further increase our costs of operations and compliance. State regulations governing financial institutions, including those related to cannabis banking and fintech activities, are also subject to change, which may have additional implications for our business.

Non-compliance with the USA PATRIOT Act, Bank Secrecy Act, or other laws and regulations could result in fines or sanctions and limit our ability to get regulatory approval of acquisitions.

Financial institutions must file suspicious activity reports with the U.S. Treasury’s Office of Financial Crimes Enforcement Network and establish procedures to verify the identity of customers seeking to open new financial accounts. Failure to maintain or implement effective anti-money laundering and counter-terrorist financing programs could result in fines, sanctions, regulatory investigations, limitations on strategic transactions, or reputational harm.

Climate change and related legislative and regulatory initiatives may materially affect our business and results of operations.

The effects of climate change continue to raise significant concerns about the state of the environment. However, under the current administration, federal policy has shifted to reduce emphasis on climate change initiatives and environmental regulations. This includes scaling back federal involvement in international agreements like the Paris Agreement and easing regulatory pressures on businesses, including banks, to address climate-related risks. Legislative and regulatory proposals aimed at combating climate change may face increased scrutiny or reduced priority under this administration.

The lack of empirical data regarding the financial and credit risks posed by climate change still makes it difficult to predict its specific impact on our financial condition and results of operations. However, the physical effects of climate change, such as more frequent and severe weather disasters, could directly affect us. For instance, such events may damage real property securing loans in our portfolios or reduce the value of that collateral. If our borrowers' insurance is insufficient to cover these losses or if insurance becomes unavailable, the value of the collateral securing our loans could be negatively affected, potentially impacting our financial condition and results of operations. Moreover, climate change may adversely affect regional and local economic activity, harming our customers and the communities in which we operate. Regardless of changes in federal policy, the effects of climate change and their unknown long-term impacts could still have a material adverse effect on our financial condition and results of operations.

Risks Related to Cybersecurity, Third Parties and Technology

As of September 30, 2025 there has not been any cybersecurity or related breach of the risk factors discussed below that would require disclosure.

The financial services market is undergoing rapid technological changes and, if we are unable to stay current with those changes, we may not be able to effectively compete.

The financial services market, including banking services, is undergoing rapid changes with frequent introductions of new technology-driven products and services. Our future success will depend, in part, on our ability to keep pace with technological innovation, including digital banking platforms, artificial intelligence, and data analytics, and to use technology to satisfy and grow customer demand for our products and services, enhance the customer experience, and to create additional efficiencies in

our operations. Some of our competitors have substantially greater resources to invest in technological improvements and will be able to invest more heavily in developing and adopting new technologies, which may put us at a competitive disadvantage. We may not be able to effectively implement emerging technologies or digital solutions, maintain cybersecurity, prevent system failures, or manage operational disruptions associated with technology, or successfully market these innovations to our customers.

We are subject to certain risks in connection with our use of technology.

Communications and information systems are essential to the conduct of our business, as we use such systems to manage our customer relationships, our general ledger and virtually all other aspects of our business. Our systems, software, and networks are vulnerable to breaches, fraudulent or unauthorized access, denial or degradation of service attacks, misuse, computer viruses, malware or other malicious code, artificial intelligence-driven attacks, and cyber-attacks. If any of these events occur, they could compromise our or our clients’ confidential information, disrupt operations, or harm our clients or counterparties.

Any compromise or breach of our security measures could result in losses to us or our customers, the loss of business and/or customers, damage to our reputation, additional expenses, disruptions to our operations, limitations on our ability to grow our online services or other businesses, increased regulatory scrutiny or penalties, or exposure to civil litigation and potential financial liability.

Our security measures may not protect us from system failures or interruptions. Our business depends on the continuous and reliable functioning of our information technology infrastructure, including systems used for data processing, transaction execution, customer communications, and other critical operations. Failures, interruptions, or delays, whether caused by hardware or software defects, human error, cyber-attacks, utility or telecommunications outages, or other disruptions, can impair our ability to process transactions, deliver products and services, and maintain accurate records. We also rely on third-party vendors for significant data processing and operational functions, and their systems and controls are outside our direct oversight. Breakdowns, service interruptions, capacity constraints, cyber-attacks, security breaches, or other operational failures at these providers, as well as failures in communication networks or connectivity, can disrupt our operations and limit our ability to serve customers. Identifying and transitioning to alternate vendors, if available, requires substantial cost, time, and operational effort. Processing customer information through additional vendors and their personnel further increases exposure to information-security, privacy, and operational risks. Any of these failures or interruptions may result in operational delays, financial losses, customer harm, regulatory scrutiny, penalties, reputational damage, and other adverse consequences that may materially affect our business, financial condition, and results of operations.

