[Federal Register Volume 80, Number 241 (Wednesday, December 16, 2015)]
[Notices]
[Pages 78285-78289]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-31583]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency


Agency Information Collection Activities: Information Collection 
Renewal; Submission for Review; FFIEC Cybersecurity Assessment Tool

AGENCY: Office of the Comptroller of the Currency (OCC), Treasury.

ACTION: Notice and request for comment.

-----------------------------------------------------------------------

SUMMARY: The OCC, the Board of Governors of the Federal Reserve System 
(Board), the Federal Deposit Insurance Corporation (FDIC), and the 
National Credit Union Administration (NCUA) (collectively, the 
Agencies), as part of their continuing effort to reduce paperwork and 
respondent burden, invite the general public and other Federal agencies 
to comment on a continuing information collection, as required by the 
Paperwork Reduction Act of 1995 (PRA).
    In accordance with the requirements of the PRA, the Agencies may 
not conduct or sponsor, and the respondent is not required to respond 
to, an information collection unless it displays a currently valid 
Office of Management and Budget (OMB) control number.
    The OCC is soliciting comment on behalf of the Agencies concerning 
renewal of the information collection titled ``FFIEC Cybersecurity 
Assessment Tool'' (``Assessment''). The OCC also is giving notice that 
it has sent the collection to OMB for review.

DATES: Comments must be received by January 15, 2016.

ADDRESSES: Because paper mail in the Washington, DC area and at the OCC 
is subject to delay, commenters are encouraged to submit comments by 
email, if possible. Comments may be sent to: Legislative and Regulatory 
Activities Division, Office of the Comptroller of the Currency, 
Attention: 1557-0328, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-
11, Washington, DC 20219. In addition, comments may be sent by fax to 
(571) 465-4326 or by electronic mail to [email protected]. You may 
personally inspect and photocopy comments at the OCC, 400 7th Street 
SW., Washington, DC 20219. For security reasons, the OCC requires that 
visitors make an appointment to inspect comments. You may do so by 
calling (202) 649-6700 or, for persons who are deaf or hard of hearing, 
TTY (202) 649-5597. Upon arrival, visitors will be required to present 
valid government-issued photo identification and to submit to security 
screening in order to inspect and photocopy comments.
    All comments received, including attachments and other supporting 
materials, are part of the public record and subject to public 
disclosure. Do not enclose any information in your comment or 
supporting materials that you consider confidential or inappropriate 
for public disclosure.
    Additionally, please send a copy of your comments by mail to: OCC 
Desk Officer, 1557-0328, U.S. Office of Management and Budget, 725 17th 
Street NW., #10235, Washington, DC 20503, or by email to: 
[email protected].

[[Page 78286]]


FOR FURTHER INFORMATION CONTACT: Shaquita Merritt, OCC Clearance 
Officer, or Beth Knickerbocker, Counsel (202) 649-5490, Legislative and 
Regulatory Activities Division, for persons who are deaf or hard of 
hearing, TTY, (202) 649-5597, Office of the Comptroller of the 
Currency, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-11, 
Washington, DC 20219.

SUPPLEMENTARY INFORMATION: Under the PRA (44 U.S.C. 3501-3520), Federal 
agencies must obtain approval from OMB for each collection of 
information they conduct or sponsor. ``Collection of information'' is 
defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to include agency 
requests or requirements that members of the public submit reports, 
keep records, or provide information to a third party. The definition 
contained in 5 CFR 1320.3(c) also includes a voluntary collection of 
information.
    In connection with issuance of the Assessment,\1\ OMB provided a 
six-month approval for this information collection. On behalf of the 
Agencies, the OCC is proposing to extend OMB approval of the collection 
for the standard three years.
---------------------------------------------------------------------------

    \1\ http://www.ffiec.gov/cyberassessmenttool.htm.
---------------------------------------------------------------------------

    Title: FFIEC Cybersecurity Assessment Tool.
    OMB Number: 1557-0328.
    Description: Cyber threats have evolved and increased exponentially 
with greater sophistication than ever before. Financial institutions 
\2\ are exposed to cyber risks because they are dependent on 
information technology to deliver services to consumers and businesses 
every day. Cyber attacks on financial institutions may not only result 
in access to, and the compromise of, confidential information, but also 
the destruction of critical data and systems. Disruption, degradation, 
or unauthorized alteration of information and systems can affect a 
financial institution's operations and core processes and undermine 
confidence in the nation's financial services sector. Absent immediate 
attention to these rapidly increasing threats, financial institutions 
and the financial sector as a whole are at risk.
---------------------------------------------------------------------------

