|
Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|
We are subject to cybersecurity risk, which includes intentional and unintentional acts that may jeopardize the confidentiality, integrity, or availability of our information technology assets and data under our control. Cybersecurity risk can take the form of a variety of circumstances to cause harm to us, our members, our service providers, and the economy in general. These circumstances include, but are not limited to, malicious software or exploited vulnerabilities, social engineering, such as phishing, denial-of-service attacks, viruses, malware, and natural disasters. Refer to Item 1A — Risk Factors for a description of cybersecurity and other operational risks that may affect our information technology assets and data under our control.
In alignment with industry standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and FHFA regulatory guidance, we have implemented processes for assessing, identifying, and managing cybersecurity risk through a layered approach throughout our environment and in our service provider arrangements, including SaaS and IaaS engagements. We endeavor to continuously develop our policies and practices to mitigate our exposure to cybersecurity risks given, among other things, the evolving natures of these risks, the involvement of uncontrollable circumstances, such as fires or flooding, and our role in the financial services industry and the broader economy. Our cybersecurity risk-mitigating processes include, but are not limited to, the following: performing regular risk assessments to identify, understand, and prioritize risks from cybersecurity threats; the implementation of firewalls, anti-virus software, and real-time network monitoring; the deployment of software updates to address security vulnerabilities; maintaining a vulnerability management program to timely identify and remediate cybersecurity risks; and periodic employee training to educate employees on how to identify and avoid various forms of social engineering.
We also maintain a business continuity program designed to ensure that resources and plans are in place to protect the Bank from potential loss during a disruption, which includes the unavailability of our information technology assets due to unintentional events like fire, power loss, and other technical incidents such as hardware failures. These business continuity resources and plans include, but are not limited to, maintaining a business continuity site to ensure continued operations, regular backing up of data and systems, testing our ability to operate on disaster recovery systems, and annually reviewing department level business continuity procedures.
We regularly engage with third parties to test, maintain, and enhance our cybersecurity risk management practices and threat monitoring. These engagements include, among other things, incident response exercises, penetration testing, constant managed detection and response services, and intrusion prevention and detection applications. Our vendor risk management program includes regular reviews and oversight of these third parties, including performance and technological reviews and escalation of any unsatisfactory reviews.
Our results of operations and financial condition have not been materially affected by cybersecurity threats or incidents during the period covered by this report. However, to assess, identify, and manage risks from cybersecurity threats, including as a result of previous cybersecurity incidents, we have invested, and expect to continue to invest, significant resources to maintain and enhance our information security and business continuity programs designed to preserve the confidentiality, integrity, and availability of our information technology assets and data under our control. As a result, the risk of cybersecurity threats has materially affected our business strategy. It is inevitable that cybersecurity incidents will occur in the future and any such cybersecurity incident could result in significantly harmful consequences to us, our members, and their customers. We assess the materiality of each cybersecurity incident from several perspectives including, but not limited to, our ability to continue to service our members, any loss of or unauthorized access to data, lost revenue, increased operating costs, litigation, and reputational harm.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|
In alignment with industry standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, and FHFA regulatory guidance, we have implemented processes for assessing, identifying, and managing cybersecurity risk through a layered approach throughout our environment and in our service provider arrangements, including SaaS and IaaS engagements. We endeavor to continuously develop our policies and practices to mitigate our exposure to cybersecurity risks given, among other things, the evolving natures of these risks, the involvement of uncontrollable circumstances, such as fires or flooding, and our role in the financial services industry and the broader economy. Our cybersecurity risk-mitigating processes include, but are not limited to, the following: performing regular risk assessments to identify, understand, and prioritize risks from cybersecurity threats; the implementation of firewalls, anti-virus software, and real-time network monitoring; the deployment of software updates to address security vulnerabilities; maintaining a vulnerability management program to timely identify and remediate cybersecurity risks; and periodic employee training to educate employees on how to identify and avoid various forms of social engineering.
