Federal Home Loan Bank of Topeka 10-K Cybersecurity GRC - 2024-03-11

Page last updated on April 11, 2024

Federal Home Loan Bank of Topeka reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-11 16:21:15 EDT.

Filings

10-K filed on 2024-03-11

Federal Home Loan Bank of Topeka filed an 10-K at 2024-03-11 16:21:15 EDT
Accession Number: 0001325878-24-000063

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C: Cybersecurity FHLBank is subject to cybersecurity incident and threat risk. A cybersecurity incident is an unauthorized occurrence, or a series of related unauthorized occurrences, through information systems that jeopardizes the confidentiality, integrity, or availability of our information systems or any information residing therein. Cybersecurity threats are potential unauthorized occurrences on or conducted through information systems that may result in adverse effects on the confidentiality, integrity, or availability of information systems or any information residing therein. Information systems are any electronic information resources, owned or used by FHLBank, including physical or virtual infrastructure controlled by such information resources, or their components, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of our information to maintain or support our operations. Please refer to Item 1A Risk Factors for a description of cybersecurity incident and threat risk. We have implemented processes for assessing, identifying, and managing material risks from cybersecurity threats or incidents that may directly or indirectly impact our business strategy, results of operations, or financial condition. Our cybersecurity risk management framework for assessing, identifying, and managing material risks from cybersecurity threats is designed to protect the confidentiality, integrity, and availability of the information technology assets and data under our control. Cybersecurity risk management is part of our Enterprise Risk Management (ERM) Program, which includes specific controls and processes for mitigation, monitoring and reporting associated with those risks. Those controls and processes include the Enterprise Security Policy, the Security Incident Response Plan, and the Business Resiliency Management Policy. The Risk Oversight committee of the board of directors oversees and annually reviews and recommends for approval and the full board of directors annually reviews and approves our Enterprise Security Policy, Security Incident Response Plan, and Business Resiliency Management Policy. The Enterprise Security Policy establishes administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of FHLBank physical and information assets in accordance with the GLB Act and the interagency guidelines issued thereunder, and applicable laws. The Security Incident Response Plan determines how cybersecurity threats and incidents are identified, classified, and escalated, including for the purposes of reporting, and providing relevant information to the Risk Oversight committee and the full board of directors. The Security Incident Response Plan also requires assessment of materiality of the threat or incident for the purposes of public disclosure. The Business Resiliency Management Policy is designed to ensure our critical business functions remain available during business disruptions and to minimize the impact of such disruptions, including the unavailability of information technology assets due to unintentional events like fire, power loss, and other technical incidents such as hardware failures. The Business Resiliency Management Policy includes, among other items, business impact analysis for developing effective plans and a disaster recovery plan to respond, recover, resume, and restore technology assets critical for FHLBank to operate. We regularly engage with third parties to assist in the testing, maintenance, and development of our cybersecurity risk management practices and to assess, identify, and manage cybersecurity incident and threat risk. 27 Our cyber incident response plan includes third-party cybersecurity incidents and threats. Through our vendor management program, we undertake due diligence of third-party systems with which we will interact and vendors with whom we will interact, including regular reviews and oversight of these service providers through performance and technological reviews and escalation of any unsatisfactory reviews. During the period covered by this report, risks from cybersecurity threats did not have a material impact on our strategy, results of operations, or financial condition. We have experienced cybersecurity incidents in the past, though none have had a material effect on our financial condition or results of operations. Additional cybersecurity incidents may occur in the future and any such cybersecurity incident could result in significantly harmful consequences to us, our members, and their customers. We assess the materiality of any such cybersecurity incident from several perspectives including, but not limited to, our ability to continue to service our members and protect the privacy of the data their customers have entrusted to us, lost revenue, disruption of business operation, increased operating costs, litigation, and reputational harm. Cybersecurity Governance Our board of directors devotes significant time and attention to data and systems protection, including cybersecurity and information security risk. Our board of directors oversees the Enterprise Risk Management (ERM) Program, the Enterprise Security Program and Information Security through policies and principles including the Enterprise Security Policy, the Security Incident Response Plan, and the Business Resiliency Management Policy. The board of directors oversees management s approach to staffing, policies, processes, and practices to gauge and address cybersecurity and information security risk. Our board of directors has oversight of our ERM Program, the Enterprise Security Program, and Information Security areas which include risks from cybersecurity threats and has approved specific controls for the mitigation, monitoring and reporting associated with those risks. The Risk Oversight Committee and Operations Committee of the board of directors receive regular reporting (at least quarterly) on the risks and are responsible for overseeing the risks, including receiving Enterprise