FEDERAL NATIONAL MORTGAGE ASSOCIATION FANNIE MAE - (FNMA)

Fannie Mae 2023 Form 10-K, Filing Date: February 15, 2024
Item 1C.  Cybersecurity
Cybersecurity Risk Management and Strategy
Overview
Cybersecurity risk management represents a critical component of our overall approach to risk management.
Information security risks for large institutions like us have continued to increase significantly, and we and the third
parties with which we do business have been, and we expect will continue to be, the target of cyber attacks and other
information security threats. These risks are an unavoidable result of conducting our business, and managing these
risks is an inherent part of our business activities. We describe the cybersecurity risks we face in “Risk Factors—
Operational and Model Risk.”
Cybersecurity Risk Management Program
We have developed and continue to enhance our cybersecurity risk management program as we seek to protect the
security of our computer systems, software, networks and other technology assets against unauthorized attempts to
access confidential information and data or to disrupt or degrade business operations. Our cybersecurity risk
management program has evolved based on the changing needs of our business, the evolving threat environment and
FHFA regulatory guidance.
We design and assess our cybersecurity risk management program based on the National Institute of Standards and
Technology Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Cybersecurity Framework”). While
we generally consult the NIST Cybersecurity Framework when designing and assessing our cybersecurity risk
management program, we have not implemented and do not plan to implement all categories and subcategories
included in the framework. We use the framework as a guide to help us identify, assess and manage cybersecurity risks
relevant to our business based on our current understanding of the cybersecurity threat environment.
In 2023, we conducted our most recent maturity assessment of our use of the NIST Cybersecurity Framework to
manage our cybersecurity risk. These assessments measure the extent to which we have implemented the framework’s
categories and subcategories, but do not specifically assess the effectiveness of our cybersecurity program. Based on
these assessments, we develop select improvements to our cybersecurity risk management program to help ensure we
maintain a program designed to align to industry benchmarks and financial services peers.
Integration into Enterprise Risk Management Framework
Our cybersecurity risk management program is integrated into our overall Enterprise Risk Management framework. Our
Enterprise Response Framework establishes the reporting structure and escalation process for managing all enterprise
incidents, including cybersecurity-related incidents. The framework defines the relationship and notification steps among
the various crisis management stakeholders, including the Board of Directors, the Management Committee, the CEO,
other members of the executive leadership team, the crisis manager and crisis management coordinators. See
“Cybersecurity Governance—Management Role” for a description of the oversight role of the Enterprise Risk
Management division, Internal Audit and the management-level Technology Risk Committee and Enterprise Risk
Committee relating to cybersecurity risk management.
Cybersecurity Risk Management Strategy
Overview and Goal. Fannie Mae has a multilayered cybersecurity defense strategy. We take a risk-based approach that
prioritizes and attempts to plan for the highest-impact events first. Our cybersecurity threat operations are conducted with
the goal of identifying, preventing and mitigating cybersecurity threats and responding to cybersecurity incidents in
accordance with incident response and recovery plans.
Tools and Safeguards. As part of our cybersecurity defense strategy, we employ tools and systems safeguards intended
to help secure our networks, applications, data and infrastructure, and to manage cybersecurity vulnerabilities. These
safeguards include network and perimeter defense, infrastructure security, endpoint protection, data protection, identity
management and network segmentation. We work to evaluate and improve on these tools and safeguards through
periodic cybersecurity assessments and the integration of cybersecurity threat intelligence.
Backup Data Storage. We have both internal and external third-party backup data storage to help protect our data from
cybersecurity incidents. We test our backup restoration process on a regular basis.
Response Plans and Procedures. We maintain cybersecurity incident response procedures that identify the activities
and escalation processes to be implemented upon detection of a cybersecurity incident, and we routinely practice these
activities and processes. We also have business and technology continuity plans and a crisis management plan, which
we test on a regular basis.
Training. We provide mandatory cybersecurity training to employees and contractors on an annual basis. Employees
also have access to supplemental online cybersecurity training. We test our employees’ response to simulated phishing
scenarios on a regular basis.
Assessments. We examine the effectiveness of our cyber defenses through various means, including internal audits,
targeted testing, maturity assessments, incident response exercises and industry benchmarking.
Insurance Coverage. We maintain insurance coverage relating to cybersecurity risks. As described in “Risk Factors—
Operational and Model Risk,” our insurance may not be sufficient to provide adequate loss coverage in all
circumstances.
Role of External Consultants, Vendors and Other Third Parties
We regularly use external consultants and vendors to assist in our management of cybersecurity risks:
• We regularly employ third parties to evaluate the security of our networks, including engaging an external
vendor to conduct penetration testing against our network.
