Federal Home Loan Bank of Chicago 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

Federal Home Loan Bank of Chicago reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 15:55:33 EST.

Filings

10-K filed on 2024-03-07

Federal Home Loan Bank of Chicago filed an 10-K at 2024-03-07 15:55:33 EST
Accession Number: 0001331451-24-000050

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Risk Management and Strategy We are subject to cybersecurity risks, which include intentional and unintentional acts that may jeopardize the confidentiality, integrity, or availability of our information technology assets and data under our control. Cybersecurity risks can take the form of a variety of circumstances to cause harm to us, our members, our service providers, and the economy in general. These circumstances include, but are not limited to, malicious software or exploited vulnerabilities, social engineering such as phishing, denial-of-service attacks, viruses, malware, and natural disasters. For a discussion of cybersecurity and related risks impacting our Bank, see Risk Factors starting on page 21. In alignment with industry standards, such as the National Institute of Standards of Technology (NIST) Cybersecurity Framework, and FHFA regulatory guidance, we have implemented processes for assessing, identifying, and managing cybersecurity risks through a layered approach throughout our environment and in our service provider arrangements, including software-as-a-service and infrastructure-as-a-service engagements. We look to continuously improve our policies and practices to mitigate our exposure to cybersecurity risks given, among other things, the evolving natures of these risks, the involvement of uncontrollable circumstances, such as fires or flooding, and our role in the financial services industry and the broader economy. Our cybersecurity risk management program, which works in tandem with the Bank s Enterprise Risk Management program, includes risk management practices, procedures, and technology solutions aimed at addressing potential cybersecurity threats faced by the Bank in alignment with the Bank s strategic plans, risks tolerance, and enterprise operational risk policy. Cybersecurity risk-mitigation processes include, but are not limited to, performing regular risk assessments to identify, understand and prioritize risks from cybersecurity threats; the implementation of firewalls, anti-virus software, real-time network monitoring; on-going employee training to educate employees on how to identify and avoid various forms of social engineering; performing routine threat monitoring (including use of a third party service provider monitoring) and controls testing; and maintaining a vulnerability management program to timely identify and remediate cybersecurity risks. The Bank also maintains a Cyber Security Incident Response Plan (CSIRP) to determine how cybersecurity threats and incidents are identified, classified, escalated, mitigated and remedied. The CSIRP is implemented and maintained by the Bank s threat and incident response team and overseen by our Chief Information Security Officer (CISO). Additionally, the Bank maintains a business resiliency management program to mitigate and respond to critical disruptive events (such as fire, cybersecurity incidents, and power loss). Our business resiliency management program (as further discussed below) includes, but is not limited to, testing our disaster recovery plans and reviewing department level business continuity procedures. We regularly engage with third parties, including cybersecurity experts, to test, maintain, and enhance our cybersecurity risk management practices and threat monitoring. These engagements include, among other things, penetration testing, constant managed detection and response services, and intrusion prevention and detection applications. Our vendor risk management program includes regular reviews and oversight of these third parties, including performance and technological reviews and escalation of any unsatisfactory reviews. Additionally, the Bank seeks to identify, monitor and prioritize substantial risks from cybersecurity threats associated with our use of critical third parties. As part of its risk assessment, the Bank endeavors to use the information obtained from these efforts to reach a reasonable conclusion as to that third party s cyber risk management protocols. During the period covered by this report, the risk from cybersecurity threats or incidents did not have a material impact on our strategy, results of operations, or financial condition. It is inevitable that cybersecurity incidents will occur in the future and any such cybersecurity incident may result in significantly harmful consequences to us, our members, and their customers. We assess the materiality of any such cybersecurity incident from several perspectives including, but not limited to, our ability to continue to service our members and protect the privacy of data, as well as the likely extent and effect of lost revenue, increased operating costs, litigation, and reputational harm. Cybersecurity Governance Our CISO provides reporting to the Risk Management Committee and Operations and Technology Committee of our Board of Directors on topics such as threat intelligence, major cybersecurity risk areas and threats, technologies and best practices, and any cybersecurity incidents that may have impacted us, as needed when there are status updates or changes. Our CISO reports annually (or more often as needed) to the full Board of Directors on the Bank s cybersecurity risk management program. The Bank s Enterprise Risk Management team, which is part of the Bank s risk management function, provides quarterly reports to the Risk Management Committee (and ultimately, the Board of Directors) on the Bank s risk tolerance conditions, including reports on any cybersecurity matters that may fall outside of the Bank risk tolerance conditions. Our Board of Directors provides oversight for information security and cyber security risk management activities and approval of the overall cybersecurity risk management program, and the Bank s overall risk management program at large. In addition to full Board oversight, the Risk Management Committee oversees the Bank s cybersecurity risks in accordance with the Bank s risks tolerance. Additionally, the Operations and Technology Committee oversees the Bank s cybersecurity risk management program, and reviews and validates that the direction of the program is in support the Bank s objectives. The Audit Committee of the Board is also involved with ensuring that the internal audit team has an audit plan and resources adequate to evaluate the Bank s cybersecurity risks and 32 Table of Contents Federal Home Loan Bank of Chicago (Dollars in tables in millions except per share amounts unless otherwise indicated) controls. Our Bank Operational Risk Oversight Committee (OROC) (a management level committee, consisting of members of our senior leadership) and its subcommittee, the Technology Risk Sub-Committee (TRSC) (consisting of representatives across the Bank, including from the Risk Management and Information Technology groups), are responsible for reviewing our cybersecurity risk management program s efforts and activities to track the progress of the program s support of the Bank s objectives. TRSC (and to the extent necessary, OROC) receives regular reporting from our CISO including information security metrics, material technology changes and cybersecurity threats being monitored. The Bank s Executive Team is the primary management committee for the Bank across all functions and receives reports from the OROC, Technology Risk Sub-Committee, and the CISO as appropriate on matters impacting cybersecurity risks. Our CISO, who reports both to our Chief Risk Officer and our Chief Information Officer, manages the Bank s information security and cybersecurity risk management program designed to protect the confidentiality, integrity, and availability of the Bank s information technology assets and data under our control. Our CISO has more than 15 years of experience in cyber security matters, including over 13 years in information technology with the Bank in roles of increased responsibilities. Our information security department executes our cybersecurity risk management program, and is responsible for developing, documenting, and approving our information security control standards, guidelines, and procedures, in line with the policies and standards set forth by our Board of Directors. Our threat and incident response team, a subset of our information security department, is responsible for responding to potential threats that may require a system change, modifications and other methods to maintain business continuity to minimize cybersecurity threats. Personnel in the security program hold a variety of technical certifications relevant to their job functions and engage in continuing education. Our business resiliency management program is overseen by our Board of Directors and its Operations and Technology Committee, which provides oversight of the Bank s implementation of the program and maintenance of the plans that reflect the Bank s current operating environment and risk tolerance. The implementation of our business resiliency management program is delegated to our Executive Team and their designees, and the Bank s OROC is responsible for the direct governance, oversight and monitoring of the program.

Company Information