Supporting Statement
U.S. Department of the Treasury
Office of Cybersecurity and Critical Infrastructure Protection
Financial Sector Information Collection
OMB 1505-0265
Survey to Identify and Analyze the Operations Dependencies of Financial Services Sector Critical Functions
Justification
Circumstances Making the Collection of Information Necessary.
Pursuant to Executive Order 13636 (EO13636) Improving Critical Infrastructure Cybersecurity and Presidential Policy Directive 21 (PPD 21) Critical Infrastructure Security and Resilience, Treasury serves as the Sector-Specific Agency (SSA) for the financial services sector. Within Treasury, the Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) executes the Department’s SSA responsibilities as part of its mission to enhance the security and resilience of the financial services sector’s critical infrastructure. Further, OCCIP supports the implementation of the National Cyber Strategy as it pertains to financial services cybersecurity.
To enable Treasury to fulfill its SSA duties, and given increased cybersecurity risks related to COVID-19 pandemic response, OCCIP seeks to collect and analyze information on cyber threats and vulnerabilities to better understand the cybersecurity risk to the U.S. financial services sector operations and critical infrastructure. OCCIP intends to solicit this information from approximately 50 respondents representing the largest systemically important financial institutions and financial market utilities, which collectively form the backbone of U.S. financial service critical infrastructure. OCCIP is requesting information related to each respondent’s critical functions and processes, including various business lines and intrasector relationships. This information collection will support OCCIP’s efforts to enhance the security and resilience of the financial services sector, and to work collaboratively with industry and interagency partners to mitigate cybersecurity risks that could impact financial services sector operations.
Purpose and Use of the Information Collection.
OCCIP will use this information to support Treasury’s SSA responsibilities to reduce operational risk to U.S. financial services sector critical infrastructure and preserve economic stability. This information will increase Treasury’s overall understanding of financial services sector operations and the associated cybersecurity risks that may negatively impact those operations. Treasury will use this information in the development and coordination of cyber incident response protocols and recovery planning, as well as to improve OCCIP’s risk analysis and management initiatives, including the SECURE program.
To achieve its mission and fulfill its duties as the financial services sector SSA, OCCIP has developed the SECURE program to analyze the cyber and operational risks to and resilience of U.S. financial services critical infrastructure. SECURE will apply methodological approaches to identify and understand the key financial services sector architecture (e.g., critical functions, key institutions) and related cross-sector infrastructure (e.g., energy, telecommunications). This approach will enable targeted follow-on activities aimed at reducing sector systemic risk.
Successful implementation of the SECURE program depends on the collection and analysis of operational data that resides within financial institutions, which OCCIP can aggregate and analyze across firms to provide a holistic view of the financial services sector. The data collected through this survey will enable OCCIP to map sector interdependencies and better identify and mitigate systemic cyber and operational risks.
Consideration Given to Information Technology.
OCCIP will collect information electronically and use online collaboration tools as appropriate to reduce burden. Respondents will submit their information via electronic mail directly to the SECURE program management team.
Duplication of Information.
No similar data is gathered or maintained by OCCIP or available from other sources. Treasury is not a Federal financial regulatory agency and therefore does not have access to confidential supervisory information (CSI) that financial institutions are required to submit to their regulator(s). This information collection does not duplicate CSI.
Reducing the Burden on Small Entities.
This collection of information is not expected to have a significant impact on small entities.
Consequences of Not Conducting Collection.
Treasury cannot fulfill its SSA responsibilities to enhance the security and resilience of the financial services sector without an adequate understanding of the cybersecurity and operational risks to financial services critical infrastructure. Treasury requires critical functions and operations data to make timely and informed risk management decisions to reduce negative impacts to financial sector operations.
Special Circumstances.
There are no special circumstances. The collection of information is conducted in a manner consistent with the guidelines in 5 CFR 1320.6.
Consultations with Persons Outside the Agency.
Treasury is not seeking public comments as this is an emergency information collection request.
Payment or Gift.
No payments or gifts will be made to respondents.
Confidentiality.
This information collection is subject to all Federal regulations with respect to confidentiality of the information provided in this collection of information.
Questions of a Sensitive Nature.
No questions of a sensitive nature are asked in this information collection. No personally identifiable information (PII) is collected.
Estimate of the Hour Burden of Information Collection.
The estimated total hour burden of this information collection is 3,000 hours. This calculation is based on 50 respondents providing 1 responses per year, for an annual total of 50 responses, with an estimated time per response of 60 hours.
|
Number of Respondents |
Annual Frequency per Response |
Total Responses |
Hours Per Response |
Total Hours |
Surveys |
50 |
1 |
50 |
60 |
3000 |
TOTAL |
50 |
|
50 |
|
3000 |
Estimate of the Annual Cost to Respondents.
It is not expected that this information collection will have a cost burden to respondents other than the hour burden described in item number 12. OCCIP estimates the total annualized cost to respondents is $148,290. This is based on an estimated annual hour burden of 3,000 and an hourly total compensation rate for the financial sector of $49.43, per the Bureau of Labor Statistics.1
No purchases of equipment or services are necessary for this information collection.
Cost to the Federal Government.
The cost to the Government is the OCCIP staff and contractor time required to develop the survey, review submitted survey responses, collect follow-up information from respondents, and analyze the results. The estimate of annualized cost to the Federal government is $1,091,000.
This estimate is based on projected Federal employee labor costs of $381,800 and Federal contractor services of $709,200. The Federal employee labor costs reflect loaded rates by GS level (GS-13) and based on an estimated 4,160 labor hours. Federal contractor services consist of an interagency agreement with a Federally funded research and development center. Federal contractor services amount reflects OCCIP’s FY20 spend plan.
Reason for Change.
Not applicable as this is a new information collection request.
Tabulation of Results, Schedule, Analysis Plans.
Confidential or proprietary information collected through the application will not be published. All information collected and derivative analysis will be for Treasury internal use and with the Critical Infrastructure Partnership Advisory Council as appropriate and necessary.
Display of OMB Expiration Date.
OCCIP plans to display the expiration date for OMB approval of the information collection on all instruments.
Exceptions to Certification for Paperwork Reduction Act Submission.
There are no exceptions to the certification statement.
1 Wage rate from Bureau of Labor Statistics wage data for financial activities is $49.43 for December 2019. https://www.bls.gov/news.release/ecec.t04.htm#ect_table4.f.1
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | DRAFT |
| Author | PCxx |
| File Modified | 0000-00-00 |
| File Created | 2021-01-13 |