We also maintain a business continuity program designed to ensure that resources and plans are in place to protect the Bank from potential loss during a disruption, which includes the unavailability of our information technology assets due to unintentional events like fire, power loss, and other technical incidents such as hardware failures. These business continuity resources and plans include, but are not limited to, maintaining a business continuity site to ensure continued operations, regular backing up of data and systems, testing our ability to operate on disaster recovery systems, and annually reviewing department level business continuity procedures.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Text Block]
|Our results of operations and financial condition have not been materially affected by cybersecurity threats or incidents during the period covered by this report. However, to assess, identify, and manage risks from cybersecurity threats, including as a result of previous cybersecurity incidents, we have invested, and expect to continue to invest, significant resources to maintain and enhance our information security and business continuity programs designed to preserve the confidentiality, integrity, and availability of our information technology assets and data under our control. As a result, the risk of cybersecurity threats has materially affected our business strategy. It is inevitable that cybersecurity incidents will occur in the future and any such cybersecurity incident could result in significantly harmful consequences to us, our members, and their customers. We assess the materiality of each cybersecurity incident from several perspectives including, but not limited to, our ability to continue to service our members, any loss of or unauthorized access to data, lost revenue, increased operating costs, litigation, and reputational harm.
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|Our board of directors oversees our information security program through regular review of policies and principles, including our information security policy designed to establish clear management direction and commitment to preserve the confidentiality, integrity, and availability of all information technology assets, including data.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our Bank Technology Governance Committee, a management level committee, consisting of members of our senior leadership, including our chief risk officer and chief information officer, is responsible for approving policies to support the management and implementation of the cybersecurity program. This committee receives regular reporting from our director of information security similar to what is provided to the board of directors, and more detailed reporting regarding the availability of information technology assets and cybersecurity threats being monitored.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our director of information security provides regular reporting (at least quarterly) to the Risk Committee and Technology Committee of our board of directors on topics such as threat intelligence, major cybersecurity risk areas and threats, technologies and best practices, and any cybersecurity incidents that may have impacted us, and more frequently if there is an ongoing cybersecurity incident.
The business continuity program is overseen by the Finance Committee of our board of directors and includes, among other items, business impact analysis for developing effective plans and a disaster recovery plan to respond, recover, resume, and restore technology assets critical for us to operate. Our Operational Risk Committee, a management level committee, including leadership representatives from our operational risk, information security, information technology, legal, operations, and other departments throughout the Bank, is responsible for oversight of operational risk and oversees the implementation of the business continuity program as approved by the board of directors.
|Cybersecurity Risk Role of Management [Text Block]
|Our Bank Technology Governance Committee, a management level committee, consisting of members of our senior leadership, including our chief risk officer and chief information officer, is responsible for approving policies to support the management and implementation of the cybersecurity program. This committee receives regular reporting from our director of information security similar to what is provided to the board of directors, and more detailed reporting regarding the availability of information technology assets and cybersecurity threats being monitored.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|Our Bank Technology Governance Committee, a management level committee, consisting of members of our senior leadership, including our chief risk officer and chief information officer, is responsible for approving policies to support the management and implementation of the cybersecurity program. This committee receives regular reporting from our director of information security similar to what is provided to the board of directors, and more detailed reporting regarding the availability of information technology assets and cybersecurity threats being monitored.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|
Our director of information security, who reports both to our chief risk officer and our chief information officer, manages the Bank’s cybersecurity governance framework designed to protect the confidentiality, integrity, and availability of the Bank’s information technology assets and data under our control. Our director of information security has more than 25 years of experience in information technology in successively more responsible roles and has led teams to design, secure, and implement numerous technology solutions. Our information security department is responsible for developing, documenting, and approving our information security control standards, guidelines, and procedures, in line with the policies and standards set forth by our board of directors and the Bank Technology Governance Committee.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our director of information security provides regular reporting (at least quarterly) to the Risk Committee and Technology Committee of our board of directors on topics such as threat intelligence, major cybersecurity risk areas and threats, technologies and best practices, and any cybersecurity incidents that may have impacted us, and more frequently if there is an ongoing cybersecurity incident.
The business continuity program is overseen by the Finance Committee of our board of directors and includes, among other items, business impact analysis for developing effective plans and a disaster recovery plan to respond, recover, resume, and restore technology assets critical for us to operate. Our Operational Risk Committee, a management level committee, including leadership representatives from our operational risk, information security, information technology, legal, operations, and other departments throughout the Bank, is responsible for oversight of operational risk and oversees the implementation of the business continuity program as approved by the board of directors.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true