S&T BANCORP INC (STBA) Business

Item 1. BUSINESS

General

S&T Bancorp, Inc. was incorporated on March 17, 1983 under the laws of the Commonwealth of Pennsylvania as a bank holding company and is registered with the Board of Governors of the Federal Reserve System, or the Federal Reserve Board, under the Bank Holding Company Act of 1956, as amended, or the BHCA, as a bank holding company and a financial holding company. S&T Bancorp, Inc. has four active direct wholly-owned subsidiaries including S&T Bank, 9th Street Holdings, Inc., STBA Capital Trust I and DNB Capital Trust II, and owns a 50 percent interest in Commonwealth Trust Credit Life Insurance Company, or CTCLIC. When used in this Report, “S&T,” “we,” “us” or “our” may refer to S&T Bancorp, Inc. individually, S&T Bancorp, Inc. and its consolidated subsidiaries or certain of S&T Bancorp, Inc.’s subsidiaries or affiliates, depending on the context. As of December 31, 2025, we had approximately $9.9 billion in assets, $8.1 billion in total loans, $8.0 billion in deposits and $1.5 billion in shareholders’ equity.

S&T Bank is a full-service Pennsylvania chartered bank that is headquartered in Indiana, Pennsylvania. S&T Bank operates in Pennsylvania and Ohio through it's 72 branches. S&T Bank's primary regulators are the Federal Deposit Insurance Corporation, or FDIC, and the Pennsylvania Department of Banking and Securities, or PA DOBS. S&T Bank deposits are insured by the FDIC to the maximum extent provided by law. S&T Bank has three active wholly-owned operating subsidiaries including S&T Insurance Group, LLC, S&T Bancholdings, Inc. and DN Acquisition Company, Inc.

Through S&T Bank and our non-bank subsidiaries, we offer consumer, commercial and small business banking services, which include accepting time and demand deposits and originating commercial and consumer loans, brokerage services and trust services including serving as executor and trustee under wills and deeds and as guardian of employee benefits. We also manage private investment accounts for individuals and institutions through a registered financial services entity. Total Wealth Management assets under administration, which are not accounted for as part of our assets, were $2.1 billion at December 31, 2025.

The main office of both S&T Bancorp, Inc. and S&T Bank is located at 800 Philadelphia Street, Indiana, Pennsylvania, and our phone number is (800) 325-2265.

Human Capital Management

Our commitment to our customers starts with a talented team. To attract and retain our talented team, we strive to make S&T an inclusive workplace that provides our employees with opportunities to develop and grow. The S&T mindset is to encourage, develop and inspire all employees to achieve their best, motivated by their own personal progress and development. Our commitment is to foster a workplace where everyone utilizes their knowledge, skills, abilities and unique interests to help each other find success and drive positive results. S&T fosters a work culture where employees work together to better our company, products and services and community. We are committed to promoting a workplace that develops all people through ensuring fairness in all aspects of employment, educating our employees and fostering a culture to address employees’ and customers’ needs. As of December 31, 2025, we had approximately 1,209 full-time-equivalent employees.

Our Team and Culture

Our purpose is building a better future together through people-forward banking. We believe that all banking should be personal. We cultivate relationships rooted in trust, strengthened by going above and beyond and renewed with every interaction. We move banking forward, building better lives together by always putting people first.

Our team strives to embody values to encourage a culture that has enabled us to be named a top workplace. The following five core values support our purpose:

Make People our Purpose

Humility, empathy and a sincere desire to uplift each other and our community guide our actions every day. We are people in service of people, committed to constantly improving our communication and connection and delivering the right solutions.

Do the Right Thing

We are built on trust and following through on our promises. We hold ourselves accountable by delivering results, continuously learning and striving for better every day.

2

Table of Contents

S&T BANCORP, INC. AND SUBSIDIARIES

Go Above and Beyond

We go as far as we possibly can to help advance the cause of our colleagues, customers and communities. In every case, we seek the right solutions based on a holistic understanding of the opportunities ahead of us.

Value Every Voice

We stand for inclusivity, accessibility and opportunity. We listen for forward-looking ideas to better ourselves and improve our experience. And we always welcome an honest and open dialogue with our colleagues, customers and the community at large.

Win as One Team

We function as one connected team working together to deliver a seamless experience. We communicate, collaborate and care enough to go the extra mile for the colleagues we work alongside, the customers we serve and the communities where we live.

Talent Development and Training

S&T strives to provide our employees with access to comprehensive training to enhance all job positions. Our corporate training department maintains oversight of training to ensure it is implemented and monitored properly and encourages career development for our employees. Our training programs offer a blended learning approach comprised of classroom, asynchronous online learning and synchronous online sessions. Our learning management systems, supported by vendor partnerships provide employees regulatory, compliance, skill-based, technology, leadership and career development trainings.

We encourage all employees to develop their skill sets and careers through a variety of internal and external training opportunities to align our organization for long-term success. We are dedicated to investing in and developing our managers, supervisors and future leaders of S&T. Our multi-tier succession plan includes replacement planning of vacancies, ongoing talent development and career path design of current employees. Additional resources that support these initiatives include S&T's annual training and recruitment plans that identify specific actionable programs and efforts. In 2025, our employees logged approximately 71,798 training hours, on average 59 hours per employee.

Safety, Health and Wellness

The safety, health and well-being of our employees is a top priority. We offer our employees and their families access to a variety of flexible and convenient health and welfare programs that provide resources to help them maintain and/or improve their physical and mental health. We also have a financial wellness program that assists our employees and their families with budgeting and various personal financial content consisting of an online personal financial program and internally produced webinars. We believe in the education and offering of programs and initiatives that make lasting positive impacts in the lives of our employees.

Access to United States Securities and Exchange Commission Filings

All of our reports filed electronically with the United States Securities and Exchange Commission, or the SEC, including this Annual Report on Form 10-K for the fiscal year ended December 31, 2025, our prior annual reports on Form 10-K, quarterly reports on Form 10-Q, current reports on Form 8-K and our annual proxy statements, as well as any amendments to those reports, are accessible at no cost on our website at www.stbancorp.com under Financials, SEC Filings. These filings are also accessible on the SEC’s website at www.sec.gov. The charters of the Audit Committee, the Compensation and Benefits Committee, the Credit Risk Committee, the Executive Committee, the Nominating and Corporate Governance Committee and the Risk Committee as well as the Complaints Regarding Accounting, Internal Accounting Controls or Auditing Matters ("Whistleblower Policy"), the Code of Conduct for the Chief Executive Officer, or CEO, and Chief Financial Officer, or CFO, the General Code of Conduct, the Shareholder Communications Policy and the Corporate Governance Guidelines are also available at www.stbancorp.com under Governance.

