FEDERAL NATIONAL MORTGAGE ASSOCIATION FANNIE MAE - (FNMA)
10-K Filing Date: February 15, 2024
Item 1C. Cybersecurity
Cybersecurity Risk Management and Strategy
Overview
Cybersecurity risk management represents a critical component of our overall approach to risk management.
Information security risks for large institutions like us have continued to significantly increase and we and the third
parties with which we do business have been, and we expect will continue to be, the target of cyber attacks and other
information security threats. These risks are an unavoidable result of conducting our business, and managing these
risks is an inherent part of our business activities. We describe the cybersecurity risks we face in “Risk Factors—
Operational and Model Risk.”
Cybersecurity Risk Management Program
We have developed and continue to enhance our cybersecurity risk management program as we seek to protect the
security of our computer systems, software, networks and other technology assets against unauthorized attempts to
access confidential information and data or to disrupt or degrade business operations. Our cybersecurity risk
management program has evolved based on the changing needs of our business, the evolving threat environment and
FHFA regulatory guidance.
We design and assess our cybersecurity risk management program based on the National Institute of Standards and
Technology Framework for Improving Critical Infrastructure Cybersecurity (the “NIST Cybersecurity Framework”). While
we generally consult the NIST Cybersecurity Framework when designing and assessing our cybersecurity risk
management program, we have not implemented and do not plan to implement all categories and subcategories
included in the framework. We use the framework as a guide to help us identify, assess and manage cybersecurity risks
relevant to our business based on our current understanding of the cybersecurity threat environment.
In 2023, we conducted our most recent maturity assessment of our use of the NIST Cybersecurity Framework to
manage our cybersecurity risk. These assessments measure the extent to which we have implemented the framework’s
categories and subcategories, but do not specifically assess the effectiveness of our cybersecurity program. Based on
these assessments, we develop select improvements to our cybersecurity risk management program to help ensure we
maintain a program designed to align to industry benchmarks and financial services peers.
Integration into Enterprise Risk Management Framework
Our cybersecurity risk management program is integrated into our overall Enterprise Risk Management framework. Our
Enterprise Response Framework establishes the reporting structure and escalation process for managing all enterprise
incidents, including cybersecurity-related incidents. The framework defines the relationship and notification steps among
the various crisis management stakeholders, including the Board of Directors, the Management Committee, the CEO,
other members of the executive leadership team, the crisis manager and crisis management coordinators. See
“Cybersecurity Governance—Management Role” for a description of the oversight role of the Enterprise Risk
Management division, Internal Audit and the management-level Technology Risk Committee and Enterprise Risk
Committee relating to cybersecurity risk management.
Cybersecurity Risk Management Strategy
Overview and Goal. Fannie Mae has a multilayered cybersecurity defense strategy. We take a risk-based approach that
prioritizes and attempts to plan for the highest impact events first. Our cybersecurity threat operations operate with the
goal of identifying, preventing, and mitigating cybersecurity threats and responding to cybersecurity incidents in
accordance with incident response and recovery plans.
Tools and Safeguards. As part of our cybersecurity defense strategy, we employ tools and systems safeguards intended
to help secure our networks, applications, data and infrastructure, and to manage cybersecurity vulnerabilities. These
Fannie Mae 2023 Form 10-K | 45 |