{"url_path":"/sec/nwfl/10-q/2026/item-1","section_key":"item-1","section_title":"Item 1 Legal Proceedings","topic":"sec","document":{"doc_type":"10-Q","doc_date":"2026-05-08","source_url":"https://www.sec.gov/Archives/edgar/data/1013272/0001013272-26-000005-index.html","accession_number":"0001013272-26-000005","cik":"0001013272","ticker":"NWFL","issuer_name":"NORWOOD FINANCIAL CORP","edgar_url":"https://www.sec.gov/Archives/edgar/data/1013272/0001013272-26-000005-index.html","primary_entity_key":"0001013272","primary_entity_name":"NORWOOD FINANCIAL CORP"},"word_count":473,"has_tables":true,"body_markdown":"Item 1. Legal Proceedings\n\nOn February 20, 2024, the Company was notified of a Complaint (the “Complaint”) entitled Ian Werkmeister vs. Wayne Bank, filed on February 12, 2024 in the United States District Court for the Middle District of Pennsylvania seeking class action status. The Plaintiff is seeking monetary recovery and other relief on behalf of themselves and one or more putative classes of other individuals similarly situated. The Complaint arises out of a widely reported data security incident involving MOVEit, a file sharing software used globally by government agencies, enterprise corporations, and financial institutions. In October of 2023, Wayne Bank was notified by its third-party information service provider of a cyber-incident that involved unauthorized access to Wayne Bank customer information in one of the vendor’s file transfer applications. The incident involved vulnerabilities discovered in MOVEit Transfer, a file transfer software used by the Bank’s vendor to support services provided by the vendor to Wayne Bank and its related institutions. MOVEit is a commonly used secure Managed File Transfer software, which supports file transfer activities used by thousands of organizations around the world, including government agencies and major financial firms. The vulnerability discovered in MOVEit did not involve any of Wayne Bank’s internal systems and did not impact the Bank’s ability to service its customers.\n\nThe MOVEit cases have since been transferred and consolidated in the United States District Court for the District of Massachusetts (the “Court”) and are now entitled MOVEit Customer Data Security Breach Litigation. On July 23, 2024, on behalf of all of the Defendants (including the Company) in this case, an omnibus Motion to Dismiss the cases for lack of Article III standing pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure was filed with the Court. A hearing on this motion was held on October 9, 2024. On December 12, 2024, Judge Burroughs denied the defendants’ Rule 12(b)(1) motion in large part. The Court has ordered that a bellwether process be used to test claims and defenses. Because Wayne Bank is not a bellwether defendant, its obligations will be much lessened but will include, among other things, modest discovery.\n\nThe Company believes it has meritorious defenses to the claims asserted in the Complaint and intends to vigorously defend itself against such Complaint. While we continue to measure the impact of this cyber-incident, including certain remediation expenses and other potential liabilities, we do not currently believe this incident will have a material adverse effect on our business, operations, or financial results.\n\nOther than the foregoing, neither the Company nor its subsidiaries are involved in any other pending legal proceedings, other than routine legal matters occurring in the ordinary course of business, which in the aggregate involve amounts which are believed by management to be immaterial to the consolidated financial condition or results of operations of the Company."}