Federal Home Loan Bank of San Francisco 10-K Cybersecurity GRC - 2024-03-08

Page last updated on April 11, 2024

Federal Home Loan Bank of San Francisco reported its cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-08 07:34:05 EST.

Filings

10-K filed on 2024-03-08

Federal Home Loan Bank of San Francisco filed a 10-K at 2024-03-08 07:34:05 EST
Accession Number: 0001316944-24-000049


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

Cybersecurity Risk Management and Strategy

The Bank is subject to cybersecurity risks, which include intentional and unintentional acts that may affect the availability, confidentiality, and integrity of our information systems, including any information residing therein, or services. The Bank has, in alignment with industry standards and Finance Agency regulatory guidance, implemented processes, as set forth in its cybersecurity risk management framework, for identifying, assessing, and managing material risks from cybersecurity incidents that may directly or indirectly impact the Bank's business strategy, results of operations, or financial condition. Please refer to Item 1.A Risk Factors - Operational Risks for a description of potential cybersecurity threat risks. The Bank's cybersecurity risk management framework is designed to protect the confidentiality, integrity, and availability of the Bank's information technology assets and data. The Bank utilizes the cybersecurity risk management concept of defense-in-depth and deploys multiple layers of controls across operations to manage the multi-faceted nature of cybersecurity risk. Cybersecurity risk management is part of the Bank's Enterprise Risk Management program, which includes pre-established risk appetite statements that outline the various risk indicators and their respective risk tolerance levels for the monitoring, assessing, mitigation, and reporting associated with those risks. The Bank's Information Security program is designed to evaluate our cybersecurity infrastructure and performance on an ongoing basis through regular control assessments, vulnerability scans and remediation, penetration tests, and threat intelligence feeds that enable the program to effectively identify, prioritize, and mitigate cybersecurity risks.

The Bank attempts to mitigate cybersecurity risk using an array of activities, including the Bank's Information Security Policy, information security training, periodic cybersecurity incident tabletop exercises, adequate cybersecurity insurance coverage levels, the Bank's Cybersecurity Incident Response Plan, and the Bank's business continuity management program focusing on the continuance of the Bank's operations in the event of a threat or incident. The Bank's Enterprise Risk Committee annually reviews and approves the Bank's Information Security Policy. The Bank's Information Security Policy establishes administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of Bank information in accordance with Finance Agency regulation, the Gramm-Leach-Bliley Act and the interagency guidelines issued thereunder, and applicable laws. The Bank develops mitigation plans, monitors tactical implementation of the policy, and engages in detailed risk assessments comprising the Bank's Information Security Program overseen by the Bank's Enterprise Risk and Technology & Operations Committees. The Bank's Enterprise Risk and Technology & Operations Committees report to the Board. The Bank's Cybersecurity Incident Response Plan determines how cybersecurity incidents are identified, classified, and escalated, including for the purposes of reporting and providing relevant information to senior management and the Board. The Bank's Cybersecurity Incident Response Plan also stipulates that management assess the materiality of the incident for the purposes of public disclosure.

The business continuity management program is designed to oversee and implement resilience, continuity, and response capabilities to safeguard employees, customers, and products and services and minimize the financial loss to the Bank, ensure employee safety, and continue uninterrupted service to shareholders during a disruption event, which may include a cybersecurity-related event. The business continuity management program provides for the restoration of facilities, communications, information technology systems, temporary relocation of personnel, and other components necessary for the continuity of critical Bank processes. The business continuity management program is overseen by the Board. The Bank retains external consultants to assist in the development and monitoring of those processes for identifying, assessing, and managing cybersecurity incidents and threat risks. The Bank's Cybersecurity Incident Response Plan also facilitates management of third-party cybersecurity incidents. As part of the Bank's vendor management process, the Bank undertakes due diligence of third-party systems that the Bank will interact with, including risk profiling and classification, in addition to requiring data protection covenants in its vendor agreements. The Bank's vendor risk management program includes regular reviews and oversight of all service providers in accordance with a risk profile classification. The Bank reviews performance and technologies utilized by vendors, and promotes escalation of any unsatisfactory reviews as part of the Bank's continuous assessment of its vendors. During the period covered by this report, risks from cybersecurity threats did not have a material impact on the Bank's business strategy, results of operations, or financial condition.

The Bank updated its information security strategy during the period covered by this report in response to the increasing volume of cybersecurity threats, both to the Bank and to third parties such as suppliers and vendors. The Bank has experienced cybersecurity incidents and threats in the past, though none have had a material effect on the Bank's financial condition or results of operations.

Cybersecurity Governance

The Board, through its Enterprise Risk and Technology & Operations Committees, oversees the Bank's Information Security and Enterprise Risk Management programs, which include the Information Security Policy. The Board receives reports from the Enterprise Risk and Technology & Operations Committees, which are management committees composed of members of the Bank's senior management responsible for management of risk and implementation of the cybersecurity risk management framework within the Risk Management Program as approved by the Board. The Board oversees management's approach to staffing, policies, processes, and practices to measure and address cybersecurity and information security risk. The Enterprise Risk Committee is responsible for reviewing and recommending the approval of the Information Security Policy by the Board. The Enterprise Risk Committee provides independent and integrated oversight of the Bank's Information Security program and security exceptions and violations. The Bank's Technology & Operations Committee is responsible for reviewing the Bank's security awareness and physical security procedures and implementation reports, provides guidance and monitors progress on major information security projects, and monitors regulatory changes.

The Bank's dedicated Information Security Department, led by our Chief Information Security Officer, is comprised of specialized professionals responsible for the processes and procedures to design and implement protective, proactive, and reactive measures to protect the Bank against cybersecurity risks, and for developing, documenting, and approving the Bank's technical information security control standards, guidelines, and procedures designed to preserve the confidentiality, integrity, and availability of the Bank's information technology assets and data under the Bank's control. The Chief Information Security Officer's expertise in cybersecurity includes holding a Bachelor of Science degree in Computer Engineering, a Master of Business Administration degree in Technology Management, and Information Systems Security Professional certification, along with decades of experience in information technology and cybersecurity. The Bank's Enterprise Risk and Technology & Operations Committees receive regular, prompt, and periodic information from the Information Security Department, which in turn provides periodic, regular, and prompt reporting to the Enterprise Risk and Technology & Operations Committees of the Board on topics such as threat intelligence, major cybersecurity risk areas, technologies and best practices, and any cybersecurity incidents that may have impacted the Bank, as well as risk assessment, management, and monitoring updates, as applicable and as needed. Bank policies and processes are designed such that the Board would receive prompt and timely information from the Information Security Department or the Enterprise Risk Committee on any cybersecurity or information security incident or threat that may pose significant risk to the Bank and would continue to receive regular reports on any incident until its conclusion.

At least quarterly, or more often as necessary, the Board discusses cybersecurity and information security risks with the Bank's Chief Information Security Officer.


Company Information

Name: Federal Home Loan Bank of San Francisco
CIK: 0001316944
SIC Description: Federal & Federally-Sponsored Credit Agencies
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30