We may not be insured against all types of losses associated with these events, and available coverage may be inadequate. If a third-party service provider experiences financial, operational, or technological difficulties, or if there is any other disruption in our relationship with that provider, we may be required to identify alternative sources of service, which may not be available on comparable terms or without significant additional resources. Any such occurrence may damage our reputation, result in a loss of customers and business, increase regulatory scrutiny, or expose us to legal liability, any of which may have a material adverse effect on our business, financial condition, and results of operations.

Our business may be adversely affected by an increasing prevalence of fraud and other financial crimes.

Such fraudulent activity may take many forms, including check fraud, electronic fraud, wire fraud, phishing, social engineering and other dishonest acts. Nationally, reported incidents of fraud and other financial crimes have increased. We have also experienced losses due to apparent fraud and other financial crimes.

While we have policies and procedures designed to prevent such losses, there can be no assurance that such losses will not occur.

The increasing adoption of AI in financial services presents significant opportunities but also introduces a range of risks that could impact our operations, regulatory compliance, and customer trust. AI introduces model risk, where flawed algorithms or biased data could result in inaccurate credit decisions, compliance violations, or discriminatory outcomes in lending or customer service. Cybersecurity threats, such as data breaches, adversarial attacks, and data poisoning, pose significant challenges, particularly as these systems handle large volumes of sensitive customer information. Additionally, the opaque nature of some AI models, often referred to as "black-box" systems, raises regulatory compliance concerns, as regulators increasingly require transparency and explainability in AI-driven decision-making.

Operational risks also arise from potential system failures, over-reliance on AI, and integration challenges with existing infrastructure. Disruptions in AI systems could impact critical functions such as fraud detection, transaction monitoring, and customer support. Ethical and reputational risks, including unintended consequences or perceived unfairness in AI-driven decisions, may erode customer trust and expose us to regulatory scrutiny.

To mitigate these risks requires a robust governance framework, regularly testing and auditing of AI models, and strong human oversight. Investments in cybersecurity, data privacy protections, and employee training are critical to managing these risks.

Risks Related to Accounting Matters

The Company’s reported financial results depend on management’s selection of accounting methods and certain assumptions and estimates, which, if incorrect, could cause unexpected losses in the future.

The Company’s accounting policies and methods are fundamental to how the Company records and reports its financial condition and results of operations. The Company’s management must exercise judgment in selecting and applying many of these accounting policies and methods so they comply with GAAP and reflect management’s judgment regarding the most appropriate manner to report the Company’s financial condition and results of operations. In some cases, management must select the accounting policy or method to apply from two or more alternatives, any of which might be reasonable under the circumstances, yet might result in the Company’s reporting materially different results than would have been reported under a different alternative.

They require management to make difficult, subjective or complex judgments about matters that are uncertain. For more information, refer to “Management’s Discussion and Analysis of Financial Condition and Results of Operations - Critical Accounting Estimates” contained in this 2025 Form 10-K.

We may experience future goodwill impairment, which could reduce our earnings.

In accordance with GAAP, we record assets acquired and liabilities assumed in a business combination at their fair value with the excess of the purchase consideration over the net assets acquired resulting in the recognition of goodwill. As a result, acquisitions typically result in recording goodwill. We perform a goodwill evaluation at least annually to test for goodwill impairment. Our test of goodwill for potential impairment is based on a qualitative assessment by management that takes into consideration macroeconomic conditions, industry and market conditions, cost or margin factors, financial performance and share price. Our evaluation of the fair value of goodwill involves a substantial amount of judgment. If our judgment was incorrect, or if events or circumstances change, and an impairment of goodwill was deemed to exist, we would be required to record a non-cash charge to earnings in our financial statements during the period in which such impairment is determined to exist. Changes in market conditions, regulatory developments, or economic uncertainty could increase the likelihood of goodwill impairment. Any such charge could have a material adverse effect on our results of operations.

We are subject to an extensive body of accounting rules and best practices. Periodic changes to such rules may change the treatment and recognition of critical financial line items and affect our profitability.