3

Table of Contents

S&T BANCORP, INC. AND SUBSIDIARIES

Supervision and Regulation

General

S&T and its bank and non-bank subsidiaries are extensively regulated under federal and state law. Regulation of bank holding companies and banks is intended primarily for the protection of consumers, depositors, borrowers, the Federal Deposit Insurance Fund, or DIF, and the banking system as a whole, and not for the protection of shareholders or creditors. The following describes certain aspects of that regulation and does not purport to be a complete description of all regulations that affect S&T, or all aspects of any regulation discussed here. To the extent statutory or regulatory provisions are described, the description is qualified in its entirety by reference to the particular statutory or regulatory provisions. The discussion of the regulations applicable to S&T provided below is based on our status as an institution with less than $10 billion in assets. If S&T’s assets cross the $10 billion threshold, we will be subject to different and additional regulations than those described below.

In addition, proposals to change the laws and regulations governing the banking industry are frequently raised in Congress, in state legislatures and before the various bank regulatory agencies that may impact S&T. Bank regulatory agencies may issue policy statements, interpretive letters and similar written guidance applicable to S&T or S&T Bank. Such initiatives to change the laws and regulations may include proposals to expand or contract the powers of bank holding companies and depository institutions or proposals to substantially change the financial institution regulatory system. Any such legislation could change bank statutes and our operating environment in substantial and unpredictable ways. If enacted, such legislation could affect how S&T and S&T Bank operate and could significantly increase costs, impede the efficiency of internal business processes, limit our ability to pursue business opportunities in an efficient manner or affect the competitive balance among banks, credit unions and other financial institutions, any of which could materially and adversely affect our business, financial condition and results of operations. The likelihood and timing of any changes and the impact such changes might have on S&T is impossible to determine with any certainty.

Regulation of S&T

We are a bank holding company subject to regulation under the BHCA and the examination and reporting requirements of the Federal Reserve and have elected to be a financial holding company. Under the BHCA, a financial holding company is restricted in the types of activities in which it may engage and subject to a range of supervisory requirements and activities, including regulatory enforcement actions for violations of laws and regulations.

In general, the BHCA limits the business of bank holding companies to banking, managing, or controlling banks and other activities that the Federal Reserve has determined to be closely related to banking. Bank holding companies that qualify and elect to become financial holding companies, such as S&T, may engage in any activity, or acquire and retain the shares of a company engaged in any activity, that is either financial in nature or incidental to such financial activity (as determined by the Federal Reserve in consultation with the Secretary of the Treasury), or complementary to a financial activity, and that does not pose a substantial risk to the safety and soundness of depository institutions or the financial system (as solely determined by the Federal Reserve). The BHCA identifies several activities as “financial in nature” including, among others, securities underwriting; dealing and market making; sponsoring mutual funds and investment companies; insurance underwriting and sales agency; investment advisory activities; merchant banking activities and activities that the Federal Reserve has determined to be closely related to banking. Banks may also engage in, subject to limitations on investment, activities that are financial in nature, other than insurance underwriting, insurance company portfolio investment, real estate development and real estate investment, through a financial subsidiary of the bank, if the bank is “well-capitalized,” “well-managed” and has at least a “satisfactory” Community Reinvestment Act, or CRA, rating.

4

Table of Contents

S&T BANCORP, INC. AND SUBSIDIARIES

In order to maintain our status as a financial holding company, we must remain “well-capitalized” and “well-managed” and the depository institutions controlled by us must remain “well-capitalized,” “well-managed” (as defined in federal law) and have at least a “satisfactory” CRA rating. Refer to Note 23. Regulatory Matters to the consolidated financial statements contained in Part II, Item 8 of this Report for information concerning the current capital ratios of S&T and S&T Bank. If S&T or S&T Bank fail to continue to meet these requirements, we could be subject to restrictions on new activities and acquisitions, and/or be required to cease and possibly divest operations that conduct existing activities that are not permissible for a bank holding company that is not a financial holding company. Additionally, the Federal Reserve could impose corrective capital and managerial requirements and activity restrictions on us if we cease to be “well-capitalized” or “well managed.”

As a financial holding company, we are expected under statutory and regulatory provisions to serve as a source of financial and managerial strength to our subsidiary bank. A financial holding company is also expected to commit resources, including capital and other funds, to support its subsidiary bank. The Federal Reserve may require a bank holding company to make capital injections into a troubled subsidiary bank and may charge the bank holding company with engaging in unsafe and unsound practices if it fails to commit resources to such a subsidiary bank, or if it undertakes actions that the Federal Reserve believes might jeopardize the bank holding company’s ability to commit resources to such subsidiary bank. Capital loans by banking holding companies to its subsidiary banks would be subordinate in right of payment to deposits and certain other debts of the subsidiary bank. In the event of bankruptcy, any commitment by a bank holding company to a federal bank regulatory agency to maintain the capital of a subsidiary bank would be assumed by the bankruptcy trustee and entitled to a priority of payment.

The BHCA requires that a financial holding company obtain the prior approval of the Federal Reserve before (i) acquiring direct or indirect ownership or control of more than 5 percent of the voting shares of any additional bank or bank holding company, (ii) taking any action that causes an additional bank or bank holding company to become a subsidiary of the financial holding company, or (iii) merging or consolidating with any other bank holding company. No prior regulatory approval is required for a financial holding company to acquire a company, other than a bank or savings association, engaged in activities that are financial in nature or incidental to activities that are financial in nature, as determined by the Federal Reserve, unless the total consolidated assets to be acquired exceed $10 billion. Federal law restricts the amount of voting stock of a bank holding company and a bank that a person may acquire without the prior approval of banking regulators. Federal law also imposes restrictions on acquisitions of stock in a bank holding company. Under the federal Change in Bank Control Act and the regulations thereunder, a person or group must give advance notice to the Federal Reserve before acquiring control of any bank holding company, such as S&T, and the FDIC before acquiring control of any state-chartered non-member bank, such as S&T Bank. Upon receipt of such notice, the bank regulatory agencies may approve or disapprove the acquisition. The Change in Bank Control Act creates a rebuttable presumption of control if a member or group acquires a certain percentage or more of a bank holding company’s or bank’s voting stock, or if one or more other control factors set forth in the Act are present. As a result, a person or entity generally must provide prior notice to the Federal Reserve before acquiring the power to vote 10 percent or more of S&T’s outstanding common stock.

S&T Bank

As a Pennsylvania-chartered, FDIC-insured non-member commercial bank, S&T Bank is subject to the supervision and regulation of the PA DOBS and the FDIC. We are also subject to various requirements and restrictions under federal and state law, including requirements to maintain reserves against deposits, restrictions on the types, amount and terms and conditions of loans that may be granted and limits on the types of other activities in which S&T Bank may engage and the investments it may make.

