FEDERAL AGRICULTURAL MORTGAGE CORP 10-K Cybersecurity GRC - 2025-02-21

Page last updated on February 21, 2025

FEDERAL AGRICULTURAL MORTGAGE CORP reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-02-21 07:04:01 EST.

Filings

10-K filed on 2025-02-21

FEDERAL AGRICULTURAL MORTGAGE CORP filed a 10-K at 2025-02-21 07:04:01 EST
Accession Number: 0000845877-25-000033


Item 1C. Cybersecurity.

Risk Management and Strategy

Farmer Mac recognizes the importance of assessing, identifying, and managing risks associated with cybersecurity threats. Farmer Mac’s process to identify and assess material risks from cybersecurity threats operates alongside Farmer Mac’s broader overall risk assessment process that contemplates all company risks. As part of this process, appropriate personnel collaborate with subject matter specialists, as necessary, to gather information to identify and assess material cybersecurity threat risks, their severity, and potential mitigations.

Farmer Mac has implemented a variety of processes, technologies, and controls to aid in its efforts to identify, assess, and manage cybersecurity risks. Farmer Mac’s approach includes:

- an enterprise risk management program that includes an annual cybersecurity risk assessment and management and is periodically refreshed;
- security reviews designed to identify risks from many new features, software, and vendors, including a security operations center to monitor our systems;
- a team of trained and experienced security professionals to investigate and remediate cybersecurity incidents;
- regular cybersecurity training for all employees and network users to raise and maintain awareness of cybersecurity risks and best practices;
- a vulnerability management program designed to identify vulnerabilities in the systems and software Farmer Mac uses;
- regular cybersecurity testing, including third-party penetration testing on a periodic basis to allow security researchers to help identify vulnerabilities in Farmer Mac’s systems before they mature into real-world cybersecurity threats;
- a third-party service provider risk management program designed to identify and mitigate risks associated with third-party vendors and business partners, which includes pre-engagement diligence, risk assessments, contractual security and notification provisions, and ongoing monitoring, as appropriate;
- a threat intelligence program designed to model and research potential cybersecurity threat actors to identify vulnerabilities and anticipate attack vectors before they are exploited;
- cybersecurity controls designed to segment access to systems and to limit access to sensitive data, which controls are tested and updated regularly;
- patch management controls aimed at reducing system vulnerabilities; and
- a generative artificial intelligence policy that describes how users may utilize generative artificial intelligence tools in alignment with Farmer Mac’s values, ethical standards, and legal requirements, while also safeguarding sensitive information.

These processes vary in maturity across the business, and Farmer Mac works continually to improve them.

Farmer Mac also maintains a privacy and security incident response program to prepare for, detect, respond to, and recover from cybersecurity incidents. That program includes processes to triage, assess severity for, escalate, contain, investigate, and remediate any cybersecurity incident, as well as to comply with any applicable legal obligations (including to preserve evidence) and to mitigate brand and reputational damage. Farmer Mac also conducts regular tabletop exercises to test and fortify the controls of its cybersecurity incident response program. Farmer Mac’s security operations center and incident response team assesses the severity and priority of incidents on a rolling basis, with escalations of cybersecurity incidents provided to Farmer Mac’s management team and board as appropriate. If a cybersecurity incident is determined to be a material cybersecurity incident, Farmer Mac’s incident response plan defines the process for any required regulatory disclosures.

Farmer Mac’s risk management approach is supplemented by external and internal enterprise risk management audits, which are designed to test the effectiveness of Farmer Mac’s security controls.
Prior cybersecurity incidents have not materially affected Farmer Mac’s business strategy, results of operations, or financial condition. Farmer Mac does not believe that there are currently any known risks from cybersecurity threats that are reasonably likely to materially affect its business strategy, results of operations, or financial condition, although the occurrence of both intentional and unintentional incidents could cause a variety of adverse business impacts in the future. For more information on Farmer Mac’s cybersecurity risks, see “Operational Risks” in “Risk Factors” in Part I, Item 1A of this report. Those disclosures are incorporated by reference in this section.

Governance

Farmer Mac’s board of directors is actively involved in overseeing the company’s cybersecurity risk management. At least once a year, the full board of directors meets with Farmer Mac’s Chief Information Security Officer (“CISO”) to discuss and approve Farmer Mac’s programs and policies related to cybersecurity and risk initiatives and considers them closely both from a risk management perspective and as part of Farmer Mac’s business strategy.

The board has created a dedicated cybersecurity subcommittee of the enterprise risk committee to oversee Farmer Mac’s cybersecurity programs and practices, including the identification and mitigation of security and privacy risks. The cybersecurity subcommittee consists of three members of the enterprise risk committee. The cybersecurity subcommittee typically meets on a monthly basis with the CISO and other members of Farmer Mac’s management team to discuss the performance and effectiveness of Farmer Mac’s cyber program and to receive updates on cybersecurity risks, any cybersecurity incidents, and major cybersecurity initiatives. The materials provided to Farmer Mac’s cybersecurity subcommittee and discussed in the meetings may include updates about cybersecurity risks, controls, and assessments, including those from third parties.
At each regular quarterly meeting of the board enterprise risk committee, the cybersecurity subcommittee reviews a summary of the information discussed in the most recent cybersecurity subcommittee meetings.

Farmer Mac’s CISO manages Farmer Mac’s cybersecurity program, which aligns to industry standards and is reviewed by the cybersecurity subcommittee and approved by the board enterprise risk committee annually, and which includes the identification, evaluation, and prioritization of security risks, as well as the company’s response to security incidents. The CISO has more than 20 years of experience in cybersecurity and information technology and holds a Master’s degree in Business Administration with a focus on Information Technology. The CISO also holds a Certified Information Security Manager (CISM) certification, which is an advanced certification indicating that an individual possesses the knowledge and experience required to develop and manage an enterprise information security program. The CISO reports to Farmer Mac’s Senior Vice President - Enterprise Risk Officer, who in turn reports to the Chief Executive Officer.

Members of senior management have regular meetings with the CISO and other members of Farmer Mac’s information technology team to discuss and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents. The participants in these meetings also discuss their management of, and participation in, the cybersecurity risk management and strategy processes described in this report, including the operation of Farmer Mac’s incident response plan.


Company Information

Name: FEDERAL AGRICULTURAL MORTGAGE CORP
CIK: 0000845877
SIC Description: Federal & Federally-Sponsored Credit Agencies
Ticker: AGM - NYSE, AGM-A - NYSE, AGM-PD - NYSE, AGM-PE - NYSE, AGM-PF - NYSE, AGM-PG - NYSE
Website:
Category: Large accelerated filer
Fiscal Year End: December 30