The Office of the Comptroller of the
Currency, the Federal Deposit Insurance Corporation, the Board of
Governors of the Federal Reserve, and the National Credit Union
Administration (together, the "agencies"), under the auspices of
the Federal Financial Institutions Examination Council ("FFIEC"),
have accelerated efforts to assess and enhance the state of the
financial industry's cyber preparedness, and to close gaps in the
agencies' examination procedures and training that can strengthen
the oversight of financial industry cybersecurity readiness. The
agencies also have focused on improving their abilities to provide
financial institutions with resources that can assist in protecting
institutions and their customers from the growing risk posed by
cyber attacks. As part of these increased efforts, the agencies
have developed a Cybersecurity Assessment Tool ("Assessment") that
will assist financial institutions of all sizes in assessing their
inherent cybersecurity risk and their risk management capabilities.
The Assessment allows a financial institution to identify its
inherent cyber risk profile based on the financial institution's
technologies and connection types, delivery channels, online/mobile
products and technology services it offers, organizational
characteristics, and threats it is likely to face. Once an
institution identifies its inherent risk, it can evaluate its level
of cybersecurity preparedness based on the institution's cyber risk
management and oversight, threat intelligence capabilities,
cybersecurity controls, external dependency management, and cyber
incident management and resiliency planning using the Assessment's
maturity matrix. A financial institution can use the maturity
levels to identify opportunities for improving the institution's
cybersecurity, based on its inherent risk profile. The Assessment
also will enable financial institutions to identify areas more
rapidly that could improve their cybersecurity risk management and
response programs, if needed.
Cyber threats have
evolved and increased exponentially, with greater sophistication
than ever before. Financial institutions are exposed to cyber risks
because they are dependent on information technology to deliver
services to consumers and businesses every day. Cyber attacks on
financial institutions may not only result in access to, and the
compromise of, confidential information, but also the destruction
of critical data and systems. Disruption, degradation, or
unauthorized alteration of information and systems can affect an
institution’s operations and core processes, and undermine
confidence in the nation's financial services sector. Absent
immediate attention to these rapidly increasing threats, financial
institutions and the financial sector as a whole are at risk. The
agencies, under the auspices of the Federal Financial Institutions
Examination Council, have developed the attached Assessment that
will assist financial institutions of all sizes in assessing their
inherent cybersecurity risk and their risk management capabilities.
Financial institutions, particularly smaller institutions, have
requested this assistance. The Assessment incorporates existing
regulatory requirements applicable to financial institutions and
the cybersecurity framework developed by the National Institute of
Standards and Technology. The Assessment will enable financial
institutions to identify areas that could improve their
cybersecurity risk management and response programs more rapidly,
if needed. The agencies would like to issue the Assessment as
expeditiously as possible, given the potential severity and
imminence of cyber threats to individual financial institutions and
the financial sector as a whole. The agencies note that addressing
cyber threats to critical infrastructure also is an Administration
priority. The timeframes required by the ordinary clearance process
would delay use of the Assessment and could have a negative impact
on the cybersecurity preparedness of the financial sector. For
these reasons, the agencies request emergency OMB approval of this
collection. The agencies believe that immediate collection of this
information is in the best interest of the United States, the
banking system, and the public. The agencies also request a waiver
of a Federal Register publication for emergency clearance. Of
course, the renewal procedure will involve Federal Register notice
and public comment. The agencies will carefully consider all
comments received in connection with the renewal procedure to
determine if revision to the information collection is
warranted.
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number.
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.