S&T Bank is subject to affiliate transaction rules in Sections 23A and 23B of the Federal Reserve Act as implemented by the Federal Reserve's Regulation W, that limit the amount of transactions between itself and S&T or any other company or entity that controls or is under common control with any company or entity that controls S&T Bank, including for most purposes any financial or depository institution subsidiary of S&T Bank. Under these provisions, “covered” transactions, including making loans, purchasing assets, issuing guarantees and other similar transactions, between a bank and its parent company or any other affiliate, generally are limited to 10 percent of the bank subsidiary’s capital and surplus, and with respect to all transactions with affiliates, are limited to 20 percent of the bank subsidiary’s capital and surplus. Loans and extensions of credit from a bank to an affiliate generally are required to be secured by eligible collateral in specified amounts, and in general all affiliated transactions must be on terms consistent with safe and sound banking practices. Furthermore, in general, transactions between a bank and its affiliates must be on terms and conditions that are at least as favorable to the bank as the terms that would apply in comparable transactions between the bank and a third party. Dodd-Frank Wall Street Reform and Consumer Protection Act, or Dodd-Frank Act, expanded the affiliate transaction rules to broaden the definition of "covered transactions" to include securities, borrowing or lending, repurchase and reverse repurchase agreements and certain derivative transactions. The Act also strengthened collateral requirements and significantly limited the Federal Reserve's authority to grant exemptions from these rules.

5

Table of Contents

S&T BANCORP, INC. AND SUBSIDIARIES

Federal law also constrains the types and amounts of loans that S&T Bank may make to its executive officers, directors and principal shareholders. Among other things, these loans are limited in amount, must be approved by S&T Bank’s board of directors in advance and must be on terms and conditions as favorable to the bank as those available to an unrelated person. The Dodd-Frank Act strengthened restrictions on loans to insiders and expanded the types of transactions subject to the various limits to include credit exposure arising from a derivative transaction, a repurchase or reverse repurchase agreement and a securities lending or borrowing transaction. The Dodd-Frank Act also placed restrictions on certain asset sales to and from an insider to an institution, including requirements that such sales be on market terms and, in certain circumstances, approved by the institution’s board of directors.

Pursuant to Section 18(c) of the FDIA, more commonly known as the Bank Merger Act, or BMA, prior written approval from a bank’s primary federal regulator is required before any insured depository institution may consummate a merger transaction which includes a merger, consolidation, assumption of deposit liabilities and certain asset transfers between or among two or more institutions. Prior written approval of a bank’s primary federal regulator is also required for merger transactions between or among affiliated institutions, as well as for merger transactions between or among non-affiliated institutions. Transactions that do not involve a transfer of deposit liabilities typically do not require prior approval under the BMA, unless the transaction involves the acquisition of all or substantially all of an institution’s assets. In September 2024, the FDIC adopted a final rule amending its procedures for reviewing applications under the BMA and adding a policy statement on the FDIC’s substantive approach to evaluating bank mergers under the BMA, which, among other things, eliminated certain expedited review procedures and streamlined application processes. However, on May 20, 2025, the FDIC approved the rescission of its 2024 policy statement and reinstated its 2008 policy statement while it conducts a broader reevaluation of its bank merger review process. These actions reflect regulatory efforts to reduce procedural uncertainty and burden in the bank merger review process. The statutory framework underlying the BMA has not been materially changed by recent legislation, and agencies continue to exercise broad discretion in merger evaluation on a case-by-case basis. Proposed changes to bank merger policy, including oversight and application procedures, may arise from regulatory proposals or Congressional interest and could affect the timing, complexity or conditions of merger approvals.

In September 2024, the Department of Justice, or DOJ, withdrew its 1995 Bank Merger Guidelines and issued the 2024 Banking Addendum to 2023 Merger Guidelines, or the 2024 Banking Addendum. The DOJ clarified that it would assess competition considerations in connection with bank and bank holding company mergers using its 2023 Merger Guidelines which is the general merger review framework the DOJ now uses to evaluate transactions in all segments of the economy, and 2024 Banking Addendum. The 2024 Banking Addendum provides guidance on how the DOJ will assess competition in the context of bank and bank holding company mergers. An analysis under the 2023 Merger Guidelines and 2024 Banking Addendum may include consideration of theories of harm and relevant markets not considered under the 1995 Bank Merger Guidelines which focused primarily on concentrations of deposits and branches. Notwithstanding the actions of the FDIC in 2025, transactions that satisfy traditional banking regulator approval standards may nonetheless face extended DOJ review, additional information requests, conditions or challenges.

Supervision, Examination and Enforcement

The Federal Reserve and FDIC have broad supervisory, examination and enforcement authority with regard to bank holding companies and banks, including the power to impose nonpublic supervisory agreements, issue cease and desist or removal orders, impose fines and other civil and criminal penalties, initiate injunctive actions, terminate deposit insurance and appoint a conservator or receiver. In general, these actions may be initiated for violations of laws and regulations, as well as engagement in unsafe and unsound practices, and some of these actions also may be taken against an “institution affiliated party” as defined in the law. Specifically, the regulators may direct a bank holding company or bank to, among other things, increase its capital, sell subsidiaries or other assets, limit its dividends and distributions, restrict its growth or remove officers and directors. Supervision and examinations are confidential, and the outcomes of these actions may not be made public. In addition, if our total consolidated assets exceed $10 billion, we may be subject to additional supervision by the Consumer Financial Protection Bureau, or CFPB, with respect to consumer protection laws and regulations.

On August 7, 2025, Executive Order 14331,“Guaranteeing Fair Banking Access for All Americans,” was issued directing federal banking agencies to identify and address “politicized or unlawful” denial of financial services based on constitutionally or statutorily protected beliefs, affiliations, or political views. In response, the Small Business Administration, or SBA, required certain certifications from SBA lending program participants, and the FDIC conducted supervisory reviews of policies and practices at certain FDIC-supervised institutions.

6

Table of Contents

S&T BANCORP, INC. AND SUBSIDIARIES

In October 2025, the federal bank regulators issued a proposed rule to limit reputation risk as a factor in their supervisory frameworks. Under the proposed rule, the agencies would be prohibited from criticizing or taking adverse action against a financial institution based on reputation risk. Certain states have also enacted or proposed “fair access” laws that may affect how financial institutions approach account opening, account termination and related relationship decisions. These developments may result in evolving supervisory expectations, examination practices or compliance requirements applicable to S&T and its affiliates and could increase operational, compliance or legal complexity, including where requirements overlap with or potentially conflict with other legal or risk-management obligations.

Insurance of Accounts; Depositor Preference

The deposits of S&T Bank are insured up to applicable limits per insured depositor by the DIF, as administered by the FDIC. The Dodd-Frank Act codified FDIC deposit insurance coverage per separately insured depositor for all account types at $250,000.

The DIF is funded mainly through quarterly assessments on insured depository institutions, such as S&T Bank, and provides insurance coverage for certain deposits up to this maximum amount. As an FDIC-insured bank, S&T Bank is subject to FDIC insurance assessments which are imposed based upon the calculated risk the institution poses to the DIF. S&T Bank’s assessment is determined each quarter in accordance with the FDIC’s standardized risk-based methodology by multiplying its assessment rate by its assessment base. The assessment base is calculated as a percentage of average consolidated total assets less average tangible equity during the assessment period. Under the current assessment system, for an institution with less than $10 billion in assets, assessment rates are determined based on a combination of financial ratios and CAMELS (capital adequacy, asset quality, management, earnings, liquidity and sensitivity) composite ratings. The assessment rate schedule can change from time to time, at the discretion of the FDIC, subject to certain limits. Under the current system, premiums are assessed quarterly.