• We engage an external vendor to review and test our cybersecurity incident response plan on at least an
annual basis, including to assist with incident response exercises.
• We engage a third party to assess the design of our cybersecurity controls and control environment, including
assisting with our 2023 NIST Cybersecurity Framework maturity assessment.
• We have external vendors on retainer to assist with cybersecurity incident response activities.
External assessments have identified gaps and suggested enhancements that we consider when making changes to
our cybersecurity risk management program.
We are also focused on building strong relationships with the appropriate government and law enforcement agencies
and with other businesses, industry groups and cybersecurity services to better understand the cybersecurity risks in
our environment, enhance our defenses and improve our resiliency against cybersecurity threats.
Third-Party Cybersecurity Risk Oversight
Our cybersecurity risk management program extends to oversight of third parties that pose a cybersecurity risk to us,
including lenders that use our systems and third-party service providers. In alignment with the NIST Cybersecurity
Framework and FHFA regulatory guidance, we have established a risk-based framework for managing third-party risk
that defines specified triggers for assessing and reporting cyber-related third-party risks and events. Pursuant to this
framework, we have implemented both preventive and detective controls to mitigate cybersecurity risks posed by third
parties.
We have identified certain third parties that pose a higher cybersecurity risk to us because they have significant access
to our systems or data. For these higher-risk third parties, we have implemented additional requirements, including:
• We assess these higher-risk third parties’ cybersecurity controls through a cybersecurity questionnaire and a
review of their cybersecurity controls, either through independent audits or by direct review of their
cybersecurity policies and practices.
• We use third-party cybersecurity monitoring and alert services to monitor these higher-risk third parties.
• We conduct periodic monitoring reviews of these higher-risk third parties’ cybersecurity policies and practices.
Cybersecurity Governance
Overview
We follow a cross-functional approach to addressing the risk from cybersecurity threats, involving management
personnel from our technology, operations, legal, enterprise risk management, internal audit and other key business
functions in an ongoing dialogue regarding cybersecurity threats and incidents. As described in “Board Oversight”
below, we also regularly report to the Board and the Risk Policy and Capital Committee of the Board on cybersecurity
risk matters. We have implemented controls and procedures for the escalation of cybersecurity incidents so that
decisions regarding the disclosure and reporting of such incidents can be made in a timely manner.
Board Oversight
Cybersecurity risk management is overseen by the full Board of Directors and by the Risk Policy and Capital Committee
of the Board. While the Board maintains oversight of cybersecurity risk, the Board has delegated oversight authority at
the management level for risk-related matters, including cybersecurity risk matters, to the Enterprise Risk Committee, as
described under “Management Role” below.
The Board and the Risk Policy and Capital Committee generally engage in discussions throughout the year with
management on cybersecurity risk matters. The Chief Information Security Officer and other members of the
management team provide reports to the Board and the Risk Policy and Capital Committee on cybersecurity risk
matters on a regular basis, including updates on our cybersecurity risk management program, recent developments in
cybersecurity and privacy regulation, evolving standards, third-party reviews, general technological trends, information
security considerations with respect to the company’s peers and third parties, the external threat environment, and the
steps the company is taking to address and mitigate the risks associated with the evolving cybersecurity threat
environment. Management also discusses cybersecurity developments with the Chair of the Risk Policy and Capital
Committee and other Board members between Board and committee meetings, as appropriate. The company has
procedures to escalate information regarding certain cybersecurity incidents to the Board Chair. At least annually, the
Board reviews and approves the company’s Cybersecurity Risk Policy and Operational Risk Policy.
Management Role
Our Information Security organization, which is headed by our Chief Information Security Officer, has primary
responsibility for assessing and managing our cybersecurity risks. Our Chief Information Security Officer is the member
of our management team who is principally responsible for overseeing the company’s cybersecurity risk management
program.
The Information Security organization works collaboratively across the company to protect the company’s information
systems from cybersecurity threats and to respond to cybersecurity threats and incidents. The Information Security
organization monitors information systems to detect anomalies, including attempted cyber attacks, as well as user
activity for access controls and risks of insider threat. The Information Security organization also monitors and
investigates cybersecurity incidents through detection tools, reports from end-users, and other cybersecurity threat and
vulnerability intelligence. The Information Security organization also shares and obtains information on cybersecurity
threats through participation in the Financial Services Information Sharing and Analysis Center, referred to as FS-ISAC,
a member-driven organization that advances cybersecurity and resilience in the global financial system.
