Federal Home Loan Bank of New York - (FHLBNY)
10-K Filing Date: March 21, 2024
Cybersecurity Risk Management and Strategy
The Bank is subject to cybersecurity incident and threat risk. A cybersecurity incident is an unauthorized occurrence, or a series of related unauthorized occurrences, through information systems that jeopardizes the confidentiality, integrity, or availability of the Bank’s information systems or any information residing therein. Cybersecurity threats are potential unauthorized occurrences on or conducted through information systems that may result in adverse effects on the confidentiality, integrity, or availability of information systems or any information residing therein. Information systems are any electronic information resources, owned or used by the Bank, including physical or virtual infrastructure controlled by such information resources, or their components, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of the Bank’s information to maintain or support the Bank’s operations. Please refer to Item 1A. Risk Factors for a description of cybersecurity incident and threat risk. The Bank has implemented processes for assessing, identifying, and managing material risks from cybersecurity threats or incidents that may directly or indirectly impact the Bank’s business strategy, results of operations, or financial condition.
The Bank’s cybersecurity risk management framework for assessing, identifying, and managing material risks from cybersecurity threats is designed to protect the confidentiality, integrity, and availability of the Bank’s information technology assets and data under the Bank’s control.
Cybersecurity risk management is part of the Bank’s Enterprise Risk Management program which includes specific controls for the mitigation, monitoring and reporting associated with those risks. The program is supported by a robust set of policies and procedures, skilled staff, layered technical defenses, employee training, and oversight of third parties.
The Technology Committee of the Board of Directors (“Board”) also annually reviews and approves the Bank’s Information Security Policy.
The Bank’s Information Security Policy establishes administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of Bank information in accordance with the Gramm-Leach-Bliley Act and the interagency guidelines issued thereunder, and applicable laws.
The Bank’s cyber incident response plan determines how cybersecurity threats and incidents are identified, classified, and escalated, including for the purposes of reporting and providing relevant information to the Board. The cyber incident response plan also stipulates management’s assessment of the materiality of the threat or incident for the purposes of public disclosure.
The Bank’s business continuity program is designed to ensure that necessary resources are in place to protect the Bank from potential loss during a disruption, which includes the unavailability of information technology assets due to unintentional events like weather-related events, fire, power loss, and other technical incidents such as hardware failures. The business continuity program is overseen by the Technology Committee of the Board and includes, among other items, business impact analysis for developing effective plans and a disaster recovery plan to respond, recover, resume, and restore technology assets critical for us to operate. Elements of this plan may be leveraged in support of the recovery from a cyber incident that disables critical infrastructure.
The Bank leverages audits and external reviews to strengthen its program. Those reviews include internal audits and reviews by the Bank’s Risk Management function, SOX audits, penetration tests, and external benchmarking reviews based on the National Institute of Standards and Technology (“NIST”) and the International Organization for Standardization (“ISO”) standards. Those reviews assist the Bank in assessing, identifying, and managing cybersecurity incident and threat risk.
The Bank’s cyber incident response plan includes third-party cybersecurity incidents and threats. The Bank undertakes due diligence of the third-party systems with which the Bank will interact, in addition to requiring data protection covenants in its vendor agreements. The Bank’s vendor risk management program includes regular reviews and oversight of these service providers, including performance and technological reviews and escalation of any unsatisfactory reviews.
During the period covered by this report, risks from cybersecurity threats did not have a material impact on the Bank’s strategy, results of operations, or financial condition. The Bank has experienced minor cybersecurity incidents in the past, though none that have had a material effect on the Bank’s financial condition or results of operations.
It is inevitable that additional cybersecurity incidents will occur in the future and any such cybersecurity incident could result in significantly harmful consequences to the Bank, the Bank’s members, and their customers. We assess the materiality of any such cybersecurity incident from several perspectives including, but not limited to, the Bank’s ability to continue to service the Bank’s members and protect the privacy of the data their customers have entrusted to us, lost revenue, disruption of business operation, increased operating costs, litigation, and reputational harm.
Cybersecurity Governance
The Bank’s Board devotes significant time and attention to data and systems protection, including cybersecurity and information security risk. The Bank’s Board oversees the Bank’s information security program through setting of policies and principles including the Bank’s Information Security Policy and Enterprise Risk Management program. The Board oversees management’s approach to staffing, policies, processes, and practices to gauge and address cybersecurity and information security risk.
The Risk Committee of the Board has oversight of the Bank’s Risk Management Program which includes risks from cybersecurity threats within cybersecurity risk management. The Technology Committee of the Board has responsibility for the strategic design, direction and oversight of the Bank’s information and cybersecurity program.
The Bank’s Information Security Department is led by the Bank’s Chief Information Security Officer (“CISO”). The CISO reports to the Chief Information Officer (“CIO”), with an open line of communication to the Bank President. The Bank also has an internal cross-functional committee, the internal Technology and Operations Committee, which is responsible for, among other activities, overseeing information and cybersecurity risks and the steps taken by management to understand and mitigate such risk. This Committee reports to the Bank’s Management Committee.
The Bank’s Technology and Operations Committee is responsible for approving the Bank’s cyber incident response plan and other technical processes and standards that implement the policies and procedures defined in the cybersecurity risk management program. The Risk Management function is responsible for management of operational risk and for implementation of the cybersecurity risk management framework within the Risk Management Program as approved by the Board.
The Bank’s Technology and Operations Committee membership consists of members of the Bank’s leadership including the Bank’s CIO, CISO, other information technology and information security leadership, and leadership representatives from the Bank’s operational risk, information security, information technology, operations, and other departments throughout the Bank.
The Bank has an Information Security Department composed of specialized professionals that is responsible for the day-to-day, hands-on management of cybersecurity risk and that handles the processes and procedures to implement protective, proactive, and reactive measures to mitigate those risks and protect the Bank against them. The Bank’s Information Security Department is responsible for developing, documenting, and approving the Bank’s technical information security control standards, guidelines, and procedures designed to preserve the confidentiality, integrity, and availability of the Bank’s information technology assets and data under the Bank’s control.
The Bank’s CIO has over 35 years of experience in Financial IT and has overseen Information Security programs in large financial institutions since 2003.
The Bank’s CISO has held that position at the Bank since 2020 and has 30 years of experience in IT, including 18 years of experience in building and overseeing Information Security and Cybersecurity programs.
The Technology and Operations Committee receives regular and prompt information from the Information Security Department, as reported by the CISO, and in turn provides periodic, regular, and prompt reporting to the Management Committee on topics such as threat intelligence, major cybersecurity risk areas, technologies and best practices, and any cybersecurity incidents that may have impacted the Bank, as applicable and needed.
The Board receives prompt and timely information from the Bank’s CISO on any cybersecurity or information security incident that may pose significant risk to the Bank and continues to receive regular reports on the incident until its conclusion. The Bank’s Board receives regular presentations and reports throughout the year on cybersecurity and information security risk. These presentations and reports address a broad range of topics, including updates on technology trends, regulatory developments, legal issues, policies and practices, information security resources and organization, the threat environment and vulnerability assessments, and specific and ongoing efforts to prevent, detect, and respond to internal and external incidents and critical threats. At least quarterly, the Board discusses cybersecurity and information security risks with the Bank’s CIO and the Bank’s CISO.