Agency Information Collection Activities: Information Collection Renewal; Comment Request; FFIEC Cybersecurity Assessment Tool, 13786-13787 [2019-06644]
[Federal Register Volume 84, Number 66 (Friday, April 5, 2019)]
[Notices]
[Pages 13786-13787]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-06644]
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
Agency Information Collection Activities: Information Collection
Renewal; Comment Request; FFIEC Cybersecurity Assessment Tool
AGENCY: Office of the Comptroller of the Currency (OCC), Treasury.
ACTION: Notice and request for comment.
-----------------------------------------------------------------------
SUMMARY: The OCC, the Board of Governors of the Federal Reserve System
(Board), the Federal Deposit Insurance Corporation (FDIC), and the
National Credit Union Administration (NCUA) (collectively, the
Agencies), as part of their continuing effort to reduce paperwork and
respondent burden, invite the general public and other federal agencies
to take this opportunity to comment on a continuing information
collection as required by the Paperwork Reduction Act of 1995 (PRA).
In accordance with the requirements of the PRA, the Agencies may
not conduct or sponsor, and the respondent is not required to respond
to, an information collection unless it displays a currently valid
Office of Management and Budget (OMB) control number.
The OCC is soliciting comment on behalf of the Agencies concerning
renewal of the information collection titled, ``FFIEC Cybersecurity
Assessment Tool'' (``Assessment'').
DATES: Comments must be submitted on or before June 4, 2019.
ADDRESSES: Commenters are encouraged to submit comments by email, if
possible. You may submit comments by any of the following methods:
Email: prainfo@occ.treas.gov.
Mail: Chief Counsel's Office, Office of the Comptroller of
the Currency, Attention: 1557-0328, 400 7th Street SW, Suite 3E-218,
Washington, DC 20219.
Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218,
Washington, DC 20219.
Fax: (571) 465-4326.
Instructions: You must include ``OCC'' as the agency name and
``1557-0328'' in your comment. In general, the OCC will publish
comments on www.reginfo.gov without change, including any business or
personal information provided, such as name and address information,
email addresses, or phone numbers. Comments received, including
attachments and other supporting materials, are part of the public
record and subject to public disclosure. Do not include any information
in your comment or supporting materials that you consider confidential
or inappropriate for public disclosure.
You may review comments and other related materials that pertain to
this information collection beginning on the date of publication of the
second notice for this collection \1\ by any of the following methods:
---------------------------------------------------------------------------
\1\ Following the close of the 60-day comment period for this
notice, the OCC will publish a notice for 30 days of comment for
this collection.
---------------------------------------------------------------------------
Viewing Comments Electronically: Go to www.reginfo.gov.
Click on the ``Information Collection Review'' tab. Underneath the
``Currently under Review'' section heading, from the drop-down menu,
select ``Department of Treasury'' and then click ``submit.'' This
information collection can be located by searching by OMB control
number ``1557-0328'' or ``FFIEC Cybersecurity Assessment Tool.'' Upon
finding the appropriate information collection, click on the related
``ICR Reference Number.'' On the next screen, select ``View Supporting
Statement and Other Documents'' and then click on the link to any
comment listed at the bottom of the screen.
For assistance in navigating www.reginfo.gov, please
contact the Regulatory Information Service Center at (202) 482-7340.
Viewing Comments Personally: You may personally inspect
comments at the OCC, 400 7th Street SW, Washington, DC. For security
reasons, the OCC requires that visitors make an appointment to inspect
comments. You may do so by calling (202) 649-6700 or, for persons who
are deaf or hearing impaired, TTY, (202) 649-5597. Upon arrival,
visitors will be required to present valid government-issued photo
identification and submit to security screening in order to inspect
comments.
FOR FURTHER INFORMATION CONTACT: Shaquita Merritt, OCC Clearance
Officer, Carl Kaminski, Special Counsel, or Priscilla Benner, Attorney
(202) 649-5490, for persons who are deaf or hearing impaired, TTY,
(202) 649-5597, Chief Counsel's Office, Office of the Comptroller of
the Currency, 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
SUPPLEMENTARY INFORMATION: Under the PRA (44 U.S.C. et seq.), federal
agencies must obtain approval from OMB for each collection of
information they conduct or sponsor. ``Collection of information'' is
defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to include agency
requests or requirements that members of the public submit reports,
keep records, or provide information to a third party. The definition
contained in 5 CFR 1320.3(c) also includes a voluntary collection.
Section 3506(c)(2)(A) of title 44 requires federal agencies to provide
a 60-day notice in the Federal Register concerning each proposed
collection of information, including each proposed extension of an
existing collection of information, before submitting the collection to
OMB for approval. To comply with this requirement, the OCC is
publishing, on behalf of the Agencies, a notice of the proposed
collection of information set forth in this document.
Title: FFIEC Cybersecurity Assessment Tool.
OMB Number: 1557-0328.