As part of its semiannual update of the restoration plan established by the FDIC to facilitate restoration of the reserve ratio of the DIF to the statutory minimum in the mandated time frame, the FDIC adopted a final rule in October 2022. The new rule, applicable to all insured depository institutions, increased the initial base deposit insurance assessment rate schedules uniformly by 2 basis points, beginning in the first quarterly assessment period of 2023 (January 1 through March 31, 2023). The increase in assessment rate schedules was intended to increase the likelihood that the reserve ratio of the DIF reaches the statutory minimum of 1.35 percent by the statutory deadline of September 30, 2028. The change in assessment rates was further intended to support the growth of the DIF in progressing toward the 2 percent Designated Reserve Ratio, or DRR, established by the FDIC. The FDIC has indicated that the new assessment rate schedules will remain in effect unless and until the DRR meets or exceeds 2 percent, absent further FDIC action. Under the new rule, the total base assessment rates on an annualized basis range from 2.5 basis points for certain “well-capitalized,” “well-managed” banks, with the highest ratings, to 42 basis points for complex institutions posing the most risk to the DIF compared to the 2022 rates that ranged from 1.5 to 40.

In addition to regular assessments, the FDIC has authority to impose special assessments on insured depository institutions, including to recover losses to the DIF associated with bank failures. In November 2023, the FDIC finalized a special assessment to recover DIF losses related to the closures of Silicon Valley Bank and Signature Bank. The assessment applies only to institutions with more than $5 billion in uninsured deposits as of December 31, 2022. Because S&T Bank’s uninsured deposits were below this threshold, the assessment does not apply to S&T.

The FDIC may terminate the deposit insurance of any insured depository institution if it determines, after hearing that the institution has engaged in unsafe or unsound practices, that the institution is in an unsafe or unsound condition to continue operations or has violated any applicable law, regulation, rule, order or condition imposed by the FDIC or the Federal Reserve. It also may suspend deposit insurance temporarily during the hearing process if the institution has no tangible capital. If insurance of accounts is terminated, the accounts at the institution at the time of termination, less subsequent withdrawals, will continue to be insured for a period of six months to two years, as determined by the FDIC.

Under federal law, deposits and certain claims for administrative expenses and employee compensation against insured depository institutions are afforded a priority over other general unsecured claims against such an institution, including federal funds and letters of credit, in the liquidation or other resolution of such an institution by a receiver. Such priority creditors would include the FDIC.

7

Table of Contents

S&T BANCORP, INC. AND SUBSIDIARIES

Capital

S&T and S&T Bank are required under federal law to maintain certain minimum capital levels based on ratios of capital to total assets and capital to risk-weighted assets. The Federal Reserve and the FDIC have issued substantially similar minimum risk-based and leverage capital rules applicable to the banking organizations they supervise. These capital ratios represent regulatory minimums, and the Federal Reserve and FDIC may determine that a banking organization, based on its size, complexity, risk profile, growth plans or overall condition, must maintain capital levels in excess of the minimum requirements in order to operate in a safe and sound manner. In assessing capital adequacy, banking regulators consider a variety of qualitative and quantitative factors, including concentrations of credit risk, exposure to interest rate risk, liquidity risk, operational and market risks, risks arising from non-traditional activities and management’s ability to identify, measure, monitor and control those risks.

Under the applicable capital rules, S&T and S&T Bank are subject to the following risk-based capital ratios: a common equity tier 1, or CET1, risk-based capital ratio, a Tier 1 risk-based capital ratio, which includes CET1 and additional Tier 1 capital and a total capital ratio which includes Tier 1 and Tier 2 capital. CET1 is primarily comprised of the sum of common stock instruments and related surplus net of treasury stock, retained earnings and certain qualifying minority interests, less certain adjustments and deductions, including with respect to goodwill, intangible assets, mortgage servicing assets and deferred tax assets subject to temporary timing differences. Additional Tier 1 capital is primarily comprised of noncumulative perpetual preferred stock, tier 1 minority interests and grandfathered trust preferred securities, if applicable. Tier 2 capital consists of instruments disqualified from Tier 1 capital, including qualifying subordinated debt, certain trust preferred securities, other preferred stock and certain hybrid capital instruments and a limited amount of loan loss reserves up to a maximum of 1.25 percent of risk-weighted assets, subject to certain eligibility criteria.

The capital rules require a minimum CET1 risk-based capital ratio of 4.5 percent, a minimum overall Tier 1 risk based capital ratio of 6.0 percent, and a total risk-based capital ratio of 8.0 percent. In addition, the capital rules require a capital conservation buffer of 2.5 percent above each of the minimum capital ratio requirements (CET1, Tier 1, and total risk-based capital), which must be met for a bank or bank holding company to be able to pay dividends, engage in share buybacks or make discretionary bonus payments to executive management without automatic restrictions. The capital conservation buffer is 2.50 percent, so a banking organization needs to maintain a CET1 capital ratio of at least 7 percent, a total Tier 1 capital ratio of at least 8.5 percent and a total risk-based capital ratio of at least 10.5 percent or it would be subject to restrictions on capital distributions and discretionary bonus payments to its executive management.

The leverage capital ratio, which serves as a minimum capital standard, is the ratio of Tier 1 capital to quarterly average total assets, less goodwill and other disallowed intangible assets. The required minimum leverage ratio for all banks and bank holding companies is 4 percent.

To be well-capitalized, we must maintain the following capital ratios:

● CET1 risk-based capital ratio of 6.5 percent or greater;

● Tier 1 risk-based capital ratio of 8.0 percent or greater;

● Total risk-based capital ratio of 10.0 percent or greater; and

● Tier 1 leverage ratio of 5.0 percent or greater.

Failure to be well-capitalized or to meet minimum capital requirements could result in certain mandatory and possible additional discretionary actions by regulators that, if undertaken, could have an adverse material effect on our operations or financial condition. For example, only a well-capitalized depository institution may accept brokered deposits without prior regulatory approval. Failure to be well-capitalized or to meet minimum capital requirements could also result in restrictions on S&T’s or S&T Bank’s ability to pay dividends or otherwise distribute capital or to receive regulatory approval of applications or other restrictions on its growth.

On December 31, 2025, S&T’s and S&T Bank’s regulatory capital ratios were above the well-capitalized standards and met the fully phased-in capital conservation buffer.

