To conduct and manage its business operations, Farmer Mac relies heavily on technology and information systems, including from third parties, for the secure collection, processing, transmission, and storage of confidential, proprietary, and personal information in its information systems (and those of third parties). These technology and information systems encompass an integrated set of hardware, software, infrastructure, and personnel organized to facilitate the planning, control, coordination, operations, and decision-making processes within Farmer Mac. Risks to Farmer Mac's information systems and data as a result of cybersecurity attacks has increased as the importance and complexity of Farmer Mac's technology and information systems has increased, and as new technologies are developed that are used by its customers, Farmer Mac, and its service providers to support its business and operations. Like many other financial institutions, Farmer Mac and its third-party service providers, vendors, and suppliers face regular attacks by threat actors attempting to gain unauthorized access to, or disrupt, its information systems and access or acquire its data, including from organized criminal groups, hackers, nation states, activists, insiders, and others. These threats come from a variety of different sources, including cyber-attacks, computer viruses, malware, exploits of system and network vulnerabilities, human error, phishing, ransomware, and distributed denial of service attacks. The threats Farmer Mac and its third-party service providers face and the methods used to gain unauthorized access to or disrupt their information systems and data are evolving. Farmer Mac is not always able to prevent or recognize attacks, its existing cybersecurity defenses may not be sufficient to detect attacks in a timely manner or to fully investigate an attack, and it may be unable to implement effective preventive measures or proactively address these threats until after a cybersecurity incident has been discovered. Farmer Mac also may have limited or no control over its service providers' handling of cybersecurity incidents, including their recognition and prevention practices. Any employees or agents of Farmer Mac's (or its third-party customers or vendors) who have authorized access to confidential, proprietary, or personal information could also intentionally, inadvertently, or erroneously disseminate the information to unauthorized third parties.
Farmer Mac's current information security program with cybersecurity procedures, policies, practices, and controls, may not be sufficient to prevent unauthorized access to its information technology assets or data, which could lead to a significant disruption to business operations; unauthorized access to or acquisition, destruction, alteration, release, theft, or loss of confidential, proprietary, or personal data; fraud (on Farmer Mac and/or its customers); extortion; financial and economic loss or costs; errors in its financial statements; impairment of its liquidity; harm to employees, customers, or vendors; liability or service interruptions to its customers; loss of customers or vendors; violation of data protection laws and other litigation and legal risk; increased regulatory or legislative scrutiny; or reputational damage. Even when an attempted cybersecurity attack or other security breach is successfully avoided or thwarted, Farmer Mac may need to expend substantial resources in doing so, may be required to take actions that could adversely affect customer satisfaction or behavior, or may be exposed to reputational damage. Farmer Mac also could be subject to litigation and government enforcement actions as a result of any failure in its procedures, policies, practices, and controls. Any such claim or proceeding could cause us to incur significant unplanned expenses in excess of Farmer Mac's insurance coverage, which could adversely affect Farmer Mac's financial condition and results of operations. The amount and scope of insurance Farmer Mac maintains may not cover all expenses related to those claims. Also, the risk of unauthorized access to confidential, proprietary, or personal information through information system breaches or inadvertent dissemination may be heightened in a remote-working environment, which is currently more prevalent at Farmer Mac.