Federal Home Loan Bank of Boston 10-K Cybersecurity GRC - 2024-03-15

Page last updated on April 11, 2024

Federal Home Loan Bank of Boston reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-15 13:43:54 EDT.

Filings

10-K filed on 2024-03-15

Federal Home Loan Bank of Boston filed an 10-K at 2024-03-15 13:43:54 EDT
Accession Number: 0001331463-24-000054

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C Cybersecurity for additional information on our use of information systems and technology. Any failures or interruptions of these information systems or other technology could have a material adverse impact on our financial condition and results of operations. Moreover, cyber-attacks, in particular those on financial institutions and financial market infrastructures, have become more frequent, more sophisticated, and increasingly difficult to detect and prevent, including as a result of the increased capabilities of artificial intelligence and other emerging technologies, such as ransomware-as-a-service, that may be used maliciously. For example, most of our information systems have been co-located with a third-party service provider, or are hosted with infrastructure-as-a-service (IaaS) or software-as-a-services (SaaS) providers, on which we are reliant to provide a secure location and a stable operating environment for these systems. Any failure to provide such stability or security by the co-location third-party service provider, or IaaS or SaaS providers, could result in failures or interruptions in our ability to conduct business. As another example, our AHP, MPF, and certain collateral activities rely on the secure processing, storage, and transmission of private borrower information, which may include names, residential addresses, social security numbers, credit rating data, or other consumer financial information. As discussed in our quarterly report on Form 10-Q filed on November 9, 2023, in 2003 we experienced, and could experience in the future, an event where this information is exposed in several ways, including through unauthorized access to computer systems, computer viruses that attack our computer systems, software or networks, accidental delivery of information to an unauthorized party, loss of encrypted media containing this information, and similar circumstances at service providers with access to or possession of such information. For a further discussion of the event we experienced in 2023, see Item 2 Management’s Discussion and Analysis of Financial Condition and Results of Operations Executive Summary Cyber Incident in our quarterly report on Form 10-Q filed on November 9, 2023. Any of these events could result in significant financial losses, legal and regulatory sanctions, and reputational damage. We are maintaining a continuous strategy to ensure our mission critical applications and supporting infrastructure remain protected against evolving security threats. The pace of change to our information technology, including the incorporation of artificial intelligence, increases the risk of failures or interruptions of information systems or other technology, which could have a material adverse impact on our financial condition and results of operations. We rely on vendors and other third parties for certain important or critical services and could be adversely impacted by disruptions in those services. For example, in participating in the MPF program, we rely on the FHLBank of Chicago in its capacity as the MPF Provider. Our investments in mortgage loans through the MPF program account for 4.6 percent of our total assets as of December 31, 2023, and 2.7 percent of interest income for the year ended December 31, 2023. If the FHLBank of Chicago changes or ceases to operate the MPF program or experiences a failure or interruption in its information systems and other technology in its operation of the MPF program, our mortgage-investment activities could be adversely impacted, and we could experience a related decrease in net interest margin, financial condition, and profitability. In the same way, we could be adversely impacted if the FHLBank of Chicago’s third-party vendors engaged in the operation of the MPF program were to experience operational or technological difficulties. As another example, we rely on the Office of Finance for, among other things, the placement of COs, our primary source of funds. A disruption in this service would disrupt our access to these funds, as also discussed under Market and Liquidity Risks Any inability or curtailment of our ability to access the capital markets could adversely impact our business operations, financial condition, and results of operations. We rely on models for many of our business operations and changes in the assumptions used could have a significant effect on our financial position, results of operations, and assessments of risk exposure. For example, we use models to assist in our determination of the fair values of financial instruments. The degree of management judgment involved in determining the fair value of a financial instrument is dependent upon the availability of quoted market prices or observable market pricing parameters. For financial instruments that are actively traded and have quoted market prices or parameters readily available, there is little to no subjectivity in determining fair value. If market quotes are not available, fair values are based on discounted cash flows using market estimates of interest rates and volatility or on dealer prices or prices of similar instruments. Pricing models and changes in their underlying assumptions are based on our best estimates for discount rates, prepayments, market volatility, and other factors. These assumptions could have a significant effect on the reported fair values of assets and liabilities, including derivatives, the related income and expense, and the expected future behavior of assets and liabilities. While the models we use to value instruments and measure risk exposures are subject to 26 Table of Contents periodic validation by our staff and by independent parties, rapid changes in market conditions in the interim could impact our financial position. The use of different models and assumptions, as well as changes in market conditions, could significantly impact our financial condition and results of operations. GENERAL RISK FACTORS The inability to retain key personnel could adversely impact our operations . We rely on key personnel for many of our functions and have a relatively small workforce, relative to the size and complexity of our business. Our ability to retain such personnel is important for us to conduct our operations and measure and maintain risk and financial controls. Our ability to retain key personnel could be challenged because in the U.S., and the Boston area in particular, competition for talent remains high. ITEM 1B. UNRESOLVED STAFF COMMENTS None. ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy We are subject to cybersecurity risk, which includes intentional and unintentional acts that may jeopardize the confidentiality, integrity, or availability of our information technology assets and data under our control. Cybersecurity risk can take the form of a variety of circumstances to cause harm to us, our members, our service providers, and the economy in general. These circumstances include, but are not limited to, malicious software or exploited vulnerabilities, social engineering, such as phishing, denial-of-service attacks, viruses, malware, and natural disasters. Refer to Item 1 A Risk Factors for a description of cybersecurity and other operational risks that may affect our information technology assets and data under our control. In alignment with industry standards, such as the NIST Cybersecurity Framework, and FHFA regulatory guidance, we have implemented processes for assessing, identifying, and managing cybersecurity risk through a layered approach throughout our environment and in our service provider arrangements, including SaaS and IaaS engagements. We endeavor to continuously develop our policies and practices to mitigate our exposure to cybersecurity risks given, among other things, the evolving natures of these risks, the involvement of uncontrollable circumstances, such as fires or flooding, and our role in the financial services industry and the broader economy. Our cybersecurity risk-mitigating processes include, but are not limited to the following: performing regular risk assessments to identify, understand, and prioritize risks from cybersecurity threats the implementation of firewalls, anti-virus software, and real-time network monitoring the deployment of software updates to address security vulnerabilities maintaining a vulnerability management program to timely identify and remediate cybersecurity risks, and periodic employee training to educate employees on how to identify and avoid various forms of social engineering. We also maintain a business continuity program designed to ensure that resources and plans are in place to protect the Bank from potential loss during a disruption, which includes the unavailability of our information technology assets due to unintentional events like fire, power loss, and other technical incidents such as hardware failures. These business continuity resources and plans include, but are not limited to, maintaining a business continuity site to ensure continued operations, regular backing up of data and systems, testing our ability to operate on disaster recovery systems, and annually reviewing department level business continuity procedures. We regularly engage with third parties to test, maintain, and enhance our cybersecurity risk management practices and threat monitoring. These engagements include, among other things, incident response exercises, penetration testing, constant managed detection and response services, and intrusion prevention and detection applications. Our vendor risk management program includes regular reviews and oversight of these third parties, including performance and technological reviews and escalation of any unsatisfactory reviews. Our results of operations and financial condition have not been materially affected by cybersecurity threats or incidents during the period covered by this report. However, to assess, identify, and manage risks from cybersecurity threats, including as a result of previous cybersecurity incidents, we have invested, and expect to continue to invest, significant resources to maintain and enhance our information security and business continuity programs designed to preserve the confidentiality, integrity, and availability of our information technology assets and data under our control. As a result, the risk of cybersecurity threats has materially affected our business strategy. It is inevitable that cybersecurity incidents will occur in the future and any such 27 Table of Contents cybersecurity incident could result in significantly harmful consequences to us, our members, and their customers. We assess the materiality of each cybersecurity incident from several perspectives including, but not limited to, our ability to continue to service our members, any loss of or unauthorized access to data, lost revenue, increased operating costs, litigation, and reputational harm. Cybersecurity Governance Our director of information security provides regular reporting (at least quarterly) to the Risk Committee and Technology Committee of our board of directors and our Management Committee, the Bank s highest-level governance, strategic planning, oversight, and policymaking group, on topics such as threat intelligence, major cybersecurity risk areas and threats, technologies and best practices, and any cybersecurity incidents that may have impacted us, and more frequently if there is an ongoing cybersecurity incident. Our board of directors oversees our information security program through regular review of policies and principles, including our information security policy designed to establish clear management direction and commitment to preserve the confidentiality, integrity, and availability of all information technology assets, including data. Our Bank Technology Governance Committee, a management level committee, consisting of members of our senior leadership, including our chief risk officer and chief information officer, is responsible for approving policies to support the management and implementation of the cybersecurity program. This committee receives regular reporting from our director of information security similar to what is provided to the board of directors, and more detailed reporting regarding the availability of information technology assets and cybersecurity threats being monitored. Our director of information security, who reports both to our chief risk officer and our chief information officer, manages the Bank s cybersecurity governance framework designed to protect the confidentiality, integrity, and availability of the Bank s information technology assets and data under our control. Our director of information security has more than 25 years of experience in information technology with the Bank in successively more responsible roles and has led teams to design, secure, and implement numerous technology solutions. Our information security department is responsible for developing, documenting, and approving our information security control standards, guidelines, and procedures, in line with the policies and standards set forth by our board of directors and the Bank Technology Governance Committee. The business continuity program is overseen by the Finance Committee of our board of directors and includes, among other items, business impact analysis for developing effective plans and a disaster recovery plan to respond, recover, resume, and restore technology assets critical for us to operate. Our Operational Risk Committee, a management level committee, including leadership representatives from our operational risk, information security, information technology, legal, operations, and other departments throughout the Bank, is responsible for oversight of operational risk and oversees the implementation of the business continuity program as approved by the board of directors.