8

Table of Contents

S&T BANCORP, INC. AND SUBSIDIARIES

The following table summarizes the leverage and risk-based capital ratios for S&T and S&T Bank:

Payment of Dividends

S&T is a legal entity separate and distinct from its banking and other subsidiaries. A substantial portion of our revenues consist of dividend payments we receive from S&T Bank. The payment of common dividends by S&T is subject to certain requirements and limitations of Pennsylvania law. S&T Bank, in turn, is subject to federal and state laws and regulations that limit the amount of dividends it can pay to S&T. In addition, both S&T and S&T Bank are subject to various general regulatory policies relating to the payment of dividends, including requirements to maintain adequate capital above regulatory minimums. The Federal Reserve has indicated that banking organizations should generally pay dividends only if (i) the organization’s net income available to common shareholders over the past year has been sufficient to fully fund the dividends, (ii) the prospective rate of earnings retention appears consistent with the organization’s capital needs, asset quality and overall financial condition and (iii) the organization will continue to meet minimum capital adequacy ratios. The policy also provides that a banking organization should inform the Federal Reserve reasonably in advance of declaring or paying a dividend that exceeds earnings for the period for which the dividend is being paid or that could result in a material adverse change to the bank holding company’s capital structure. Bank holding companies also are required to consult with the Federal Reserve before redeeming or repurchasing capital instruments when the bank holding company is experiencing financial weaknesses. Additionally, the Federal Reserve could prohibit or limit the payment of dividends by a bank holding company if it determines that payment of the dividend would constitute an unsafe or unsound practice.

Thus, under certain circumstances based upon our financial condition, our ability to declare and pay quarterly dividends may require consultation with the Federal Reserve and may be prohibited by applicable Federal Reserve guidance.

9

Table of Contents

S&T BANCORP, INC. AND SUBSIDIARIES

Safety and Soundness Regulations

There are a number of obligations and restrictions imposed on bank holding companies such as us and our depository institution subsidiary by federal law and regulatory policy. These obligations and restrictions relate to internal controls, risk management, information systems, internal audit systems, loan documentation, credit underwriting, interest rate exposure, asset growth and compensation, fees and benefits. These guidelines in general require appropriate systems and practices to identify and manage specified risks and exposures. These obligations and restrictions are designed to reduce potential loss exposure to the FDIC’s DIF in the event an insured depository institution becomes in danger of default or is in default. Under current federal law, for example, the federal banking agencies possess broad powers to take prompt corrective action to resolve problems of insured depository institutions. The extent of these powers depends upon whether the institution in question is “well-capitalized,” “adequately capitalized,” “undercapitalized,” “significantly undercapitalized” or “critically undercapitalized,” as defined by the law. As of December 31, 2025, S&T Bank was classified as “well-capitalized.” Refer to the above section titled Capital within this Item 1. Business section for capital requirements. The classification of depository institutions is primarily for the purpose of applying the federal banking agencies’ prompt corrective action provisions and is not intended to be and should not be interpreted as a representation of overall financial condition or prospects of any financial institution.

Lending Standards and Guidance

The federal banking agencies have adopted uniform regulations prescribing standards for extensions of credit that are secured by liens on, or interests in, real estate or made for the purpose of financing permanent improvements to real estate. Under these regulations, all insured depository institutions, including S&T Bank, are required to adopt and maintain written policies that establish appropriate limits and standards for such extensions of credit. These policies must address, among other things, loan portfolio diversification standards, prudent underwriting standards (including clear and measurable loan-to-value limits), loan administration procedures and documentation, approval and reporting requirements. S&T Bank’s real estate lending policies are required to reflect consideration of the federal banking regulators’ Interagency Guidelines for Real Estate Lending Policies.

The federal banking agencies have also jointly issued supervisory guidance on Concentrations in Commercial Real Estate Lending (the “Guidance”). The Guidance defines commercial real estate loans to include exposures secured by raw land, land development and construction (including one-to-four family residential construction), multifamily property and non-farm nonresidential property where the primary or a significant source of repayment is derived from rental income associated with the property (generally defined as loans for which 50 percent or more of the source of repayment is derived from third-party, non-affiliated rental income) or from the proceeds of the sale, refinancing or permanent financing of the property.

The Guidance provides that insured depository institutions should maintain appropriate processes to identify, monitor and control risks associated with concentrations in commercial real estate lending. Where concentrations are present, management is expected to employ heightened risk management practices which may include enhanced board and management oversight and strategic planning, portfolio management, underwriting standards, risk assessment and monitoring through market analysis and stress testing and the maintenance of capital levels appropriate to support the level of commercial real estate lending. These heightened risk management practices may also include enhanced internal controls, portfolio stress testing, risk exposure limits, compensation and incentive programs and, where appropriate, higher allowances for credit losses.

10

Table of Contents

S&T BANCORP, INC. AND SUBSIDIARIES

Prompt Corrective Action

The federal banking agencies’ prompt corrective action powers, which increase depending upon the degree to which an institution is undercapitalized, can include, among other things, requiring an insured depository institution to adopt a capital restoration plan which cannot be approved unless guaranteed by the institution’s parent company; placing limits on asset growth and restrictions on activities, including restrictions on transactions with affiliates; restricting the interest rates the institution may pay on deposits; restricting the institution from accepting brokered deposits; prohibiting the payment of principal or interest on subordinated debt; prohibiting the holding company from making capital distributions, including payment of dividends, without prior regulatory approval; and, ultimately, appointing a receiver for the institution.

The federal banking agencies have also adopted guidelines prescribing safety and soundness standards relating to internal controls and information systems, internal audit systems, loan documentation, credit underwriting, interest rate exposure, asset growth, fees and compensation and benefits. In general, the guidelines require appropriate systems and practices to identify and manage specified risks and exposures. The guidelines prohibit excessive compensation as an unsafe and unsound practice and characterize compensation as excessive when the amounts paid are unreasonable or disproportionate to the services performed by an executive officer, employee, director or principal shareholder. In addition, the agencies have adopted regulations that authorize, but do not require, an agency to order an institution that has been given notice by an agency that it is not in compliance with any of such safety and soundness standards to submit a compliance plan. If, after being so notified, an institution fails to submit an acceptable compliance plan, the agency must issue an order directing action to correct the deficiency and may issue an order directing other actions of the types to which an “undercapitalized” institution is subject under the prompt corrective action provisions described above.

Regulatory Enforcement Authority

The enforcement powers available to federal banking agencies are substantial and include, among other things and in addition to other powers described herein, the ability to assess civil money penalties and impose other civil and criminal penalties, to issue cease-and-desist or removal orders, to appoint a conservator to conserve the assets of an institution for the benefit of its depositors and creditors and to initiate injunctive actions against banks and bank holding companies and “institution affiliated parties,” as defined in the Federal Deposit Insurance Act, or FDIA. In general, these enforcement actions may be initiated for violations of laws and regulations, and engagement in unsafe or unsound practices. Other actions or inactions may provide the basis for enforcement action, including misleading or untimely reports filed with regulatory authorities. At the state level, the PA DOBS also has broad enforcement powers over S&T Bank, including the power to impose fines and other penalties and to appoint a conservator or receiver.

Interstate Banking and Branching

The BHCA currently permits bank holding companies from any state to acquire banks and bank holding companies located in any other state, subject to certain conditions, including certain nationwide and state-imposed deposit concentration limits. In addition, because of changes to law made by the Dodd-Frank Act, S&T Bank may now establish de novo branches in any state to the same extent that a bank chartered in that state could establish a branch.

