|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
Information security risk includes the risk that cyber incidents and threats could result in a failure or interruption of our business operations. A cybersecurity incident is an unauthorized occurrence, or a series of related unauthorized occurrences, through information systems that jeopardizes the confidentiality, integrity, or availability of our information systems or any information residing therein. Cybersecurity threats are potential unauthorized occurrences on or conducted through information systems that may result in adverse effects on the confidentiality, integrity, or availability of information systems or any information residing therein. Information systems are any electronic information resources, owned or used by us, including physical or virtual infrastructure controlled by such information resources, or their components, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of our information to maintain or support our operations. We have implemented processes to identify, assess, and manage material risks from cybersecurity incidents or threats that may directly or indirectly impact our business strategy, results of operations, or financial condition. Please refer to “Item 1A. Risk Factors” for additional information on our operational risk, which includes the risk of failures or interruptions in information systems resulting from cybersecurity threats or incidents.
Our cybersecurity program is designed to identify, assess, and manage material risks from cybersecurity threats and to protect the confidentiality, integrity, and availability of our IT assets and data. We utilize a widely adopted industry framework to guide and benchmark the activities of our information security program in alignment with our risk appetite statement. Our cybersecurity program includes specific controls and processes for the monitoring, mitigation, and reporting associated with cybersecurity risks. For example, administrative, physical, and logical controls are in place for identifying, monitoring, and controlling system access, sensitive data, and system changes. In addition, we employ an information security training program that includes security training lessons and phishing exercises for all employees as well as mandatory staff training on cyber risks. We also regularly engage with third-parties to test, maintain, and enhance our cybersecurity risk management practices and threat monitoring. These engagements include, among other things, penetration testing, detection and response services, cybersecurity tabletops, and cybersecurity framework assessments. We also maintain cyber insurance coverage in an effort to reduce financial losses stemming from a security incident.
To ensure the continuance of our operations in the event of a cybersecurity incident or threat, we have established an Information Security Policy and Security Incident Response Plan, and have adopted a business continuity management program.
Our Information Security Policy establishes administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of Bank information in accordance with Finance Agency regulations, the Gramm-Leach-Bliley Act and the interagency guidelines issued thereunder, and applicable laws.
Our Security Incident Response Plan determines how cybersecurity threats and incidents are identified, classified, and escalated, including for the purposes of reporting, and providing relevant information to senior management and the Board of Directors. The Security Incident Response Plan requires management to assess materiality of the threat or incident for purposes of public disclosure.
Our Security Incident Response Plan includes third-party cybersecurity incidents and threats, as we do rely on third-party information systems and other technologies. As part of our vendor risk management process, we undertake due diligence of third-party systems with whom we interact, including risk profiling and classification, in addition to requiring data protection covenants in our vendor agreements. Our vendor risk management program includes regular reviews and oversight of service providers, including performance and technology reviews, and escalation of any unsatisfactory reviews.
Our business continuity management program is designed to ensure that necessary resources are in place to protect us from potential loss during a disruption, which includes the unavailability of IT assets due to unintentional events like fire, power loss, and other technical incidents, such as hardware failures.
During the period covered by this report, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, did not have a material impact on our business strategy, results of operations, or financial condition. Cybersecurity incidents may occur in the future and any such cybersecurity incident could result in significantly harmful consequences to us, our members, and their customers. We are prepared to assess materiality of any such cybersecurity incident from several perspectives including, but not limited to, our ability to continue to service our members and protect the privacy of the data they or their customers have entrusted to us, lost revenue, disruption of business operations, increased operating costs, litigation, and reputational harm.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
Our cybersecurity program is designed to identify, assess, and manage material risks from cybersecurity threats and to protect the confidentiality, integrity, and availability of our IT assets and data. We utilize a widely adopted industry framework to guide and benchmark the activities of our information security program in alignment with our risk appetite statement. Our cybersecurity program includes specific controls and processes for the monitoring, mitigation, and reporting associated with cybersecurity risks. For example, administrative, physical, and logical controls are in place for identifying, monitoring, and controlling system access, sensitive data, and system changes. In addition, we employ an information security training program that includes security training lessons and phishing exercises for all employees as well as mandatory staff training on cyber risks. We also regularly engage with third-parties to test, maintain, and enhance our cybersecurity risk management practices and threat monitoring. These engagements include, among other things, penetration testing, detection and response services, cybersecurity tabletops, and cybersecurity framework assessments. We also maintain cyber insurance coverage in an effort to reduce financial losses stemming from a security incident.
To ensure the continuance of our operations in the event of a cybersecurity incident or threat, we have established an Information Security Policy and Security Incident Response Plan, and have adopted a business continuity management program.
Our Information Security Policy establishes administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of Bank information in accordance with Finance Agency regulations, the Gramm-Leach-Bliley Act and the interagency guidelines issued thereunder, and applicable laws.
