Page last updated on March 14, 2025
Federal Home Loan Bank of Topeka reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-13 17:10:12 EDT.
Filings
10-K filed on 2025-03-13
Federal Home Loan Bank of Topeka filed a 10-K at 2025-03-13 17:10:12 EDT
Accession Number: 0001325878-25-000054
Item 1C. Cybersecurity.
Item 1C - “Cybersecurity.”

We are required to make significant judgments, assumptions and estimates in the preparation of our financial statements and our judgments, assumptions and estimates may not be accurate. The preparation of financial statements and related disclosures in conformity with GAAP requires us to make judgments, assumptions and estimates that affect the amounts reported in our consolidated financial statements and accompanying notes. Our critical accounting policies and estimates, which are included in the section captioned “Management’s Discussion and Analysis of Financial Condition and Results of Operations,” describe those significant accounting policies and estimates used in the preparation of our consolidated financial statements that we consider “critical” because they require judgments, assumptions and estimates that materially affect our consolidated financial statements and related disclosures. As a result, if future events or regulatory views concerning such analysis differ significantly from the judgments, assumptions and estimates in our critical accounting policies and estimates, those events or regulatory views could have a material impact on our consolidated financial statements and related disclosures, in each case resulting in our need to revise or restate prior period financial statements, cause damage to our reputation and the price of our common stock and adversely affect our business, financial condition and results of operations. Our risk management framework may not be effective in mitigating risks or losses to us, and we may incur losses due to ineffective risk management processes and strategies. Our risk management framework is comprised of various processes, systems and strategies designed to manage our risk exposure, including credit, liquidity, interest rate, price, operational, reputation, strategic and compliance risks. 
Our framework also includes financial or other modeling methodologies that involve highly subjective management assumptions and judgment. Our risk management framework may not be effective under all circumstances and may not adequately mitigate risks or losses, which could result in adverse regulatory consequences and unexpected losses and could have a material adverse effect on our business, financial condition and results of operations. For additional information on internal controls, see “Risk Management - Operations Risk Management” under Item 7. We may be unable to attract and retain a highly qualified and diverse workforce, including key management. Our success depends on the talents and efforts of our employees, and particularly our management. While turnover has remained low over the last eighteen months, it is critical that we continue to evaluate the market to ensure we are offering employment terms and total rewards that are competitive. If we are not competitive across these key components, we may be unable to retain key management or to attract other highly qualified and diverse employees. Also, failure to develop and implement an adequate succession plan for key members of management could adversely affect our financial condition and results of operations. Reliance on FHLBank Chicago as MPF Provider could have a material adverse effect on our business if FHLBank Chicago were to default on its contractual obligations owed to us. As part of our business, we participate in the MPF Program with FHLBank Chicago. In its role as MPF Provider, FHLBank Chicago provides the infrastructure, operational support, and maintenance of investor relations for the MPF Program and is also responsible for publishing and maintaining the MPF Guides, which include the requirements PFIs must follow in originating or selling and servicing MPF mortgage loans. 
If FHLBank Chicago changes its MPF Provider role, ceases to operate the MPF Program, or experiences a failure or interruption in its information systems and other technology, our mortgage loan assets could be adversely affected, and we could experience a related decrease in our net interest margin and profitability. In the same way, we could be adversely affected if any of FHLBank Chicago’s third-party vendors engaged in the operation of the MPF Program, or investors that purchase mortgages under the MPF Program, were to experience operational or other difficulties that prevent the fulfillment of their contractual obligations.

Item 1B: Unresolved Staff Comments

Not applicable.

