FEDERAL NATIONAL MORTGAGE ASSOCIATION FANNIE MAE 10-K Cybersecurity GRC - 2024-02-15

Page last updated on April 11, 2024

FEDERAL NATIONAL MORTGAGE ASSOCIATION FANNIE MAE reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-02-15 07:22:56 EST.

Filings

10-K filed on 2024-02-15

FEDERAL NATIONAL MORTGAGE ASSOCIATION FANNIE MAE filed an 10-K at 2024-02-15 07:22:56 EST
Accession Number: 0000310522-24-000184

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity Cybersecurity Risk Management and Strategy Overview Cybersecurity risk management represents a critical component of our overall approach to risk management. Information security risks for large institutions like us have continued to significantly increase and we and the third parties with which we do business have been, and we expect will continue to be, the target of cyber attacks and other information security threats. These risks are an unavoidable result of conducting our business, and managing these risks is an inherent part of our business activities. We describe the cybersecurity risks we face in Risk Factors Operational and Model Risk . Cybersecurity Risk Management Program We have developed and continue to enhance our cybersecurity risk management program as we seek to protect the security of our computer systems, software, networks and other technology assets against unauthorized attempts to access confidential information and data or to disrupt or degrade business operations. Our cybersecurity risk management program has evolved based on the changing needs of our business, the evolving threat environment and FHFA regulatory guidance. We design and assess our cybersecurity risk management program based on the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework ). While we generally consult the NIST Cybersecurity Framework when designing and assessing our cybersecurity risk management program, we have not implemented and do not plan to implement all categories and subcategories included in the framework. We use the framework as a guide to help us identify, assess and manage cybersecurity risks relevant to our business based on our current understanding of the cybersecurity threat environment. In 2023, we conducted our most recent maturity assessment of our use of the NIST Cybersecurity Framework to manage our cybersecurity risk. These assessments measure the extent to which we have implemented the framework s categories and subcategories, but do not specifically assess the effectiveness of our cybersecurity program. Based on these assessments, we develop select improvements to our cybersecurity risk management program to help ensure we maintain a program designed to align to industry benchmarks and financial services peers. Integration into Enterprise Risk Management Framework Our cybersecurity risk management program is integrated into our overall Enterprise Risk Management framework. Our Enterprise Response Framework establishes the reporting structure and escalation process for managing all enterprise incidents, including cybersecurity-related incidents. The framework defines the relationship and notification steps among the various crisis management stakeholders, including the Board of Directors, the Management Committee, the CEO, other members of the executive leadership team, the crisis manager and crisis management coordinators. See Cybersecurity Governance Management Role for a description of the oversight role of the Enterprise Risk Management division, Internal Audit and the management-level Technology Risk Committee and Enterprise Risk Committee relating to cybersecurity risk management. Cybersecurity Risk Management Strategy Overview and Goal. Fannie Mae has a multilayered cybersecurity defense strategy. We take a risk-based approach that prioritizes and attempts to plan for the highest impact events first. Our cybersecurity threat operations operate with the goal of identifying, preventing, and mitigating cybersecurity threats and responding to cybersecurity incidents in accordance with incident response and recovery plans. Tools and Safeguards. As part of our cybersecurity defense strategy, we employ tools and systems safeguards intended to help secure our networks, applications, data and infrastructure, and to manage cybersecurity vulnerabilities. These Risk Factors | General Risk Fannie Mae 2023 Form 10-K 45 safeguards include network and perimeter defense, infrastructure security, endpoint protection, data protection, identity management and network segmentation. We work to evaluate and improve on these tools and safeguards through periodic cybersecurity assessments and the integration of cybersecurity threat intelligence. Backup Data Storage. We have both internal and external third-party backup data storage to help protect our data from cybersecurity incidents. We test our backup restoration process on a regular basis. Response Plans and Procedures. We maintain cybersecurity incident response procedures that identify the activities and escalation processes to be implemented upon detection of a cybersecurity incident, and we routinely practice these activities and processes. We also have business and technology continuity plans and a crisis management plan, which we test on a regular basis. Training. We provide mandatory cybersecurity training to employees and contractors on an annual basis. Employees also have access to supplemental online cybersecurity training. We test our employees response to simulated phishing scenarios on a regular basis. Assessments. We examine the effectiveness of our cyber defenses through various means, including internal audits, targeted testing, maturity assessments, incident response exercises and industry benchmarking. Insurance Coverage. We maintain insurance coverage relating to cybersecurity risks. As described in Risk Factors Operational and Model Risk , our insurance may not be sufficient to provide adequate loss coverage in all circumstances. Role of