    \2\ For purposes of this information collection, the term 
``financial institution'' includes banks, savings associations, 
credit unions, and bank holding companies.
---------------------------------------------------------------------------

    For this reason, the Agencies, under the auspices of the Federal 
Financial Institutions Examination Council (``FFIEC''), have 
accelerated efforts to assess and enhance the state of the financial 
industry's cyber preparedness and to improve the Agencies' examination 
procedures and training that can strengthen the oversight of financial 
industry cybersecurity readiness. The Agencies also have focused on 
improving their abilities to provide financial institutions with 
resources that can assist in protecting financial institutions and 
their customers from the growing risks posed by cyber attacks.
    As part of these increased efforts, the Agencies developed the 
Assessment to assist financial institutions of all sizes in assessing 
their inherent cyber risks and their risk management capabilities. The 
Assessment allows a financial institution to identify its inherent 
cyber risk profile based on the financial institution's technologies 
and connection types, delivery channels, online/mobile products and 
technology services that it offers to its customers, its organizational 
characteristics, and the cyber threats it is likely to face. Once a 
financial institution identifies its inherent cyber risk profile, it 
will be able to use the Assessment's maturity matrix to evaluate its 
level of cybersecurity preparedness based on the financial 
institution's cyber risk management and oversight, threat intelligence 
capabilities, cybersecurity controls, external dependency management, 
and cyber incident management and resiliency planning. A financial 
institution may use the matrix's maturity levels to identify 
opportunities for improving the financial institution's cyber risk 
management based on its inherent risk profile. The Assessment also 
enables a financial institution to identify more rapidly the areas that 
could improve the financial institution's cyber risk management and 
response programs, if needed. Use of the Assessment by financial 
institutions is voluntary.
    Type of Review: Regular.
    Affected Public: Businesses or other for-profit.
    Estimated Burdens: \3\
---------------------------------------------------------------------------

    \3\ Burden is estimated conservatively and assumes all financial 
institutions will complete the Assessment. Therefore, the estimated 
burden may exceed the actual burden because use of the Assessment by 
financial institutions is not mandatory. The Agencies intend to 
address their review of the cybersecurity readiness and preparedness 
of financial institutions' technology service providers (TSPs) 
separately and therefore are no longer including a separate 
estimated burden for TSPs. However, the burden estimates for 
financial institutions do include that of TSPs who may assist 
financial institutions in completing their Assessment.

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                    Estimated number of    Estimated number of    Estimated number of    Estimated number of    Estimated total
                                    respondents less than  respondents $500       respondents $10        respondents over $50   respondents and total
     Assessment burden estimate     $500 million           million-$10 billion    billion-$50 billion    billion                annual burden hours
                                    @80 hours              @120 hours             @160 hours             @180 hours
--------------------------------------------------------------------------------------------------------------------------------------------------------
OCC National Banks and Federal      1,102 x 80 = 88,160    149 x 120 = 17,880     132 x 160 = 21,120     87 x 180 = 15,660      1,470 respondents;
 Savings Associations               hours                  hours                  hours                  hours                  142,820 hours
FDIC State Non-Member Banks and     3,224 x 80 = 257,920   728 x 120 = 87,360     22 x 160 = 3,520       5 x 180 = 900 hours    3,979 respondents;
 State Savings Associations         hours                  hours                  hours                                         349,700 hours
Board State Member Banks and Bank   4,083 x 80 = 326,640   1,083 x 120 = 129,960  74 x 160 = 11,840      42 x 180 = 7,560       5,282 respondents;
 Holding Companies                  hours                  hours                  hours                  hours                  476,000 hours
NCUA Federally-Insured Credit       5,622 x 80 = 449,760   463 x 120 = 55,560     4 x 160 = 640 hours    1 x 180 = 180 hours    6,090 respondents;
 Unions                             hours                  hours                                                                506,140 hours
                                    --------------------------------------------------------------------------------------------------------------------
    Total                           14,031 x 80 =          2,423 x 120 = 290,760  232 x 160 = 37,120     135 x 180 = 24,300     16,821 respondents;
                                    1,122,480 hours        hours                  hours                  hours                  1,474,660 hours
--------------------------------------------------------------------------------------------------------------------------------------------------------