Fair Lending and Consumer Protection Laws

In connection with its lending activities, S&T Bank is subject to a number of state and federal laws and regulations designed to protect consumers and promote lending to various sectors of the economy and population. The federal laws include, among others, the Equal Credit Opportunity Act, the Truth-in-Lending Act, the Truth-in-Savings Act, the Home Mortgage Disclosure Act, the Real Estate Settlement Procedures Act, the Fair Credit Reporting Act, Fair Housing Act and the Community Reinvestment Act, or CRA. In addition, federal rules require disclosure of privacy policies to consumers.

Fair lending laws prohibit discrimination in the lending practices, and include the Equal Credit Opportunity Act and the Fair Housing Act which outlaw discrimination in credit transactions and residential real estate on the basis of prohibited factors including, among others, race, color, national origin, sex and religion. If a pattern or practice of lending discrimination is alleged by a regulator, then that agency is required to refer the matter to the DOJ for investigation. S&T Bank is required to have a fair lending program that is of sufficient scope to monitor the inherent fair lending risk of the institution and ensure compliance with all applicable fair lending laws and regulations.

11

Table of Contents

S&T BANCORP, INC. AND SUBSIDIARIES

In addition, the Dodd-Frank Act provides that the amount of any interchange fee charged for electronic debit transactions by debit card issuers having assets over $10 billion must be reasonable and proportional to the actual cost of a transaction to the issuer. The Federal Reserve has adopted a rule, Regulation II, which limits the maximum permissible interchange fees that such issuers can receive for an electronic debit transaction. Regulation II was effective on October 1, 2011 and amended on October 3, 2022 to require debit card issuers to provide at least two unaffiliated payment card networks to process card-not-present debit card transactions. Regulation II does not apply to a bank that, together with its affiliates, has less than $10 billion in assets, which includes S&T. In addition, their future application is subject to uncertainty. Ongoing litigation has challenged the Federal Reserve’s implementation of the interchange fee cap, and while no statutory changes have been enacted, adverse judicial outcomes or future regulatory action could modify or invalidate the current framework. The Federal Reserve has not finalized any amendments to Regulation II, and institutions below $10 billion in consolidated assets continue to qualify for the small-issuer exemption. However, as S&T grows, it may become subject to Regulation II, depending on the outcome of ongoing litigation and any applicable rule changes. Additionally, in February of 2026, a federal court in Illinois partially upheld a first-of-its-kind state law restricting interchange fees. This Illinois Interchange Fee Prohibition Act goes into effect on July 1, 2026. The majority of our customers are not located in Illinois, however, there may be similar state laws promulgated over time.

In March 2023, the CFPB issued the “Small Business Lending Rule” to implement Section 1071 of the Dodd-Frank Act for the stated purpose of increasing transparency in small business lending, promoting economic development, and combating unlawful discrimination. Under the Small Business Lending Rule, covered lenders, including S&T Bank, are required to collect and report information about the small business credit applications they receive, including geographic and demographic data, lending decisions and the price of credit. The Small Business Lending Rule has been subject to extensive litigation and court stays have extended the compliance deadlines for certain entities involved in the litigation. As a result, the CFPB announced on April 30, 2025, that it will not prioritize enforcement or supervision of the Small Business Lending Rule for entities not covered by the stay. On June 18, 2025, the CFPB issued an interim final rule to extend compliance deadlines by approximately one year which was finalized on October 2, 2025. In addition, on November 13, 2025, the CFPB proposed significant changes to the Small Business Lending Rule that would exclude certain credit from the definition of covered credit transaction, increase loan origination thresholds for covered companies, change revenue thresholds for the definition of small businesses, remove certain data points from reporting and further extend the compliance date to January 1, 2028 for all covered financial institutions.

In October 2024, the CFPB finalized its “Open Banking Rule” to implement Section 1033 of the Dodd-Frank Act, which would require certain entities, including S&T and S&T Bank, to, among other things, make available to a consumer, upon request, information in its control or possession concerning the consumer financial product or service that the consumer obtained from that entity. The Open Banking Rule has been subject to extensive litigation since its adoption. As part of that litigation, on May 23, 2025, the CFPB stated in a litigation status report that the Open Banking Rule is unlawful. As a result, litigation was stayed while the CFPB conducted new rulemaking process. On August 22, 2025, the CFPB released an advanced notice of proposed rulemaking soliciting public comment to the Open Banking Rule.

S&T Bank is continuing to monitor and evaluate the impact of the Small Business Lending Rule and Open Banking Rule, though compliance may require operational, technology and policy changes, may increase S&T Bank’s compliance costs and could subject S&T Bank to heightened litigation and enforcement risk.

12

Table of Contents

S&T BANCORP, INC. AND SUBSIDIARIES

Community Reinvestment Act

The CRA requires the appropriate federal banking agency, in connection with its examination of a bank, to assess the bank’s record in meeting the credit needs of the communities served by the institution, including low- and moderate-income, or LMI, borrowers and neighborhoods. The CRA is designed to encourage regulated banks to help meet the credit needs of the local communities in which they are chartered. The Federal Reserve, the FDIC and the OCC implement the CRA through their CRA regulations which establish the framework for how the agencies assess a bank’s record of helping to meet the credit needs of the communities that they serve, including LMI neighborhoods, consistent with safe and sound operations. Furthermore, such assessment is required of any bank that has applied, among other things, to merge or consolidate with or acquire the assets or assume the liabilities of an insured depository institution, or to open or relocate a branch office. In the case of a bank holding company, including a financial holding company, applying for approval to acquire a bank or bank holding company, the Federal Reserve will assess the record of each subsidiary bank of the applicant bank holding company in considering the application. Under the CRA, institutions are assigned a rating of “outstanding,” “satisfactory,” “needs to improve” or “unsatisfactory.” S&T Bank was rated “satisfactory” in its most recent CRA performance evaluation.

On October 24, 2023, the FDIC, OCC and Federal Reserve jointly issued a final rule to the CRA designed to strengthen and modernize the regulations implementing the CRA. The changes are designed to encourage banks to expand access to credit, investment and banking services in LMI communities, adapt to changes in the banking industry, including mobile and internet banking, provide greater clarity and consistency in the application of the CRA regulations and tailor CRA evaluations and data collection to bank size and type. Most of the final rule’s requirements were applicable beginning in January 2026, while the remaining requirements, including data reporting requirements, will be applicable in January 2027. The 2023 CRA final rule has been subject to legal challenge, and its effectiveness and implementation have been enjoined by a federal court. In light of the foregoing, FDIC, OCC and Federal Reserve jointly issued a proposal on July 16, 2025, to rescind the final CRA final rule issued in October 2023 and replace it with the prior CRA regulations that were originally adopted by the agencies in 1995, with certain technical amendments. Until any new CRA rule becomes effective, we expect to continue to be evaluated under the CRA regulations currently in effect. Any future changes to the CRA framework (including changes to assessment areas, evaluation methods, data collection or reporting requirements and the standards applied in connection with regulatory applications) could increase our compliance costs and may affect our ability to obtain regulatory approvals.

