80 FR 43555 - Agency Information Collection Activities: Information Collection Renewal; Comment Request; FFIEC Cybersecurity Assessment Tool

DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency

Federal Register Volume 80, Issue 140 (July 22, 2015)

The OCC, the Board of Governor of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, the Agencies), as part of their continuing effort to reduce paperwork and respondent burden, invite the general public and other Federal agencies to take this opportunity to comment on a continuing information collection, as required by the Paperwork Reduction Act of 1995 (PRA). In accordance with the requirements of the PRA, the Agencies may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The OCC is soliciting comment on behalf of the Agencies concerning renewal of the information collection titled, ``FFIEC Cybersecurity Assessment Tool.''

[Federal Register Volume 80, Number 140 (Wednesday, July 22, 2015)]
[Notices]
[Pages 43555-43557]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2015-17907]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency


Agency Information Collection Activities: Information Collection 
Renewal; Comment Request; FFIEC Cybersecurity Assessment Tool

AGENCY: Office of the Comptroller of the Currency (OCC), Treasury.

ACTION: Notice and request for comment.

-----------------------------------------------------------------------

SUMMARY: The OCC, the Board of Governor of the Federal Reserve System 
(Board), the Federal Deposit Insurance Corporation (FDIC), and the 
National Credit Union Administration (NCUA) (collectively, the 
Agencies), as part of their continuing effort to reduce paperwork and 
respondent burden, invite the general public and other Federal agencies 
to take this opportunity to comment on a continuing information 
collection, as required by the Paperwork Reduction Act of 1995 (PRA).
    In accordance with the requirements of the PRA, the Agencies may 
not conduct or sponsor, and the respondent is not required to respond 
to, an information collection unless it displays a currently valid 
Office of Management and Budget (OMB) control number.
    The OCC is soliciting comment on behalf of the Agencies concerning 
renewal of the information collection titled, ``FFIEC Cybersecurity 
Assessment Tool.''

DATES: Comments must be received by September 21, 2015.

ADDRESSES: Because paper mail in the Washington, DC area and at the OCC 
is subject to delay, commenters are encouraged to submit comments by 
email, if possible. Comments may be sent to: Legislative and Regulatory 
Activities Division, Office of the Comptroller of the Currency, 
Attention: 1557-0328, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-
11, Washington, DC 20219. In addition, comments may be sent by fax to 
(571) 465-4326 or by electronic mail to [email protected]. You may 
personally inspect and photocopy comments at the OCC, 400 7th Street 
SW., Washington, DC 20219. For security reasons, the OCC requires that 
visitors make an appointment to inspect comments. You may do so by 
calling (202) 649-6700. Upon arrival, visitors will be required to 
present valid government-issued photo identification and to submit to 
security screening in order to inspect and photocopy comments.
    All comments received, including attachments and other supporting

[[Page 43556]]

materials, are part of the public record and subject to public 
disclosure. Do not enclose any information in your comment or 
supporting materials that you consider confidential or inappropriate 
for public disclosure.

FOR FURTHER INFORMATION CONTACT: Shaquita Merritt, OCC Clearance 
Officer, or Beth Knickerbocker, Counsel (202) 649-5490, for persons who 
are deaf or hard of hearing, TTY, (202) 649-5597, Legislative and 
Regulatory Activities Division, Office of the Comptroller of the 
Currency, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-11, 
Washington, DC 20219.

SUPPLEMENTARY INFORMATION: Under the PRA (44 U.S.C. 3501-3520), Federal 
agencies must obtain approval from OMB for each collection of 
information they conduct or sponsor. ``Collection of information'' is 
defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to include agency 
requests or requirements that members of the public submit reports, 
keep records, or provide information to a third party. The definition 
contained in 5 CFR 1320.3(c) also includes a voluntary collection. 
Section 3506(c)(2)(A) of the PRA (44 U.S.C. 3506(c)(2)(A)) requires 
Federal agencies to provide a 60-day notice in the Federal Register 
concerning each proposed collection of information, including each 
proposed extension of an existing collection of information, before 
submitting the collection to OMB for approval. To comply with this 
requirement, the OCC is publishing, on behalf of the Agencies, a notice 
of the proposed collection of information set forth in this document.
    In connection with issuance of the assessment entitled ``FFIEC 
Cybersecurity Assessment Tool,'' \1\ OMB provided a six-month approval 
for this information collection. The OCC is proposing to extend OMB 
approval of the collection for the standard three years.
---------------------------------------------------------------------------

    \1\ http://www.ffiec.gov/cyberassessmenttool.htm.
---------------------------------------------------------------------------

