Federal Home Loan Bank of Atlanta 10-K Cybersecurity GRC - 2025-03-07

Page last updated on March 7, 2025

Federal Home Loan Bank of Atlanta reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-07 14:29:58 EST.

Filings

10-K filed on 2025-03-07

Federal Home Loan Bank of Atlanta filed a 10-K at 2025-03-07 14:29:58 EST
Accession Number: 0001331465-25-000051


Item 1C. Cybersecurity.

Item 1C. Cybersecurity for further discussion of the Bank’s cybersecurity risk management and strategy and governance.

The Bank’s controls and procedures may fail or be circumvented, and risk management policies and procedures may be inadequate.

The Bank may fail to identify and manage risks related to a variety of aspects of its business, including operational risk, legal and compliance risk, interest-rate risk, liquidity risk, market risk, and credit risk. The Bank has adopted controls, procedures, policies, and systems to monitor and manage these risks. The Bank’s management cannot provide complete assurance that those controls, procedures, policies, and systems are adequate to identify and manage the risks inherent in the Bank’s business at all times. In addition, because the Bank’s business continues to evolve, the Bank may fail to fully understand the implications of changes in the business, and therefore it may fail to enhance the Bank’s risk governance framework to timely or adequately address those changes. Failed or inadequate controls and risk management practices could have an adverse effect on the Bank’s financial condition and results of operations.

Natural disasters, including those resulting from climate change, in the Bank’s region could adversely affect the Bank’s operations, profitability and financial condition.

Portions of the Bank’s district, member and collateral locations are subject to risks from hurricanes, tornadoes, floods, wildfires, drought and other natural disasters. The Bank’s district, member and collateral locations include areas designated as Special Flood Hazard Areas (SFHAs), which are deemed particularly vulnerable. Climate change contributes to the increasing unpredictability, occurrence and intensity of major natural disasters, which could negatively affect the Bank’s ability to predict losses from such events.

Natural disasters could disrupt, damage or dislocate the facilities or the underlying business of the Bank or the Bank’s members, may damage or destroy collateral that members have pledged to secure advances or the mortgages the Bank holds for portfolio, may impact the livelihood of borrowers of the Bank’s members, or otherwise could cause significant economic dislocation in the affected areas. These disasters can also create imbalances in insurance, such as inadequate insurance, insurance shortfalls, premium increases, and insurance availability. Natural disasters could disrupt the Bank’s operations or the operations of third parties on which the Bank relies. Steps to address the risk of more frequent or severe weather events resulting from climate change could result in a potentially disruptive transition away from carbon-intense industries and create additional transitional risks and costs, including the costs of adapting to new regulation that addresses climate change risks. Such a transition could negatively impact certain regions and regional economies, affecting the members’ businesses and impacting the ability of borrowers in those industries or regions to pay their mortgage loans. Legal or regulatory changes to address concerns about global climate change may lead to higher costs of compliance and increasing direct and indirect expenses and lending costs for the Bank’s members.

The inability to attract and retain skilled key personnel could adversely affect the Bank’s business and financial result.

The Bank relies on key personnel for many of its functions and has a relatively small workforce, given the size and complexity of its business. The Bank’s ability to attract and retain such personnel is important for it to conduct its operations and measure and maintain risk and financial controls. Additionally, the Bank must continue to recruit, retain and motivate a qualified and diverse pool of employees, both to maintain the Bank’s current business and to execute its strategic initiatives, including succession planning. Like many organizations, the Bank has experienced increased competition in its recruitment and retention of employees. If the Bank is unable to recruit, retain and motivate such employees, its business and financial performance may be adversely affected. Each FHLBank’s board of directors has the statutory authority and responsibility to select, employ and fix the compensation of its officers and employees in order to help ensure the hiring and retention of qualified staff. However, as the regulator of the FHLBanks, the Finance Agency has the authority to determine whether compensation paid to any executive officer or director is, in its view, not reasonable and comparable with compensation for such services in other similar businesses involving similar duties and responsibilities. Depending on how such authority is exercised, the Bank’s ability to recruit and retain qualified executive officers and directors could be adversely affected.