    On July 22, 2015 (80 FR 4355), the Office of the Comptroller of 
the Currency (OCC), on behalf of itself, the Board of Governors of the 
Federal Reserve System (Board), the Federal Deposit Insurance 
Corporation (FDIC), and the National Credit Union Administration (NCUA) 
(collectively, the Agencies) published a 60-day notice requesting 
comment on the collection of information titled ``FFIEC Cybersecurity 
Assessment Tool (Assessment).'' The Agencies received eighteen 
comments: Twelve comments from individuals, five from industry trade 
associations, and
one from the Financial Services Sector Coordinating Council. The 
comments described below address concerns related to the collection of 
information. The commenters also mentioned aspects of the Assessment 
unrelated to the collection of information; these views are not 
relevant to this notice or the paperwork burden analysis and, 
accordingly, they are not addressed below. However, the comments 
unrelated to the paperwork burden analysis were provided to Agency 
personnel responsible for the Assessment for possible consideration in 
future updates of the Assessment.

1. Request for More Information on the Information Being Collected

    Eight of the commenters requested that the Agencies provide 
additional clarity and interpretative information regarding the 
Assessment. Several of these commenters requested that the Agencies 
clarify some of the statements in the Inherent Risk Profile.\4\ 
Commenters also stated that many of the declarative statements in the 
Cybersecurity Maturity \5\ were subjective and susceptible to different 
interpretation. Other commenters requested the Agencies provide 
additional information regarding the relationship between the Inherent 
Risk Profile and the Cybersecurity Maturity parts of the Assessment.
---------------------------------------------------------------------------

    \4\ Part One of the Assessment, the Inherent Risk Profile, 
assists a financial institution in identifying its inherent risk 
before implementing controls.
    \5\ Part Two of the Assessment, the Cybersecurity Maturity, 
assists a financial institution in determining its current state of 
cybersecurity preparedness represented by maturity levels across 
five domains.
---------------------------------------------------------------------------

    Five commenters requested that the Agencies publish information 
clarifying the Assessment, such as an appendix to the Assessment or a 
separate frequently asked questions (FAQ) document. One commenter 
requested that the Agencies issue a separate document describing the 
assumptions the Agencies used in developing the Assessment. Another 
commenter requested that the Agencies provide examples of how community 
financial institutions might satisfy certain declarative statements. 
Additionally, one commenter requested that the Agencies develop a 12- to 
18-month collaborative process with the commenter to improve the 
Assessment prior to finalizing the Assessment or using the Assessment 
on examinations.
    The Agencies appreciate the feedback and comments received from the 
commenters. The Agencies recognize that there may be a need to clarify 
certain aspects of the Assessment and will consider developing an FAQ 
document to address questions and requests for clarification that they 
have received since the publication of the Assessment, including from 
commenters. Additionally, the Agencies are developing a process to 
update the Assessment on a periodic basis. The update process will 
consider comments from interested parties.

2. Usability and Format of the Assessment

    Four commenters suggested changes to the format of the Assessment 
to increase usability. The commenters requested that the Agencies 
develop an automated or editable form of the Assessment. Commenters 
stated that the ability to save and edit responses contained in the 
Assessment would improve a financial institution's ability to use the 
Assessment on an ongoing basis.
    One commenter also recommended that the Agencies revise the 
Assessment to include hyperlinks to the Assessment Glossary and User 
Guide instructions. Another commenter suggested that the Agencies 
revise the Assessment to assign a maturity level \6\ automatically to 
the financial institution once it completes the Inherent Risk Profile 
portion of the Assessment. In addition, this commenter suggested that 
once a financial institution answers ``no'' to a declarative statement 
in a particular domain of the Cybersecurity Maturity, the Assessment 
should automatically prevent the financial institution from responding 
to the remainder of the declarative statements within that domain. The 
commenter also stated the Assessment should automatically populate 
answers to similar questions across domains and maturity levels.
---------------------------------------------------------------------------

    \6\ Within the five domains of the Cybersecurity Maturity, 
declarative statements describe the requirements for achieving five 
possible maturity levels for each domain.
---------------------------------------------------------------------------

    The Agencies acknowledge the potential value of an automated or 
editable form of the Assessment for financial institutions that choose 
to use the Assessment and are exploring the possibility of developing 
an automated form in the future, including the possibility of 
hyperlinking to definitions and instructions. Any automation of the 
form, however, would not include the automatic assignment of a maturity 
level as the Agencies do not have expectations for any financial 
institution to reach a specific maturity level within the Assessment, 
and a financial institution may find value in identifying activities it 
is already performing at a higher maturity level.

