Federal Home Loan Bank of Des Moines 10-K Cybersecurity GRC - 2024-03-07

Page last updated on April 11, 2024

Federal Home Loan Bank of Des Moines reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-07 17:15:12 EST.

Filings

10-K filed on 2024-03-07

Federal Home Loan Bank of Des Moines filed a 10-K at 2024-03-07 17:15:12 EST
Accession Number: 0001325814-24-000046


Item 1C. Cybersecurity.

Item 1C. Cybersecurity for additional information on our information security risk management.

RELIANCE ON THIRD PARTIES COULD HAVE A NEGATIVE IMPACT ON OUR BUSINESS

As part of our business, we rely on third parties for certain services essential to ongoing operations, including but not limited to, IT infrastructure and software services, administration of our mortgage loan program, and servicing of our consolidated obligations, and could be adversely impacted by disruptions in those services. In addition, we utilize professional and contractual services to support certain strategic initiatives. The success or timing of those initiatives could be adversely impacted if services are not performed or executed as expected.

We participate in the MPF program with the FHLBank of Chicago. In its role as MPF Provider, the FHLBank of Chicago provides the infrastructure and operational support for the MPF program and is responsible for publishing and maintaining the MPF Guides, which detail the requirements PFIs must follow in originating, selling, and servicing MPF loans. If the FHLBank of Chicago changes its MPF Provider role, ceases to operate the MPF program, or experiences a failure or interruption in its information systems and other technology, our mortgage purchase business could be adversely affected, and we could experience a related decrease in our net interest margin and profitability. In the same way, we could be adversely affected if any of the FHLBank of Chicago's third-party vendors supporting the operation of the MPF program were to experience operational or technical difficulties.

We also rely on the Office of Finance for, among other things, the issuance of consolidated obligations, servicing of all outstanding debt, and managing the FHLBank System's relationship with the rating agencies with respect to consolidated obligations. A disruption in any of these services due to events such as IT or operational failures, including cyber-attacks, civil unrest, climate change, or other natural disasters, could affect our ability to access funding, and could negatively impact our business operations, financial condition, and results of operations.

THE IMPACT OF FINANCIAL MODELS AND THE UNDERLYING ASSUMPTIONS USED TO VALUE FINANCIAL INSTRUMENTS AND COLLATERAL MAY HAVE AN ADVERSE IMPACT ON OUR FINANCIAL CONDITION AND RESULTS OF OPERATIONS

The degree of management judgment involved in determining the fair value of financial instruments or collateral is dependent upon the availability of quoted market prices or observable market parameters. For financial instruments and collateral that are actively traded and have quoted market prices or parameters readily available, there is little to no subjectivity in determining fair value. If market quotes are not available, fair values are based on discounted cash flows using market estimates of interest rates and volatility or on dealer prices or prices of similar instruments. We utilize external and internal pricing models to determine the fair value of certain financial instruments and collateral. For prices obtained externally, as per our established procedure, we review the prices and compare them to other vendors for reasonableness. In addition, on an annual basis, we conduct reviews of our pricing vendors to confirm and further augment our understanding of the vendors' pricing processes, methodologies, and control procedures for investment securities. For prices determined by internal pricing models, the underlying assumptions are based on management's best estimates for discount rates, prepayments, market volatility, and other factors.

The assumptions used in both external and internal pricing models could have a significant effect on the reported fair values of assets and liabilities or collateral, the related income and expense, and the expected future behavior of assets and liabilities or collateral. While models we use to value financial instruments and collateral are subject to periodic validation by independent parties, rapid changes in market conditions could impact the value of our financial instruments and collateral. The use of different models and assumptions, as well as changes in market conditions, could impact our financial condition and results of operations as well as the amount of collateral we require from borrowers and counterparties. The information provided by our internal financial models is also used in making business decisions relating to strategies, initiatives, transactions, and products. We have adopted controls, procedures, and policies to monitor and manage assumptions used in our internal models. However, models are inherently imperfect predictors of actual results because they are based on assumptions about future performance or activities. Changes in any models or in any of the assumptions, judgments, or estimates used in the models may cause the results generated by the model to be materially different. If the results are not reliable due to inaccurate assumptions, we could make poor business decisions, including asset and liability management, or other decisions, which could result in an adverse financial impact.

