June 20, 2024
By Way of EDGAR
Office of Finance
Division of Corporation Finance
United States Securities and Exchange Commission
100 F Street, NE
Washington, DC 20549
James Lopez
|
|
Re:
|
Federal Home Loan Bank of New York
|
|
|
|
Form 8-K
|
|
|
|
Filed March 1, 2024
|
|
|
|
File No. 000-51397
|
Ladies and Gentlemen:
Reference is made to the letter dated May 24, 2024 (the “Comment Letter”), to the Federal Home Loan Bank of New York (the “Bank”) from the staff of the Office of Finance, Division of Corporation Finance, of the U.S. Securities and Exchange
Commission (the “Staff” of the “SEC”) with respect to the above-referenced Current Report on Form 8-K, reporting an event occurring February 21, 2024 (the “February Form 8-K”). This letter responds to the following inquiry reflected in the Comment
Letter:
We note the statement that you experienced a cybersecurity incident. Please advise us as to why you determined to file under Item 1.05 of Form 8-K given the statement that the incident has not had a
material impact on your operations, and you believe it will not materially impact your financial condition or results of operations.
Bank Background
The Bank is one of eleven federally chartered Federal Home Loan Banks (“FHLBanks”) organized under the authority of the Federal Home Loan Bank Act of 1932 to provide liquidity to commercial banks. The Bank is a cooperative in which all thrift
institutions, commercial banks, credit unions, insurance companies and certified community development financial institutions located within the Bank’s designated district (i.e., New Jersey, New York, Puerto Rico, and the U.S. Virgin Islands) engaged
in residential housing finance can apply for membership. The Bank is supervised by the Federal Housing Finance Agency (the independent Federal regulator of the FHLBanks, the Federal National Mortgage Association (Fannie Mae) and the Federal Home Loan
Mortgage Association (Freddie Mac)), which is tasked with ensuring that the FHLBanks operate in a safe and sound manner.
The Bank’s mission is to provide its members with reliable liquidity in support of housing and local community development, which in turn supports a stable and liquid mortgage market. In support of that mission, the Bank’s primary business is
making collateralized loans, or advances, to its members. The Bank requires members to purchase a specified amount of its capital stock as a condition of membership. In addition, a member taking an advance from the Bank is required to hold a
specified level of Bank capital stock in support of the advance, which typically requires the member to purchase Bank stock in connection with each advance. Bank stock is issued and redeemed only at its stated par value of $100 per share. All
transactions in Bank stock are between the Bank and its members. In addition, Bank stock generally may be held only by members, is not publicly traded and may not be traded, even in private transactions.
The Cybersecurity Incident
As reported in the February Form 8-K, on February 21, 2024, the Bank detected unknown persons attempting to obtain funds from the Bank using fraudulent means (the “Incident”). The Bank immediately activated its response process and quickly
determined that the Incident resulted from the compromise of a vendor of a Bank vendor. The Bank took prompt action to contain and remediate the Incident. It also determined that its information technology systems and networks were not compromised or
affected, no unauthorized transactions were executed, no monies were transferred to the unknown persons, and Bank members were able to continue to execute transactions with the Bank.
Bank Disclosure Process
On February 26, 2024, the Bank’s Disclosure Committee (the “Committee”) met with outside counsel, as well as the Bank’s General Counsel and Chief Legal Officer (both of whom are members of the Committee), to discuss appropriate disclosure of the
Incident in light of the newly effective disclosure requirements under Item 1.05 of Form 8-K (adopted by the SEC on July 26, 2023 and effective on December 18, 2023). The Committee was presented with a synopsis of the Incident and the new Item 1.05
requirements, and received guidance from counsel, including that a determination that a cybersecurity incident is “material” triggers mandatory disclosure under Item 1.05 and that “materiality” can be based on quantitative and/or qualitative
factors. The Committee members engaged in an extended discussion of the Incident and whether it was quantitatively and/or qualitatively material, during which the Committee members acknowledged that the question was a close one, but that such close
questions are to be resolved in favor of disclosure. Based on that discussion and a vote of its members, the Committee concluded that (a) the Incident was not quantitatively material, as it had not had a material impact on the Bank’s operations and
was not expected to materially impact its financial condition or results of operations but that (b) it was qualitatively material, due to its potentially significant effects on a number of Bank
constituencies. Therefore, the Committee determined that disclosure under Item 1.05 was required. Thereafter, the Bank prepared and filed the requisite February Form 8-K on March 1, 2024.
Analysis
The Staff has inquired as to why the Bank determined to report the Incident under Item 1.05 of Form 8‑K in light of the fact that the Bank had determined that the Incident had not had a material impact on the Bank’s operations, and that the Bank
did not believe that the Incident would materially impact its financial condition or results of operations. As a threshold matter, the Bank advises the Staff that, as indicated above, the Committee had determined that the Incident was qualitatively, but not quantitatively, material. It was the Bank’s expectation that filing the February Form 8-K using Item 1.05 would effectively communicate the materiality determination. In that light, the
Bank did not perceive any lack of clarity or inconsistency between disclosing the Incident under Item 1.05 and its statement that effects on operations, financial condition and results of operations were not the basis of its materiality conclusion.
