Corporate Governance: Cyber Risk Oversight by the Fannie Mae Board of Directors Highlights the Need for FHFA's Closer Attention to Governance Issues

Published by the Federal Housing Finance Agency, Office of Inspector General on 2016-03-31.


Federal Housing Finance Agency, Office of Inspector General

Evaluation Report EVL-2016-006, March 31, 2016
The Federal Housing Finance Agency (FHFA or Agency) recognizes that cyber risk has
become an increasing concern for the financial services industry and housing finance. The
entities FHFA supervises and regulates—Fannie Mae, Freddie Mac, and the Federal Home
Loan Banks—are central to the financial services industry and are interconnected with large
banks and other large financial institutions. Disruptions to their businesses from cyber attacks
could have widespread and harmful effects on the housing finance system. Cyber attacks
could also result in the theft of proprietary, trade secret, and confidential consumer data and
expose the regulated entities to reputational and legal risk. FHFA, as conservator, has
delegated to the boards of directors of Fannie Mae and Freddie Mac (collectively, the
Enterprises) responsibility for adopting cyber risk management policies that meet FHFA’s
supervisory expectations, overseeing the entity’s cyber risk management program to ensure
that the program meets FHFA’s supervisory expectations, and holding management
accountable in its efforts to develop such a cyber risk management program and address
FHFA’s supervisory concerns in a timely and appropriate manner.

FHFA Office of Inspector General (OIG) conducted this evaluation to assess execution of
cyber risk management responsibilities by Fannie Mae’s Board of Directors (the Board).
Because this evaluation reviews Fannie Mae’s cyber risk management policies and practices
and because information we learned could be abused to circumvent Fannie Mae’s internal
controls, OIG has determined to issue only this summary of its review and its

Oversight Responsibilities of the Enterprises’ Boards of Directors for Cyber Risk

A board of directors always sets the “tone at the top” for the organization. FHFA’s
predecessor safety and soundness regulator for the Enterprises, the Office of Federal Housing
Enterprise Oversight (OFHEO), explained the duties of Enterprise directors in its May 2006
Report of Special Examination:

        Well-settled principles of good corporate governance hold that, to be
        observant of the best interests of the corporation, an independent director must
        “exercise a healthy skepticism.” In fact, a director’s independence should be
        her “most distinguishing characteristic.” That said, in order to be effective, a
        director must do more than simply monitor management’s performance.
        Applicable standards require that a director must actively undertake
        vigorous scrutiny of the corporation’s affairs… (emphasis added.)[1]

[1] In that report, OFHEO found that the Fannie Mae Board of Directors, none of whom currently serve as a
Fannie Mae director, “was a passive and complacent entity, controlled by, rather than controlling senior
management” because it gave management “unbridled authority over its agenda” and “allowed management to
determine with little opposition the information it received,” without challenging or questioning management’s
representations and assumptions.

                                 OIG  EVL-2016-006  March 31, 2015                                       2
The OFHEO governance regulations remained in place until FHFA’s governance regulations
took effect in November 2015. According to FHFA, its governance regulations “relocate and
consolidate” regulations previously issued by OFHEO. FHFA’s governance regulations,
Prudential Management and Operations Standards, Examination Manual, and supervisory
guidance (collectively, FHFA standards) establish specific oversight responsibilities for the
board of directors of each Enterprise. These FHFA standards require an Enterprise board to
approve, have in effect at all times, and periodically review, an Enterprise-wide risk
management program that establishes the Enterprise’s risk appetite, aligns the risk appetite
with its strategies and objectives, addresses its exposure to operational risk, and complies
with all applicable FHFA regulations and policies. FHFA charges an Enterprise board with
responsibility to ensure that the Enterprise complies with all applicable laws, regulations, and
with FHFA’s supervisory guidance and to assess the adequacy of management’s efforts to
comply with FHFA requirements for secure information systems. FHFA’s governance
regulations and Examination Manual make clear that an Enterprise board is ultimately
responsible for: ensuring that the conditions and practices that gave rise to any supervisory
concerns are corrected, and that executive officers have been responsive in addressing all of
FHFA’s supervisory concerns in a timely and appropriate manner; and holding management
accountable for remediating those conditions and practices.

