AMERICAN RIVER BANKSHARES

The FDIC is an independent federal agency that insures deposits, up to prescribed statutory limits, of federally insured banks and savings institutions and safeguards the safety and soundness of the banking and savings industries. The FDIC insures our customer deposits through the Deposit Insurance Fund (“DIF”) up to prescribed limits for each depositor. The Dodd-Frank Act revised the FDIC’s DIF management authority by setting requirements for the Designated Reserve Ratio (the DIF balance divided by estimated insured deposits) and redefining the assessment base, which is used to calculate banks’ quarterly assessments. The amount of FDIC assessments paid by each DIF member institution is based on its asset size and relative risk of default as measured by regulatory capital ratios and other supervisory factors. The FDIC may terminate a depository institution’s deposit insurance upon a finding that the institution’s financial condition is unsafe or unsound or that the institution has engaged in unsafe or unsound practices that pose a risk to the DIF or that may prejudice the interest of the bank’s depositors. The termination of deposit insurance for a bank would also result in the revocation of the bank’s charter by the DBO.

Federal regulators have issued multiple statements regarding cybersecurity and that financial institutions need to design multiple layers of security controls to establish lines of defense and to ensure that their risk management processes also address the risk posed by compromised customer credentials, including security measures to reliably authenticate customers accessing internet-based services of the financial institution. In addition, a financial institution’s management is expected to maintain sufficient business continuity planning processes to ensure the rapid recovery, resumption and maintenance of the institution’s operations in the event of a cyber-attack. A financial institution is also expected to develop appropriate processes to enable recovery of data and business operations and address rebuilding network capabilities and restoring data if the institution or its critical service providers fall victim to a cyber-attack. If we fail to observe the regulatory guidance, we could be subject to various regulatory sanctions, including financial penalties.

State regulators have also been increasingly active in implementing privacy and cybersecurity standards and regulations. Recently, several states, notably including California where we conduct substantially all our banking business, have adopted laws and/or regulations requiring certain financial institutions to implement cybersecurity programs and providing detailed requirements with respect to these programs, including data encryption requirements. Many such states (including California) have also recently implemented or modified their data breach notification and data privacy requirements, including in California with the adoption of the California Consumer Privacy Act. We expect this trend of state-level activity in those areas to continue, and we continue to monitor relevant legislative and regulatory developments in California where nearly all our customers are located. Failure to comply with the applicable requirements of these laws and failure to protect our customers information could result in enforcement actions and litigation against us, any of which could have a material adverse effect on our business, financial condition or results of operations.

In the ordinary course of business, we rely on electronic communications and information systems to conduct our operations and to store sensitive data. We employ a layered, defensive approach that leverages people, processes and technology to manage and maintain cybersecurity controls. We employ a variety of preventative and detective tools to monitor, block, and provide alerts regarding suspicious activity, as well as to report on any suspected advanced persistent threats. Notwithstanding the strength of our defensive measures, the threat from cyber-attacks is severe, attacks are sophisticated and increasing in volume, and attackers respond rapidly to changes in defensive measures. While to date we have not detected a significant compromise, significant data loss or any material financial losses related to cybersecurity attacks, our systems and those of our customers and third-party service providers are under constant threat and it is possible that we could experience a significant event in the future. Risks and exposures related to cybersecurity attacks are expected to remain high for the foreseeable future due to the rapidly evolving nature and sophistication of these threats, as well as due to the expanding use of Internet banking, mobile banking and other technology-based products and services by us and our customers. See Item 1A. Risk Factors for a further discussion of risks related to cybersecurity.

The Bank has entered into numerous arrangements with third parties with respect to the operations of its business. Upon the expiration of the then-current term, any such agreements may not be renewed by the third party or may be renewed on terms less favorable to the Bank. In some cases, such agreements may permit the third party to unilaterally prescribe certain business practices and procedures with respect to the Bank. To the extent any agreement with a service provider is terminated, we may not be able to secure alternate service providers, and, even if we do, the terms with alternate providers may not be as favorable as those currently in place. In addition, were we to lose any of our significant third-party providers, it could cause a material disruption in our ability to service our customers, which also could have an adverse material impact on us. Moreover, significant disruptions in our ability to provide services could negatively affect the perception of our business, which could result in a loss of confidence and other adverse effects on our business. In addition, if any of our counterparties is unable to or otherwise does not fulfill (or does not timely fulfill) its obligations to us for any reason (including, but not limited to, bankruptcy, computer or other technological interruptions or failures, personnel loss, negative regulatory actions, or acts of God) or engages in fraud or other misconduct during the course of such relationship, we may need to seek alternative third party service providers, or discontinue certain products or programs in their entirety. We may experience situations where we could be held directly or indirectly responsible, or were otherwise subject to liability, for the inability of our third party service providers to perform services for our customers on a timely basis or at all or for actions of third parties undertaken on behalf of the Bank or otherwise in connection with the Bank’s arrangement with such third parties. Any such responsibility or liability in the future may have a material adverse effect on our business, including the operations of the Bank and its divisions, and financial results.