We note that the SEC release adopting the Item 1.05 (the “Adopting Release”) 1 confirms that:
the materiality standard that registrants should apply in evaluating whether a Form 8-K would be triggered under proposed Item 1.05 would be consistent with that set out in the numerous cases
addressing materiality in the securities laws, including TSC Industries, Inc. v. Northway, Inc., Basic, Inc. v. Levinson, and Matrixx
Initiatives, Inc. v. Siracusano, and likewise with that set forth in 17 CFR 230.405 (“Securities Act Rule 405”) and 17 CFR 240.12b-2 (“Exchange Act Rule 12b-2”). That is, information is material if “there is a substantial likelihood that a
reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”
The release that originally proposed Item 1.05 (the “Proposing Release”) 2 and the Adopting Release3 both address the elements of materiality in more detail, observing that:
[The assessment of materiality] should not be limited to the impact on “financial condition and results of operations,” and “companies should consider qualitative factors alongside quantitative
factors.” For example, companies should consider whether the incident will “harm . . . [its] reputation, customer or vendor relationships, or competitiveness.” Companies also should consider “the possibility of litigation or regulatory investigations
or actions, including regulatory actions by state and Federal Governmental authorities and non-U.S. authorities.”4
As indicated above, consideration of whether a matter has a material impact on a registrant’s operations, financial condition and results of operations, does not address the totality of elements that must be examined in determining materiality for
purposes of Item 1.05. In evaluating the materiality of the Incident, the Committee explicitly considered a number of qualitative factors and concluded that these elements were sufficient to render the Incident a material event, even in the absence
of a finding of quantitative material effects on the Bank’s results of operations, financial condition or results of operations. In particular, the Committee considered the nature, significance and number of qualitative factors present, and concluded
that a “reasonable investor” in the Bank’s stock (who would also be a Bank member and customer) likely would consider the incident to be important to an investment (and commercial) decision.
|1
|
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release Nos. 33-11216; 34-97989 (July 26, 2023), 88 FR 51896
(Aug. 4, 2023).
|2
|
Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11038 (Mar. 9, 2022) 87 FR 16590 (Mar. 23, 2022).
|3
|
Adopting Release at 29.
|4
|
Corporation Finance Division Director Erik Gerding reiterated this view in his recent statement on the appropriate use of Item 1.05. Disclosure of Cybersecurity Incidents
Determined To Be Material and Other Cybersecurity Incidents, SEC, Statement of Erik Gerding (May 21, 2024), https://www.sec.gov/news/statement /gerding-cybersecurity-incidents-05212024.
In particular, in analyzing whether qualitative factors rendered the Incident material, the Committee considered:
|
|
(1)
|
The Incident’s potential to harm the Bank’s
|
|•
|
Competitiveness, as the Bank’s competitive position could be damaged if concerned members chose other funding sources or other providers of correspondent services;
|
|•
|
Unique relationship with its investors and customers, who are one and the same; and
|
|•
|
Reputation and business relationships with its members;
|
|(2)
|
That the incident touched upon the Bank’s mission and core business of providing liquidity to Bank members; and
|
|(3)
|
That the Bank is regulated for “safety and soundness” by Federal Housing Finance Agency, heightening the Incident’s potential to trigger regulatory action and the significance of such action
Further, the Committee considered that, although the SEC’s disclosure rules do not provide a “bright line” as to whether a particular incident is “material,” and reasonable minds may reach different conclusions, both the Proposing5 and
Adopting6 Releases note that “[d]oubts as to the ‘critical nature’ of the relevant information should be ‘resolved in favor of those the statute is designed to protect,’ namely investors”. Based on the Bank’s conclusion that a “reasonable
investor” (again, with an investment in the Bank’s stock generally arising only in the context of the type of advance transaction touched upon by the Incident itself) likely would consider the Incident to be important to an investment (and
commercial) decision, and in light of the interpretive approach to “close cases” set out above, the Committee concluded that those factors were sufficient to render the Incident material, even in the absence of quantitatively material effects.
Conclusion
After careful consideration the Bank, through its Disclosure Committee, determined that the qualitative aspects of the Incident were sufficient to render the Incident material, even in the absence of findings of quantitative effects on the Bank,
and that, therefore, a filing under Item 1.05 of Form 8‑K was required. The Bank now recognizes that the statement regarding materiality in the February Form 8-K may not have been as clear as the Bank had intended it to be. In considering any future
filings under Item 1.05 of Form 8-K, the Bank intends to provide the necessary and appropriate disclosure to make this clear, taking into account the recent guidance from Corporation Finance Division Director Erik Gerding (provided May 21, 2024) as
to disclosures under Item 1.05, as well as any additional guidance the Staff may provide in the future.
* * * * *
|5
|
Proposing Release at 23.
|6
|
Adopting Release at 15.
We would be pleased to discuss this matter further with the Staff and to provide any additional information that it might require. Should the Staff desire to discuss or to receive additional information, please contact the undersigned. Finally, we
acknowledge that the Bank and its management are responsible for the accuracy and adequacy of their disclosures, notwithstanding any review, comments, action or absence of action by the Staff.
|
|
Very truly yours,
|
|
|
|
/s/ Paul Friend
|
|
Paul Friend
|
|
General Counsel
|cc:
|
Jonathan West, Chief Legal Officer
Kevin Neylan, Chief Financial Officer
Lawrence Bard, Esquire