3. Utility of the Assessment

    Two commenters stated that there are a number of cybersecurity 
assessment frameworks available to financial institutions to use in 
determining their inherent risk and cybersecurity preparedness. These 
commenters questioned the need for the development of an additional 
framework. One commenter focused on the potential duplication between 
the National Institute of Standards and Technology's Cybersecurity 
Framework (NIST Framework) and the Assessment. This commenter stated 
that use of the Assessment by financial institutions, instead of the 
NIST Framework, could dilute the value of the NIST Framework as a tool 
for cross-sector collaboration.
    The Agencies, under the auspices of the FFIEC, developed the 
Assessment to assist financial institutions in addressing the cyber 
risks unique to the financial industry. The Assessment supports 
financial institutions by giving them a systematic way to assess their 
cybersecurity preparedness and evaluate their progress. Unlike other 
frameworks, the Assessment is specifically tailored to the products and 
services offered by financial institutions and the control and risk 
mitigation techniques used by the industry. In addition, the Agencies 
have received many requests from financial institutions, particularly 
smaller financial institutions, to provide them with a meaningful way 
to assess cyber risks themselves based on financial sector-specific 
risks and mitigation techniques. The Agencies developed the Assessment, 
in part, to address those requests and received several positive 
comments about how the Assessment met this need. As discussed more 
fully below, a financial institution is not required to use the 
Assessment and may choose any method the financial institution 
determines is relevant and meaningful to assess its inherent risk and 
cybersecurity preparedness.
    The Agencies agree that the NIST Framework is a valuable tool and 
the Agencies incorporated concepts from the NIST Framework into the 
Assessment. The Assessment contains an appendix that maps the NIST 
Framework to the Assessment. NIST reviewed and provided input on the 
mapping to ensure consistency with the NIST Framework's principles and 
to highlight the complementary nature of the two resources. The 
Agencies also agree that the NIST Framework provides a mechanism for 
cross-sector coordination. However, because of the unique cyber risks 
facing the financial industry, the Agencies identified a need
to develop a more granular framework that is more specific to the 
financial services industry to assist financial institutions in 
evaluating themselves.
    Several commenters also raised questions regarding the Agencies' 
use of a maturity model as a part of the Assessment. Four commenters 
were concerned with the ``all or nothing'' approach to achieving a 
maturity level, particularly insofar as a financial institution might 
not be credited for activities taken at a higher level that might 
mitigate risks at a lower level. Some commenters stated that a maturity 
model is too prescriptive and does not adequately account for 
compensating controls or risk tolerance and others questioned why the 
Assessment does not discuss the concept of residual risk.
    The Agencies designed the Cybersecurity Maturity contained in the 
Assessment to assist financial institutions in understanding the ranges 
of controls and practices needed to manage cyber risk. As previously 
stated, use of the tool is voluntary and a financial institution may 
use any method to assess inherent risk and cybersecurity preparedness 
that it considers relevant and meaningful.
    The User Guide does provide general parameters to assist financial 
institutions that choose to use the Assessment in considering how to 
align inherent risk with the financial institution's processes and 
control maturity.

