The CalHFA Audit Committee convened on October 23, 2024, to discuss critical updates regarding the agency's Information Security Program, emphasizing its importance in safeguarding sensitive data and maintaining operational integrity. As California faces increasing cybersecurity threats, the committee highlighted the ongoing efforts to enhance data protection measures and ensure compliance with regulatory standards.

The meeting began with an overview of CalHFA's commitment to information security, which is vital for the agency's daily operations. The program aims to protect against cyber attacks, data breaches, and fraud, thereby fostering trust among customers who expect their information to be secure. The committee noted that maintaining this trust is essential for CalHFA's reputation and operational efficiency.

Key discussions included the identification of five business domains crucial for data protection. The agency reported successful implementation of cybersecurity resilience measures and ongoing remedial work to address vulnerabilities. Notably, CalHFA has not experienced any information security incidents in the past fiscal year, although two external partners reported breaches that did not affect CalHFA directly.

The committee also addressed the evolving threat landscape, particularly the persistent risk of ransomware attacks. They acknowledged the challenges in obtaining comprehensive data on such threats due to the dynamic nature of cybersecurity incidents. In response, CalHFA is actively testing its technology recovery and incident response plans to ensure preparedness against potential breaches.

Looking ahead, the committee outlined plans for the upcoming fiscal year, focusing on enhancing the agency's security posture and aligning with industry best practices. This includes the adoption of new policies and ongoing training for staff to effectively handle external threats.

In conclusion, the CalHFA Audit Committee's discussions underscored the agency's proactive approach to information security amidst a challenging cybersecurity environment. As they continue to refine their strategies, the emphasis remains on protecting sensitive data while ensuring operational efficiency and compliance with regulatory requirements.