Page last updated on February 14, 2025
FEDERAL NATIONAL MORTGAGE ASSOCIATION FANNIE MAE reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-14 06:46:14 EST.
Filings
10-K filed on 2025-02-14
FEDERAL NATIONAL MORTGAGE ASSOCIATION FANNIE MAE filed a 10-K at 2025-02-14 06:46:14 EST
Accession Number: 0000310522-25-000199
Item 1C. Cybersecurity.
Cybersecurity Risk Management and Strategy
Overview
Cybersecurity risk is a key operational risk that we face; therefore, managing cybersecurity risk is an inherent part of our business activities. We describe the material cybersecurity risks we face in "Risk Factors - Operational and Model Risk."
Cybersecurity Risk Management Program
We have developed and continue to enhance our cybersecurity risk management program as we seek to protect the security of our information systems, software, networks and other technology assets against unauthorized attempts to access confidential information and data or to disrupt or degrade business operations. Our cybersecurity risk management program has evolved, and continues to evolve, based on the changing needs of our business, the evolving threat environment and FHFA regulatory guidance. We design and assess our cybersecurity risk management program based on the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (the "NIST Cybersecurity Framework"). While we generally consult the NIST Cybersecurity Framework when designing and assessing our cybersecurity risk management program, we have not implemented and do not plan to implement all categories and subcategories included in the framework. We use the framework as a guide to help us identify, assess and manage cybersecurity risks relevant to our business based on our current understanding of the cybersecurity threat environment.
Integration into Enterprise Risk Management Framework
Our cybersecurity risk management program is integrated into our overall Enterprise Risk Management framework, which is described in "MD&A-Risk Management-Overview." Our Enterprise Response Framework establishes the reporting structure and escalation process for managing all enterprise incidents, including cybersecurity-related incidents. The framework defines the relationship and notification steps among the various crisis management stakeholders, including the Board of Directors, the Management Committee, the President and CEO, other members of the executive leadership team, the crisis manager and crisis management coordinators. See "Cybersecurity Governance-Management Role" for a description of the oversight role of the Corporate Risk & Compliance division, Internal Audit and the management-level Technology Risk Committee and Enterprise Risk Committee relating to cybersecurity risk management.
Cybersecurity Risk Management Strategy
Overview and Goal. Fannie Mae has a multilayered cybersecurity defense strategy. We take a risk-based approach that prioritizes the highest impact events. Our cybersecurity threat operations operate with the goal of identifying, preventing, and mitigating cybersecurity threats and responding to cybersecurity incidents in accordance with incident response and recovery plans.
Tools and Safeguards. As part of our cybersecurity defense strategy, we employ tools and systems safeguards intended to help secure our networks, applications, data and infrastructure, and to manage cybersecurity vulnerabilities. These safeguards include network and perimeter defense, infrastructure security, cloud security, endpoint protection, data protection, identity management and network segmentation. We work to evaluate and improve on these tools and safeguards through periodic cybersecurity assessments and the integration of cybersecurity threat intelligence.
Backup Data Storage. We have both internal and external third-party backup data storage to help protect our data from cybersecurity incidents. We test our backup restoration process on a regular basis.
Response Plans and Procedures. We maintain cybersecurity incident response procedures that identify the activities and escalation processes to be implemented upon detection of a cybersecurity incident, and we routinely practice these activities and processes. We also have business and technology continuity plans and a crisis management plan, which we test on a regular basis.
Training. We provide mandatory cybersecurity training to employees and contractors on an annual basis. We test our employees' response to simulated phishing scenarios on a regular basis. We also conduct enhanced training for certain groups of employees that may pose higher risk.
Assessments. We examine the effectiveness of our cyber defenses through various means, including internal audits, targeted testing, vulnerability testing, maturity assessments, incident response exercises and industry benchmarking.
Insurance Coverage. We maintain insurance coverage relating to cybersecurity risks. As described in "Risk Factors - Operational and Model Risk," our insurance may not be sufficient to provide adequate loss coverage.
