[Federal Register Volume 84, Number 66 (Friday, April 5, 2019)]
[Notices]
[Pages 13786-13787]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-06644]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency


Agency Information Collection Activities: Information Collection 
Renewal; Comment Request; FFIEC Cybersecurity Assessment Tool

AGENCY: Office of the Comptroller of the Currency (OCC), Treasury.

ACTION: : Notice and request for comment.

-----------------------------------------------------------------------

SUMMARY:  The OCC, the Board of Governors of the Federal Reserve System 
(Board), the Federal Deposit Insurance Corporation (FDIC), and the 
National Credit Union Administration (NCUA) (collectively, the 
Agencies), as part of their continuing effort to reduce paperwork and 
respondent burden, invite the general public and other federal agencies 
to take this opportunity to comment on a continuing information 
collection as required by the Paperwork Reduction Act of 1995 (PRA).
    In accordance with the requirements of the PRA, the Agencies may 
not conduct or sponsor, and the respondent is not required to respond 
to, an information collection unless it displays a currently valid 
Office of Management and Budget (OMB) control number.
    The OCC is soliciting comment on behalf of the Agencies concerning 
renewal of the information collection titled, ``FFIEC Cybersecurity 
Assessment Tool'' (``Assessment'').

DATES:  Comments must be submitted on or before June 4, 2019.

ADDRESSES: Commenters are encouraged to submit comments by email, if 
possible. You may submit comments by any of the following methods:
     Email: [email protected].
     Mail: Chief Counsel's Office, Office of the Comptroller of 
the Currency, Attention: 1557-0328, 400 7th Street SW, Suite 3E-218, 
Washington, DC 20219.
     Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218, 
Washington, DC 20219.
     Fax: (571) 465-4326.
    Instructions: You must include ``OCC'' as the agency name and 
``1557-0328'' in your comment. In general, the OCC will publish 
comments on www.reginfo.gov without change, including any business or 
personal information provided, such as name and address information, 
email addresses, or phone numbers. Comments received, including 
attachments and other supporting materials, are part of the public 
record and subject to public disclosure. Do not include any information 
in your comment or supporting materials that you consider confidential 
or inappropriate for public disclosure.
    You may review comments and other related materials that pertain to 
this information collection beginning on the date of publication of the 
second notice for this collection \1\ by any of the following methods:
---------------------------------------------------------------------------

    \1\ Following the close of the 60-day comment period for this 
notice, the OCC will publish a notice for 30 days of comment for 
this collection.
---------------------------------------------------------------------------

     Viewing Comments Electronically: Go to www.reginfo.gov. 
Click on the ``Information Collection Review'' tab. Underneath the 
``Currently under Review'' section heading, from the drop-down menu, 
select ``Department of Treasury'' and then click ``submit.'' This 
information collection can be located by searching by OMB control 
number ``1557-0328'' or ``FFIEC Cybersecurity Assessment Tool.'' Upon 
finding the appropriate information collection, click on the related 
``ICR Reference Number.'' On the next screen, select ``View Supporting 
Statement and Other Documents'' and then click on the link to any 
comment listed at the bottom of the screen.
     For assistance in navigating www.reginfo.gov, please 
contact the Regulatory Information Service Center at (202) 482-7340.
     Viewing Comments Personally: You may personally inspect 
comments at the OCC, 400 7th Street SW, Washington, DC. For security 
reasons, the OCC requires that visitors make an appointment to inspect 
comments. You may do so by calling (202) 649-6700 or, for persons who 
are deaf or hearing impaired, TTY, (202) 649-5597. Upon arrival, 
visitors will be required to present valid government-issued photo 
identification and submit to security screening in order to inspect 
comments.

FOR FURTHER INFORMATION CONTACT: Shaquita Merritt, OCC Clearance 
Officer, Carl Kaminski, Special Counsel, or Priscilla Benner, Attorney 
(202) 649-5490, for persons who are deaf or hearing impaired, TTY, 
(202) 649-5597, Chief Counsel's Office, Office of the Comptroller of 
the Currency, 400 7th Street SW, Suite 3E-218, Washington, DC 20219.

SUPPLEMENTARY INFORMATION: Under the PRA (44 U.S.C. et seq.), federal 
agencies must obtain approval from OMB for each collection of 
information they conduct or sponsor. ``Collection of information'' is 
defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to include agency 
requests or requirements that members of the public submit reports, 
keep records, or provide information to a third party. The definition 
contained in 5 CFR 1320.3(c) also includes a voluntary collection. 
Section 3506(c)(2)(A) of title 44 requires federal agencies to provide 
a 60-day notice in the Federal Register concerning each proposed 
collection of information, including each proposed extension of an 
existing collection of information, before submitting the collection to 
OMB for approval. To comply with this requirement, the OCC is 
publishing, on behalf of the Agencies, a notice of the proposed 
collection of information set forth in this document.
    Title: FFIEC Cybersecurity Assessment Tool.
    OMB Number: 1557-0328.
    Description: Cyber threats continue to evolve and increase 
exponentially with greater sophistication. Financial