GENERAL RISK FACTORS

THE INABILITY TO ATTRACT AND RETAIN KEY PERSONNEL COULD ADVERSELY IMPACT OUR BUSINESS

We rely heavily upon our employees in order to successfully execute our business and strategies. The success of our business mission depends, in large part, on our ability to attract and retain key personnel with required talents and skills. We may be unable to hire or retain key personnel with the needed talents or skills if we fail to offer a competitive employment package and work arrangements, which is increasingly important during periods in which economic conditions drive labor shortages and/or high rates of employee turnover. In addition, if we lack a diverse, equitable, and inclusive working environment, or fail to develop and execute a succession plan, our business operations could be adversely impacted.

NATURAL DISASTERS, INCLUDING THOSE FROM SIGNIFICANT CLIMATE CHANGE, COULD ADVERSELY AFFECT OUR MEMBERS AND OUR BUSINESS, FINANCIAL CONDITION, AND RESULTS OF OPERATIONS

The occurrence of weather-related events and other natural or environmental disasters, especially ones affecting our district, could negatively impact our members and business, financial condition, and results of operations. The frequency, intensity, and duration of extreme weather and climate-related disaster events have increased. These natural disasters, including those resulting from significant climate change, could destroy or damage our facilities or other properties of our members (such as collateral that members have pledged to secure advances or mortgages), disrupt business, increase the probability of power or other outages, negatively affect the livelihood of borrowers of members, or otherwise cause significant economic dislocation in the affected regions. Any of these situations may adversely affect our financial condition and results of operations. There is also an increasing focus from investors, policy makers, regulators, and other stakeholders on climate change and other ESG matters. Enhanced governmental, regulatory, and societal attention to climate change and other ESG matters, including expanding mandatory and voluntary reporting, diligence, and disclosure, could expand the nature, scope, complexity, and cost of matters that we are required to control, assess, and report.

ITEM 1B. UNRESOLVED STAFF COMMENTS

None.

ITEM 1C. CYBERSECURITY

RISK MANAGEMENT AND STRATEGY

Information security risk includes the risk that cyber incidents and threats could result in a failure or interruption of our business operations. A cybersecurity incident is an unauthorized occurrence, or a series of related unauthorized occurrences, through information systems that jeopardizes the confidentiality, integrity, or availability of our information systems or any information residing therein. Cybersecurity threats are potential unauthorized occurrences on or conducted through information systems that may result in adverse effects on the confidentiality, integrity, or availability of information systems or any information residing therein. Information systems are any electronic information resources, owned or used by us, including physical or virtual infrastructure controlled by such information resources, or their components, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of our information to maintain or support our operations.

We have implemented processes to identify, assess, and manage material risks from cybersecurity incidents or threats that may directly or indirectly impact our business strategy, results of operations, or financial condition. Please refer to Item 1A. Risk Factors for additional information on our operational risk, which includes the risk of failures or interruptions in information systems resulting from cybersecurity threats or incidents. Our cybersecurity program is designed to identify, assess, and manage material risks from cybersecurity threats and to protect the confidentiality, integrity, and availability of our IT assets and data. We utilize a widely adopted industry framework to guide and benchmark the activities of our information security program in alignment with our risk appetite statement.

Our cybersecurity program includes specific controls and processes for the monitoring, mitigation, and reporting associated with cybersecurity risks. For example, administrative, physical, and logical controls are in place for identifying, monitoring, and controlling system access, sensitive data, and system changes. In addition, we employ an information security training program that includes security training lessons and phishing exercises for all employees as well as mandatory staff training on cyber risks. We also regularly engage with third parties to test, maintain, and enhance our cybersecurity risk management practices and threat monitoring. These engagements include, among other things, penetration testing, detection and response services, cybersecurity tabletops, and cybersecurity framework assessments. We also maintain cyber insurance coverage in an effort to reduce financial losses stemming from a security incident.

