Agency Information Collection Activities: Information Collection Renewal; Submission for Review; FFIEC Cybersecurity Assessment Tool
Notice And Request For Comment.
The OCC, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, the Agencies), as part of their continuing effort to reduce paperwork and respondent burden, invite the general public and other Federal agencies to comment on a continuing information collection, as required by the Paperwork Reduction Act of 1995 (PRA).
In accordance with the requirements of the PRA, the Agencies may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number.
The OCC is soliciting comment on behalf of the Agencies concerning renewal of the information collection titled “FFIEC Cybersecurity Assessment Tool” (“Assessment”). The OCC also is giving notice that it has sent the collection to OMB for review.
Table of Contents Back to Top
- FOR FURTHER INFORMATION CONTACT:
- SUPPLEMENTARY INFORMATION:
- 1. Request for More Information on the Information Being Collected
- 2. Usability and Format of the Assessment
- 3. Utility of the Assessment
- 4. Accuracy of Burden Estimate
- 5. Information Storage and Confidentiality
- 6. Benchmarking
- 7. Voluntary Use of the Assessment
Tables Back to Top
DATES: Back to Top
Comments must be received by January 15, 2016.
ADDRESSES: Back to Top
Because paper mail in the Washington, DC area and at the OCC is subject to delay, commenters are encouraged to submit comments by email, if possible. Comments may be sent to: Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, Attention: 1557-0328, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-11, Washington, DC 20219. In addition, comments may be sent by fax to (571) 465-4326 or by electronic mail to firstname.lastname@example.org. You may personally inspect and photocopy comments at the OCC, 400 7th Street SW., Washington, DC 20219. For security reasons, the OCC requires that visitors make an appointment to inspect comments. You may do so by calling (202) 649-6700, for persons who are deaf or hard of hearing, TTY, (202) 649-5597. Upon arrival, visitors will be required to present valid government-issued photo identification and to submit to security screening in order to inspect and photocopy comments.
All comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not enclose any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.
Additionally, please send a copy of your comments by mail to: OCC Desk Officer, 1557-0328, U.S. Office of Management and Budget, 725 17th Street NW., #10235, Washington, DC 20503, or by email to: email@example.com.
FOR FURTHER INFORMATION CONTACT: Back to Top
Shaquita Merritt, OCC Clearance Officer, or Beth Knickerbocker, Counsel (202) 649-5490, Legislative and Regulatory Activities Division, for persons who are deaf or hard of hearing, TTY, (202) 649-5597, Office of the Comptroller of the Currency, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-11, Washington, DC 20219.
SUPPLEMENTARY INFORMATION: Back to Top
Under the PRA (44 U.S.C. 3501-3520), Federal agencies must obtain approval from OMB for each collection of information they conduct or sponsor. “Collection of information” is defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to include agency requests or requirements that members of the public submit reports, keep records, or provide information to a third party. The definition contained in 5 CFR 1320.3(c) also includes a voluntary collection of information.
In connection with issuance of the Assessment,  OMB provided a six-month approval for this information collection. On behalf of the Agencies, the OCC is proposing to extend OMB approval of the collection for the standard three years.
Title: FFIEC Cybersecurity Assessment Tool.
OMB Number: 1557-0328.
Description: Cyber threats have evolved and increased exponentially with greater sophistication than ever before. Financial institutions  are exposed to cyber risks because they are dependent on information technology to deliver services to consumers and businesses every day. Cyber attacks on financial institutions may not only result in access to, and the compromise of, confidential information, but also the destruction of critical data and systems. Disruption, degradation, or unauthorized alteration of information and systems can affect a financial institution's operations and core processes and undermine confidence in the nation's financial services sector. Absent immediate attention to these rapidly increasing threats, financial institutions and the financial sector as a whole are at risk.
For this reason, the Agencies, under the auspices of the Federal Financial Institutions Examination Council (“FFIEC”), have accelerated efforts to assess and enhance the state of the financial industry's cyber preparedness and to improve the Agencies' examination procedures and training that can strengthen the oversight of financial industry cybersecurity readiness. The Agencies also have focused on improving their abilities to provide financial institutions with resources that can assist in protecting financial institutions and their customers from the growing risks posed by cyber attacks.