While the Enterprises have been in conservatorship since September 2008, FHFA has
delegated responsibility for oversight of general corporate matters to each Enterprise’s board
of directors, including oversight of the risk management program, which includes cyber risk.
FHFA has supplemented its general governance standards with supervisory expectations for
board oversight and monitoring of an Enterprise’s cyber risk management program set forth in
its Advisory Bulletin 2014-05, Cyber Risk Management Guidance (AB), May 2014.
According to the AB, FHFA expects the cyber risk management program implemented by a
regulated entity to be commensurate with prevailing technology, industry, and government
standards. In this AB, FHFA emphasizes the responsibility of a board of directors to establish
the regulated entity’s overall cyber risk management policy and appropriate board-level
reporting. The AB directs that a board’s cyber risk management policy should include five
critical elements: define the institution’s governance and risk management structure, prioritize
cyber risk management efforts in alignment with institution goals and objectives, establish
risk tolerance levels and escalation procedures, define how the institution will assess and
respond to cyber risks, and ensure the board or its designees receive appropriate reporting.

Oversight of Cyber Risk Management by Fannie Mae’s Board of Directors

In each of the past five years, FHFA has highlighted supervisory concerns in its public reports
to Congress over information technology issues at Fannie Mae that have the potential to
increase risks to the effectiveness of its cyber security controls. Of these supervisory
concerns, Fannie Mae’s continued reliance on legacy information technology and stresses to
its operating environment from legacy architecture feature prominently, as do Fannie Mae’s
efforts to upgrade and replace its outdated and inflexible information systems. In its most
recent report, FHFA observed that the high level of operational risk at Fannie Mae reflected
the risk posed by the execution of the Enterprise’s plan to replace its existing information
technology infrastructure. Fannie Mae has acknowledged the magnitude of the exposure
presented by cyber risks in filings with the U.S. Securities and Exchange Commission.

With so much at stake for Fannie Mae, oversight of cyber risk management is an integral
component of the Board’s oversight responsibilities. The Board’s oversight of Fannie Mae’s
cyber risk management program is part of its oversight obligations to manage risk. As with
any risk, the Board must approve and periodically review an Enterprise-wide risk
management program that establishes the Enterprise’s risk appetite, aligns the risk appetite
with its strategies and objectives, addresses its exposure to operational risk, and complies with
applicable FHFA regulations and policies. It must adopt policies that establish Fannie Mae’s
cyber risk management appetite and capability and define appropriate board-level reporting.
And, it must hold management accountable to effectively manage Fannie Mae’s cyber risk

Like any other board of directors, Fannie Mae’s directors are not required or expected to be
cyber experts; they are responsible for oversight of the cyber risk management program, not
for its actual design and implementation. Fannie Mae’s Board of Directors has taken
steps to strengthen its oversight of cyber security risk management. The Fannie Mae directors
whom we interviewed reported that they consider cyber security a high priority for the company
and emphasized that the Board’s goal is to ensure that Fannie Mae is constantly vigilant and
working to enhance its cyber risk management practices. For a number of years, the Board has
taken steps to educate itself on cyber security matters from external subject matter experts.
For example, in 2014 and 2015, the Board was briefed by well-regarded cyber security
professionals on cyber threats and the role of a board in oversight of a cyber risk management
program. It commissioned an external assessment of its oversight of Fannie Mae’s cyber risk
management program from a highly regarded consultant. To enhance its baseline knowledge
of cyber security risks and issues, it added a new director with substantial professional
experience and expertise in information technology and risk management. These efforts have
provided directors with an understanding of cyber risks and issues related to cyber threats,
vulnerabilities, and consequences.

                              OIG  EVL-2016-006  March 31, 2015                                   4
The Board has approved three policies that provide the foundation for Fannie Mae’s cyber
risk management program. Consistent with these policies, the Board, during the third quarter
of 2015, approved an Enterprise-wide cyber risk management framework and a cyber risk
appetite statement.

Although the Board has made progress, our evaluation found that much more remains to be
done by the Board in order to satisfy the cyber risk management responsibilities delegated to
it by FHFA. Oversight by a board of directors of a cyber risk management program for a
complex financial institution is difficult, and this task is made more challenging by the
numerous legacy information technology systems used by Fannie Mae. In view of these
challenges, we recognize that the Board may benefit from regular access to outside cyber
security expertise to assist it in its oversight responsibilities.