Item 1C: Cybersecurity

FHLBank Topeka recognizes the critical importance of maintaining the trust and confidence of our members, business partners, employees and other stakeholders. We have implemented processes for assessing, identifying, and managing material risks from cybersecurity threats or incidents that may directly or indirectly impact our business strategy, results of operations, or financial condition. Our cybersecurity risk management framework for assessing, identifying, and managing material risks from cybersecurity threats seeks to protect the confidentiality, security and availability of the information that we collect and store by focusing on identifying, preventing and mitigating cybersecurity threats and effectively responding to cybersecurity incidents when they occur. Cybersecurity risk management is part of our ERM Program, which includes specific controls and processes for mitigation, monitoring and reporting associated with cybersecurity and information risks. Specifically, cybersecurity controls and processes include the Enterprise Security Policy, the Security Incident Response Plan, and the Business Resiliency Management Policy. 
The Risk Oversight committee of the board of directors oversees these controls and processes and annually recommends each for approval. The full board of directors annually reviews and approves each of our Enterprise Security Policy, Security Incident Response Plan, and Business Resiliency Management Policy. The Enterprise Security Policy establishes administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of FHLBank physical and intangible information technology assets in accordance with the GLB Act and the interagency guidelines issued thereunder, and applicable laws. The Security Incident Response Plan determines how cybersecurity threats and incidents are identified, classified, and escalated, including for the purposes of reporting, and providing relevant information to the Risk Oversight committee and the full board of directors. The Security Incident Response Plan also requires assessment of materiality of the threat or incident for the purposes of public disclosure. The Business Resiliency Management Policy is designed to ensure our critical business functions remain available during business disruptions and to minimize the impact of such disruptions, including the unavailability of information technology assets due to unintentional events like fire, power loss, and other technical incidents such as hardware failures. The Business Resiliency Management Policy includes, among other items, business impact analysis for developing effective plans and a disaster recovery plan to respond, recover, resume, and restore technology assets critical for FHLBank to operate. We regularly engage with third parties to assist in the testing, maintenance, and development of our cybersecurity risk management practices and to assess, identify, and manage cybersecurity incident and threat risk. Our cyber incident response plan includes third-party cybersecurity incidents and threats. 
Through our vendor management program, we undertake due diligence of third-party systems with which we will interact and vendors with whom we will interact, including regular reviews and oversight of these service providers through performance and technological reviews and escalation of any unsatisfactory reviews. As of the date of this report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect FHLBank, including FHLBank’s business strategy, results of operations or financial condition.

