Federal Home Loan Bank of Pittsburgh 10-K Cybersecurity GRC - 2024-03-06

Page last updated on April 11, 2024

Federal Home Loan Bank of Pittsburgh reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-06 09:44:39 EST.

Filings

10-K filed on 2024-03-06

Federal Home Loan Bank of Pittsburgh filed an 10-K at 2024-03-06 09:44:39 EST
Accession Number: 0001330399-24-000008

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C: Cybersecurity Cybersecurity Risk Management and Strategy The Bank is subject to cybersecurity incident and threat risk. A cybersecurity incident is an unauthorized occurrence, or a series of related unauthorized occurrences, through information systems that jeopardizes the confidentiality, integrity, or availability of the Bank s information systems or any information residing therein. Cybersecurity threats are potential unauthorized occurrences on or conducted through information systems that may result in adverse effects on the confidentiality, integrity, or availability of information systems or any information residing therein. Information systems are any electronic information resources, owned or used by the Bank, including physical or virtual infrastructure controlled by such information resources, or their components, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the Bank s information to maintain or support the Bank s operations. Refer to Item 1A. Risk Factors Operational Risk for a description of the cybersecurity risk. The Bank has implemented processes for assessing, identifying, and managing material risks from cybersecurity threats or incidents that may directly or indirectly impact the Bank s business strategy, results of operations, or financial condition. The Bank s cybersecurity risk management framework for assessing, identifying, and managing material risks from cybersecurity threats is intended to protect the confidentiality, integrity, and availability of the Bank s information technology assets and data. Broadly, the Bank manages its risks from cybersecurity threats by its policies, standards and procedures, layers of preventative and detective controls, skilled resources, employee training and oversight of third-party vendors that may increase the Bank s cybersecurity risk. The Bank s cybersecurity risk management framework is part of the Bank s risk governance framework. Refer to Item 7. Management s Discussion and Analysis of Financial Condition and Results of Operations Risk Management for more detail on that risk governance framework. The Bank s Security Management Policy and the Bank s Information Technology Management Policy are the management policies that address the risks of cybersecurity threats and incidents. The Security Management Policy defines the principal elements of the Bank s security management program and compliance requirements. It applies to all Bank employees, contractors and consultants that have access to Bank systems. Among other things, it contains rules and procedures regarding the access, classification, use and protection of the Bank s information assets; detection of cybersecurity threats and incidents; and escalation requirements in the event of a cybersecurity threat or incident. The Information Technology Management Policy contains rules and procedures for the maintenance (e.g., patching, updating, upgrading, etc.) of the Bank s information technology systems and the management of vulnerabilities in the Bank s network, systems and software. The Bank has a security incident response plan, which determines how cybersecurity threats and incidents are identified, classified, and escalated including, as appropriate, to the Board of Directors Operational Risk Committee. The security incident response plan also provides guidance on management s assessment of significance of the threat or incident. The Bank leverages audits and assessments to assist in the development and monitoring of those processes for assessing, identifying and managing cybersecurity incident and threat risk. These reviews consist of internal and external penetration assessments as well as assessments of the maturity of the Bank s information security program in accordance with the National Institute of Standards and Technology Cybersecurity Framework. These assessments serve to benchmark the Bank s cybersecurity risk management program with the aim of continuously improving the Bank s cybersecurity control environment. The Bank s security incident response plan also addresses third-party cybersecurity incidents and threats. As part of the Bank s vendor management process, the Bank undertakes due diligence of third-party systems with which the Bank will interact, including review of System and Organization Controls reports, as available, and responses to cybersecurity questionnaires, determination of risk classification, in addition to requiring vendors to agree to contractual obligations related to data protection and information security in the Bank s vendor agreements. The Bank s vendor risk management program includes regular reviews and oversight of these third-party service providers, including performance and technological reviews and escalation to Bank management of any unsatisfactory reviews. 26 During the period covered by this report, risks from cybersecurity threats did not have a material impact on the Bank s strategy, results of operations, or financial condition. The Bank has experienced low impact cybersecurity incidents in the past though none that have had a material effect on the Bank s financial condition or results of operations. Cybersecurity incidents may occur in the future, and any such cybersecurity incident could result in significantly harmful consequences to the Bank, the Bank s members, and their customers. The Bank is prepared to assess the materiality of any such cybersecurity incident from several perspectives, including, but not limited to, the Bank s ability to continue to service the Bank s members and protect the privacy of the data their customers have entrusted to the Bank through its members, lost revenue, disruption of business operation, increased operating costs, litigation, and reputational harm. Cybersecurity Governance The Bank s Board of Directors provides oversight of risks from cybersecurity threats principally via its Operational Risk Committee. This committee reviews and makes recommendations to the Board regarding the Bank s Security Policy, which policy is contained within the Bank s Risk Governance Policy. The Risk Governance Policy is