Pursuant to Executive Order 13636 (EO13636) Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive 21 (PPD 21) Critical Infrastructure Security and Resilience, Treasury serves as the Sector-Specific Agency (SSA) for the financial services sector. Within Treasury, the Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) executes the Department's SSA responsibilities as part of its mission to enhance the security and resilience of the financial services sector's critical infrastructure. Further, OCCIP supports the implementation of the National Cyber Strategy as it pertains to financial services cybersecurity.
To enable Treasury to fulfill its SSA duties, and given increased cybersecurity risks related to COVID-19 pandemic response, OCCIP seeks to collect and analyze information on cyber threats and vulnerabilities to better understand the cybersecurity risk to the U.S. financial services sector operations and critical infrastructure. OCCIP intends to solicit this information from approximately 50 respondents representing the largest systemically important financial institutions and financial market utilities, which collectively form the backbone of U.S. financial service critical infrastructure. OCCIP is requesting information related to each respondent's critical functions and processes, including various business lines and intrasector relationships. This information collection will support OCCIP's efforts to enhance the security and resilience of the financial services sector, and to work collaboratively with industry and interagency partners to mitigate cybersecurity risks that could impact financial services sector operations.
The Department of Treasury (Treasury) is requesting emergency processing of a new collection (OMB 1505-0265) to survey financial institutions to identify security vulnerabilities. Treasury is requesting emergency approval for this information collection to support incident response and continuity of the economy planning in light of the COVID-19 pandemic. Following the declaration of a public health emergency in numerous jurisdictions (including, but not limited to, the New York metropolitan area), the U.S. financial services sector workforce moved to telework to accommodate shelter-in-place orders. This shift to remote operations has introduced new cybersecurity risks and vulnerabilities to financial services critical infrastructure, with the potential to disrupt critical functions and processes that enable the U.S. financial system.
Treasury is seeking information from financial services firms regarding their networks, systems, and data to better understand how these firms are interconnected and the vulnerabilities that arise from these connections that, if exploited by a cyber threat actor, could negatively impact the operations of the U.S. financial services sector and the broader U.S. economy. In particular, Treasury has observed increased reports of ransomware attacks against financial services firms and service providers. Therefore, it is critical that Treasury is able to solicit and collect this information in a timely fashion to reduce growing cybersecurity risks to the financial services sector as it maintains remote operations due to COVID-19.
Due to the unprecedented COVID-19 emergency situation, Treasury is planning to begin administering these surveys on September 30, 2020. In order to meet this tight deadline, Treasury would like to request a waiver of the requirement to publish a notice seeking public comments during the Office of Management and Budget (OMB) review period and requests OMB approval by September 28, 2020.
EO: EO 13636
Name/Subject of EO: Improving Critical Infrastructure Cybersecurity
On behalf of this Federal agency, I certify that the collection of information encompassed by this request complies with 5 CFR 1320.9 and the related provisions of 5 CFR 1320.8(b)(3).
The following is a summary of the topics, regarding the proposed collection of information, that the certification covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control number.
If you are unable to certify compliance with any of these provisions, identify the item by leaving the box unchecked and explain the reason in the Supporting Statement.