    Title: FFIEC Cybersecurity Assessment Tool.
    OMB Number: 1557-0328.
    Description: Cyber threats have evolved and increased exponentially 
with greater sophistication than ever before. Financial institutions 
\2\ are exposed to cyber risks because they are dependent on 
information technology to deliver services to consumers and businesses 
every day. Cyber attacks on financial institutions may not only result 
in access to, and the compromise of, confidential information, but also 
the destruction of critical data and systems. Disruption, degradation, 
or unauthorized alteration of information and systems can affect an 
institution's operations and core processes and undermine confidence in 
the nation's financial services sector. Absent immediate attention to 
these rapidly increasing threats, financial institutions and the 
financial sector as a whole are at risk.
---------------------------------------------------------------------------

    \2\ For purposes of this information collection, the term 
``financial institution'' includes banks, savings associations, 
credit unions, bank and saving and loan holding companies and 
critical third-party service providers to financial institutions.
---------------------------------------------------------------------------

    For this reason, the Agencies, under the auspices of the Federal 
Financial Institutions Examination Council (``FFIEC''), have 
accelerated efforts to assess and enhance the state of the financial 
industry's cyber preparedness and to close gaps in the Agencies' 
examination procedures and training that can strengthen the oversight 
of financial industry cybersecurity readiness. The Agencies also have 
focused on improving their abilities to provide financial institutions 
with resources that can assist in protecting institutions and their 
customers from the growing risk posed by cyber attacks.
    As part of these increased efforts, the Agencies have developed a 
Cybersecurity Assessment Tool (``Assessment'') that will assist 
financial institutions of all sizes in assessing their inherent 
cybersecurity risks and their risk management capabilities. The 
Assessment will allow a financial institution to identify its inherent 
cyber risk profile based on the financial institution's technologies 
and connection types, delivery channels, online/mobile products and 
technology services it offers, organizational characteristics, and 
threats it is likely to face. Once an institution identifies its 
inherent cyber risk profile, it will be able to use the Assessment's 
maturity matrix to evaluate its level of cybersecurity preparedness 
based on the institution's cyber risk management and oversight, threat 
intelligence capabilities, cybersecurity controls, external dependency 
management, and cyber incident management and resiliency planning. A 
financial institution can use the matrix's maturity levels to identify 
opportunities for improving the institution's cybersecurity, based on 
its inherent risk profile. The Assessment also will enable a financial 
institution to identify areas more rapidly that could improve its 
cybersecurity risk management and response programs, if needed. Use of 
the Assessment by financial institutions is not mandatory.
    Type of Review: Regular.
    Affected Public: Businesses or other for-profit.
    Estimated Number of Respondents: \3\
---------------------------------------------------------------------------

    \3\ Burden is estimated conservatively and assumes all 
institutions will complete the Assessment. Therefore, the estimated 
burden may exceed the actual burden because use of the Assessment by 
financial institutions is not mandatory.
---------------------------------------------------------------------------

    OCC: 1,511 (19 large; 48 mid-size (including credit card banks); 
and 1,444 community national banks and Federal savings associations).
    Estimated Burden per Response: 80 hours.
    Total Estimated Burden: 120,880 hours.
    Board: 5,282 (858 state member banks; 522 large bank holding 
companies; 3,902 small bank holding companies).
    Estimated Burden per Response: 80 hours.
    Total Estimated Burden: 422,560.
    FDIC: 4,084 (includes 3,882 community banks).
    Estimated Burden per Response: 80 hours.
    Total Estimated Burden: 326,720.
    NCUA: 6,206.
    Estimated Burden per Response: 80 hours.
    Total Estimated Burden: 496,480.
    All Agencies:
    Estimated Number of Respondents: 176 technology service providers.
    Estimated Burden per Response: 80 hours.
    Total Estimated Burden: 14,080 hours.
    Estimated Frequency of Response: On occasion.
    Estimated Total Annual Burden: 1,380,720 hours.
    Comments submitted in response to this notice will be summarized 
and included in the request for OMB approval. All comments will become 
a matter of public record. Comments are invited on:
    (a) Whether the collection of information is necessary for the 
proper performance of the functions of the Agencies, including whether 
the information has practical utility;
    (b) The accuracy of the Agencies' estimates of the burden of the 
collection of information;
    (c) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (d) Ways to minimize the burden of the collection on respondents, 
including through the use of automated collection techniques or other 
forms of information technology; and
    (e) Estimates of capital or start-up costs and costs of operation, 
maintenance, and purchase of services to provide information.


[[Page 43557]]


     Dated: July 16, 2015.
Stuart E. Feldstein,
Director, Legislative and Regulatory Activities Division, Office of the 
Comptroller of the Currency.
[FR Doc. 2015-17907 Filed 7-21-15; 8:45 am]
BILLING CODE P