As appropriate, multidisciplinary teams are deployed to address cybersecurity threats and to respond to cybersecurity
incidents in accordance with the company’s incident response processes. The Information Security organization and
Enterprise Risk Management are informed about and monitor the prevention, detection and mitigation of cybersecurity
incidents through risk and control assessments, targeted reviews, scenario analysis, and monitoring of risk metrics. The
company’s performance in managing cybersecurity risk is reported to the Technology Risk Committee, the Enterprise
Risk Committee and the Board of Directors.
As noted above, the Board has delegated oversight responsibility at the management level for risk-related matters to the
Enterprise Risk Committee. The Enterprise Risk Committee has delegated primary responsibility for management-level
oversight of cybersecurity risk management to the Technology Risk Committee. The Technology Risk Committee
receives reports on cybersecurity risk matters on a regular basis from the company’s Chief Information Security Officer.
The Technology Risk Committee reviews and approves the company’s management-level cybersecurity risk policies
and standards. The Technology Risk Committee also reviews and monitors metrics relating to cybersecurity risk. The
Technology Risk Committee escalates matters to the Enterprise Risk Committee as appropriate.
The company’s Enterprise Risk Management division provides risk-based independent oversight of cybersecurity risk
management performed by the Information Security organization. The Technology Risk Committee and Enterprise Risk
Committee are each chaired by a member of the Enterprise Risk Management division.
The company’s Internal Audit organization audits the Enterprise Risk Management division’s oversight of cybersecurity
risk management and also independently tests the effectiveness of the company’s cybersecurity risk management and
governance. Members of the Internal Audit organization participate as non-voting members of both the Technology Risk
Committee and the Enterprise Risk Committee.
Management Expertise
CISO
Our Chief Information Security Officer has nearly 20 years of professional experience in information security, including
over 7 years as Fannie Mae’s Chief Information Security Officer and 1 year as Fannie Mae’s Deputy Chief Information
Security Officer. Our Chief Information Security Officer holds a graduate degree in information technology management.
Technology Risk Committee
Members of the Technology Risk Committee include officers with expertise in cybersecurity risk oversight, such as the
Chief Information Security Officer described above, the head of our Technology Risk Oversight department, and the
Chief Technology Officer. As of December 2023, approximately three-quarters of the members of the Technology Risk
Committee had prior work experience in cybersecurity, a relevant degree or certification, or other knowledge, skills or
background in cybersecurity.
Enterprise Risk Committee
Members of the Enterprise Risk Committee include senior leaders throughout the company, including our Chief Risk
Officer (who chairs the Committee and is the head of our Enterprise Risk Management division), Chief Executive Officer,
Chief Financial Officer, General Counsel, Head of Multifamily Business, Head of Single-Family Business, and Chief
Information Officer. In addition, our Chief Audit Executive is a non-voting member of the Enterprise Risk Committee. As
of December 2023, more than half of the members of the Enterprise Risk Committee had prior work experience in
cybersecurity or other knowledge, skills or background in cybersecurity.
Impact of Risks from Cybersecurity Threats
As noted above, we and the third parties with which we do business have been, and we expect will continue to be, the
target of cyber attacks and other information security threats. To date, risks from cybersecurity threats, including as a
result of previous cybersecurity incidents, have not materially affected our business, including our business strategy,
results of operations or financial condition. However, large-scale cyber attacks perpetrated against other companies in
recent years suggest that the risk of damaging cyber attacks is increasing. As a result, we continue to invest in our
cybersecurity infrastructure, including investment in prevention capabilities and response readiness.
Notwithstanding our efforts to manage cybersecurity risks as described above, we may not be successful in preventing
or mitigating a cybersecurity incident that could have a material adverse effect on our business, including our business
strategy, results of operations and financial condition. Cybersecurity threats are constantly evolving and we may not be
able to anticipate, detect or recognize cybersecurity threats to our systems and assets, or to implement effective
preventive measures against all cybersecurity threats, especially because the techniques used in cyber attacks are
increasingly sophisticated, change frequently, are complex, and are often not recognized until launched. We routinely
identify cybersecurity threats as well as vulnerabilities in our systems and work to address or mitigate those we have
identified; however, some cybersecurity vulnerabilities take a substantial amount of time to resolve or mitigate and
therefore we continue to have cybersecurity vulnerabilities that we have identified but not resolved or mitigated. As a
result, we could experience a cybersecurity incident that materially affects our business in a quarterly or annual fiscal
period. See “Risk Factors—Operational and Model Risk” for additional discussion of cybersecurity risks to our business.