[[Page 13787]]

institutions \2\ are exposed to cyber risks because they are dependent 
on information technology to deliver services to consumers and 
businesses every day. Cyber attacks on financial institutions may 
result in unauthorized access to, and the compromise of, confidential 
information, as well as the destruction of critical data and systems. 
Disruption, degradation, or unauthorized alteration of information and 
systems can affect a financial institution's operations and core 
processes and undermine confidence in the nation's financial services 
sector. Absent immediate attention to these rapidly increasing threats, 
financial institutions and the financial sector as a whole are at risk.
---------------------------------------------------------------------------

    \2\ For purposes of this information collection, the term 
``financial institution'' includes banks, savings associations, 
credit unions, and bank holding companies.
---------------------------------------------------------------------------

    For this reason, the Agencies, under the auspices of the Federal 
Financial Institutions Examination Council (``FFIEC''), have worked 
diligently to assess and enhance the state of the financial industry's 
cyber preparedness and to improve the Agencies' examination procedures 
and training to strengthen the oversight of financial industry 
cybersecurity readiness. The Agencies also have focused on providing 
financial institutions with resources that can assist in protecting 
them and their customers from the growing risks posed by cyber attacks.
    As part of these efforts, the Agencies developed the Assessment to 
assist financial institutions of all sizes in assessing their inherent 
cyber risks and their risk management capabilities. The Assessment 
allows a financial institution to identify its inherent cyber risk 
profile based on the technologies and connection types, delivery 
channels, online/mobile products and technology services that it offers 
to its customers, its organizational characteristics, and the cyber 
threats it is likely to face. Once a financial institution identifies 
its inherent cyber risk profile, it can use the Assessment's maturity 
matrix to evaluate its level of cybersecurity preparedness based on the 
financial institution's cyber risk management and oversight, threat 
intelligence capabilities, cybersecurity controls, external dependency 
management, and cyber incident management and resiliency planning. A 
financial institution may use the matrix's maturity levels to identify 
opportunities for improving the financial institution's cyber risk 
management based on its inherent risk profile. The Assessment also 
enables a financial institution to rapidly identify areas that could 
improve the financial institution's cyber risk management and response 
programs, as appropriate. Use of the Assessment by financial 
institutions is voluntary.
    Type of Review: Regular.
    Affected Public: Businesses or other for-profit.
    Burden Estimates: \3\
---------------------------------------------------------------------------

    \3\ Burden is estimated conservatively and assumes all 
institutions will complete the Assessment. Therefore, the estimated 
burden may exceed the actual burden because use of the Assessment by 
financial institutions is not mandatory. The burden estimates for 
financial institutions include technology service providers who may 
assist financial institutions in completing their Assessments.

--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                               Estimated number of    Estimated number of
                                       Estimated number of      respondents $500        respondents $10      Estimated number of      Estimated total
     Assessment burden estimate       respondents less than   million -$10 billion    billion -$50 billion   respondents over $50  respondents and total
                                     $500 million @80 hours        @120 hours              @160 hours         billion @180 hours    annual burden hours
--------------------------------------------------------------------------------------------------------------------------------------------------------
OCC National Banks and Federal       823 x 80 = 65,840       157 x 120 = 18,840      123 x 160 = 19,680     82 x 180 = 14,760      1,185 respondents
 Savings Associations.                hours.                  hours.                  hours.                 hours.                 119,120 hours.
FDIC State Non-Member Banks and      2,689 x 80 = 215,120    760 x 120 = 91,200      34 x 160 = 5,440       6 x 180 = 1,080 hours  3,489 respondents
 State Savings Associations.          hours.                  hours.                  hours.                                        312,840 hours.
Board State Member Banks and Bank    2,768 x 80 = 221,440    766 x 120 = 91,920      81 x 160 = 12,960      26 x 180 = 4,680       3,641 respondents
 Holding Companies.                   hours.                  hours.                  hours.                 hours.                 331,000 hours.
NCUA Federally-Insured Credit        4,830 x 80 = 386,400    536 x 120 = 64,320      8 x 160 = 1,280 hours  1 x 180 = 180 hours..  5,375 respondents
 Unions.                              hours.                  hours.                                                                452,180 hours.
                                    --------------------------------------------------------------------------------------------------------------------
    Total..........................  11,110 x 80 = hours =   2,219 x 120 hours =     246 hours x 160 =      115 hours x 180 =      13,690 respondents
                                      888,800.                266,280 hours.          39,360 hours.          20,700 hours.          1,215,140 hours.
--------------------------------------------------------------------------------------------------------------------------------------------------------

    Comments submitted in response to this notice will be summarized 
and included in the request for OMB approval. All comments will become 
a matter of public record. Comments are invited on:
    (a) Whether the collection of information is necessary for the 
proper performance of the functions of the Agencies, including whether 
the information has practical utility;
    (b) The accuracy of the Agencies' estimates of the burden of the 
collection of information;
    (c) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (d) Ways to minimize the burden of the collection on respondents, 
including through the use of automated collection techniques or other 
forms of information technology; and
    (e) Estimates of capital or start-up costs and costs of operation, 
maintenance, and purchase of services to provide information.

    Dated: March 29, 2019.
Theodore J. Dowd,
Deputy Chief Counsel, Office of the Comptroller of the Currency.
[FR Doc. 2019-06644 Filed 4-4-19; 8:45 am]
 BILLING CODE 4810-33-P