367 added · 343 removed between the two most recent 10-Ks. The risks a company starts — or stops — disclosing are often the story.
Newly disclosed
For example, the Cyber Incident Reporting for Critical Infrastructure Act (“CIRCIA”), will—once rulemaking is finalized—require certain companies to report significant cyber incidents to the Cybersecurity and Infrastructure Agency (“CISA”) within 72 hours of reasonably determining that an incident has occurred, and within 24 hours of making any ransom payment resulting from a ransomware attack.
The FRB’s reduction of the federal funds rate in 2025, for example, introduced additional uncertainty into market expectations and contributed to heightened volatility in asset pricing, funding costs, and customer behavior.
On April 4, 2024, the CISA proposed a rule under the CIRCIA to clarify the scope of reportable cyber incidents and to define covered entities, expressly including financial services companies that are already required to report cyber incidents to their primary federal regulators.
Concurrently, a growing number of states—including those in which we operate—have enacted or are considering legislation, such as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, which enhances consumer privacy rights, mandates data breach notifications, and requires certain financial institutions to establish robust and prescriptive cybersecurity programs.
For example, the Bank's investment advisory subsidiary, our broker-dealer operations, and certain capital markets activities are subject to regulation by the SEC.
For example, recent executive orders issued by the current administration aim to restrict or prohibit certain corporate diversity initiatives and limit the consideration of environmental and social factors by financial institutions in customer‑related decisions.
For example, we recently incurred significant credit losses in connection with revolving lines of credit extended to two related commercial borrowers to finance the origination and purchase of commercial and residential mortgages.
ZIONS BANCORPORATION, NATIONAL ASSOCIATION AND SUBSIDIARIES
In addition, federal banking regulators, the SEC, and related self-regulatory organizations regularly issue guidance intended to strengthen cybersecurity risk management across financial institutions.
These include requirements related to deferral, risk-balancing, governance, and clawback provisions—such as those under the SEC’s pay versus performance disclosure rules.
The website is not incorporated by reference into this Form 10-K.
HUMAN CAPITAL MANAGEMENT
We are committed to providing our employees with opportunities for growth, development, and leadership, while recognizing and rewarding their contributions to our collective success.
The growing experimentation with and adoption of advanced technologies—such as AI, quantum computing, tokenized deposits, blockchain, stablecoins, and other digital currencies, including the potential issuance, acceptance, and integration of central bank digital currencies—has the potential to fundamentally reshape the financial services landscape.
AI models may also reflect biases inherent in their training data, which could lead to inaccurate outputs, inadvertent disclosure of confidential information, infringement of intellectual property rights, lack of transparency, or other adverse outcomes.
No longer disclosed
For example, the state of California has enacted comprehensive climate-related disclosure laws that will require large entities doing business in the state, including the Bank, to measure and disclose greenhouse gas (“GHG”) emissions and publish biennial reports beginning in January 2026.
For example, due to the prominent bank closures in 2023, customer deposit behavior deviated from modeled behaviors, prompting us to redevelop our deposit models, which are currently used by management.
For example, SEC rules require timely disclosure of material cybersecurity incidents and description of cybersecurity risk management, strategy, and governance.
For example, we, like many other banks, experienced heightened volatility in deposit levels and funding costs following the notable bank closures in 2023.
For example, the CFPB recently extended certain truth in lending requirements to overdraft fees and has proposed placing other restrictions on various fees routinely charged by banks related to providing financial services to customers.
• Community Reinvestment Act (“CRA”) — The CRA requires that banks address the credit needs of their communities, including providing credit to low- and moderate-income individuals.
For example, we use models to inform our estimate of the allowance for credit losses, manage interest rate and liquidity risk, project stress losses in various segments of our loan and investment portfolios, and forecast net revenue under stress.
For example, these conflicts have affected and could continue to affect the availability and price of commodities and products, adversely affecting supply chains and increasing inflationary pressures; the value of currencies, interest rates, and other components of financial markets; and lead to increased risks of events such as cyberattacks that could result in severe costs and disruptions to governmental entities and companies and their operations.
For example, the new administration has issued executive orders designed to prohibit or limit certain activities often referred to as “diversity, equity, and inclusion” by government agencies, federal contractors, and others.
Insider Activity
Date | Insider | Action | Shares | Price | Value
Feb 24, 2026 | Simmons Harris H (Chairman & CEO) | Buy | 4,500 | $59.03 | $266K
Feb 20, 2026 | Arbuckle Jason D. (SVP - Controller) | Sell | 190 | $61.77 | $12K
Feb 18, 2026 | Smith Jennifer Anne (Executive Vice President) | Sell | 1,890 | $62.48 | $118K
Feb 18, 2026 | Smith Jennifer Anne | | | |
For example, some states have recently enacted or considered laws prohibiting financial institutions from limiting services to specific types of businesses if they also engage with governmental entities in those states.
The recovery plan, subject to annual testing to validate its effectiveness, should consider both financial and non-financial risks and include elements such as: (1) a range of credible options to restore financial strength and viability, allowing the bank to continue operating as a going concern, and (2) an analysis of how each recovery option might affect capital, liquidity, and funding.
Additionally, in recent years, a growing number of states, including those in which we conduct business, have enacted, or are considering enacting, laws and regulations that grant consumers enhanced privacy rights and control over personal information, establish or modify data breach notification requirements, and require certain financial institutions to implement detailed and prescriptive cybersecurity programs.
See Note 15 of the Notes to Consolidated Financial Statements for additional information.
• Safety and Soundness Standards — Prescribed in FDICIA, these standards relate to internal controls, information systems, internal audit, loan documentation, credit underwriting, interest rate exposure, asset growth, compensation, and other operational and management standards deemed appropriate by federal banking regulators.
• Approval of Acquisitions and Restrictions on Other Activities — The National Bank Act requires regulatory and shareholder approval of all mergers between a national bank and another national or state bank and does not allow for the direct merger into a national bank of an unaffiliated nonbank.