With respect to consumer protection, the Dodd-Frank Act created the CFPB which took over rulemaking responsibility on July 21, 2011 for the principal federal consumer financial protection laws, such as those identified above. Institutions that have assets of $10 billion or less, such as S&T Bank, are subject to the rules established by the CFPB, but will continue to be supervised in this area by their state and primary federal regulators which in the case of S&T Bank is the FDIC. S&T Bank continues to comply with all applicable consumer protection laws and regulations.

Anti-Money Laundering Rules

S&T Bank is subject to the Bank Secrecy Act, or BSA, its implementing regulations and other anti-money laundering, or AML, laws and regulations, including the USA Patriot Act of 2001. Among other things, these laws and regulations require S&T Bank to take steps to prevent the bank from being used to facilitate the flow of illegal or illicit money, to report large currency transactions and to file suspicious activity reports. S&T Bank is also required to develop and implement a comprehensive AML/Countering The Financing Of Terrorism, or CFT, compliance program. Banks must also have in place appropriate “know your customer”, or KYC, policies and procedures which includes requirements to (1) identify and verify, subject to certain exceptions, the identity of the beneficial owners of all legal entity customers at the time a new account is opened, and (2) include in its AML/CFT program, risk-based procedures for conducting ongoing customer due diligence, which are to include procedures that (a) assist in understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile, and (b) require ongoing monitoring to identify and report suspicious transactions and, on a risk basis, to maintain and update customer information. Violations of these requirements can result in substantial civil and criminal sanctions. In addition, provisions of the USA Patriot Act of 2001 require the federal financial institution regulatory agencies to consider the effectiveness of a financial institution’s AML/CFT activities when considering applications for bank mergers and bank holding company acquisitions.

In June 2025, the federal bank regulators in coordination with the Financial Crimes Enforcement Network, or FinCEN, issued an exemption order from the customer identification program requirement for banks to collect Taxpayer Identification Numbers (TINs) directly from customers before opening accounts. The exemption allows banks to obtain TIN information from third-party sources, provided they still comply with other Customer Identification Program, or CIP, requirements, including risk-based procedures to verify customer identities. This exemption aims to address evolving customer interaction methods and privacy concerns, especially related to identity theft risks. Banks are not required to use this alternative collection method but may choose to do so if it aligns with their risk-based approach to customer verification.

13

Table of Contents

S&T BANCORP, INC. AND SUBSIDIARIES

The Anti-Money Laundering Act of 2020, enacted on January 1, 2021 as part of the National Defense Authorization Act, or AMLA, amends the BSA but does not directly impose new requirements on banks. However, AMLA requires the U.S. Treasury Department to, among other things, issue National Anti-Money Laundering and Countering the Financing of Terrorism Priorities and implementing regulations, and conduct studies and issue regulations that may, over the next few years, significantly alter certain due diligence, recordkeeping and reporting requirements that the BSA and its implementing regulations impose on banks. AMLA also contains provisions that increase penalties for violations of the BSA and includes whistleblower incentives, both of which could increase regulatory enforcement against banks. Implementation of AMLA is ongoing and is anticipated to impact S&T Bank’s AML compliance program.

In an effort to increase transparency in the U.S. financial system and prevent shell entities from being used to launder money or hide assets, AMLA includes the Corporate Transparency Act, or CTA, which requires the U.S. Treasury Department’s Financial Crimes Enforcement Network, or FinCEN, to, among other things, establish a national beneficial ownership information registry. In September 2022, FinCEN issued the final Beneficial Ownership Information Reporting Requirements rule, or BOI Reporting Rule, which effective January 1, 2024, requires certain “reporting companies” to file beneficial ownership information reports with FinCEN that will be stored in the national beneficial ownership registry and will detail the reporting company’s beneficial owners. In December 2023, FinCEN issued the final Beneficial Ownership Information Access and Safeguards rule - the second of three rulemakings that would implement the CTA - which governs access to the national beneficial ownership registry. The constitutionality of the CTA is subject to litigation, and on March 21, 2025, FinCEN issued an interim final rule that significantly revised the definition of “reporting company” in its implementing regulations to mean only those entities that are formed under the law of a foreign country and that have registered to do business in any U.S. State or Tribal jurisdiction by the filing of a document with a secretary of state or similar office (formerly known as “foreign reporting companies”). FinCEN also exempts entities previously known as “domestic reporting companies” from BOI reporting requirements. Thus, through this interim final rule, all entities created in the United States — including those previously known as “domestic reporting companies” — and their beneficial owners are exempt from the requirement to report BOI to FinCEN. Foreign entities that meet the new definition of a “reporting company” and do not qualify for an exemption from the reporting requirements must report their BOI to FinCEN under new deadlines, detailed below. These foreign entities, however, will not be required to report any U.S. persons as beneficial owners, and U.S. persons will not be required to report BOI with respect to any such entity for which they are a beneficial owner.

OFAC Regulation

The U.S. Treasury Department’s Office of Foreign Assets Control, or OFAC is responsible for administering U.S. economic sanctions which can prohibit certain transactions with designated foreign countries, nationals and others. OFAC-administered sanctions take on many different forms. For example, sanctions may include: (1) restrictions on trade with or investment in a sanctioned country, including prohibitions against direct or indirect imports from and exports to a sanctioned country and prohibitions on U.S. persons engaging in financial transactions relating to, making investments in, or providing investment-related advice or assistance to, a sanctioned country; and (2) blocking assets in which certain sanctioned foreign governments, entities or individuals have an interest, by prohibiting transfers of property subject to U.S. jurisdiction, including property in the possession or control of U.S. persons. OFAC also maintains a list of designated persons, groups or entities that are the target of sanctions, including the “Specially Designated Nationals and Blocked Persons List.” The assets of designated persons, groups or entities are blocked and U.S. persons are generally prohibited from dealing with any such persons. Moreover, blocked assets, for example property and bank deposits, cannot be paid out, withdrawn, set off or transferred in any manner without a license from OFAC. If we find a name on any transaction, account or wire transfer associated with a sanctioned person, we must freeze or block such account or transaction, file a blocked property report with OFAC and notify the appropriate authorities. Failure to comply with U.S. economic sanctions could have serious legal and regulatory consequences.

The Volcker Rule

In December 2013, federal regulators adopted final regulations regarding the Volcker Rule established in the Dodd-Frank Act. The Volcker Rule generally prohibits banks and their affiliates from engaging in proprietary trading and investing in and sponsoring certain unregistered investment companies generally covering hedge funds and private equity funds, subject to certain exemptions. Banking entities had until July 21, 2017 to conform their activities to the requirements of the rule. Since S&T generally does not engage in the activities prohibited by the Volcker Rule, the effectiveness of the rule has not had a material effect on S&T Bank or its affiliates.