Item 1B. Unresolved Staff Comments.

None.

Item 1C. Cybersecurity.

Cybersecurity Risk Management and Strategy

The Bank has implemented processes for assessing, identifying, and managing risks from cybersecurity threats or incidents that may directly or indirectly impact the Bank’s business strategy, results of operations, or financial condition. Please refer to Item 1A. Risk Factors for a description of cybersecurity incident and threat risk. The Bank’s cybersecurity risk management framework for assessing, identifying, and managing risks from cybersecurity threats is designed to protect the confidentiality, integrity, and availability of the Bank’s information technology assets and data and includes specific controls for the monitoring, mitigation, and reporting on cybersecurity risk management. Those processes include information security policies, incident response and business continuity plans focusing on the Bank’s appropriate response to threats and incidents and on operations and business continuance. The Bank’s board annually reviews and approves the Bank’s risk management policies. The Bank develops mitigation plans, monitors tactical implementation, engages in detailed gap analysis and risk assessments, and monitors remediation plans to close any outstanding gaps, all of which are overseen by the Bank’s Security Governance Committee. Cybersecurity risk management is integrated with the Bank’s overall risk management framework overseen by the Bank’s board. Bank policies establish administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of Bank information in accordance with Finance Agency regulations and applicable laws.

The Bank’s cyber incident response plan determines how cybersecurity threats and incidents are identified, classified, escalated, and reported to senior management and the board. The cyber incident response plan also stipulates management’s materiality assessment of the threat or incident for the purposes of public disclosure. The Bank’s cyber incident response plan includes third party cybersecurity incidents and threats. The business continuity management program is designed to oversee and implement resilience, continuity, and response capabilities to safeguard employees, products and services, and to minimize financial losses and the impact to service to members during a disruption event. A disruption event includes the unavailability of information technology assets due to cybersecurity threats or incidents and other unintentional events like fire, power loss, and other technical incidents such as hardware failures. The business continuity management program provides planning for the restoration of facilities, communications, information technology systems, personnel, and other components necessary for the continuity of critical Bank processes. The business continuity management policy is overseen by the board.

The Bank retains external consultants to assist in the development and monitoring of processes for assessing, identifying, and managing cybersecurity incident and threat risk. The Bank engages third-party services to conduct evaluations of security controls, whether through penetration testing, independent audits or consulting on practices to address new challenges. These evaluations include testing both the design and operational effectiveness of security controls. The Bank also requires subcontractors to report on cybersecurity incidents so the Bank can assess their impact. As part of the Bank’s vendor management process, the Bank undertakes due diligence of third-party systems with which the Bank will interact, including risk profiling and classification, in addition to requiring data protection covenants in its vendor agreements. The Bank’s vendor risk management program includes regular reviews and oversight of all service providers in accordance with a risk profile classification. The Bank reviews vendor performance and relevant technologies utilized by vendors, and promotes escalation of any unsatisfactory reviews, as part of the Bank’s continuous assessment of its vendors.

During the period covered by this report, risks from cybersecurity incidents or threats did not have a material impact on the Bank’s strategy, results of operations, or financial condition. The Bank has experienced cybersecurity incidents and threats in the past, none of which have had a material effect on the Bank’s financial condition or results of operations. Cybersecurity incidents may occur in the future, and any such cybersecurity incident could result in significant adverse impact to the Bank, the Bank’s members, and their customers. The Bank is prepared to assess the materiality of any such cybersecurity incident from several perspectives including, but not limited to, the Bank’s ability to continue to service its members and protect the privacy of their data entrusted to the Bank, lost revenue, disruption of business operations, increased operating costs, litigation, and reputational harm.

