Federal Home Loan Bank of Cincinnati 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

Federal Home Loan Bank of Cincinnati reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 14:00:31 EDT.

Filings

10-K filed on 2024-03-21

Federal Home Loan Bank of Cincinnati filed a 10-K at 2024-03-21 14:00:31 EDT
Accession Number: 0001326771-24-000052


Item 1C. Cybersecurity.

CYBERSECURITY RISK MANAGEMENT AND STRATEGY

We are subject to cybersecurity risk, which includes intentional and unintentional acts that may jeopardize the confidentiality, integrity, or availability of our information technology assets and data under our control. Cybersecurity risk can take the form of a variety of circumstances that cause harm to us, our members, our service providers, and the economy in general. These circumstances include malicious software or exploited vulnerabilities, social engineering, such as phishing, denial-of-service attacks, viruses, malware, and natural or other disasters. See Item 1A. Risk Factors for additional description of cybersecurity and other operational risks.

In alignment with industry standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and Finance Agency regulatory guidance, we have implemented processes for assessing, identifying, and managing cybersecurity risk through a layered approach throughout our environment and in our service provider arrangements, including software-as-a-service and infrastructure-as-a-service engagements. We continuously evaluate and update our policies and practices to mitigate our exposure to cybersecurity risks given, among other things, the evolving natures of these risks, the involvement of uncontrollable circumstances, such as fires or flooding, and our role in the financial services industry and the broader economy. Our cybersecurity risk-mitigating processes include the implementation of firewalls, anti-virus software, real-time network monitoring, various forms of testing, and the deployment of software updates to address security vulnerabilities, as well as annual and periodic employee training to educate employees on how to identify and avoid various forms of social engineering.

Our security incident response plan determines how cybersecurity threats and incidents are identified, classified, and escalated, including for the purposes of reporting and providing relevant information to senior management and the Board of Directors. The security incident response plan also requires management to assess materiality of the threat or incident for the purposes of public disclosure. We also maintain a business continuity program designed to ensure that resources and plans are in place to protect us from potential loss during a disruption, which includes the unavailability of our information technology assets due to unintentional events like fire, power loss, and other technical incidents such as hardware failures. These business continuity resources and plans include maintaining business continuity sites to ensure continued operations, regular backing up of data and systems on offsite facilities, testing our ability to operate on disaster recovery systems, and annually reviewing department-level business continuity procedures.

We regularly engage third parties to test, maintain, and enhance our cybersecurity risk management practices and threat monitoring. These engagements include incident response exercises, penetration testing, constant managed detection and response services, and intrusion prevention and detection applications. Our vendor risk management program includes regular reviews and oversight of these third parties, including performance and technological reviews and escalation of any unsatisfactory performance, in order to identify, prioritize, assess, mitigate and remediate third party risks. However, we rely on the third parties we use to implement security programs commensurate with their risk, and we cannot ensure in all circumstances that their efforts will be successful.

During the period covered by this report, the risk from cybersecurity threats or incidents did not have a material impact on our strategy, results of operations, or financial condition. We expect that cybersecurity threats and incidents will continue to occur and any such cybersecurity incident impacting us could result in significantly harmful consequences to us, our members, and their customers. We assess the materiality of any such cybersecurity incident from several perspectives including our ability to continue to service our members, any loss of or unauthorized access to data, lost revenue, increased operating costs, litigation, and reputational harm.

CYBERSECURITY GOVERNANCE

Our chief information officer and chief information security officer provide regular reports (at least quarterly) to the Risk Committee of our Board and management committees on topics such as threat intelligence, major cybersecurity risk areas and threats, technologies and best practices, and any cybersecurity incidents that may have impacted us, and more frequently if there is an ongoing cybersecurity incident. Our Board oversees our information security program through regular review of policies, including our information security policy designed to establish clear management direction and commitment to preserve the confidentiality, integrity, and availability of all information technology assets and data. Our Enterprise Risk Management Committee, a management-level committee including senior management and other leadership representatives from our operational risk, information security, information technology, legal, operations, and other departments, is responsible for approving policies to support the management and implementation of the cybersecurity program and recommending the annual information technology strategic plan to senior management prior to Board review and approval.

This committee receives regular reporting from our chief information security officer similar to what is provided to the Board, and more detailed reporting regarding the availability of information technology assets and cybersecurity threats being monitored. Our chief information security officer, who reports both to our chief risk officer and our chief information officer, manages the cybersecurity governance framework designed to protect the confidentiality, integrity, and availability of our information technology assets and data under our control. Our chief information security officer and assistant chief information security officer collectively have approximately 20 years of experience with the FHLB in successively more responsible roles and have led teams to design, secure, implement, and audit numerous technology solutions. Our information security group is responsible for developing, documenting, and approving our information security control standards, guidelines, and procedures, in line with the policies and standards set forth by the Board and management committee. They are experienced and knowledgeable in both technology and cybersecurity and maintain industry-recognized security certifications. The business continuity program is overseen by the Business and Operations Committee of the Board and includes business impact analysis for developing effective plans and a disaster recovery plan to respond, recover, resume, and restore technology assets critical for us to operate. Our Enterprise Risk Management Committee is responsible for oversight of operational risk and oversees the implementation of the business continuity program as approved by the Board.


Company Information

Name: Federal Home Loan Bank of Cincinnati
CIK: 0001326771
SIC Description: Federal & Federally-Sponsored Credit Agencies
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30