Federal Home Loan Bank of Atlanta 10-K Cybersecurity GRC - 2024-03-08

Page last updated on April 11, 2024

Federal Home Loan Bank of Atlanta reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-08 13:08:07 EST.

Filings

10-K filed on 2024-03-08

Federal Home Loan Bank of Atlanta filed an 10-K at 2024-03-08 13:08:07 EST
Accession Number: 0001331465-24-000046

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Cybersecurity Risk Management and Strategy The Bank has implemented processes for assessing, identifying, and managing risks from cybersecurity threats or incidents that may directly or indirectly impact the Bank s business strategy, results of operations, or financial condition. Please refer to Item 1 A . Risk Factors for a description of cybersecurity incident and threat risk. The Bank s cybersecurity risk management framework for assessing, identifying, and managing risks from cybersecurity threats is designed to protect the confidentiality, integrity, and availability of the Bank s information technology assets and data and include specific controls for the monitoring, mitigation, and reporting on cybersecurity risk management. Those processes include information security policies, incident response and business continuity plans focusing on the Bank s appropriate response to threats and incidents and operations and business continuance. The Bank s board annually reviews and approves the Bank s risk management policies. The Bank develops mitigation plans, monitors tactical implementation, and engages in detailed gap analysis, risk assessments and monitors remediation plans to close any outstanding gaps, all of which are overseen by the Bank s Security Governance Committee, and reported to the board. Cybersecurity risk management is integrated with the Bank s overall risk management framework overseen by the Bank s board. Bank policies establish administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of Bank information in accordance with Finance Agency regulations and applicable laws. The Bank s cyber incident response plan determines how cybersecurity threats and incidents are identified, classified, escalated, and reported to senior management and the board. The cyber incident response plan also stipulates management s materiality assessment of the threat or incident for the purposes of public disclosure. The Bank s cyber incident response plan includes third party cybersecurity incidents and threats. The business continuity management program is designed to oversee and implement resilience, continuity, and response capabilities to safeguard employees, products and services, minimize financial losses, and minimize the impact to service to members during a disruption event, which includes the unavailability of information technology assets due to cybersecurity threats or incidents and other unintentional events like fire, power loss, and other technical incidents such as hardware failures. The business continuity management program provides planning for the restoration of facilities, communications, information technology systems, personnel, and other components necessary for the continuity of critical Bank processes. The business continuity management policy is overseen by the board. The Bank retains external consultants to assist in the development and monitoring processes for assessing, identifying, and managing cybersecurity incident and threat risk. The Bank engages third-party services to conduct evaluations of security controls, whether through penetration testing, independent audits or consulting on practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls. The Bank also requires subcontractors to report on cybersecurity incidents so the Bank can assess their impact. As part of the Bank s vendor management process, the Bank undertakes due diligence of third-party systems with whom the Bank will interact with, including risk profiling and classification, in addition to requiring data protection covenants in its vendor agreements. The Bank s vendor risk management program includes regular reviews and oversight of all service providers in accordance with a risk profile classification. The Bank reviews vendor performance, relevant technologies utilized by vendors and promotes escalation of any unsatisfactory reviews, as part of Bank s continuous assessment of its vendors. 28 Table of Contents During the period covered by this report, risks from cybersecurity incidents or threats did not have a material impact on the Bank s strategy, results of operations, or financial condition. The Bank has experienced minor cybersecurity incidents and threats in the past, none of which have had a material effect on the Bank s financial condition or results of operations. Cybersecurity incidents may occur in the future and any such cybersecurity incident could result in significant adverse impact to the Bank, the Bank s members, and their customers. The Bank is prepared to assess materiality of any such cybersecurity incident from several perspectives including, but not limited to, the Bank s ability to continue to service the Bank s members and protect the privacy of their data entrusted to us, lost revenue, disruption of business operations, increased operating costs, litigation, and reputational harm. Cybersecurity Governance The Bank s board of directors devotes significant time and attention to data and systems protection, including cybersecurity and information security risk. The board s Enterprise Risk and Operations Committee oversees the Bank s information security program through setting of policies and the Bank s risk management framework and has oversight of the cybersecurity risk management efforts which include risks from cybersecurity threats and has assigned specific controls for the mitigation, monitoring and reporting associated with those risks. The board also oversees management s approach to staffing, and processes and practices to gauge and address cybersecurity and information security risk. The board receives reports on management of cybersecurity risk and implementation of cybersecurity risk management as well presentations and reports on cybersecurity effectiveness assessments and monitoring updates, along with management s recommendations regarding Bank s information security policies. The Bank s Security Governance Committee is led by the chief information security officer and has a cross-functional membership comprised of representatives from the Bank s operational risk, information security, information technology, legal, operations, and other departments that provide both specific, technical and multidisciplinary expertise to the committee. The committee has integrated oversight of the information security program, the physical security program, and is responsible for reviewing security policies and procedures, security exceptions and violations, the processes and standards to implement the policies and procedures defined in the cybersecurity risk management program, the Bank s cyber incident response plan, the security awareness program and implementation reports, and for providing guidance and monitor progress on major information security projects, and regulatory changes and requirements. The Bank has a dedicated Information Security Department comprised of specialized professionals responsible for the day-to-day, hands-on management of cybersecurity risk and that handle the processes and procedures to mitigate and implement protective, proactive and reactive measures to protect the Bank against those risks, responsible for developing, documenting, and approving the Bank s technical information security control standards, guidelines, and procedures designed to preserve the confidentiality, integrity, and availability of the Bank s information technology assets and data under the Bank s control. The combined expertise of the Bank s chief information officer and the chief information security officer in cybersecurity include graduation in Computer Science, Certification in Risk and Information Systems Control (CRISC), Certification in Information Systems Security Professional (CISSP), and Certification in Information Systems Auditor (CISA), along with decades of experience in computer science, information and records security, business continuity, technology governance and compliance, technology risk services, cyber risk assessments, security operations monitoring and response, incident response, security strategy and architecture, awareness training, threat intelligence, identity and access management, vulnerability and penetration testing, maturity assessment, impact analysis, disaster events, recovery response, business resiliency, third party systems due diligence, deep knowledge of software systems and platforms, implementation methodologies, and various technology systems servicing internal and external customers. The Security Governance Committee meets regularly and receives prompt and periodic information, as needed or applicable pursuant to Bank policies and plans, from the Information Security Department which in turn provides periodic, regular and prompt reporting to senior management. Reports include topics such as threat intelligence, major cybersecurity risk areas, technologies and best practices, project development and implementation, any cybersecurity incidents or threats occurred, as well risk assessment, management and monitoring updates, as applicable and as needed. Bank policies and processes are designed such that the board would receive prompt and periodic information from management or the Security Governance Committee on any cybersecurity or information security incident or threat that may pose significant risk to the Bank and would continue to receive regular reports on any incident or threat until its conclusion. The Bank s Enterprise Risk and Operations Committee also receives regular presentations and reports throughout the year on cybersecurity and information security addressing a broad range of topics, including updates on technology trends, regulatory developments, legal issues, policies and practices, information security resources and organization, the threat environment and vulnerability 29 Table of Contents assessments, and specific and ongoing efforts to prevent, detect, and respond to potential gaps, internal and external incidents and critical threats. At least quarterly, or more often, as necessary, the Enterprise Risk and Operations Committee discusses cybersecurity and information security risks with the Bank s chief information officer and chief information security officer.

Company Information