Cybersecurity Governance

Our board of directors devotes significant time and attention to data and systems protection, including cybersecurity and information security risk. Our board of directors oversees the ERM Program, the Enterprise Security Program and Information Security through policies and principles including the Enterprise Security Policy, the Security Incident Response Plan, and the Business Resiliency Management Policy. The board of directors oversees management’s approach to staffing, policies, processes, and practices to gauge and address cybersecurity and information security risk. Our board of directors has oversight of our ERM Program, the Enterprise Security Program, and Information Security areas which include risks from cybersecurity threats and has approved specific controls for the mitigation, monitoring and reporting associated with those risks. The Risk Oversight Committee and Operations Committee of the board of directors receive regular reporting (at least quarterly) on the risks and are responsible for overseeing cybersecurity and information risks, including receiving Enterprise Security Program updates from the information security officer (ISO), Information Technology status updates, and reviewing enterprise risk analysis and status information, and annually reviews the Business Resiliency Management Policy and Program. 
Our Enterprise Security Program is led by the ISO. The ISO reports to the Chief Risk Officer (CRO). FHLBank’s Information Security area is led by the Director of Information Security, who reports to the Chief Information Officer (CIO). The Business Resiliency Management Program is led by the Director of Enterprise Risk Management, who reports to the CRO. We have a Technology Committee, which reviews and discusses all technology-related methodologies and initiatives related to information technology and cybersecurity, among other topics. The Technology Committee is a management committee and reports to the Strategic Operations Management Committee (SOMC). We also have an Operations Risk Committee (ORC), which is a management committee, and is the secondary venue for reviewing enterprise security initiatives. The ORC also serves as the primary governance venue for the Business Resiliency Management Program and escalates business resiliency concerns and risk issues, among other matters, to the Strategic Risk Management Committee (SRMC). The ORC is responsible for annually reviewing and providing recommendations on FHLBank’s Security Incident Response Plan and receives monthly updates on the Enterprise Security Program. The ISO is a required member of both the Technology Committee and the ORC. The SOMC and SRMC are comprised of senior leadership and executive-level officers, including FHLBank’s CRO and CIO. The SOMC is responsible for receiving reports on issues escalated from the Technology Committee. The SRMC is responsible for management of operational risk and implementation of the cybersecurity risk management framework within the ERM Program as approved by the board of directors and receives reports on issues escalated from the ORC. 
The Executive Team, comprised of chief-level officers, annually reviews and provides recommendations on the Enterprise Security Policy, Security Incident Response Plan, and the Business Resiliency Management Policy. The President and Chief Executive Officer (CEO) annually approves each policy for submission to the board of directors for its consideration and ultimate approval. In addition to the board of directors and management committees, we have an Information Security Working Group (ISWG). Membership in the ISWG consists of leadership and business partners from a cross section of areas, including operational risk, information security, information technology, legal, operations, and others throughout FHLBank. The breadth and depth of experience of members of the ISWG allows for detailed discussions on information security trends and emerging risks which can be elevated to the Technology Committee for action or further discussion, as necessary and appropriate. We have an Information Security area of the Information Technology department comprised of specialized professionals responsible for the day-to-day, hands-on management of cybersecurity risk. The area handles processes and procedures to mitigate and implement protective, proactive and reactive measures to protect FHLBank against cybersecurity risks and is responsible for the practices designed to prevent unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information. Those responsible for assessing and managing FHLBank’s material risks from cybersecurity threats have expertise and experience relevant to their roles. FHLBank’s CIO has served in technology and leadership roles for over 30 years, including almost 27 years of experience with FHLBank. 
During the last 14 years, the CIO has provided oversight and strategic direction for the Information Security area of the Information Technology department, including cybersecurity risk management, cybersecurity governance, and incident response. The ISO has more than 25 years of information technology experience, including 24 in the financial industry, and 22 years of experience managing information security. The ISO has a Bachelor of Science degree in Computer Science Information Systems. The Director of Information Security is a retired United States Air Force Lt. Colonel whose primary career focus was in intelligence analysis. The Director of Information Security also has 14 years of experience building and leading cybersecurity programs, including cyber threat intelligence programs and cyber regulatory compliance; 16 years of cyber intelligence analysis experience, including military and civilian; five years of continuity of operations and business continuity program development; and holds a Master of Arts degree in Strategic Intelligence Studies and is a Certified Information System Security Professional. The Technology Committee and ORC, as appropriate, receive regular and prompt information from the Information Security area as reported by the ISO, which in turn provide periodic, regular and prompt reporting to the SRMC and SOMC on topics such as threat intelligence, major cybersecurity risk areas, technologies and best practices, and any cybersecurity incidents that may have impacted FHLBank, as applicable and needed. The SRMC and SOMC may escalate reporting as applicable and needed to the Executive Team or board of directors. 
The board of directors receives prompt and timely information from the Security Incident Response Team, which includes the CRO, CIO, ISO, and Director of Information Security, among others, as set forth in the Security Incident Response Plan, on any cybersecurity or information security incident that may pose significant risk to FHLBank and continues to receive regular reports on the incident until its conclusion. The board of directors, Risk Oversight Committee and Operations Committee each receive regular presentations and reports throughout the year on cybersecurity and information security risk. These presentations and reports address a broad range of topics, including updates on technology trends, regulatory developments, legal issues, policies and practices, information security resources and organization, the threat environment and vulnerability assessments, and specific and ongoing efforts to prevent, detect, and respond to internal and external incidents and critical threats. At least quarterly, the board discusses cybersecurity and information security risks with the ISO and CRO.
Company Information
Name | Federal Home Loan Bank of Topeka |
CIK | 0001325878 |
SIC Description | Federal & Federally-Sponsored Credit Agencies |
Ticker | |
Website | |
Category | Non-accelerated filer |
Fiscal Year End | December 30 |