Federal Home Loan Bank of Indianapolis 10-K Cybersecurity GRC - 2024-03-12

Page last updated on April 11, 2024

Federal Home Loan Bank of Indianapolis reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 10:25:38 EDT.

Filings

10-K filed on 2024-03-12

Federal Home Loan Bank of Indianapolis filed a 10-K at 2024-03-12 10:25:38 EDT
Accession Number: 0001331754-24-000054


Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

We are subject to the risk of a cybersecurity incident. A cybersecurity incident is an unauthorized occurrence, or a series of related unauthorized occurrences, through information systems that jeopardizes the confidentiality, integrity, or availability of our information systems or any information residing therein. Information systems are any electronic information resources, owned or used by us, including physical or virtual infrastructure controlled by such information resources, or their components, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information to maintain or support our operations. For additional information, see Item 1A Risk Factors for a description of cybersecurity incident risk.

We have a cybersecurity risk management framework for assessing, identifying, and managing material risks from cybersecurity incidents that is designed to protect the confidentiality, integrity, and availability of our information technology assets and data. Cybersecurity risk management is part of our enterprise risk management program. We have implemented processes for assessing, identifying, and managing material risks from cybersecurity incidents that may directly or indirectly impact our business strategy, results of operations, or financial condition. Those processes include the development, approval and implementation of our Enterprise Information Security Policy ("EISP"), Information Security Standards, Information Security Incident Response Plan ("ISIRP") and Business Continuity Management Policy.

The EISP is our core policy for assessing, identifying and managing cybersecurity risks, and it applies to all employees, contractors, temporary employees, and other parties doing business on behalf of or in support of the Bank who, by the nature of their work, have access to our information assets and systems. Broadly, it establishes the administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of Bank information in accordance with the applicable law. To do this, the EISP, among other provisions:

- allocates key responsibilities, including the responsibilities of our chief information security officer ("CISO") and our Chief Risk Officer ("CRO") related to cybersecurity risk management;
- establishes a security education, training and awareness program, which is intended to influence development of skills and habits to safeguard our information assets;
- establishes a risk-based vulnerability management program;
- mandates and establishes standards for periodic penetration testing;
- provides controls and minimum standards regarding physical security (e.g., systems are located behind locked doors) and operational security (e.g., monitoring existing and emerging threats);
- mandates the development, acquisition and maintenance of systems with appropriate security controls (e.g., maintaining appropriate configuration management and control processes and maintaining appropriate patch management processes); and
- mandates the adoption of industry standards to address business requirements within a cybersecurity framework that leverages both the National Institute of Standards and Technology framework and the Center for Information Security Controls in measuring the maturity of our information security program and its adoption of best practices.

Our Information Security Standards provide rules for the implementation of the EISP. These standards provide greater granularity on the Bank's requirements for the establishment, maintenance and continuous improvement of our information security program.

The ISIRP determines how information security incidents are identified, classified, and escalated, including for the purposes of reporting, and providing relevant information to the board of directors. The ISIRP also supports management's assessment of incident materiality. The ISIRP also includes action plans for responding to third-party cybersecurity threats and incidents.

We undertake due diligence of third-party systems with which we interact, in addition to requiring data protection covenants in the related third-party provider agreements, as appropriate. Our vendor management program includes ongoing monitoring and oversight of the third-party providers, including performance and information security reviews utilizing System and Organization Control reports, when available, and risk-based re-assessment of high inherent-risk third-party providers on an annual basis. Any unsatisfactory reviews are escalated for consideration of appropriate steps to appropriately manage the related risk. We leverage certain third-party providers to support our security event monitoring. In addition, certain third parties support our vendor security due diligence process. We may retain assessors, consultants, auditors, etc. to assist in the development, creation and monitoring of those processes for assessing, identifying, and managing cybersecurity incident risk.

Our business continuity program includes the maintenance of resources necessary to protect us from potential loss during a disruption, which includes the unavailability of information technology assets due to unintentional events like fire, power loss, and other technical incidents such as hardware failures. The business continuity program includes, among other items, business impact analysis for developing effective plans and a disaster recovery plan to respond, recover, resume, and restore technology assets critical for us to operate.

During the period covered by this report, we have not experienced any cybersecurity incidents that have had a material effect on our financial condition or results of operations. We assess the materiality of any cybersecurity incident from several perspectives including, but not limited to, our ability to continue to service our members and protect private information, lost revenue, disruption of business operation, increased operating costs, litigation, and reputational harm.

Cybersecurity Governance

Our board provides oversight of our risk management program, which includes cybersecurity risk management, via its Risk Oversight Committee. Among its responsibilities, the Risk Oversight Committee reviews and discusses, from a risk oversight point of view, reports on the Bank's current and emerging security risks, the metrics used to monitor security risks and management's views on the acceptable and appropriate levels of security risk. The Risk Oversight Committee also reviews and makes recommendations to the board regarding the approval of the EISP.

Our board's Security and Technology Committee ("STC") reviews the overall status of management's information security program, including any significant issues, significant emerging risks, strategies, and other information to ensure that information security management practices appropriately address potential risks. It is also responsible for the exposure and containment of technology risks, including security risks. In addition, our board and/or the STC receives regular presentations and reports throughout the year on cybersecurity and information security risk. These presentations and reports address a broad range of topics, including updates on technology trends, regulatory developments, legal issues, policies and practices, information security resources and organization, the threat environment and vulnerability assessments, and specific and ongoing efforts to prevent, detect, and respond to internal and external incidents and critical threats. In addition, the CISO provides prompt and timely information on any cybersecurity or information security incident that may pose significant risk to us and continues to provide regular reports on any such incident until its conclusion.

Under the management and direction of the Chief Information Officer, the CISO is responsible for assessing and managing our material risks from cybersecurity threats. The CISO also has a dotted line reporting relationship to the CRO for purposes of informing the CRO on related risks. The cybersecurity risk management function under the CRO is responsible for identifying, assessing and evaluating cybersecurity risks and monitoring and tracking cybersecurity risk mitigation strategies.

The CISO leads an Information Security Steering Committee ("ISSC") which convenes expertise from areas beyond the information security and technology departments, including risk, legal and operations, or other departments, as necessary. Accordingly, the ISSC provides interdisciplinary expertise in the implementation of our cybersecurity risk management framework. The CISO reports on behalf of the ISSC to management's Risk Committee. These reports include information on topics such as threat intelligence, major cybersecurity risk areas, technologies and best practices, and any cybersecurity incidents.

The CISO and the CRO are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents with the support of our information security department. Our information security department, which is led by the CISO, is comprised of specialized professionals who are responsible for the day-to-day, hands-on management of the cybersecurity risk and who handle the processes and procedures to mitigate and implement protective, proactive and reactive measures to protect us against those risks. The department is responsible for developing, documenting, and approving our technical information security control standards, guidelines, and procedures designed to preserve the confidentiality, integrity, and availability of our information technology assets and data.

Our CISO holds a degree in information systems design and analysis and advanced degrees in telecommunications and information technology management. He has over 24 years of experience leading Information Security teams and over a decade as a senior leader within Information Security.

For additional information, see Item 7. Management's Discussion and Analysis of Financial Condition and Results of Operations - Risk Management.


Company Information

Name: Federal Home Loan Bank of Indianapolis
CIK: 0001331754
SIC Description: Federal & Federally-Sponsored Credit Agencies
Ticker: (none listed)
Website: (none listed)
Category: Non-accelerated filer
Fiscal Year End: December 30