Role of External Consultants, Vendors and Other Third Parties
We regularly use external consultants and vendors to assist in our assessment and management of cybersecurity risks, including employing third parties to evaluate the security of our networks and our approach to cybersecurity risk management, such as external vendors that conduct penetration testing against our network on at least an annual basis and an external vendor that reviews and tests our cybersecurity incident response plan on at least an annual basis. We also have external vendors on retainer to assist with cybersecurity incident response activities if requested. We are also focused on building and maintaining relationships with the appropriate government and law enforcement agencies and with other businesses, industry groups and cybersecurity services to better understand the cybersecurity risks in our environment, enhance our defenses and improve our resiliency against cybersecurity threats.
Third-Party Cybersecurity Risk Oversight
Our cybersecurity risk management program extends to oversight of third parties that pose a cybersecurity risk to us, including lenders that use our systems and third-party service providers. In alignment with the NIST Cybersecurity Framework and FHFA regulatory guidance, we have established a risk-based framework for managing third-party risk that defines specified triggers for assessing and reporting cyber-related third-party risks and events. Pursuant to this framework, we have implemented both preventive and detective controls to mitigate cybersecurity risks posed by third parties. We have identified certain third parties that we believe pose a higher cybersecurity risk to us because they have significant access to our systems or data. For these higher-risk third parties, we have implemented additional requirements, including:
- We assess these higher-risk third parties' cybersecurity controls through a cybersecurity questionnaire and a review of their cybersecurity controls, either through independent audits or by direct review of their cybersecurity policies and practices.
- We use third-party cybersecurity monitoring and alert services to monitor these higher-risk third parties.
- We conduct periodic monitoring reviews of these higher-risk third parties' cybersecurity policies and practices.
Cybersecurity Governance
Overview
We address the risk from cybersecurity threats using a cross-functional approach, involving management personnel from our technology, operations, legal, corporate risk & compliance, internal audit and other key business functions in an ongoing dialogue regarding cybersecurity threats and incidents. As described in "Board Oversight" below, we also regularly report to the Board and the Risk Policy and Capital Committee of the Board on cybersecurity risk matters. We have implemented controls and procedures for the escalation of cybersecurity incidents so that decisions regarding the disclosure and reporting of such incidents can be made in a timely manner.
Board Oversight
The full Board of Directors oversees the company's cybersecurity risk management, assisted by the Risk Policy and Capital Committee of the Board. The Board has delegated management-level risk oversight, including for cybersecurity risk matters, to the Enterprise Risk Committee, as described under "Management Role" below. The Board and the Risk Policy and Capital Committee generally engage in discussions throughout the year with management on cybersecurity risk matters. The Chief Security Officer and other members of the management team provide reports to the Board and the Risk Policy and Capital Committee on cybersecurity risk matters on a regular basis, including updates on our cybersecurity risk management program, as well as external cybersecurity developments, threats and risks. Management also discusses cybersecurity developments with the Chair of the Risk Policy and Capital Committee and other Board members between Board and committee meetings, as appropriate. The company has procedures to escalate information regarding certain cybersecurity incidents to the Board Chair. At least annually, the Board reviews and approves the company's Cybersecurity Risk Policy and Operational Risk Policy.