14

Table of Contents

S&T BANCORP, INC. AND SUBSIDIARIES

Data Privacy and Cybersecurity

We are subject to a variety of regulatory requirements regarding data privacy, data security and cybersecurity. For example, current federal laws, rules, regulations and standards, including the Gramm-Leach-Bliley Act, or GLBA, require financial institutions to, among other things, periodically disclose their privacy policies and practices relating to sharing personal information and enable retail customers to opt out of our ability to share such personal information with unaffiliated third parties under certain circumstances. Such laws and regulations also require financial institutions to implement a comprehensive cybersecurity program that includes administrative, technical and physical safeguards to ensure the security and confidentiality of customer records and information. Other federal and state laws and regulations impact our ability to share certain information with affiliates and non-affiliates for marketing and/or non-marketing purposes, or to contact customers with marketing offers. Federal law also makes it a criminal offense, except in limited circumstances, to obtain or attempt to obtain customer information of a financial nature by fraudulent or deceptive means. S&T Bank is also subject to rules and regulations issued by the Federal Trade Commission which regulates unfair or deceptive acts or practices, including with respect to data privacy and cybersecurity. Additionally, like other lenders, S&T Bank uses credit bureau data in its underwriting activities. Use of such data is regulated under the Fair Credit Reporting Act which also regulates reporting information to credit bureaus, prescreening individuals for credit offers, sharing of information between affiliates, and using affiliate data for marketing purposes. Similar state laws may impose additional requirements on us and our subsidiaries. The federal government also is considering, and may pass, additional data privacy and cybersecurity legislation, to which we may become subject if passed.

Federal and state regulators of financial institutions have issued guidance regarding cybersecurity, addressing the scope of controls that financial institutions should implement and maintain and business continuity planning and recovery processes that should be in place. Additionally, the FDIC, OCC and Federal Reserve issued a final rule that became effective in May 2022, requiring banking organizations that experience a computer-security incident to notify certain entities and its federal regulator as soon as possible and no later than 36 hours after the bank determines a computer-security incident has occurred. This rule also requires banking organizations to notify their customers of a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. In March of 2022, the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, was enacted and once final rules are adopted, will require certain covered entities to report a covered cyber incident to the U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency, or CISA, within 72 hours after a covered entity reasonably believes an incident has occurred. Separate reporting to CISA will also be required within 24 hours if a ransom payment is made as a result of a ransomware attack. Furthermore, in September 2023, the SEC’s Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure rules went into effect requiring, among other disclosure obligations, companies to publicly disclose the occurrence of a material cybersecurity incident, including the material aspects of the nature, scope, timing and impact of the incident on the company's financial condition and results of operations and brand beginning with any material cybersecurity incidents that occur on or after December 18, 2023.

State regulators have also been increasingly active in implementing privacy and cybersecurity standards and regulations, including data access requests and breach notification requirements. We actively monitor developments regarding regulatory expectations and federal and state requirements with respect to cybersecurity, data access requests and data breach notifications.

Other Legislative and Regulatory Changes

Various legislative and regulatory proposals are being considered by the executive branch of the federal government, Congress and various state governments, including Pennsylvania, that would result in substantial changes in banking, the regulation of banks, thrifts and other financial institutions, compensation, the regulation of financial markets and their participants, financial instruments and securities and the regulators and taxation of these entities.

Throughout 2025, Congress and the federal bank regulators expanded the scope of permissible digital asset activities for banks. The Government Enabling New Innovative Unstoppable Systems Act, or GENIUS Act, enacted in July 2025 as a significant piece of legislation aimed at establishing a comprehensive regulatory framework for stablecoins and digital assets in the U.S. The GENIUS Act provides clarity on the treatment of digital currencies, including the framework for stablecoin issuances by bank and non-banking entities, custody, reserves and payments systems and adopts a supervisory framework for stablecoin issuers. Under the GENIUS Act, banks are allowed to engage in stablecoin issuances and hold related reserves, provided they comply with established AML, KYC and capital adequacy standards.

In addition, the FDIC and Federal Reserve issued revised guidance regarding their engagement in crypto-related activities. This guidance rescinds prior guidance which previously required banks to submit prior notifications to the FDIC before engaging in such activities. Under the new framework, banks may engage in permissible crypto-related services, including custody and stablecoin reserve management, without needing to receive prior FDIC approval. However, banks are still required to manage risks effectively, including market, liquidity, operational and cybersecurity risks, and to comply with all AML/CFT and consumer protection requirements.

15

Table of Contents

S&T BANCORP, INC. AND SUBSIDIARIES

While we are not yet directly involved in stablecoin issuance or similar digital asset services, we continue to monitor developments under the GENIUS Act and FDIC policy, particularly as they evolve in the areas of digital asset custody, payments systems and associated regulatory requirements. The FDIC’s recent approach signals that smaller banks have greater flexibility to explore these opportunities, provided they adhere to compliance standards designed to protect customers and ensure safety and soundness.

Competition

S&T Bank competes with other local, regional and national financial services providers, such as other financial holding companies, commercial banks, credit unions, finance companies, brokerage and insurance firms and financial technology companies, including competitors that provide their products and services online and through mobile devices. Some of our competitors are not subject to the same level of regulation and oversight that is required of banks and bank holding companies and are thus able to operate under lower cost structures. Our wealth management business competes with trust companies, mutual fund companies, investment advisory firms, law firms, brokerage firms and other financial services companies.

Changes in bank regulation, such as changes in the products and services banks can offer and permitted involvement in non-banking activities by bank holding companies, as well as bank mergers and acquisitions, can affect our ability to compete with other financial services providers. Our ability to do so will depend upon how successfully we can respond to the evolving competitive, regulatory, technological and demographic developments affecting our operations.

Our customers are primarily in Pennsylvania and the contiguous states of Ohio, New York, West Virginia, New Jersey, Delaware and Maryland. The majority of our commercial and consumer loans are made to businesses and individuals in these states resulting in geographic concentration. Our market area has a high density of financial institutions, some of which are significantly larger institutions with greater financial resources than us, and many of which are our competitors to varying degrees. Our competition for loans comes principally from commercial banks, mortgage banking companies, credit unions, online lenders and other financial service companies. Our most direct competition for deposits has historically come from commercial banks and credit unions. We face additional competition for deposits from non-depository competitors such as the mutual fund industry, securities and brokerage firms, insurance companies and financial technology companies. Since larger competitors have advantages in attracting business from larger corporations, we do not generally attempt to compete for that business. Instead, we concentrate our efforts on attracting the business of individuals, and small and medium-sized businesses. We consider our competitive advantages to be customer service and responsiveness to customer needs, the convenience of banking offices and hours, access to electronic banking services and the availability and pricing of our customized banking solutions. We emphasize personalized banking and the advantage of local decision-making in our banking business.

The financial services industry is likely to become more competitive as further technological advances enable more companies to provide financial services on a more efficient and convenient basis. Technological innovations have lowered traditional barriers to entry and enabled many companies to compete in financial services markets. Many customers now expect a choice of banking options for the delivery of services, including traditional banking offices, telephone, internet, mobile, ATMs, self-service branches, in-store branches and/or digital and technology-based solutions. These delivery channels are offered by traditional banks and savings associations, credit unions, brokerage firms, asset management groups, financial technology companies, finance and insurance companies, internet-based companies and mortgage banking firms.