CASH 2018 Special Proxy Statement

In March 2015, federal regulators issued two related statements regarding cybersecurity. One statement indicates that financial institutions should design multiple layers of security controls to establish lines of defense and to ensure that their risk management processes also address the risk posed by compromised customer credentials, including security measures to reliably authenticate customers accessing internet-based services of the financial institution. The other statement indicates that a financial institution’s management is expected to maintain sufficient business continuity planning processes to ensure the rapid recovery, resumption and maintenance of the institution’s operations after a cyber-attack involving destructive malware. A financial institution is also expected to develop appropriate processes to enable recovery of data and business operations and address rebuilding network capabilities and restoring data if the institution or its critical service providers fall victim to this type of cyber-attack. If Crestmark fails to observe the regulatory guidance, Crestmark could be subject to various regulatory sanctions, including financial penalties. Damage to Crestmark’s reputation could materially harm its business. Crestmark’s relationship with many of its clients is predicated upon its reputation as a fiduciary and a service provider that adheres to the highest standards of ethics, service quality and regulatory compliance. Adverse publicity, regulatory actions, litigation, operational failures, the failure to meet client expectations and other issues with respect to one or more of Crestmark’s businesses could materially and adversely affect its reputation, its ability to attract and retain clients or its sources of funding for the same or other businesses. Preserving and enhancing Crestmark’s reputation also depends on maintaining systems and procedures that address known risks and regulatory requirements, as well as Crestmark’s ability to identify and mitigate additional risks that arise due to changes in its businesses and the marketplaces in which it operates, the regulatory environment and client expectations. If any of these developments has a material effect on Crestmark’s reputation, Crestmark’s business will suffer. 29