In our evaluation, we compared the Board’s three foundational cyber risk management
policies against FHFA’s supervisory expectations announced in its AB, and we determined
that these policies did not meet these expectations and should be enhanced. We reviewed
numerous management presentations on its ongoing efforts to achieve the desired target state
for cyber risk management at Fannie Mae to the Board and minutes for those meetings. From
that review, we determined that management offered plan after plan to enhance Fannie Mae’s
existing program without explaining the reasons for the numerous plans or the integration of
one plan with another, and offered timeline upon timeline, but provided little evidence of
concrete progress in remediating conditions giving rise to FHFA’s supervisory concerns. Our
evaluation found that the Board largely received these presentations without challenging
management’s changing timelines or reasons for multiple plans, questioning the integration of
one plan with prior plans still in effect, or pressing management to provide a comprehensive
master plan with clear timelines and milestones to remediate legacy technology issues and
implement current cyber security initiatives. Based on our review of minutes of these
meetings, we determined that they do not, in large measure, reflect the substance of questions
asked by the Board, management responses, or any specific actions directed by the Board for
follow-up. As a consequence, we found that the Board acted only to monitor management’s
design and implementation of Fannie Mae’s cyber risk management program, rather than to
oversee it.

To address these shortcomings, we recommend that FHFA:

   1. Direct the Fannie Mae Board to enhance Fannie Mae’s existing cyber risk
      management policies to:

           a. Require a baseline Enterprise-wide cyber risk assessment with subsequent
              periodic updates;

           b. Describe information to be reported to the Board and committees;

                              OIG  EVL-2016-006  March 31, 2015                                5
          c. Include a cyber risk framework and cyber risk appetite.

   2. Instruct the Fannie Mae Board to establish and communicate a desired target state of
      cyber risk management for Fannie Mae that identifies and prioritizes which risks to
      avoid, accept, mitigate, or transfer through insurance.

   3. Direct the Fannie Mae Board to oversee management’s efforts to leverage industry
      standards to:

          a. Protect against and detect existing threats;

          b. Remain informed on emerging risks;

          c. Enable timely response and recovery in the event of a breach; and

          d. Achieve the desired target state of cyber risk management identified in
             Recommendation 2 above within a time period agreed upon by the Board.

We provided FHFA an opportunity to respond to a draft summary of this evaluation. In its
management response, which is reprinted in its entirety at the end of this summary, FHFA agreed
with our recommendations, but disagreed with certain aspects of the report. The Agency asserts
that our report does not sufficiently recognize the Board’s recent activities and offers work
performed by three third-party experts who evaluated Fannie Mae’s cyber risk management
efforts. Two of the third-party reports were not completed until January and March 2016, after
our field work concluded, and the findings of those reports will not be shared with the Board
until its May meeting. The third report, while complimentary overall, recommended that the
board place extremely high priority on completing certain core steps that are fundamental to
conformance with the National Institute of Standards and Technology Framework for Improving
Critical Infrastructure Cybersecurity (NIST Framework). Thus, the Board was on notice of the
need for management to take action to resolve gaps in the information security program and
complete key actions to conform with the NIST Framework.

                             OIG  EVL-2016-006  March 31, 2015                             6
Objective, Scope, and Methodology

The objective of this report was to assess the cybersecurity oversight exercised by the Fannie
Mae Board of Directors. To achieve this objective, we interviewed certain FHFA and Fannie Mae
officials and Fannie Mae Board members. We reviewed publicly available documents and
industry standards as well as FHFA and Fannie Mae documents.

Our work was conducted under the authority of the Inspector General Act and in accordance
with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for
Inspection and Evaluation (January 2012). These standards require us to plan and perform an
evaluation based upon evidence sufficient to provide reasonable bases to support its findings
and recommendations. We believe that the findings and recommendations discussed in this
report meet these standards.

The fieldwork for this evaluation was performed between March and November 2015.

                              OIG  EVL-2016-006  March 31, 2015                                7
FHFA’s Comments on OIG’s Findings and Recommendation

                       OIG  EVL-2016-006  March 31, 2015   8