Security Program updates from the information security officer (ISO), Information Technology status updates, and reviewing enterprise risk analysis and status information, and annually reviews the Business Resiliency Management Policy and Program. Our Enterprise Security Program is led by the ISO. The ISO reports to the Chief Risk Officer (CRO). FHLBank s Information Security area is led by the Director of Information Security, who reports to the Chief Information Officer. The Business Resiliency Management Program is led by the Director of Vendor Risk and Business Resiliency, who reports to the Associate CRO. We have a Technology Committee, which reviews and discusses all technology-related methodologies and initiatives related to information/cybersecurity, among other topics. The Technology Committee is a management committee and reports to the Strategic Operations Management Committee (SOMC). We also have an Operations Risk Committee (ORC), which is a management committee, and is the secondary venue for reviewing enterprise security initiatives. The ORC also serves as the primary governance venue for the Business Resiliency Management Program and escalates business resiliency concerns and risk issues, among other matters, to the Strategic Risk Management Committee (SRMC). The ORC, is responsible for annually reviewing and providing recommendations on FHLBank s Security Incident Response Plan and receives monthly updates on the Enterprise Security Program. The ISO is a required member of both the Technology Committee and the ORC. The SOMC and SRMC are comprised of senior leadership and executive-level officers, including FHLBank s CRO and Chief Information Officer. The SOMC is responsible for receiving reports on issues escalated from the Technology Committee. The SRMC is responsible for management of operational risk and implementation of the cybersecurity risk management framework within the ERM Program as approved by the board of directors and receives reports on issues escalated from the ORC. The Executive Team, comprised of chief-level officers, annually reviews and provides recommendations on the Enterprise Security Policy, Security Incident Response Plan, and the Business Resiliency Management Policy. The President and CEO annually approves each policy for submission to the board of directors for its consideration and ultimate approval. In addition to the board of directors and management committees, we have an Information Security Working Group (ISWG). Membership in the ISWG consists of leadership and business partners from a cross section of areas, including operational risk, information security, information technology, legal, operations, and others throughout FHLBank. The breadth and depth of experience of members of the ISWG allows for detailed discussions on information security trends and emerging risks which can be elevated to the Technology Committee for action or further discussion, as necessary and appropriate. 28 We have an Information Security area of the Information Technology department comprised of specialized professionals responsible for the day-to-day, hands-on management of cybersecurity risk. The area handles processes and procedures to mitigate and implement protective, proactive and reactive measures to protect FHLBank against cybersecurity risks and is responsible for the practices designed to prevent unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. Those responsible for assessing and managing FHLBank s material risks from cybersecurity threats have expertise and experience relevant to their roles. FHLBank s CIO has served in technology and leadership roles for over 30 years, including almost 26 years of experience with FHLBank. During the last 12 years, the CIO has provided oversight and strategic direction for the Information Security area of the Information Technology department. The ISO has more than 25 years of information technology experience, including 24 in the financial industry, and 22 years of experience managing information security. The ISO has a Bachelor of Science degree in Computer Science Information Systems. The Director of Information Security is a retired United States Air Force Lt. Colonel whose primary career focus was in intelligence analysis. The Director of Information Security also has 13 years experience building and leading cybersecurity programs, including cyber threat intelligence programs and cyber regulatory compliance 16 years of cyber intelligence analysis experience, including military and civilian five years of continuity of operations and business continuity program development and holds a Master of Arts degree in Strategic Intelligence Studies and is a Certified Information System Security Professional. The Technology Committee and ORC, as appropriate, receive regular and prompt information from the Information Security area as reported by the ISO, which in turn provide periodic, regular and prompt reporting to the SRMC and SOMC on topics such as threat intelligence, major cybersecurity risk areas, technologies and best practices, and any cybersecurity incidents that may have impacted FHLBank, as applicable and needed. The SRMC and SOMC may escalate reporting as applicable and needed to the Executive Team or board of directors. The board of directors receives prompt and timely information from the Security Incident Response Team, which includes the CRO, CIO, ISO, and Director of Information Security, among others, as set forth in the Security Incident Response Plan, on any cybersecurity or information security incident that may pose significant risk to FHLBank and continues to receive regular reports on the incident until its conclusion. The board of directors, Risk Oversight Committee and Operations Committee each receive regular presentations and reports throughout the year on cybersecurity and information security risk. These presentations and reports address a broad range of topics, including updates on technology trends, regulatory developments, legal issues, policies and practices, information security resources and organization, the threat environment and vulnerability assessments, and specific and ongoing efforts to prevent, detect, and respond to internal and external incidents and critical threats. At least quarterly, the board discusses cybersecurity and information security risks with the ISO and CRO.

Company Information