External Consultants, Vendors and Other Third Parties We regularly use external consultants and vendors to assist in our management of cybersecurity risks: We regularly employ third parties to evaluate the security of our networks, including engaging an external vendor to conduct penetration testing against our network. We engage an external vendor to review and test our cybersecurity incident response plan on at least an annual basis, including to assist with incident response exercises. We engage a third party to assess the design of our cybersecurity controls and control environment, including assisting with our 2023 NIST Cybersecurity Framework maturity assessment. We have external vendors on retainer to assist with cybersecurity incident response activities. External assessments have identified gaps and suggested enhancements that we consider when making changes to our cybersecurity risk management program. We are also focused on building strong relationships with the appropriate government and law enforcement agencies and with other businesses, industry groups and cybersecurity services to better understand the cybersecurity risks in our environment, enhance our defenses and improve our resiliency against cybersecurity threats. Third-Party Cybersecurity Risk Oversight Our cybersecurity risk management program extends to oversight of third parties that pose a cybersecurity risk to us, including lenders that use our systems and third-party service providers. In alignment with the NIST Cybersecurity Framework and FHFA regulatory guidance, we have established a risk-based framework for managing third-party risk that defines specified triggers for assessing and reporting cyber-related third-party risks and events. Pursuant to this framework, we have implemented both preventive and detective controls to mitigate cybersecurity risks posed by third parties. We have identified certain third parties that pose a higher cybersecurity risk to us because they have significant access to our systems or data. For these higher-risk third parties, we have implemented additional requirements, including: We assess these higher-risk third parties cybersecurity controls through a cybersecurity questionnaire and a review of their cybersecurity controls, either through independent audits or by direct review of their cybersecurity policies and practices. We use third-party cybersecurity monitoring and alert services to monitor these higher-risk third parties. We conduct periodic monitoring reviews of these higher-risk third parties cybersecurity policies and practices. Cybersecurity Governance Overview We follow a cross-functional approach to addressing the risk from cybersecurity threats, involving management personnel from our technology, operations, legal, enterprise risk management, internal audit and other key business Cybersecurity | Cybersecurity Risk Management and Strategy Fannie Mae 2023 Form 10-K 46 functions in an ongoing dialogue regarding cybersecurity threats and incidents. As described in Board Oversight below, we also regularly report to the Board and the Risk Policy and Capital Committee of the Board on cybersecurity risk matters. We have implemented controls and procedures for the escalation of cybersecurity incidents so that decisions regarding the disclosure and reporting of such incidents can be made in a timely manner. Board Oversight Cybersecurity risk management is overseen by the full Board of Directors and by the Risk Policy and Capital Committee of the Board. While the Board maintains oversight of cybersecurity risk, the Board has delegated oversight authority at the management level for risk-related matters, including cybersecurity risk matters, to the Enterprise Risk Committee, as described under Management Role below. The Board and the Risk Policy and Capital Committee generally engage in discussions throughout the year with management on cybersecurity risk matters. The Chief Information Security Officer and other members of the management team provide reports to the Board and the Risk Policy and Capital Committee on cybersecurity risk matters on a regular basis, including updates on our cybersecurity risk management program, recent developments in cybersecurity and privacy regulation, evolving standards, third-party reviews, general technological trends, information security considerations with respect to the company s peers and third parties, the external threat environment, and the steps the company is taking to address and mitigate the risks associated with the evolving cybersecurity threat environment. Management also discusses cybersecurity developments with the Chair of the Risk Policy and Capital Committee and other Board members between Board and committee meetings, as appropriate. The company has procedures to escalate information regarding certain cybersecurity incidents to the Board Chair. At least annually, the Board reviews and approves the company s Cybersecurity Risk Policy and Operational Risk Policy. Management Role Our Information Security organization, which is headed by our Chief Information Security Officer, has primary responsibility for assessing and managing our cybersecurity risks. Our Chief Information Security Officer is the member of our management team who is principally responsible for overseeing the company s cybersecurity risk management program. The Information Security organization works collaboratively across the company to protect the company s information systems from cybersecurity threats and to respond to cybersecurity threats and incidents. The Information Security organization monitors information systems to detect anomalies, including attempted cyber attacks, as well as user activity for access controls and risks of insider threat. The Information Security organization also monitors and investigates cybersecurity incidents through detection tools, reports from end-users, and other cybersecurity threat and vulnerability intelligence. The