To ensure the continuance of our operations in the event of a cybersecurity incident or threat, we have established an Information Security Policy and Security Incident Response Plan, and have adopted a business continuity management program. Our Information Security Policy establishes administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of Bank information in accordance with Finance Agency regulations, the Gramm-Leach-Bliley Act and the interagency guidelines issued thereunder, and applicable laws. Our Security Incident Response Plan determines how cybersecurity threats and incidents are identified, classified, and escalated, including for the purposes of reporting, and providing relevant information to senior management and the Board of Directors. The Security Incident Response Plan requires management to assess materiality of the threat or incident for purposes of public disclosure.

Our Security Incident Response Plan includes third-party cybersecurity incidents and threats, as we do rely on third-party information systems and other technologies. As part of our vendor risk management process, we undertake due diligence of third-party systems with which we interact, including risk profiling and classification, in addition to requiring data protection covenants in our vendor agreements. Our vendor risk management program includes regular reviews and oversight of service providers, including performance and technology reviews, and escalation of any unsatisfactory reviews. Our business continuity management program is designed to ensure that necessary resources are in place to protect us from potential loss during a disruption, which includes the unavailability of IT assets due to unintentional events like fire, power loss, and other technical incidents, such as hardware failures.

During the period covered by this report, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, did not have a material impact on our business strategy, results of operations, or financial condition. Cybersecurity incidents may occur in the future and any such cybersecurity incident could result in significantly harmful consequences to us, our members, and their customers. We are prepared to assess materiality of any such cybersecurity incident from several perspectives including, but not limited to, our ability to continue to service our members and protect the privacy of the data they or their customers have entrusted to us, lost revenue, disruption of business operations, increased operating costs, litigation, and reputational harm.

GOVERNANCE

Our Information Security Department is led by the CIO, who reports to the President and CEO. Our CIO establishes our strategic direction and provides executive support for our information security program, and has significant experience in information systems and information security. Refer to Item 10. Directors, Executive Officers and Corporate Governance for more information.

Our dedicated Information Security Department is comprised of specialized professionals responsible for the day-to-day, hands-on management of cybersecurity risk, including the processes and procedures to mitigate and implement protective, proactive, and reactive measures to protect us against this risk. Personnel in this department hold a variety of technical certifications relevant to their job functions and engage in continuing education. This department is also responsible for developing, documenting, and approving our technical information security control standards, guidelines, and procedures designed to preserve the confidentiality, integrity, and availability of our IT assets and data under our control.

Our Technology and Operations Committee provides independent and integrated oversight over our information security program, physical security program, business continuity program, security policies and procedures, and security exceptions and violations. This committee is comprised of leadership representatives from our operational risk, information security, IT, and legal departments, as well as other departments that provide both specific, technical and multidisciplinary expertise to the committee. This committee is responsible for reviewing and approving our Information Security Policy. It also receives regular, prompt, and periodic information from the Information Security Department, which in turn provides periodic, regular and prompt reporting to the Technology Committee of the Board of Directors on topics such as threat intelligence, major cybersecurity risk areas, technologies and best practices, and any cybersecurity incidents that may have impacted us, as well as risk assessment, management, and monitoring updates, as applicable or needed.

Our Board of Directors is responsible for the oversight of our information security program and establishes our information security risk appetite. The Technology Committee of our Board approves certain Bank-wide governing policies, including our Information Security Policy, as well as other standards, guidelines, and procedures for IT and information security. It also oversees the development of mitigation plans, monitors the tactical implementation of policy, and engages in detailed risk assessments. Our Board of Directors receives regular presentations and reports throughout the year on cybersecurity and information security addressing a broad range of topics. These topics include, but are not limited to, updates on technology trends, regulatory developments, legal issues, policies and practices, information security resources, environmental threats and vulnerability assessments, and efforts to prevent, detect, and respond to potential gaps, internal and external incidents and critical threats. At least quarterly, our Board of Directors discusses cybersecurity and information security risks with our CIO. Our Board of Directors is also required to complete cybersecurity training and participate in a cloud computing education session annually. Our policies and processes are designed such that the Board of Directors would receive prompt and timely information from Bank management on any cybersecurity or information security incident or threat that may pose significant risk to us and would continue to receive regular reports on any incident until its conclusion.


Company Information

Name: Federal Home Loan Bank of Des Moines
CIK: 0001325814
SIC Description: Federal & Federally-Sponsored Credit Agencies
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30