Our business operations are significantly influenced by the extensive body of accounting regulations in the United States, which are subject to periodic updates and changes. Regulatory bodies, including the FASB and the SEC, periodically issue new guidance or alter existing accounting rules and reporting requirements, which can substantially impact the preparation and reporting of our financial statements. These changes may require us to adopt new accounting standards, leading to potential

adjustments in how we report our financial position, performance, and risk exposures. Additionally, such regulatory changes could necessitate retrospective application, which might result in the restatement of prior period financial statements.

One such significant change in fiscal 2024 was the implementation of the CECL model, which we adopted on October 1, 2023. Under the CECL model, financial assets carried at amortized cost, such as loans and held-to-maturity debt securities, are presented at the net amount expected to be collected. CECL mandates considering historical experience, current conditions, and reasonable forecasts affecting collectability, leading to periodic adjustments of financial asset values. The methodology incorporates macroeconomic forecasts and assumptions, including trends in interest rates, inflation, unemployment, and industry-specific factors. However, this forward-looking methodology, reliant on macroeconomic variables, introduces the potential for increased earnings volatility due to unexpected changes in these indicators between periods. An additional consequence of CECL is an accounting asymmetry between loan-related income, recognized periodically based on the effective interest method, and credit losses, recognized upfront at origination. This asymmetry might create the perception of reduced profitability during loan expansion periods due to the immediate recognition of expected credit losses. Conversely, periods with stable or declining loan levels might seem relatively more profitable as income accrues gradually for loans where losses had been previously recognized.

Future adjustments under CECL could materially impact our results of operations, financial condition, and reported profitability, particularly under volatile economic conditions or unexpected credit deterioration.

We may experience decreases in the fair value of our loan servicing rights, which could reduce our earnings.

Loan servicing rights are capitalized at estimated fair value when acquired through the origination of loans that are subsequently sold with servicing rights retained. At September 30, 2025, our loan servicing rights totaled $815,000. Loan servicing rights are amortized to servicing income on loans sold over the period of estimated net servicing income. On a quarterly basis, we evaluate the fair value of loan servicing rights for impairment by comparing actual cash flows and estimated cash flows from the loan servicing assets to those estimated at the time loan servicing assets were originated. Our methodology for estimating the fair value of loan servicing rights is highly sensitive to changes in assumptions, such as prepayment speeds, mortgage refinance activity, and housing market conditions. Conversely, slower-than-expected prepayments or rising interest rates may increase the fair value of these assets, but may also affect the timing of income recognition.

If our investments in real estate are not properly valued or sufficiently reserved to cover actual losses, or if we are required to increase our valuation allowances, our earnings could be reduced .

We obtain updated valuations in the form of appraisals and broker price opinions when a loan has been foreclosed and the property is taken in as OREO, and at certain other times during the asset's holding period. Our net book value (“NBV”) in the loan at the time of foreclosure and thereafter is compared to the updated estimated market value of the foreclosed property less estimated selling costs (fair value). A charge-off is recorded for any excess in the asset’s NBV over its fair value. If our valuation process is incorrect or if the property declines in value after foreclosure, the fair value of our OREO may not be sufficient to recover our NBV in such assets, resulting in the need for a valuation allowance.

In addition, bank regulators periodically review any OREO we may have and may require us to recognize further valuation allowances. Significant charge-offs to our OREO may have an adverse effect on our financial condition and results of operations.

Other Risks Related to Our Business

Ineffective liquidity management could adversely affect our financial results and condition.

Liquidity is essential to our business. We rely on several sources to meet our liquidity needs, including deposits, cash flows from loan repayments, our securities portfolio, and borrowings. An inability to raise funds from these sources could have a

substantial negative effect on our liquidity. Replacing maturing deposits and borrowings may be challenging due to changes in our financial condition, the financial condition of the FHLB or FRB, or broader market conditions.

Any decline in available funding in amounts sufficient to finance our operations or on acceptable terms could impair our ability to originate loans, invest in securities, meet operating expenses, repay borrowings, or satisfy deposit withdrawal demands. These events could have a material adverse effect on our business, financial condition, and results of operations. See “Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations — Liquidity” of this Form 10-K.

Our growth or future losses may require us to raise additional capital in the future, but that capital may not be available when it is needed or the cost of that capital may be exceedingly high.

We are required by federal regulatory authorities to maintain adequate levels of capital to support our operations. Our ability to raise additional capital, if needed, will depend on conditions in the capital markets at that time, which are outside our control, and on our financial condition and performance. If we are able to raise capital, it may not be on terms that are acceptable to us. Accordingly, we cannot make assurances that we will be able to raise additional capital if needed on terms that are acceptable to us, or at all. If we cannot raise additional capital when needed, our ability to further expand our operations could be materially impaired and our financial condition and liquidity could be materially and adversely affected. In addition, any additional capital we obtain may dilute the interests of existing holders of our common stock. Further, if we are unable to raise additional capital when required by our bank regulators, we may be subject to adverse regulatory action.