4. Accuracy of Burden Estimate

    The Agencies estimated that, annually, it would take a financial 
institution 80 burden hours, on average, to complete the Assessment. 
Five comment letters addressed the accuracy of the Agencies' burden 
estimate. These letters generally stated that the Agencies' burden 
estimate understated the burden involved. One commenter stated that 
credit unions that choose to use the Assessment could take 80-100 hours 
to complete it. However, other commenters stated that it may take a 
financial institution several hundred hours to complete the Assessment 
in the first year of use.
    One commenter stated that the estimated burden will vary based on 
financial institution size, with smaller financial institutions 
requiring hundreds of hours to complete the Assessment, medium-sized 
financial institutions approaching 1,000-2,000 hours, and the large 
financial institutions investing 1,000-2,000 hours or more. This 
commenter stated that the burden estimate includes the amount of time 
needed to collect information and documentation sufficient to provide 
answers supportable in the examination context, report to internal 
steering committees and prepare for examinations. Another commenter 
stated that the Agencies' evaluation of 80 hours ``largely 
underestimates'' the time required to complete the Assessment. This 
commenter stated that the initial completion of the Assessment would 
include collecting data, discussing and verifying responses, performing 
gap analysis, preparing and implementing action plans, where needed, 
and presenting results to executives.
    In light of the comments received and recent supervisory experience 
performing information technology examinations, the Agencies are 
revising their burden estimates. In revisiting the burden estimates, 
the Agencies are taking a more conservative approach to estimating the 
potential burden involved in using the Assessment. The Agencies 
recognize that the size and complexity of a financial institution, as 
noted by some of the commenters, affect the amount of time and resources 
needed to complete the Assessment, and therefore the Agencies have further 
refined their burden estimates based on financial institution asset size.
    The Agencies note that the revised burden estimates assume that the 
Assessment is completed by knowledgeable individuals at the financial 
institution who have readily available information to complete the 
Assessment. The Agencies' revised burden estimates do not include the 
amount of time associated with reporting to management and internal 
committees, developing and implementing action plans, and preparing for 
examination as such time and resources are outside the scope of the 
PRA.

5. Information Storage and Confidentiality

    Two commenters requested information on how the Agencies will use 
and store the Assessment information that financial institutions 
provide to the Agencies.
    The Agencies are subject to compliance with the Federal Information 
Security Management Act (FISMA) and they operate cybersecurity programs 
to protect critical information resources, including sensitive 
financial institution information obtained or created during their 
supervision activities. The programs include policies, standards and 
controls, monitoring, technical controls, and other information 
assurance processes. If a financial institution provides the 
Assessment, or any other confidential information, to an examiner as 
part of the supervisory process, the storage and use of such 
information would be subject to the Agencies' cybersecurity programs.

6. Benchmarking

    One commenter suggested that the Agencies collect, anonymize, and 
share Assessment information to allow financial institutions to 
benchmark themselves against comparably sized financial institutions. 
Since use of the Assessment by financial institutions is voluntary, the 
Agencies do not intend to collect the Assessment from financial 
institutions or publish the results.

7. Voluntary Use of the Assessment

    Several commenters expressed concern that since some of the 
Agencies will be using the Assessment as an aid in their examination 
processes, financial institutions may believe that their use of the 
Assessment is mandated by the Agencies. Another commenter requested 
that the Agencies ensure that examiners do not force financial 
institutions to use the Assessment or require financial institutions to 
justify their decisions to use an alternative cybersecurity assessment. 
Several commenters requested that the Agencies reiterate to examiners 
and to financial institutions that use of the Assessment by a financial 
institution is voluntary.
    As the Agencies stated when the Assessment was first published, use 
of the Assessment by financial institutions is voluntary. Financial 
institutions may use the Assessment or any other framework or process 
to identify their inherent risk and cybersecurity preparedness. The 
Agencies' examiners will not require a financial institution to 
complete the Assessment. However, if a financial institution has 
completed an Assessment, examiners may ask the financial institution 
for a copy, as they would for any risk self-assessment performed by the 
financial institution. The Agencies are educating examiners on the 
voluntary nature of the Assessment and including statements about its 
voluntary nature in examiner training materials.
    Additional Comments Welcome: Comments continue to be invited on:
    (a) Whether the collection of information is necessary for the 
proper performance of the functions of the Agencies, including whether 
the information has practical utility;
    (b) The accuracy of the Agencies' estimates of the burden of the 
collection of information;
    (c) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (d) Ways to minimize the burden of the collection on respondents, 
including through the use of automated collection techniques or other 
forms of information technology; and
    (e) Estimates of capital or start-up costs and costs of operation, 
maintenance, and purchase of services to provide information.

    Dated: December 10, 2015.
Stuart E. Feldstein,
Director, Legislative and Regulatory Activities Division, Office of the 
Comptroller of the Currency.
[FR Doc. 2015-31583 Filed 12-15-15; 8:45 am]
BILLING CODE 4810-33-P