Information Security organization also shares and obtains information on cybersecurity threats through participation in the Financial Services Information Sharing and Analysis Center, referred to as FS-ISAC, a member-driven organization that advances cybersecurity and resilience in the global financial system. As appropriate, multidisciplinary teams are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with the company s incident response processes. The Information Security organization and Enterprise Risk Management are informed about and monitor the prevention, detection and mitigation of cybersecurity incidents through risk and control assessments, targeted reviews, scenario analysis, and monitoring of risk metrics. The company s performance in managing cybersecurity risk is reported to the Technology Risk Committee, the Enterprise Risk Committee and the Board of Directors. As noted above, the Board has delegated oversight responsibility at the management level for risk-related matters to the Enterprise Risk Committee. The Enterprise Risk Committee has delegated primary responsibility for management-level oversight of cybersecurity risk management to the Technology Risk Committee. The Technology Risk Committee receives reports on cybersecurity risk matters on a regular basis from the company s Chief Information Security Officer. The Technology Risk Committee reviews and approves the company s management-level cybersecurity risk policies and standards. The Technology Risk Committee also reviews and monitors metrics relating to cybersecurity risk. The Technology Risk Committee escalates matters to the Enterprise Risk Committee as appropriate. The company s Enterprise Risk Management division provides risk-based independent oversight of cybersecurity risk management performed by the Information Security organization. The Technology Risk Committee and Enterprise Risk Committee are each chaired by a member of the Enterprise Risk Management division. The company s Internal Audit organization audits the Enterprise Risk Management division s oversight of cybersecurity risk management and also independently tests the effectiveness of the company s cybersecurity risk management and governance. Members of the Internal Audit organization participate as non-voting members of both the Technology Risk Committee and the Enterprise Risk Committee. Cybersecurity | Cybersecurity Governance Fannie Mae 2023 Form 10-K 47 Management Expertise CISO Our Chief Information Security Officer has nearly 20 years of professional experience in information security, including over 7 years as Fannie Mae s Chief Information Security Officer and 1 year as Fannie Mae s Deputy Chief Information Security Officer. Our Chief Information Security Officer holds a graduate degree in information technology management. Technology Risk Committee Members of the Technology Risk Committee include officers with expertise in cybersecurity risk oversight, such as the Chief Information Security Officer described above, the head of our Technology Risk Oversight department, and the Chief Technology Officer. As of December 2023, a pproximately three-quarters of the members of the Technology Risk Committee had prior work experience in cybersecurity, a relevant degree or certification, or other knowledge, skills or background in cybersecurity. Enterprise Risk Committee Members of the Enterprise Risk Committee include senior leaders throughout the company, i ncluding our Chief Risk Officer (who chairs the Committee and is the head of our Enterprise Risk Management division), Chief Executive Officer, Chief Financial Officer, General Counsel, Head of Multifamily Business, Head of Single-Family Business, and Chief Information Office r. In addition, our Chief Audit Executive is a non-voting member of the Enterprise Risk Committee. As of December 2023, more than half of the members of the Enterprise Risk Committee had prior work experience in cybersecurity or other knowledge, skills or background in cybersecurity. Impact of Risks from Cybersecurity Threats As noted above, we and the third parties with which we do business have been, and we expect will continue to be, the target of cyber attacks and other information security threats. To date, risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have not materially affected our business, including our business strategy, results of operations or financial condition. However, large-scale cyber attacks perpetrated against other companies in recent years suggest that the risk of damaging cyber attacks is increasing. As a result, we continue to invest in our cybersecurity infrastructure, including investment in prevention capabilities and response readiness. Notwithstanding our efforts to manage cybersecurity risks as described above, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on our business, including our business strategy, results of operations and financial condition. Cybersecurity threats are constantly evolving and we may not be able to anticipate, detect or recognize cybersecurity threats to our systems and assets, or to implement effective preventive measures against all cybersecurity threats, especially because the techniques used in cyber attacks are increasingly sophisticated, change frequently, are complex, and are often not recognized until launched. We routinely identify cybersecurity threats as well as vulnerabilities in our systems and work to address or mitigate those we have identified; however, some cybersecurity vulnerabilities take a substantial amount of time to resolve or mitigate and therefore we continue to have cybersecurity vulnerabilities that we have identified but not resolved or mitigated. As a result, we could experience a cybersecurity incident that materially affects our business in a quarterly or annual fiscal period. See Risk Factors Operational and Model Risk for additional discussion of cybersecurity risks to our business.

Company Information