Description: Cyber threats continue to evolve and increase
exponentially with greater sophistication. Financial
[[Page 13787]]
institutions \2\ are exposed to cyber risks because they are dependent
on information technology to deliver services to consumers and
businesses every day. Cyber attacks on financial institutions may
result in unauthorized access to, and the compromise of, confidential
information, as well as the destruction of critical data and systems.
Disruption, degradation, or unauthorized alteration of information and
systems can affect a financial institution's operations and core
processes and undermine confidence in the nation's financial services
sector. Absent immediate attention to these rapidly increasing threats,
financial institutions and the financial sector as a whole are at risk.
---------------------------------------------------------------------------
\2\ For purposes of this information collection, the term
``financial institution'' includes banks, savings associations,
credit unions, and bank holding companies.
---------------------------------------------------------------------------
For this reason, the Agencies, under the auspices of the Federal
Financial Institutions Examination Council (``FFIEC''), have worked
diligently to assess and enhance the state of the financial industry's
cyber preparedness and to improve the Agencies' examination procedures
and training to strengthen the oversight of financial industry
cybersecurity readiness. The Agencies also have focused on providing
financial institutions with resources that can assist in protecting
them and their customers from the growing risks posed by cyber attacks.
As part of these efforts, the Agencies developed the Assessment to
assist financial institutions of all sizes in assessing their inherent
cyber risks and their risk management capabilities. The Assessment
allows a financial institution to identify its inherent cyber risk
profile based on the technologies and connection types, delivery
channels, online/mobile products and technology services that it offers
to its customers, its organizational characteristics, and the cyber
threats it is likely to face. Once a financial institution identifies
its inherent cyber risk profile, it can use the Assessment's maturity
matrix to evaluate its level of cybersecurity preparedness based on the
financial institution's cyber risk management and oversight, threat
intelligence capabilities, cybersecurity controls, external dependency
management, and cyber incident management and resiliency planning. A
financial institution may use the matrix's maturity levels to identify
opportunities for improving the financial institution's cyber risk
management based on its inherent risk profile. The Assessment also
enables a financial institution to rapidly identify areas that could
improve the financial institution's cyber risk management and response
programs, as appropriate. Use of the Assessment by financial
institutions is voluntary.
Type of Review: Regular.
Affected Public: Businesses or other for-profit.
Burden Estimates: \3\
---------------------------------------------------------------------------
\3\ Burden is estimated conservatively and assumes all
institutions will complete the Assessment. Therefore, the estimated
burden may exceed the actual burden because use of the Assessment by
financial institutions is not mandatory. The burden estimates for
financial institutions include technology service providers who may
assist financial institutions in completing their Assessments.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Assessment burden estimate          Estimated number of          Estimated number of          Estimated number of          Estimated number of          Estimated total
                                    respondents less than        respondents $500 million -   respondents $10 billion -    respondents over $50         respondents and total
                                    $500 million @80 hours       $10 billion @120 hours       $50 billion @160 hours       billion @180 hours           annual burden hours
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
OCC National Banks and Federal      823 x 80 = 65,840 hours.     157 x 120 = 18,840 hours.    123 x 160 = 19,680 hours.    82 x 180 = 14,760 hours.     1,185 respondents
Savings Associations.                                                                                                                                   119,120 hours.
FDIC State Non-Member Banks and     2,689 x 80 = 215,120 hours.  760 x 120 = 91,200 hours.    34 x 160 = 5,440 hours.      6 x 180 = 1,080 hours.       3,489 respondents
State Savings Associations.                                                                                                                             312,840 hours.
Board State Member Banks and Bank   2,768 x 80 = 221,440 hours.  766 x 120 = 91,920 hours.    81 x 160 = 12,960 hours.     26 x 180 = 4,680 hours.      3,641 respondents
Holding Companies.                                                                                                                                      331,000 hours.
NCUA Federally-Insured Credit       4,830 x 80 = 386,400 hours.  536 x 120 = 64,320 hours.    8 x 160 = 1,280 hours.       1 x 180 = 180 hours.         5,375 respondents
Unions.                                                                                                                                                 452,180 hours.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                               11,110 x 80 = hours =        2,219 x 120 hours =          246 hours x 160 =            115 hours x 180 =            13,690 respondents
                                    888,800.                     266,280 hours.               39,360 hours.                20,700 hours.                1,215,140 hours.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Comments submitted in response to this notice will be summarized
and included in the request for OMB approval. All comments will become
a matter of public record. Comments are invited on:
(a) Whether the collection of information is necessary for the
proper performance of the functions of the Agencies, including whether
the information has practical utility;
(b) The accuracy of the Agencies' estimates of the burden of the
collection of information;
(c) Ways to enhance the quality, utility, and clarity of the
information to be collected;
(d) Ways to minimize the burden of the collection on respondents,
including through the use of automated collection techniques or other
forms of information technology; and
(e) Estimates of capital or start-up costs and costs of operation,
maintenance, and purchase of services to provide information.
Dated: March 29, 2019.
Theodore J. Dowd,
Deputy Chief Counsel, Office of the Comptroller of the Currency.
[FR Doc. 2019-06644 Filed 4-4-19; 8:45 am]
BILLING CODE 4810-33-P