Management Role
Our Chief Security Officer leads our Information Security organization, which has primary responsibility for assessing and managing our cybersecurity risks. Our Chief Security Officer has principal management responsibility for overseeing the company's cybersecurity risk management program. Our Chief Security Officer reports to our Chief Operating Officer. The Information Security organization works collaboratively across the company to help protect the company's information systems from cybersecurity threats and to respond to cybersecurity threats and incidents. The Information Security organization monitors information systems to detect anomalies, including attempted cyber attacks, as well as user activity for access controls and risks of insider threat. The Information Security organization also monitors and investigates cybersecurity incidents through detection tools, reports from end users, and other cybersecurity threat and vulnerability intelligence. The Information Security organization also shares and obtains information on cybersecurity threats through participation in the Financial Services Information Sharing and Analysis Center, referred to as FS-ISAC, a member-driven organization that advances cybersecurity and resilience in the global financial system. As appropriate, multidisciplinary teams are deployed to address cybersecurity threats and to respond to cybersecurity incidents in accordance with the company's incident response processes. The Information Security organization and Corporate Risk & Compliance division are informed about and monitor the prevention, detection and mitigation of cybersecurity incidents through risk and control assessments, targeted reviews, scenario analysis, and monitoring of risk metrics. The company's performance in managing cybersecurity risk is reported to the Technology Risk Committee, the Enterprise Risk Committee and the Board of Directors.
As noted above, the Board has delegated oversight responsibility at the management level for risk-related matters to the Enterprise Risk Committee, members of which include senior leaders throughout the company. The Enterprise Risk Committee has delegated primary responsibility for management-level oversight of cybersecurity risk management to the Technology Risk Committee. The Technology Risk Committee receives reports on cybersecurity risk matters on a regular basis from the company's Chief Security Officer. The Technology Risk Committee reviews and approves the company's management-level cybersecurity risk policies and standards. The Technology Risk Committee also reviews and monitors metrics relating to cybersecurity risk. The Technology Risk Committee escalates matters to the Enterprise Risk Committee as appropriate. The company's Corporate Risk & Compliance division provides risk-based independent oversight of cybersecurity risk management performed by the Information Security organization. Members of the Corporate Risk & Compliance division chair the Technology Risk Committee and the Enterprise Risk Committee. The company's Internal Audit organization audits the Corporate Risk & Compliance division's oversight of cybersecurity risk management and also independently tests the effectiveness of the company's cybersecurity risk management and governance. Members of the Internal Audit organization participate as non-voting members of both the Technology Risk Committee and the Enterprise Risk Committee.
Management Expertise
Chief Security Officer
Our Chief Security Officer has over 20 years of professional experience in information security, including over 8 years as Fannie Mae's Chief Information Security Officer (2016-2024) and over 1 year as Fannie Mae's Deputy Chief Information Security Officer. Our Chief Security Officer holds a graduate degree in information technology management.
Technology Risk Committee
Members of the Technology Risk Committee include officers with expertise in cybersecurity risk oversight, such as the Chief Security Officer described above and the head of our Technology Risk Oversight department. As of December 2024, several members of the Technology Risk Committee had prior work experience in cybersecurity and several had a relevant degree or certification, or other knowledge, skills or background in cybersecurity.
Impact of Risks from Cybersecurity Threats
We and the third parties with which we do business have been, and we expect will continue to be, the target of cyber attacks and other cybersecurity threats. To date, risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have not materially affected our business, including our business strategy, results of operations or financial condition. However, large-scale cyber attacks perpetrated against other companies in recent years suggest that the risk of damaging cyber attacks is increasing. Notwithstanding our efforts to manage cybersecurity risks as described above, we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on our business, including our business strategy, results of operations and financial condition. See "Risk Factors - Operational and Model Risk" for additional discussion of cybersecurity risks to our business.
Company Information
Name | FEDERAL NATIONAL MORTGAGE ASSOCIATION FANNIE MAE |
CIK | 0000310522 |
SIC Description | Federal & Federally-Sponsored Credit Agencies |
Ticker | FNMA - OTC; FNMAS - OTC; FNMAJ - OTC; FNMAH - OTC; FNMFN - OTC; FNMAM - OTC; FNMAN - OTC; FNMAI - OTC; FNMAT - OTC; FNMAK - OTC; FNMAL - OTC; FNMFM - OTC; FNMAO - OTC; FNMAG - OTC; FNMFO - OTC; FNMAP - OTC |
Website | |
Category | Large accelerated filer |
Fiscal Year End | December 30 |