As part of these increased efforts, the Agencies developed the Assessment to assist financial institutions of all sizes in assessing their inherent cyber risks and their risk management capabilities. The Assessment allows a financial institution to identify its inherent cyber risk profile based on the financial institution's technologies and connection types, delivery channels, online/mobile products and technology services that it offers to its customers, its organizational characteristics, and the cyber threats it is likely to face. Once a financial institution identifies its inherent cyber risk profile, it will be able to use the Assessment's maturity matrix to evaluate its level of cybersecurity preparedness based on the financial institution's cyber risk management and oversight, threat intelligence capabilities, cybersecurity controls, external dependency management, and cyber incident management and resiliency planning. A financial institution may use the matrix's maturity levels to identify opportunities for improving the financial institution's cyber risk management based on its inherent risk profile. The Assessment also enables a financial institution to identify areas more rapidly that could improve the financial institution's cyber risk management and response programs, if needed. Use of the Assessment by financial institutions is voluntary.
Type of Review: Regular.
Affected Public: Businesses or other for-profit.
Estimated Burdens: 
|Assessment burden estimate||Estimated number of respondents less than $500 million @80 hours||Estimated number of respondents $500 million-$10 billion @120 hours||Estimated number of respondents $10 billion-$50 billion @160 hours||Estimated number of respondents over $50 billion @180 hours||Estimated total respondents and total annual burden hours|
|OCC National Banks and Federal Savings Associations||1,102 × 80 = 88,160 hours||149 × 120 = 17,880 hours||132 × 160 = 21,120 hours||87 × 180 = 15,660 hours||1,470 respondents 142,820 hours.|
|FDIC State Non-Member Banks and State Savings Associations||3,224 × 80 = 257,920 hours||728 × 120 = 87,360 hours||22 × 160 = 3,520 hours||5 × 180 = 900 hours||3,979 respondents 349,700 hours.|
|Board State Member Banks and Bank Holding Companies||4,083 × 80 = 326,640 hours||1,083 × 120 = 129,960 hours||74 × 160 = 11,840 hours||42 × 180 = 7,560 hours||5,282 respondents 476,000 hours.|
|NCUA Federally-Insured Credit Unions||5,622 × 80 = 449,760 hours||463 × 120 = 55,560 hours||4 × 160 = 640 hours||1 × 180 = 180 hours||6,090 respondents 506,140 hours.|
|Total||14,031 × 80 = 1,122,480 hours||2,423 × 120 = 290,760 hours||232 × 160 = 37,120 hours||135 × 180 = 24,300 hours||16,821 respondents 1,474,660 hours.|
On July 22, 2015, (80 FR 4355), the Office of the Comptroller of the Currency (OCC), on behalf of itself, the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, the Agencies) published a 60-day notice requesting comment on the collection of information titled “FFIEC Cybersecurity Assessment Tool (Assessment).” The Agencies received eighteen comments: Twelve comments from individuals, five from industry trade associations, and one from the Financial Services Sector Coordinating Council. The comments described below address concerns related to the collection of information. The commenters also mentioned aspects of the Assessment unrelated to the collection of information; these views are not relevant to this notice or the paperwork burden analysis and, accordingly, they are not addressed below. However, the comments unrelated to the paperwork burden analysis were provided to Agency personnel responsible for the Assessment for possible consideration in future updates of the Assessment.
1. Request for More Information on the Information Being Collected Back to Top
Eight of the commenters requested that the Agencies provide additional clarity and interpretative information regarding the Assessment. Several of these commenters requested that the Agencies clarify some of the statements in the Inherent Risk Profile.  Commenters also stated that many of the declarative statements in the Cybersecurity Maturity  were subjective and susceptible to different interpretation. Other commenters requested the Agencies provide additional information regarding the relationship between the Inherent Risk Profile and the Cybersecurity Maturity parts of the Assessment.
Five commenters requested that the Agencies publish information clarifying the Assessment, such as an appendix to the Assessment or a separate frequently asked questions (FAQ) document. One commenter requested that the Agencies issue a separate document describing the assumptions the Agencies used in developing the Assessment. Another commenter requested that the Agencies provide examples of how community financial institutions might satisfy certain declarative statements. Additionally, one commenter requested that the Agencies develop a 12-18 month collaborative process with the commenter to improve the Assessment prior to finalizing the Assessment or using the Assessment on examinations.
The Agencies appreciate the feedback and comments received from the commenters. The Agencies recognize that there may be a need to clarify certain aspects of the Assessment and will consider developing an FAQ document to address questions and requests for clarification that they have received since the publication of the Assessment, including from commenters. Additionally, the Agencies are developing a process to update the Assessment on a periodic basis. The update process will consider comments from interested parties.
2. Usability and Format of the Assessment Back to Top
Four commenters suggested changes to the format of the Assessment to increase usability. The commenters requested that the Agencies develop an automated or editable form of the Assessment. Commenters stated that the ability to save and edit responses contained in the Assessment would improve a financial institution's ability to use the Assessment on an ongoing basis.
