Page last updated on August 5, 2025
NATIONAL RURAL UTILITIES COOPERATIVE FINANCE CORP /DC/ reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-08-05 14:01:08 EDT.
Filings
10-K filed on 2025-08-05
NATIONAL RURAL UTILITIES COOPERATIVE FINANCE CORP /DC/ filed a 10-K at 2025-08-05 14:01:08 EDT
Accession Number: 0000070502-25-000211
Item 1C. Cybersecurity.
Overview
Cybersecurity risk management is a core component of our enterprise risk-management framework. Cybersecurity incidents and threats pose a risk to the disruption of our business operations, including the confidentiality, integrity and availability of data and information. CFC’s cybersecurity program is designed to manage operational risks associated with the ever-evolving nature of cybersecurity threats. Because these risks could have a material adverse impact on our operations and reputation, both management and the CFC Board of Directors are actively engaged in the oversight of the cybersecurity program and our continuous efforts in monitoring, measuring and managing the risks.
Risk Management and Strategy
The primary goal of CFC’s cybersecurity operations is to prevent, identify, mitigate and respond on a timely basis to cybersecurity threats in order to reduce operational risk and business impact. Our strategy encompasses technology, process and people. The technology components are designed to provide multiple layers of system security, controls and monitors for our infrastructure, data and applications. Our security infrastructure and resources are focused on the monitoring of threats and the defense of our external and internal networks, endpoints, data resources and identity management.
We use risk-based processes to prioritize the resources that manage vulnerabilities, threats, incident responses and operational changes. The risk-based approach ensures we are taking action on the threats, events and incidents that have the highest likelihood of impacting our business and members.
We maintain cybersecurity incident procedures that identify the activities, responses and escalation procedures to be executed upon detection of a potential cybersecurity incident. These procedures are a critical component of CFC’s Crisis Management Plan and business continuity efforts.
We continue to invest in our cybersecurity program to help ensure that we have the necessary resources to execute our business operations and that our workforce is prepared to work in an active cyber-threat environment. These resources also include external service providers with experience in third-party risk monitoring and cybersecurity threat intelligence, detection and response. Mandatory training is required on a quarterly basis for all CFC employees to promote leading practices in protecting information, data and operations in a continually changing environment. We established requirements regarding the use of company-approved generative artificial intelligence tools to ensure that all employees utilize such tools in a manner that safeguards sensitive information and aligns with legal requirements and CFC’s ethical standards.
The effectiveness of our cybersecurity operations is regularly examined and tested by third-party vendors who specialize in cybersecurity risk management. We regularly employ such vendors to test the effectiveness of our security controls, including penetration testing. External vendors are engaged at least on an annual basis to facilitate incident response exercises and training. We use external risk management services to assess and monitor cybersecurity risk associated with third-party service providers. Finally, we review the maturity of our program’s design and control environment’s effectiveness through regular internal assessments and examinations.
Governance
Our board of directors oversees the company’s cybersecurity risk-management program. Management reports at least quarterly to the board on matters related to CFC’s security operations, potential threats, industry-wide trends and any other related information requested by the board. The reports include information on significant cybersecurity incidents, if any, and management actions to protect CFC.
We promptly notify the board of directors upon the occurrence of a significant cybersecurity incident so it may properly evaluate the incident, including management’s remediation plan. In addition to the regular cybersecurity program reports, the board monitors cybersecurity risk and program effectiveness through internal audit and our enterprise risk management reporting framework. On an annual basis, members of our staff responsible for cybersecurity provide the board an overview of the company’s technology strategy and planned activities to continually improve the cybersecurity program, as well as threats and cybersecurity incidents. Further, on at least an annual basis, the board of directors reviews management reports concerning the disclosure controls and procedures in place to enable CFC to make accurate and timely disclosures about any material cybersecurity incidents.
Role of Management
Management is directly involved in steering the company’s cybersecurity program employing a multi-disciplinary approach that operates through a “three lines of defense” model. Management’s approach helps ensure the organization works collaboratively to monitor, assess and respond to cybersecurity incidents at all levels and functions consistent with our incident response procedures and corporate practices.
Our first line of defense includes our cybersecurity team led by our Director, Information Security, who work to ensure that the day-to-day execution of the company’s technology and security operations are in alignment with corporate policies and procedures. Our Director, Information Security, who reports to our Chief Operating Officer (“COO”), has over a decade of information security management experience and is a Certified Information Systems Security Professional.
Our COO and Director, Information Security are also responsible for information security policies, organizational readiness and the escalation of certain cybersecurity incidents from our cybersecurity personnel to senior management based on our incident response procedures.
Our second line of defense includes our Cybersecurity Committee and the enterprise risk-management framework under the direction of the Chief Risk Officer to monitor cybersecurity functions and risk management. Our Cybersecurity Committee is composed of members of management including, but not limited to, the COO, Chief Risk Officer, General Counsel and Vice President, Internal Audit. The Cybersecurity Committee helps ensure corporate policy compliance and reports directly to the board of directors regarding material cybersecurity incidents and emerging threats.
Our third line of defense is the internal audit function led by our Vice President, Internal Audit, which plays a crucial role by providing independent and objective assurances on the design and operating effectiveness of our cybersecurity risk management and internal controls through the performance of audits and reviews. Internal Audit engages external consultants and subject matter experts as appropriate to assist in the assessment of management’s cybersecurity program and reports the results directly to the board.
We have not experienced any material cybersecurity incidents that have impacted our business, results of operations or financial condition to date. See “Item 1A. Risk Factors” for a discussion of our risks related to cybersecurity.
Company Information
Name | NATIONAL RURAL UTILITIES COOPERATIVE FINANCE CORP /DC/ |
CIK | 0000070502 |
SIC Description | Miscellaneous Business Credit Institution |
Ticker | NRUC - NYSE |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | May 30 |