Our Security Incident Response Plan determines how cybersecurity threats and incidents are identified, classified, and escalated, including for the purposes of reporting, and providing relevant information to senior management and the Board of Directors. The Security Incident Response Plan requires management to assess materiality of the threat or incident for purposes of public disclosure.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|
During the period covered by this report, risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, did not have a material impact on our business strategy, results of operations, or financial condition. Cybersecurity incidents may occur in the future and any such cybersecurity incident could result in significantly harmful consequences to us, our members, and their customers. We are prepared to assess materiality of any such cybersecurity incident from several perspectives including, but not limited to, our ability to continue to service our members and protect the privacy of the data they or their customers have entrusted to us, lost revenue, disruption of business operations, increased operating costs, litigation, and reputational harm.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Our Board of Directors is responsible for the oversight of our information security program and establishes our information security risk appetite.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Technology and Operations Committee provides independent and integrated oversight over our information security program, physical security program, business continuity program, security policies and procedures, and security exceptions and violations. This committee is comprised of leadership representatives from our operational risk, information security, IT, and legal departments, as well as other departments that provide both specific technical and multidisciplinary expertise to the committee.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|
Our Technology and Operations Committee provides independent and integrated oversight over our information security program, physical security program, business continuity program, security policies and procedures, and security exceptions and violations. This committee is comprised of leadership representatives from our operational risk, information security, IT, and legal departments, as well as other departments that provide both specific technical and multidisciplinary expertise to the committee. This committee is responsible for reviewing and approving our Information Security Policy. It also receives regular, prompt, and periodic information from the Information Security Department, which in turn provides periodic, regular, and prompt reporting to the Technology Committee of the Board of Directors on topics such as threat intelligence, major cybersecurity risk areas, technologies and best practices, and any cybersecurity incidents that may have impacted us, as well as risk assessment, management, and monitoring updates, as applicable or needed.
Our Board of Directors receives regular presentations and reports throughout the year on cybersecurity and information security addressing a broad range of topics. These topics include, but are not limited to, updates on technology trends, regulatory developments, legal issues, policies and practices, information security resources, environmental threats and vulnerability assessments, and efforts to prevent, detect, and respond to potential gaps, internal and external incidents, and critical threats. At least quarterly, our Board of Directors discusses cybersecurity and information security risks with our CIO. Our Board of Directors is also required to complete cybersecurity training and participate in a cloud computing education session annually. Our policies and processes are designed such that the Board of Directors would receive prompt and timely information from Bank management on any cybersecurity or information security incident or threat that may pose significant risk to us and would continue to receive regular reports on any incident until its conclusion.
|Cybersecurity Risk Role of Management [Text Block]
|
Our Information Security Department is led by the CIO, who reports to the President and CEO. Our CIO establishes our strategic direction and provides executive support for our information security program, and has significant experience in information systems and information security. Refer to “Item 10. Directors, Executive Officers and Corporate Governance” for more information.Our dedicated Information Security Department is comprised of specialized professionals responsible for the day-to-day, hands-on management of cybersecurity risk, including the processes and procedures to mitigate and implement protective, proactive, and reactive measures to protect us against this risk. Personnel in this department hold a variety of technical certifications relevant to their job functions and engage in continuing education. This department is also responsible for developing, documenting, and approving our technical information security control standards, guidelines, and procedures designed to preserve the confidentiality, integrity, and availability of our IT assets and data under our control.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|
Our Information Security Department is led by the CIO, who reports to the President and CEO. Our CIO establishes our strategic direction and provides executive support for our information security program, and has significant experience in information systems and information security. Refer to “Item 10. Directors, Executive Officers and Corporate Governance” for more information.Our dedicated Information Security Department is comprised of specialized professionals responsible for the day-to-day, hands-on management of cybersecurity risk, including the processes and procedures to mitigate and implement protective, proactive, and reactive measures to protect us against this risk. Personnel in this department hold a variety of technical certifications relevant to their job functions and engage in continuing education. This department is also responsible for developing, documenting, and approving our technical information security control standards, guidelines, and procedures designed to preserve the confidentiality, integrity, and availability of our IT assets and data under our control.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our Information Security Department is led by the CIO, who reports to the President and CEO. Our CIO establishes our strategic direction and provides executive support for our information security program, and has significant experience in information systems and information security. Refer to “Item 10. Directors, Executive Officers and Corporate Governance” for more information.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our Technology and Operations Committee provides independent and integrated oversight over our information security program, physical security program, business continuity program, security policies and procedures, and security exceptions and violations. This committee is comprised of leadership representatives from our operational risk, information security, IT, and legal departments, as well as other departments that provide both specific technical and multidisciplinary expertise to the committee. This committee is responsible for reviewing and approving our Information Security Policy. It also receives regular, prompt, and periodic information from the Information Security Department,
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef
|X
- References
+ Details
Reference 1: http://www.xbrl.org/2003/role/presentationRef