Skip to Content


Agency Information Collection Activities: Information Collection Renewal; Comment Request; FFIEC Cybersecurity Assessment Tool

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble


Office of the Comptroller of the Currency (OCC), Treasury.


Notice and request for comment.


The OCC, the Board of Governor of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively, the Agencies), as part of their continuing effort to reduce paperwork and respondent burden, invite the general public and other Federal agencies to take this opportunity to comment on a continuing information collection, as required by the Paperwork Reduction Act of 1995 (PRA).

In accordance with the requirements of the PRA, the Agencies may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number.

The OCC is soliciting comment on behalf of the Agencies concerning renewal of the information collection titled, “FFIEC Cybersecurity Assessment Tool.”


Comments must be received by September 21, 2015.


Because paper mail in the Washington, DC area and at the OCC is subject to delay, commenters are encouraged to submit comments by email, if possible. Comments may be sent to: Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, Attention: 1557-0328, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-11, Washington, DC 20219. In addition, comments may be sent by fax to (571) 465-4326 or by electronic mail to You may personally inspect and photocopy comments at the OCC, 400 7th Street SW., Washington, DC 20219. For security reasons, the OCC requires that visitors make an appointment to inspect comments. You may do so by calling (202) 649-6700. Upon arrival, visitors will be required to present valid government-issued photo identification and to submit to security screening in order to inspect and photocopy comments.

All comments received, including attachments and other supporting Start Printed Page 43556materials, are part of the public record and subject to public disclosure. Do not enclose any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.

Start Further Info


Shaquita Merritt, OCC Clearance Officer, or Beth Knickerbocker, Counsel (202) 649-5490, for persons who are deaf or hard of hearing, TTY, (202) 649-5597, Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, 400 7th Street SW., Suite 3E-218, Mail Stop 9W-11, Washington, DC 20219.

End Further Info End Preamble Start Supplemental Information


Under the PRA (44 U.S.C. 3501-3520), Federal agencies must obtain approval from OMB for each collection of information they conduct or sponsor. “Collection of information” is defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to include agency requests or requirements that members of the public submit reports, keep records, or provide information to a third party. The definition contained in 5 CFR 1320.3(c) also includes a voluntary collection. Section 3506(c)(2)(A) of the PRA (44 U.S.C. 3506(c)(2)(A)) requires Federal agencies to provide a 60-day notice in the Federal Register concerning each proposed collection of information, including each proposed extension of an existing collection of information, before submitting the collection to OMB for approval. To comply with this requirement, the OCC is publishing, on behalf of the Agencies, a notice of the proposed collection of information set forth in this document.

In connection with issuance of the assessment entitled “FFIEC Cybersecurity Assessment Tool,” [1] OMB provided a six-month approval for this information collection. The OCC is proposing to extend OMB approval of the collection for the standard three years.

Title: FFIEC Cybersecurity Assessment Tool.

OMB Number: 1557-0328.

Description: Cyber threats have evolved and increased exponentially with greater sophistication than ever before. Financial institutions [2] are exposed to cyber risks because they are dependent on information technology to deliver services to consumers and businesses every day. Cyber attacks on financial institutions may not only result in access to, and the compromise of, confidential information, but also the destruction of critical data and systems. Disruption, degradation, or unauthorized alteration of information and systems can affect an institution's operations and core processes and undermine confidence in the nation's financial services sector. Absent immediate attention to these rapidly increasing threats, financial institutions and the financial sector as a whole are at risk.

For this reason, the Agencies, under the auspices of the Federal Financial Institutions Examination Council (“FFIEC”), have accelerated efforts to assess and enhance the state of the financial industry's cyber preparedness and to close gaps in the Agencies' examination procedures and training that can strengthen the oversight of financial industry cybersecurity readiness. The Agencies also have focused on improving their abilities to provide financial institutions with resources that can assist in protecting institutions and their customers from the growing risk posed by cyber attacks.

As part of these increased efforts, the Agencies have developed a Cybersecurity Assessment Tool (“Assessment”) that will assist financial institutions of all sizes in assessing their inherent cybersecurity risks and their risk management capabilities. The Assessment will allow a financial institution to identify its inherent cyber risk profile based on the financial institution's technologies and connection types, delivery channels, online/mobile products and technology services it offers, organizational characteristics, and threats it is likely to face. Once an institution identifies its inherent cyber risk profile, it will be able to use the Assessment's maturity matrix to evaluate its level of cybersecurity preparedness based on the institution's cyber risk management and oversight, threat intelligence capabilities, cybersecurity controls, external dependency management, and cyber incident management and resiliency planning. A financial institution can use the matrix's maturity levels to identify opportunities for improving the institution's cybersecurity, based on its inherent risk profile. The Assessment also will enable a financial institution to identify areas more rapidly that could improve its cybersecurity risk management and response programs, if needed. Use of the Assessment by financial institutions is not mandatory.

Type of Review: Regular.

Affected Public: Businesses or other for-profit.

Estimated Number of Respondents:[3]

OCC: 1,511 (19 large; 48 mid-size (including credit card banks); and 1,444 community national banks and Federal savings associations).

Estimated Burden per Response: 80 hours.

Total Estimated Burden: 120,880 hours.

Board: 5,282 (858 state member banks; 522 large bank holding companies; 3,902 small bank holding companies).

Estimated Burden per Response: 80 hours.

Total Estimated Burden: 422,560.

FDIC: 4,084 (includes 3,882 community banks).

Estimated Burden per Response: 80 hours.

Total Estimated Burden: 326,720.

NCUA: 6,206.

Estimated Burden per Response: 80 hours.

Total Estimated Burden: 496,480.

All Agencies:

Estimated Number of Respondents: 176 technology service providers.

Estimated Burden per Response: 80 hours.

Total Estimated Burden: 14,080 hours.

Estimated Frequency of Response: On occasion.

Estimated Total Annual Burden: 1,380,720 hours.

Comments submitted in response to this notice will be summarized and included in the request for OMB approval. All comments will become a matter of public record. Comments are invited on:

(a) Whether the collection of information is necessary for the proper performance of the functions of the Agencies, including whether the information has practical utility;

(b) The accuracy of the Agencies' estimates of the burden of the collection of information;

(c) Ways to enhance the quality, utility, and clarity of the information to be collected;

(d) Ways to minimize the burden of the collection on respondents, including through the use of automated collection techniques or other forms of information technology; and

(e) Estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.

Start Signature
Start Printed Page 43557

Dated: July 16, 2015.

Stuart E. Feldstein,

Director, Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency.

End Signature End Supplemental Information


2.  For purposes of this information collection, the term “financial institution” includes banks, savings associations, credit unions, bank and saving and loan holding companies and critical third-party service providers to financial institutions.

Back to Citation

3.  Burden is estimated conservatively and assumes all institutions will complete the Assessment. Therefore, the estimated burden may exceed the actual burden because use of the Assessment by financial institutions is not mandatory.

Back to Citation

[FR Doc. 2015-17907 Filed 7-21-15; 8:45 am]