FEDERAL AGRICULTURAL MORTGAGE CORP - (AGM)
10-K Filing Date: February 23, 2024
Item 1C. Cybersecurity
Risk Management and Strategy
Farmer Mac recognizes the importance of assessing, identifying, and managing risks associated with cybersecurity threats. These risks include the potential for:
•unauthorized access to or acquisition, destruction, alteration, release, theft, or loss of confidential, proprietary, or personal data;
•fraud or extortion;
•financial and economic loss or costs;
•errors in Farmer Mac’s financial statements;
•impairment of Farmer Mac’s liquidity;
•harm to employees, customers, or vendors;
•liability or service interruptions to customers;
•loss of customers or vendors;
•violation of data protection laws and other litigation and legal risk;
•increased regulatory or legislative scrutiny; and
•reputational damage.
Farmer Mac’s process to identify and assess material risks from cybersecurity threats operates alongside Farmer Mac’s broader overall risk assessment process that contemplates all company risks. As part of this process, appropriate personnel collaborate with subject matter specialists, as necessary, to gather information to identify and assess material cybersecurity threat risks, their severity, and potential mitigations.
Farmer Mac has implemented a variety of processes, technologies, and controls to aid in its efforts to identify, assess, and manage cybersecurity risks. Farmer Mac’s approach includes:
•an enterprise risk management program that includes cybersecurity risk assessment and management and is periodically refreshed;
•security reviews designed to identify risks from many new features, software, and vendors, including a security operations center to monitor our systems;
•a team of trained and experienced security professionals to investigate and remediate cybersecurity incidents;
•regular cybersecurity training for all employees and network users to raise and maintain awareness of cybersecurity risks and best practices;
•a vulnerability management program designed to identify vulnerabilities in the systems and software Farmer Mac uses;
•regular cybersecurity testing, including penetration testing on a periodic basis to allow security researchers to help identify vulnerabilities in Farmer Mac’s systems before they mature into real-world cybersecurity threats;
•a third-party service provider risk management program designed to identify and mitigate risks associated with third-party vendors and business partners, which includes pre-engagement diligence, contractual security and notification provisions, and ongoing monitoring, as appropriate;
•a threat intelligence program designed to model and research potential cybersecurity threat actors to identify vulnerabilities and anticipate attack vectors before they are exploited;
•cybersecurity controls designed to segment access to systems and to limit access to sensitive data; and
•patch management controls aimed at reducing system vulnerabilities.
These processes vary in maturity across the business, and Farmer Mac works continually to improve them.
Farmer Mac also maintains a privacy and security incident response program to prepare for, detect, respond to, and recover from cybersecurity incidents. That program includes processes to triage, assess severity for, escalate, contain, investigate, and remediate any cybersecurity incident, as well as to comply with any applicable legal obligations and to mitigate brand and reputational damage. Farmer Mac also conducts regular tabletop exercises to test and fortify the controls of its cybersecurity incident response program. Farmer Mac’s security operations center and incident response team assesses the severity and priority of incidents on a rolling basis, with escalations of cybersecurity incidents provided to Farmer Mac’s management team. If a cybersecurity incident is determined to be a material cybersecurity incident, Farmer Mac’s incident response plan defines the process for any required regulatory disclosures.
Farmer Mac’s risk management approach is supplemented by external and internal enterprise risk management audits, which are designed to test the effectiveness of Farmer Mac’s security controls. Prior cybersecurity incidents have not materially affected Farmer Mac's business strategy, results of operations, or financial condition. Farmer Mac does not believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect its business strategy, results of operations, or financial condition, although the occurrence of both intentional and unintentional incidents could cause a variety of adverse business impacts in the future. For more information on Farmer Mac's cybersecurity risks, see "Operational Risks" in "Risk Factors" in Part I, Item 1A of this report. Those disclosures are incorporated by reference in this section.
Governance
Farmer Mac’s board of directors is actively involved in overseeing the company's cybersecurity risk management. At least once a year, the full board of directors meets with Farmer Mac’s Chief Information Security Officer (“CISO”) to discuss Farmer Mac’s programs and policies related to cybersecurity and risk initiatives and considers them closely both from a risk management perspective and as part of Farmer Mac’s business strategy.
The board has created a dedicated cybersecurity subcommittee of the enterprise risk committee to oversee Farmer Mac’s cybersecurity programs and practices, including the identification and mitigation of security and privacy risks. The cybersecurity subcommittee consists of three members of the enterprise risk committee. Two members of that subcommittee have successfully completed the National Association of Corporate Directors (“NACD”) certificate in cyber-risk oversight program. The other member of the subcommittee is the CEO of an energy company and has direct experience managing cyber risk and cybersecurity incidents in that capacity. The chair of the board audit committee has also successfully completed the NACD certificate in cyber-risk oversight program (but is not a member of the cybersecurity subcommittee). The cybersecurity subcommittee typically meets on a monthly basis with the CISO and other members of Farmer Mac's management team to discuss the performance and effectiveness of Farmer Mac's cyber program and to receive updates on cybersecurity risks, any cybersecurity incidents, and major cybersecurity initiatives.
The materials provided to Farmer Mac’s cybersecurity subcommittee and discussed in the meetings include:
•updates on Farmer Mac’s data security posture;
•results from third-party assessments and testing;
•progress towards predetermined risk-mitigation-related goals;
•Farmer Mac’s incident response plan; and
•information about cybersecurity threat risks or incidents and developments, as well as the steps management has taken to respond to those risks or incidents.
At each regular quarterly meeting of the board enterprise risk committee, the cybersecurity subcommittee reviews a summary of the information discussed in the most recent cybersecurity subcommittee meetings. The board of directors has determined that cybersecurity is a priority area of focus and regularly engages with the CISO and other members of senior management in substantial discussions in board and committee meetings to address cybersecurity topics relating to risk management, compliance, strategy, innovation, and governance. Material cybersecurity threat risks are also considered during separate board and committee meeting discussions of important matters like enterprise risk management, operational budgeting, business continuity planning, business transactions and acquisitions, and brand management.
Farmer Mac’s CISO manages Farmer Mac’s cybersecurity program, including the identification, evaluation, and prioritization of security risks, as well as the company’s response to security incidents. The CISO has more than 19 years of experience in cybersecurity and information technology and holds a Master’s degree in Business Administration with a focus on Information Technology. The CISO also holds a Certified Information Security Manager (CISM) certification, which is an advanced certification indicating that an individual possesses the knowledge and experience required to develop and manage an enterprise information security program. The CISO reports to Farmer Mac's Senior Vice President – Enterprise Risk Officer, who in turn reports to the Chief Executive Officer.
Members of senior management have regular meetings with the CISO and other members of Farmer Mac's information technology team to discuss and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents. The participants in these meetings also discuss their management of, and participation in, the cybersecurity risk management and strategy processes described in this report, including the operation of Farmer Mac’s incident response plan. Farmer Mac provides quarterly cybersecurity training to all employees, board members, and users of Farmer Mac's technology assets. Employees with elevated privileges within the computing environment also receive specialized training tailored to their job responsibilities. Farmer Mac tracks the metrics from the cybersecurity training program and includes the results in dashboard reports shared and discussed with senior management, the board enterprise risk committee, and the board cybersecurity subcommittee.