Cybersecurity Governance

The Bank’s board of directors devotes significant time and attention to data and systems protection, including cybersecurity and information security risk. The board of directors’ Enterprise Risk and Operations Committee (EROC) oversees the Bank’s information security program through the setting of policies and the Bank’s risk management framework, has oversight of the cybersecurity risk management efforts, which include risks from cybersecurity threats, and has assigned specific controls for the mitigation, monitoring and reporting associated with those risks. The board also oversees management’s approach to staffing, and processes and practices to gauge and address cybersecurity and information security risk. The board receives reports on management of cybersecurity risk and implementation of cybersecurity risk management, as well as presentations and reports on cybersecurity effectiveness assessments and monitoring updates, along with management’s recommendations regarding the Bank’s information security policies.

The Bank’s Security Governance Committee is led by the chief information security officer and has a cross-functional membership comprised of representatives from the Bank’s operational risk, information security, information technology, legal, operations, and other departments that provide operational, specialized, technical and multidisciplinary expertise to the committee. The committee has integrated oversight of the information security program and the physical security program, and is responsible for reviewing security policies and procedures, security exceptions and violations, the processes and standards to implement the policies and procedures defined in the cybersecurity risk management program, the Bank’s cyber incident response plan, and the security awareness program and implementation reports, and for providing guidance and monitoring progress on major information security projects and on regulatory changes and requirements. The Bank has a dedicated Information Security Department comprised of specialized professionals responsible for the day-to-day, hands-on management of cybersecurity risk, who handle the processes and procedures to mitigate and implement protective, proactive and reactive measures to protect the Bank against those risks, and who are responsible for developing, documenting, and approving the Bank’s technical information security control standards, guidelines, and procedures designed to preserve the confidentiality, integrity, and availability of the Bank’s information technology assets and data under the Bank’s control.

The combined expertise of the Bank’s chief information officer and the chief information security officer in cybersecurity includes graduation in Computer Science, Certification in Risk and Information Systems Control (CRISC), Certification in Information Systems Security Professional (CISSP), and Certification in Information Systems Auditor (CISA), along with decades of experience in computer science, information and records security, business continuity, technology governance and compliance, technology risk services, cyber risk assessments, security operations monitoring and response, incident response, security strategy and architecture, awareness training, threat intelligence, identity and access management, vulnerability and penetration testing, maturity assessment, impact analysis, disaster events, recovery response, business resiliency, third party systems due diligence, deep knowledge of software systems and platforms, implementation methodologies, and various technology systems servicing internal and external customers.

The Security Governance Committee meets regularly and receives prompt and periodic information, as needed or applicable pursuant to Bank policies and plans, from the Information Security Department, which in turn provides periodic, regular and prompt reporting to senior management. Reports include topics such as threat intelligence, major cybersecurity risk areas, technologies and best practices, project development and implementation, any cybersecurity incidents or threats that occurred, as well as risk assessment, management and monitoring updates, as applicable and as needed. Bank policies and processes are designed such that the board would receive prompt and periodic information from management or the Security Governance Committee on any cybersecurity or information security incident or threat that may pose significant risk to the Bank, and would continue to receive regular reports on any incident or threat until its conclusion.

The Bank’s Enterprise Risk and Operations Committee also receives regular presentations and reports throughout the year on cybersecurity and information security addressing a broad range of topics, including updates on technology trends, regulatory developments, legal issues, policies and practices, information security resources and organization, the threat environment and vulnerability assessments, and specific and ongoing efforts to prevent, detect, and respond to potential gaps, internal and external incidents and critical threats. At least quarterly, or more often as necessary, the Enterprise Risk and Operations Committee discusses cybersecurity and information security risks with the Bank’s chief information officer and chief information security officer.


Company Information

Name: Federal Home Loan Bank of Atlanta
CIK: 0001331465
SIC Description: Federal & Federally-Sponsored Credit Agencies
Ticker:
Website:
Category: Non-accelerated filer
Fiscal Year End: December 30