Federal Home Loan Bank of Dallas 10-K Cybersecurity GRC - 2024-03-21

Page last updated on April 11, 2024

Federal Home Loan Bank of Dallas reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-21 16:17:42 EDT.

Filings

10-K filed on 2024-03-21

Federal Home Loan Bank of Dallas filed a 10-K at 2024-03-21 16:17:42 EDT
Accession Number: 0001331757-24-000057


Item 1C. Cybersecurity.

ITEM 1C. CYBERSECURITY

The Bank relies heavily on its information systems and other technology to conduct and manage its business and, as a result, it is subject to cybersecurity threat risk. Cybersecurity threats include potential unauthorized occurrences on or conducted through the Bank's information systems that may result in adverse effects on the confidentiality, integrity, or availability of its information systems or any information residing therein. Cybersecurity threat risks include, but are not limited to, malicious software or the exploitation of vulnerabilities, social engineering (e.g., phishing), denial-of-service attacks, viruses, and/or malware. As further described below, the Bank has implemented processes for assessing, identifying, and managing material risks from cybersecurity threats that are designed to protect the confidentiality, integrity, and availability of its information technology assets and data.

Cybersecurity Risk Management and Strategy

The Bank's approach to cybersecurity risk management relies upon having the right people, processes, and technology in place to identify, protect, detect, respond, and recover from cybersecurity threats/incidents. The Bank's cybersecurity program aligns with industry standards, specifically the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework and the NIST 800-53 control framework. The effectiveness of the Bank's cybersecurity program is measured through internal and external audits, Finance Agency regulatory oversight and other third-party control and compromise assessments such as periodic penetration tests and various security assessments. In addition, the Bank's cybersecurity program includes processes and technologies that enhance its ability to detect and respond to cybersecurity threats, including the use of automation, threat intelligence feeds, robust incident response procedures and frequent vulnerability scans and remediation.

The Bank's Vulnerability Management Group, which is comprised of members from Information Technology (“IT”) Security, IT Infrastructure and Operational Risk Management, meets regularly to discuss details of the Bank's vulnerability management program including, but not limited to, current threats and vulnerabilities, patching status, upcoming technology changes, and current issues or concerns, if any. The Bank's IT Security Program and policies establish safeguards to protect data and information that is used by the Bank's employees, independent contractors, and vendors. The goal of the Bank's cybersecurity risk management processes is to maintain and safeguard the confidentiality and integrity of the Bank's data, and to ensure system availability to protect against cybersecurity threats and vulnerabilities. The Bank maintains IT security policies that are reviewed at least annually and approved by the Bank's Chief Information Officer (“CIO”), appropriate management committees and, for its critical policies, the Bank's Board of Directors. To help ensure the effectiveness of the Bank's IT security policies, all employees are required to participate in annual IT security training and to review and acknowledge the Bank's IT security policies. The Bank maintains an Enterprise Risk Management Framework which is updated and approved at least annually by its Board of Directors. The framework outlines the methodology and elements that are used to manage Bank-wide risks, including cybersecurity risks, and it assigns responsibilities for the Bank's enterprise risk management. The Bank's IT Security department measures cybersecurity risks by way of risk assessments that utilize a scale which includes both the likelihood and impact of risk occurrence. The scale used to measure likelihood and impact is tied to the criteria contained in the Bank's Enterprise Risk Management Framework.

The Bank also maintains Incident Response policies and procedures that are invoked in the event of a security breach or incident and which provide, among other things, guidance for the purpose of managing and executing the appropriate level of communication to executive management, the Board of Directors, government agencies, and/or the Finance Agency. The Bank has a Business Continuity Program that sets forth the actions that would be taken to recover business processes in a timely manner in the event of a disruption. The Bank regularly tests its Business Continuity Plan to ensure its relevance and viability. Representatives from the Bank's Business Continuity team work closely with the Bank's business units and IT to help ensure that critical resources are available in the event of an interruption. To ensure its preparedness, the Bank updates its Business Continuity Plan semiannually. In addition, the Bank evaluates and analyzes threat scenarios, and it conducts periodic exercises to demonstrate the Bank's ability to run production systems from an alternate location and to seamlessly return to using production systems at its primary operations centers. The Bank's vendors are subject to a formal vendor management process which includes an assessment of vendor risks (including cybersecurity risks) and ongoing monitoring. When warranted, the Bank seeks independent third-party reports related to the performance of its vendors, such as System and Organization Controls (“SOC”) reports that are issued in accordance with Statement on Standards for Attestation Engagements No. 18. While risks from cybersecurity threats have not materially affected nor are they currently expected to materially affect the Bank's business strategy, financial condition or results of operations, the Bank has invested and expects to continue to invest significant resources to maintain and enhance its cybersecurity program.

Cybersecurity Governance

The Bank's cybersecurity program is managed by its Chief Information Security Officer (“CISO”) with oversight from executive management and the Bank's Board of Directors. The CISO reports to both the Bank's CIO and its Chief Risk Officer (“CRO”). The Bank's CISO has over 20 years of experience serving in various IT roles, and he maintains a number of technology and cloud certifications, including the Certified Information Systems Security Professional certification. The Bank's IT Infrastructure team, led by the Director of Cloud Infrastructure, is responsible for the hands-on configuration and patch management of the Bank's information systems to ensure the security, reliability, and availability of those systems. The team is comprised of information system and cloud professionals that hold various certifications in systems administration and cloud computing. The Bank's Operational Risk Oversight Committee (“OROC”), led by the CRO, provides oversight of the Bank's operational risk, including cybersecurity risk. OROC meets quarterly and is comprised of senior leaders from the IT (including Security), Legal, Accounting, and Operational Risk Management departments, among others. In addition, matters of cybersecurity importance relating to specific IT projects are discussed and addressed in the Bank's Information Technology Steering Committee, which is led by the CIO and is comprised of senior leaders from across the Bank. The Bank's CISO provides quarterly reports to OROC which include vulnerability management and security incident metrics, the status of security awareness training (including phish-testing results), and the status of any risk-accepted items and remediations. The quarterly reports also include any significant findings from audits, third-party security assessments, and penetration tests. Monthly, the CISO briefs the CRO, CIO, and the Bank's Chief Executive Officer regarding any significant IT security items.

The Bank's CISO periodically updates the Board of Directors regarding the Bank's cybersecurity program, including current risks and metrics, the evolving external threat landscape and the results of the Bank's security awareness training. The Risk Management Committee of the Board of Directors, the Board committee that is primarily responsible for the oversight of risks from cybersecurity threats, is briefed quarterly on cybersecurity risks and receives information and metrics that are similar to the information and metrics provided to OROC. In addition, the Board's Strategic Planning, Operations and Technology Committee is briefed, as needed, on security matters relating to specific IT projects. Monthly, the Board of Directors receives an IT status dashboard which includes, among other things, IT security metrics regarding phish-training and vulnerability management. Annually, the CISO prepares the Bank's Annual State of Security report which is provided to executive management, OROC, and the Board of Directors. The report provides data on, and insights into, the top security concerns facing the Bank, such as shifts in the threat landscape, high-priority threats, and trends affecting the banking industry, in addition to security-specific technology changes which have occurred during the current year that could impact the overall risk to the Bank. The report also includes an assessment of the upcoming threats that the Bank could potentially face over the course of the next year and includes recommendations designed to mitigate those threats.


Company Information

Name: Federal Home Loan Bank of Dallas
CIK: 0001331757
SIC Description: Federal & Federally-Sponsored Credit Agencies
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30