FEDERAL HOME LOAN MORTGAGE CORP 10-K Cybersecurity GRC - 2024-02-14

Page last updated on April 11, 2024

FEDERAL HOME LOAN MORTGAGE CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-14 07:54:29 EST.

Filings

10-K filed on 2024-02-14

FEDERAL HOME LOAN MORTGAGE CORP filed a 10-K at 2024-02-14 07:54:29 EST
Accession Number: 0001026214-24-000025

Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We manage cybersecurity risk using a three-lines risk management model and governance structure that is integrated into our enterprise-wide risk framework with oversight by the Board of Directors and its committees and senior management positions, including our EVP - EO&T and Chief Information Security Officer (who reports to our EVP - EO&T). For additional information on our enterprise risk framework, see Risk Management - Overview, Risk Management - Enterprise Risk Framework, and Risk Management - Enterprise Risk Governance Structure. Our cybersecurity program also aligns with the National Institute of Standards and Technology 800-53 control framework.

We continue to invest in cybersecurity to strengthen our capabilities to identify, prevent, detect, respond to, recover, and mitigate risk, and protect our systems, networks, and other technology assets against unauthorized attempts to access confidential or other information (including personal information) or other incidents that may disrupt or degrade our business operations. We require annual training regarding the use of information for new and existing employees as well as contractors and consultants who have access to Freddie Mac technology assets. Our training covers protecting Freddie Mac information, privacy, policy and standards, security best practices, and identifying and reporting potential cyber threats. We use third-party vendors and service providers to help enhance our cybersecurity capabilities and to assist us with cybersecurity program assessments and penetration testing.

We have strengthened our diligence, onboarding, and monitoring capabilities over our third parties. However, our control over the security posture of our third-party vendors and service providers and their supply chain connections remains limited. There can be no assurance that we can prevent, mitigate, or remediate the risk of any compromise or failure in the systems, networks, and other technology assets owned or controlled by our third-party vendors and service providers.

Material Effects from Cybersecurity Incidents

Our operations rely on the secure, accurate and timely receipt, storage, transmission, use, disclosure, and other processing of confidential and other information (including personal information) in our systems and networks. We also rely on the secure, accurate and timely receipt, storage, transmission, use, disclosure, and other processing of confidential and other information in the systems and networks of our customers and third parties, including suppliers, sellers and servicers, financial market utilities, and other third parties. Cybersecurity risks for companies like ours continue to increase. Like many companies and government entities, from time to time we have been, and expect to continue to be, the target of attempted cybersecurity incidents and other information security threats, including those from nation-state and nation-state supported actors.

Although to date we have not experienced any cybersecurity incidents resulting, or reasonably likely to result in, a material impact to our company, including to our business, financial condition, and results of operations, there is no assurance that our cybersecurity risk management program will prevent cybersecurity incidents from having such impacts in the future.

Insider threats also remain a risk given our workforce diversification to include contractors, remote workers, part-time employees, and full-time employees. As referenced above, our third-party vendors and service providers and their supply chain connections remain a potential source of risk.

For additional information, see Risk Factors - Operational Risks - Potential cybersecurity threats are changing rapidly and advancing in sophistication. We may not be able to protect our systems and networks, or the confidentiality of our confidential or other information (including personal information), from cybersecurity incidents and other unauthorized access, disclosure, and disruption.

Cybersecurity Governance

The Board of Directors and two of its committees, the Operations and Technology and Risk Committees, oversee the company’s information and cybersecurity operations by receiving periodic reports from our EVP - EO&T, the Chief Information Security Officer, and other members of management.

Management

Our management is responsible for assessing and managing cybersecurity risks by establishing and maintaining processes and programs designed to prevent, detect, respond to, and mitigate potential cybersecurity risks. Senior management is regularly informed by our cybersecurity personnel on cybersecurity matters. Our management also engages in periodic cybersecurity exercises and internal cybersecurity incident simulations, including tabletop exercises relating to cyberattacks, ransomware, and other security events. Escalation of specific incidents from our cybersecurity personnel to senior management follows written, risk-based procedures. Our management periodically reports to the Board of Directors and its committees. These reports include information regarding management’s ongoing efforts to manage cybersecurity risk and the steps management has taken towards addressing and mitigating the evolving cybersecurity threat environment. Management discusses cybersecurity developments with the Chairs of the Operations and Technology Committee and the Risk Committee and other Board members between Board and committee meetings, as necessary. Our cybersecurity personnel, and those senior managers who oversee them, including our EVP - EO&T and Chief Information Security Officer, possess demonstrated expertise with cybersecurity matters. For example, our Chief Information Security Officer and members of the Chief Information Security Officer’s leadership team have, on average, over 19 years of work experience in information security or cybersecurity fields and have achieved such professional certifications as Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Factor Analysis of Information Risk (FAIR). For additional information on the background of our EVP - EO&T, see Directors, Corporate Governance, and Executive Officers - Executive Officers.

Board of Directors

Members of the Board of Directors also receive reports from management regarding certain internal and industry-wide trends and exercises relating to these matters to assist with their oversight responsibilities. The company has written, risk-based procedures to escalate information regarding certain cybersecurity incidents to the appropriate Board members in a timely fashion. Additionally, certain Board members are informed of, and have an opportunity to provide feedback on, management’s internal cybersecurity incident simulations referenced above.

The Board of Directors and its committees also have authority, as they deem appropriate, to fulfill Board or committee responsibilities, to engage outside consultants or advisors, including technology and cybersecurity experts, and oversee the company’s information security program. See MD&A - Risk Management - Overview for additional information on the Board of Directors’ role in risk oversight.

Operations and Technology Committee

The Operations and Technology Committee, which consists entirely of independent directors, has responsibility for overseeing the development and execution of our enterprise information, operations, and technology strategies and the information, operational resiliency, and enterprise third-party governance programs. Specifically, the Operations and Technology Committee: (1) oversees our information, operations, and technology strategies and planning, and the implementation of technology initiatives critical to the achievement of our mission, strategy, and business objectives; (2) oversees, in conjunction with the Risk Committee, our management of information (including cybersecurity), technology, operational resiliency, and enterprise third-party governance risk, including the possibility that these risks will adversely affect the achievement of our mission and business objectives; (3) oversees our information (including cybersecurity and information security), operational resiliency, and enterprise third-party governance programs, including risk and controls; (4) receives reports related to our technology strategy, practices, and management and potential for innovation from both EO&T and the business areas, as appropriate; and (5) reviews and recommends to the Board for approval the annual EO&T business plan, including relevant performance indicators, and evaluates EO&T against the plan. The Operations and Technology Committee also reviews capabilities for and adequacy of resources allocated to operations and technology enterprise-wide and monitors and evaluates trends in technology that may affect our strategy and business objectives.

Risk Committee

The Risk Committee, which consists entirely of independent directors, oversees on an enterprise-wide basis the company’s risk management framework, including credit risk, market risk, liquidity risk, operational risk (including cybersecurity), compliance risk, climate risk, and strategic risk. The Risk Committee reviews and recommends the company’s enterprise risk policy and Board-level risk-appetite to the Board of Directors for approval, oversees management’s adherence to Board risk limits and approves any exceptions thereto with notice to the Board, and, among other responsibilities, reviews significant: (1) enterprise risk exposures; (2) risk management strategies; (3) results of risk management reviews and assessments; and (4) emerging risks. The Risk Committee also approves all decisions regarding the appointment or removal of the CRO, and the CRO reports independently to the Risk Committee.