ITEM 1C. CYBERSECURITY Cybersecurity Risk Management and Strategy We are subject to cybersecurity risk, which includes intentional and unintentional acts that may jeopardize the confidentiality, integrity, or availability of our information technology assets and data under our control. Cybersecurity risk can take the form of a variety of circumstances to cause harm to us, our members, our service providers, and the economy in general. These circumstances include, but are not limited to, malicious software or exploited vulnerabilities, social engineering, such as phishing, denial-of-service attacks, viruses, malware, and natural disasters. Refer to Item 1 A Risk Factors for a description of cybersecurity and other operational risks that may affect our information technology assets and data under our control. In alignment with industry standards, such as the NIST Cybersecurity Framework, and FHFA regulatory guidance, we have implemented processes for assessing, identifying, and managing cybersecurity risk through a layered approach throughout our environment and in our service provider arrangements, including SaaS and IaaS engagements. We endeavor to continuously develop our policies and practices to mitigate our exposure to cybersecurity risks given, among other things, the evolving natures of these risks, the involvement of uncontrollable circumstances, such as fires or flooding, and our role in the financial services industry and the broader economy. Our cybersecurity risk-mitigating processes include, but are not limited to the following: performing regular risk assessments to identify, understand, and prioritize risks from cybersecurity threats the implementation of firewalls, anti-virus software, and real-time network monitoring the deployment of software updates to address security vulnerabilities maintaining a vulnerability management program to timely identify and remediate cybersecurity risks, and periodic employee training to educate employees on how to identify and avoid various forms of social engineering. We also maintain a business continuity program designed to ensure that resources and plans are in place to protect the Bank from potential loss during a disruption, which includes the unavailability of our information technology assets due to unintentional events like fire, power loss, and other technical incidents such as hardware failures. These business continuity resources and plans include, but are not limited to, maintaining a business continuity site to ensure continued operations, regular backing up of data and systems, testing our ability to operate on disaster recovery systems, and annually reviewing department level business continuity procedures. We regularly engage with third parties to test, maintain, and enhance our cybersecurity risk management practices and threat monitoring. These engagements include, among other things, incident response exercises, penetration testing, constant managed detection and response services, and intrusion prevention and detection applications. Our vendor risk management program includes regular reviews and oversight of these third parties, including performance and technological reviews and escalation of any unsatisfactory reviews. Our results of operations and financial condition have not been materially affected by cybersecurity threats or incidents during the period covered by this report. However, to assess, identify, and manage risks from cybersecurity threats, including as a result of previous cybersecurity incidents, we have invested, and expect to continue to invest, significant resources to maintain and enhance our information security and business continuity programs designed to preserve the confidentiality, integrity, and availability of our information technology assets and data under our control. As a result, the risk of cybersecurity threats has materially affected our business strategy. It is inevitable that cybersecurity incidents will occur in the future and any such 27 Table of Contents cybersecurity incident could result in significantly harmful consequences to us, our members, and their customers. We assess the materiality of each cybersecurity incident from several perspectives including, but not limited to, our ability to continue to service our members, any loss of or unauthorized access to data, lost revenue, increased operating costs, litigation, and reputational harm. Cybersecurity Governance Our director of information security provides regular reporting (at least quarterly) to the Risk Committee and Technology Committee of our board of directors and our Management Committee, the Bank s highest-level governance, strategic planning, oversight, and policymaking group, on topics such as threat intelligence, major cybersecurity risk areas and threats, technologies and best practices, and any cybersecurity incidents that may have impacted us, and more frequently if there is an ongoing cybersecurity incident. Our board of directors oversees our information security program through regular review of policies and principles, including our information security policy designed to establish clear management direction and commitment to preserve the confidentiality, integrity, and availability of all information technology assets, including data. Our Bank Technology Governance Committee, a management level committee, consisting of members of our senior leadership, including our chief risk officer and chief information officer, is responsible for approving policies to support the management and implementation of the cybersecurity program. This committee receives regular reporting from our director of information security similar to what is provided to the board of directors, and more detailed reporting regarding the availability of information technology assets and cybersecurity threats being monitored. Our director of information security, who reports both to our chief risk officer and our chief information officer, manages the Bank s cybersecurity governance framework designed to protect the confidentiality, integrity, and availability of the Bank s information technology assets and data under our control. Our director of information security has more than 25 years of experience in information technology with the Bank in successively more responsible roles and has led teams to design, secure, and implement numerous technology solutions. Our information security department is responsible for developing, documenting, and approving our information security control standards, guidelines, and procedures, in line with the policies and standards set forth by our board of directors and the Bank Technology Governance Committee. The business continuity program is overseen by the Finance Committee of our board of directors and includes, among other items, business impact analysis for developing effective plans and a disaster recovery plan to respond, recover, resume, and restore technology assets critical for us to operate. Our Operational Risk Committee, a management level committee, including leadership representatives from our operational risk, information security, information technology, legal, operations, and other departments throughout the Bank, is responsible for oversight of operational risk and oversees the implementation of the business continuity program as approved by the board of directors.

Company Information