Pursuant to Executive Order 13636
(EO 13636), Improving Critical Infrastructure Cybersecurity, and
Presidential Policy Directive 21 (PPD 21), Critical Infrastructure
Security and Resilience, Treasury serves as the Sector-Specific
Agency (SSA) for the financial services sector. Within Treasury,
the Office of Cybersecurity and Critical Infrastructure Protection
(OCCIP) executes the Department’s SSA responsibilities as part of
its mission to enhance the security and resilience of the financial
services sector’s critical infrastructure. Further, OCCIP supports
the implementation of the National Cyber Strategy as it pertains to
financial services cybersecurity. To enable Treasury to fulfill its
SSA duties, and given increased cybersecurity risks related to the
COVID-19 pandemic response, OCCIP seeks to collect and analyze
information on cyber threats and vulnerabilities to better
understand the cybersecurity risk to the U.S. financial services
sector operations and critical infrastructure. OCCIP intends to
solicit this information from approximately 50 respondents
representing the largest systemically important financial
institutions and financial market utilities, which collectively
form the backbone of U.S. financial services critical
infrastructure. OCCIP is requesting information related to each
respondent’s critical functions and processes, including various
business lines and intrasector relationships. This information
collection will support OCCIP’s efforts to enhance the security and
resilience of the financial services sector, and to work
collaboratively with industry and interagency partners to mitigate
cybersecurity risks that could impact financial services sector
operations.
The Department of
Treasury (Treasury) is requesting emergency processing of a new
collection (OMB 1505-0265) to survey financial institutions to
identify security vulnerabilities. Treasury is requesting emergency
approval for this information collection to support incident
response and continuity of the economy planning in light of the
COVID-19 pandemic. Following the declaration of a public health
emergency in numerous jurisdictions (including, but not limited to,
the New York metropolitan area), the U.S. financial services sector
workforce moved to telework to accommodate shelter-in-place orders.
This shift to remote operations has introduced new cybersecurity
risks and vulnerabilities to financial services critical
infrastructure, with the potential to disrupt critical functions
and processes that enable the U.S. financial system. Treasury is
seeking information from financial services firms regarding their
networks, systems, and data to better understand how these firms
are interconnected and the vulnerabilities that arise from these
connections that, if exploited by a cyber threat actor, could
negatively impact the operations of the U.S. financial services
sector and the broader U.S. economy. In particular, Treasury has
observed increased reports of ransomware attacks against financial
services firms and service providers. Therefore, it is critical
that Treasury is able to solicit and collect this information in a
timely fashion to reduce growing cybersecurity risks to the
financial services sector as it maintains remote operations due to
COVID-19. Due to the unprecedented COVID-19 emergency situation,
Treasury is planning to begin administering these surveys on
September 30, 2020. In order to meet this tight deadline, Treasury
would like to request a waiver of the requirement to publish a
notice seeking public comments during the Office of Management and
Budget (OMB) review period and requests OMB approval by September
28, 2020.
EO: EO 13636
Name/Subject of EO: Improving Critical Infrastructure Cybersecurity
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number.
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.