Our framework for managing risks may not be effective in mitigating risk and loss to us.

Our business is exposed to a broad range of risks, including liquidity, credit, market, interest rate, operational, legal and compliance, reputation, and other risks. These risks may arise from internal factors, the actions of third parties, changes in economic conditions, or other unforeseen events. There may be risks that we have not anticipated or identified, and existing or emerging risks could result in substantial and unexpected losses.

We are dependent on key personnel, and the loss of one or more of those key personnel may materially and adversely affect our prospects.

Competition for qualified employees and personnel in the banking industry is intense, and there are a limited number of qualified persons with knowledge of, and experience in, the community banking industry where the Bank conducts its business. The process of recruiting personnel with the combination of skills and attributes required to carry out our strategies is often lengthy. Our success depends to a significant degree upon our ability to attract and retain qualified management, loan origination, finance, administrative, marketing and technical personnel and upon the continued contributions of our management and personnel. In particular, our success has been and continues to be highly dependent upon the abilities of key executives, including our Chief Executive Officer and certain other employees. In addition, our success has been and continues to be highly dependent upon the services of our directors, and we may not be able to identify and attract suitable candidates to replace such directors.

Item 1B. Unresolved Staff Comments

Not applicable.

Item 1C. Cybersecurity

Cyber Risk Management and Strategy

Safeguarding the confidentiality, integrity and availability of customer and sensitive financial data, records and transactions is essential to Timberland and Timberland Bank. Our risk management program is designed to identify, assess and mitigate risks across various aspects of the Bank, including financial, operational, regulatory, reputational and legal.

Cybersecurity is a critical component of our risk management program; thus, we have implemented a Cyber and Information Security Program to protect the confidentiality, integrity and availability of our information and information technology

environment. Our program aligns with applicable federal and state regulations, industry frameworks such as the Federal Financial Institutions Examination Council ("FFIEC") and best practices from the National Institute of Standards and Technology ("NIST"). The FFIEC framework offers a set of guidelines to help financial institutions effectively manage and mitigate cybersecurity risks. The framework focuses on ensuring the confidentiality, integrity and availability of sensitive information. NIST is part of the U.S. Department of Commerce, which develops cybersecurity standards, guidelines and other resources.

We have employed a multi-layered, risk-based approach to cyber and information security, incorporating a variety of tools and processes to aid in risk identification, assessment and management. The Bank conducts a variety of information security risk assessments throughout the year. We employ a defense in depth strategy that incorporates preventive, detective, and administrative safeguards including but not limited to, configuration hardening, robust patch management and vulnerability scanning, advanced anti-malware firewall technologies, anti-phishing and web filtering controls. These controls are tested annually by an independent third-party audit firm. Quarterly employee training is performed on cybersecurity, information security, identify theft prevention and data privacy.

The Bank has not experienced any material losses relating to cybersecurity threats or incidents as of September 30, 2025. Material cybersecurity incidents are escalated to the Board and evaluated for disclosure in accordance with SEC reporting requirements.

Incident Response

Response to cyber incidents is guided by the Bank’s Incident Response Policy. The Bank’s plan is based on the National Infrastructure Protection Center ("NIPC") guidelines, with the addition of specific reporting and notification requirements required by regulation. The Incident Response Policy prescribes points of escalation and mechanisms for collaboration should the need arise to engage outside partnerships such as external counsel, cybersecurity forensic examiners, cyber insurance vendors, government agencies and regulatory bodies. The Incident Response Policy also specifies that material incidents are promptly reported to the Board and considered for disclosure under applicable SEC rules.

Third Party Service Provider Monitoring

The Bank maintains a robust Vendor Management Program to appropriately measure, monitor and control risks associated with outsourcing products and services, including cybersecurity risks. Under the program, vendors are assigned a risk rating based on an assessment of the vendor and its access to network, systems and confidential information. Critical and high-risk vendors are reassessed at least annually, and remediation plans are implemented for identified deficiencies. The Bank’s Information Security Officer ("ISO")conducts regular periodic reviews of the adequacy of its oversight of controls over third party relationships.