One commenter also recommended that the Agencies revise the Assessment to include hyperlinks to the Assessment Glossary and User Guide instructions. Another commenter suggested that the Agencies revise the Assessment to assign a maturity level  automatically to the financial institution once it completes the Inherent Risk Profile portion of the Assessment. In addition, this commenter suggests that once a financial institution answers “no” to a declarative statement in a particular domain of the Cybersecurity Maturity, the Assessment should automatically prevent the financial institution from responding to the remainder of the declarative statements within that domain. The commenter also stated the Assessment should automatically populate answers to similar questions across domains and maturity levels.
The Agencies acknowledge the potential value of an automated or editable form of the Assessment for financial institutions that choose to use the Assessment and are exploring the possibility of developing an automated form in the future, including the possibility of hyperlinking to definitions and instructions. Any automation of the form, however, would not include the automatic assignment of a maturity level as the Agencies do not have expectations for any financial institution to reach a specific maturity level within the Assessment, and a financial institution may find value in identifying activities it is already performing at a higher maturity level.
3. Utility of the Assessment Back to Top
Two commenters stated that there are a number of cybersecurity assessment frameworks available to financial institutions to use in determining their inherent risk and cybersecurity preparedness. These commenters questioned the need for the development of an additional framework. One commenter focused on the potential duplication between the National Institute of Standards and Technology's Cybersecurity Framework (NIST Framework) and the Assessment. This commenter stated that use of the Assessment by financial institutions, instead of the NIST Framework, could dilute the value of the NIST Framework as a tool for cross-sector collaboration.
The Agencies, under the auspices of the FFIEC, developed the Assessment to assist financial institutions in addressing the cyber risks unique to the financial industry. The Assessment supports financial institutions by giving them a systematic way to assess their cybersecurity preparedness and evaluate their progress. Unlike other frameworks, the Assessment is specifically tailored to the products and services offered by financial institutions and the control and risk mitigation techniques used by the industry. In addition, the Agencies have received many requests from financial institutions, particularly smaller financial institutions, to provide them with a meaningful way to assess cyber risks themselves based on financial sector-specific risks and mitigation techniques. The Agencies developed the Assessment, in part, to address those requests and received several positive comments about how the Assessment met this need. As discussed more fully below, a financial institution is not required to use the Assessment and may choose any method the financial institution determines is relevant and meaningful to assess its inherent risk and cybersecurity preparedness.
The Agencies agree that the NIST Framework is a valuable tool and the Agencies incorporated concepts from the NIST Framework into the Assessment. The Assessment contains an appendix that maps the NIST Framework to the Assessment. NIST reviewed and provided input on the mapping to ensure consistency with the NIST Framework's principles and to highlight the complementary nature of the two resources. The Agencies also agree that the NIST Framework provides a mechanism for cross-sector coordination. However, because of the unique cyber risks facing the financial industry, the Agencies identified a need to develop a more granular framework that is more specific to the financial services industry to assist financial institutions in evaluating themselves.
Several commenters also raised questions regarding the Agencies' use of a maturity model as a part of the Assessment. Four commenters were concerned with the “all or nothing” approach to achieving a maturity level, particularly insofar as a financial institution might not be credited for activities taken at a higher level that might mitigate risks at a lower level. Some commenters stated that a maturity model is too prescriptive and does not adequately account for compensating controls or risk tolerance and others questioned why the Assessment does not discuss the concept of residual risk.
The Agencies designed the Cybersecurity Maturity contained in the Assessment to assist financial institutions in understanding the ranges of controls and practices needed to manage cyber risk. As previously stated, use of the tool is voluntary and a financial institution may use any method to assess inherent risk and cybersecurity preparedness that it considers relevant and meaningful.
The User Guide does provide general parameters to assist financial institutions that choose to use the Assessment in considering how to align inherent risk with the financial institution's processes and control maturity.
4. Accuracy of Burden Estimate Back to Top
The Agencies estimated that, annually, it would take a financial institution 80 burden hours, on average, to complete the Assessment. Five comment letters addressed the accuracy of the Agencies' burden estimate. These letters generally stated that the Agencies' burden estimate understated the burden involved. One commenter stated that credit unions that choose to use the Assessment could take 80-100 hours to complete it. However, other commenters stated that it may take a financial institution several hundred hours to complete the Assessment in the first year of use.
One commenter stated that the estimated burden will vary based on financial institution size, with smaller financial institutions requiring hundreds of hours to complete the Assessment, medium-sized financial institutions approaching 1,000-2,000 hours, and the large financial institutions investing 1,000-2,000 hours or more. This commenter stated that the burden estimate includes the amount of time needed to collect information and documentation sufficient to provide answers supportable in the examination context, report to internal steering committees and prepare for examinations. Another commenter stated that the Agencies' evaluation of 80 hours “largely underestimates” the time required to complete the Assessment. This commenter stated that the initial completion of the Assessment would include collecting data, discussing and verifying responses, performing gap analysis, preparing and implementing action plans, where needed, and presenting results to executives.