described in Item 7. Management s Discussion and Analysis of Financial Condition and Results of Operations Risk Management. The Security Policy, among other things: defines the Bank s commitment to and management of security practices and controls to protect physical and information assets; establishes accountability, including via its application to anyone with authorization to access or use Bank information systems or services; establishes administrative, technical, and physical safeguards which are intended to protect the security, confidentiality, and integrity of Bank information; mandates the implementation of security practices including advancing security program maturity, vendor security assessments, vulnerability and penetration testing, security awareness training, independent assessment of security requirements and implementation planning; accents the active identification, management and mitigation of relevant risks, including via the maintenance of a security incident response plan and the mandatory escalation of cybersecurity threats and incidents; provides that the Bank provide adequate resources in attending to cybersecurity threats proportionate to the Bank s overall risk tolerance; and establishes that the Bank s Chief Information Security Officer (CISO) is responsible for the information security program and that the CISO reports directly to the Bank s Chief Technology and Operations Officer (CTOO) with a dotted line reporting relationship to the Bank s Chief Risk Officer (CRO) so that information technology risk, including cybersecurity threat risk, is given appropriate priority. Management has implemented policies and procedures to implement the Security Policy which include, among others, the Security Management Policy, the Information Technology Management Policy and the security incident response plan, each of which is discussed above under Cybersecurity Risk Management and Strategy. In addition to its oversight of the risks of cybersecurity threats, the Operational Risk Committee provides oversight of the Bank s information technology planning, business continuity, vendor risk and modeling risk. The breadth of this oversight supplements the Operational Risk Committee s oversight of cybersecurity threat risk due to these functions nexuses with such risk and its mitigation. The Operational Risk Committee provides relevant reports to the Bank s Board, which reports may include, as potential examples, information regarding: management s implementation of the Security Policy and related directives; material emerging cybersecurity threats; and material cybersecurity incidents and their remediation. The CISO and the CTOO are responsible for reporting sufficient and timely information on any cybersecurity threat or incident that may pose a significant risk to the Bank to the Operational Risk Committee. The CISO and the CTOO are also responsible for providing regular reports to the Operational Risk Committee until any cybersecurity incident s conclusion. They also arrange for the Board and the Operational Risk Committee to receive regular presentations and reports throughout the year on cybersecurity and information security addressing a broad range of topics, including updates on technology trends, regulatory developments, legal issues, policies and practices, information security resources and organization, the threat environment and vulnerability assessments, and specific and ongoing efforts to prevent, detect, and respond to potential gaps, internal and external incidents and critical threats. Further, on no less than a quarterly basis, or more often as deemed necessary, the Operational Risk Committee discusses cybersecurity and information security risks with the CISO and the CTOO. The CISO and the CTOO are responsible for assessing and managing the Bank s material risks from cybersecurity threats. The CISO leads the Bank s Information Security Department and, consistent with the Security Policy, reports directly to the CTOO and has a dotted line reporting relationship to the CRO. The CISO is the policy owner of the Security Management Policy, and the CTOO is the policy owner of the Information Technology Management Policy. As policy owners, each is 27 responsible for implementing and administering their relevant policy. In addition, each is responsible for reviewing, updating and presenting the policies for approval on no less than an annual basis. In addition to their reporting responsibilities to the Operational Risk Committee, the CISO and the CTOO also report to the Bank s Risk Management Committee, which is a management committee that reports separately to the Bank s President and Chief Executive Officer. The Risk Management Committee is discussed in Item 7. Management s Discussion and Analysis of Financial Condition and Results of Operations Risk Management Risk Governance. The CISO has more than 20 years of experience in cybersecurity matters, including over 12 years within the Bank s information technology department, in successively more responsible roles, and has led teams to design, secure, and implement numerous cybersecurity and technology solutions. The CISO holds a Bachelor of Science (BS) degree in Computer Science and several technology certifications, including Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA). The CTOO has more than 35 years of experience in information technology fields, including over 12 years leading the Bank s information technology department, including information security. In addition to a BS degree in Computer Science, the CTOO holds an MBA with a focus on Information Technology. The CISO and the CTOO are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents with the support of the Bank s Information Security Department using the processes described above under Cybersecurity Risk Management and Strategy. The Bank s Information Security Department is comprised of specialized professionals responsible for the day-to-day, hands-on management of the cybersecurity risk and that handle the processes and procedures to mitigate and implement protective, proactive and reactive measures to protect the Bank against those risks. The Bank s Information Security Department is responsible for developing, documenting, and approving the Bank s technical information security control standards, guidelines, and procedures intended to preserve the confidentiality, integrity, and availability of the Bank s information technology assets and data under the Bank s control.

Company Information