Cybersecurity Governance

Timberland Bank’s Board of Directors (“Board”) recognizes the significance of cybersecurity risks and provides oversight of the Bank’s Cyber and Information Security Program. The Bank’s Board of Directors is currently comprised of the Chief Executive Officer and seven non-employee directors; one of which has completed and received Cybersecurity Oversight Certification from the National Association of Corporate Directors (“NACD”). The Board receives cybersecurity updates at least quarterly, including risk metrics, incident reports, and progress on mitigation strategies.

The Bank’s primary responsibility for managing cyber risk is vested in the Bank’s Information Security Officer ("ISO"). The Bank’s ISO, who reports to the Chief Risk Officer, has four years of experience in information security and risk management. The ISO is responsible for the day-to-day management of the Cyber and Information Security Program, including oversight of risk assessments, incident response, employee training, and third-party vendor cybersecurity controls.

The Chief Technology Officer ("CTO") has over 13 years of experience in IT and cybersecurity leadership, including managing enterprise IT operations and technology risk. The CTO also holds a Certified Community Bank Information Technology Officer designation from the ICBA, and a CompTIA Security+ certification and has completed the Graduate School of Banking at the University of Wisconsin's Bank Technology Management program. Members of the Technology Steering Committee bring substantial experience in IT operations, cybersecurity, and risk management, providing guidance on technology strategy, operational performance, and cybersecurity oversight.

The Technology Steering

Committee is comprised of numerous members of the management team, the CTO and the ISO. The Technology Steering committee reports to the Board of Directors through Committee minutes.

The Board Technology Committee assists the Board of Directors in fulfilling its oversight responsibilities with respect to the overall role of technology in executing the business strategy of the institution, including but not limited to major technology investments, technology strategy, operational performance and technology trends that may affect customers. The Board Technology Committee meets regularly and receives reports from the CTO and the ISO on cybersecurity and information technology risks. The Board Technology Committee reports to the Board of Directors through Committee minutes.

The Board’s Audit Committee also has oversight responsibility for audits related to information technology, security and information technology governance.

Recently Filed

Click on a ticker to see risk factors

Ticker *	File Date
NX	20 hours ago
FSFG	20 hours ago
EDSA	20 hours ago
PRKA	20 hours ago
ODRS	21 hours ago
AMAT	21 hours ago
JOUT	23 hours ago
CIEN	23 hours ago
PFX	1 day, 7 hours ago
CMP	1 day, 17 hours ago
FWDI	1 day, 21 hours ago
NGVC	1 day, 21 hours ago
MITK	1 day, 21 hours ago
HPQ	2 days, 20 hours ago
DLHC	2 days, 20 hours ago
ASYS	2 days, 21 hours ago
GNVR	3 days, 2 hours ago
REVG	3 days, 6 hours ago
GENC	3 days, 21 hours ago
TSBK	3 days, 23 hours ago
SGU	4 days, 19 hours ago
SRXH	1 week ago
JANL	1 week ago
COO	1 week ago
HRL	1 week ago
NOTV	1 week, 1 day ago
AZTA	1 week, 1 day ago
XRPN	1 week, 1 day ago
RGCO	1 week, 2 days ago
HNNA	1 week, 2 days ago
PAPL	1 week, 2 days ago
VSTS	1 week, 4 days ago
SLP	1 week, 4 days ago
JCTC	1 week, 4 days ago
ABQQ	1 week, 4 days ago
ESE	1 week, 4 days ago
CNBX	1 week, 5 days ago
SNEX	2 weeks ago
TMRC	2 weeks ago
ALTX	2 weeks ago
DBMM	2 weeks ago
LEDS	2 weeks, 1 day ago
LEXX	2 weeks, 2 days ago
JJSF	2 weeks, 2 days ago
UTI	2 weeks, 2 days ago
IMKTA	2 weeks, 2 days ago
MOG-A	2 weeks, 3 days ago
LEE	2 weeks, 3 days ago
CFFN	2 weeks, 3 days ago
CENT	2 weeks, 3 days ago

OTHER DATASETS

House Trading

Dashboard

Corporate Flights

Dashboard

App Ratings

Dashboard

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - TSBK

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

Strategies

Alerts

Browse Data

Risk Factors Dashboard

View risk factors by ticker

Search filings by term

Risk Factors - TSBK

-New additions in green-Changes in blue-Hover to see similar sentence in last filing

Recently Filed

OTHER DATASETS

House Trading

Corporate Flights

App Ratings

TRADE SMARTER

TRADE SMARTER

-New additions in green
-Changes in blue
-Hover to see similar sentence in last filing