In light of the comments received and recent supervisory experience performing information technology examinations, the Agencies are revising their burden estimates. In revisiting the burden estimates, the Agencies are taking a more conservative approach to estimating the potential burden involved in using the Assessment. The Agencies recognize that size and complexity of a financial institution, as noted by some of the commenters, impacts the amount of time and resources to complete the Assessment and therefore the Agencies have further refined their burden estimates based on financial institution asset size.
The Agencies note that the revised burden estimates assume that the Assessment is completed by knowledgeable individuals at the financial institution who have readily-available information to complete the Assessment. The Agencies' revised burden estimates do not include the amount of time associated with reporting to management and internal committees, developing and implementing action plans, and preparing for examination as such time and resources are outside the scope of the PRA.
5. Information Storage and Confidentiality Back to Top
Two commenters requested information on how the Agencies will use and store the Assessment information that financial institutions provide to the Agencies.
The Agencies are subject to compliance with the Federal Information Security Management Act (FISMA) and they operate cybersecurity programs to protect critical information resources, including sensitive financial institution information obtained or created during their supervision activities. The programs include policies, standards and controls, monitoring, technical controls, and other information assurance processes. If a financial institution provides the Assessment, or any other, confidential information to an examiner as part of the supervisory process, the storage and use of such information would be subject to the Agencies' cybersecurity programs.
6. Benchmarking Back to Top
One commenter suggested that the Agencies collect, anonymize, and share Assessment information to allow financial institutions to benchmark themselves against comparably sized financial institutions. Since use of the Assessment by financial institutions is voluntary, the Agencies do not to intend to collect the Assessment from financial institutions or publish the results.
7. Voluntary Use of the Assessment Back to Top
Several commenters expressed concern that since some of the Agencies will be using the Assessment as an aid in their examination processes, financial institutions may believe that their use of the Assessment is mandated by the Agencies. Another commenter requested that the Agencies ensure that examiners do not force financial institutions to use the Assessment or require financial institutions to justify their decisions to use an alternative cybersecurity assessment. Several commenters requested that the Agencies reiterate to examiners and to financial institutions that use of the Assessment by a financial institution is voluntary.
As the Agencies stated when the Assessment was first published, use of the Assessment by financial institutions is voluntary. Financial institutions may use the Assessment or any other framework or process to identify their inherent risk and cybersecurity preparedness. The Agencies' examiners will not require a financial institution to complete the Assessment. However, if a financial institution has completed an Assessment, examiners may ask the financial institution for a copy, as they would for any risk self-assessment performed by the financial institution. The Agencies are educating examiners on the voluntary nature of the Assessment and including statements about its voluntary nature in examiner training materials.
Additional Comments Welcome: Comments continue to be invited on:
(a) Whether the collection of information is necessary for the proper performance of the functions of the Agencies, including whether the information has practical utility;
(b) The accuracy of the Agencies' estimates of the burden of the collection of information;
(c) Ways to enhance the quality, utility, and clarity of the information to be collected;
(d) Ways to minimize the burden of the collection on respondents, including through the use of automated collection techniques or other forms of information technology; and
(e) Estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.
Dated: December 10, 2015.
Stuart E. Feldstein,
Director, Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency.
[FR Doc. 2015-31583 Filed 12-15-15; 8:45 am]
BILLING CODE 4810-33-P
Footnotes Back to Top
2. For purposes of this information collection, the term “financial institution” includes banks, savings associations, credit unions, and bank holding companies.Back to Context
3. Burden is estimated conservatively and assumes all financial institutions will complete the Assessment. Therefore, the estimated burden may exceed the actual burden because use of the Assessment by financial institutions is not mandatory. The Agencies intend to address their review of the cybersecurity readiness and preparedness of financial institutions' technology service providers (TSPs) separately and therefore are no longer including a separate estimated burden for TSPs. However, the burden estimates for financial institutions does include that of TSPs who may assist financial institutions in completing their Assessment.Back to Context
4. Part One of the Assessment, the Inherent Risk Profile, assists a financial institution in identifying its inherent risk before implementing controls.Back to Context
5. Part Two of the Assessment, the Cybersecurity Maturity, assists a financial institution in determining its current state of cybersecurity preparedness represented by maturity levels across five domains.Back to Context
6. Within the five domains of the Cybersecurity Maturity, declarative statements describe the requirements for achieving five possible maturity levels for each domain.Back to Context