Computer Security Incident Supporting Statement 10-14-21


Computer-Security Incident Notification

OMB: 1557-0350



Office of the Comptroller of the Currency

Supporting Statement

Libor Self-Assessment

OMB Control No. 1557-NEW


A. Justification.


1. Circumstances that make the collection necessary:


The final rule contains a reporting requirement that is subject to the PRA. The reporting requirement is found in § 53.3 of the final rule, which requires a banking organization to notify its primary federal bank regulatory agency of the occurrence of a “notification incident” at the banking organization. The final rule also contains a disclosure requirement that is subject to the PRA. The disclosure requirement is found in § 53.4 of the final rule, which requires a bank service provider to notify at least two individuals at affected banking organization customers immediately after it experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours.


A “computer-security incident” is defined as an occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits; or constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. The final rule requires a banking organization to notify its primary federal banking regulator upon the occurrence of a “notification incident” at the banking organization. A banking organization may authorize or contract with a bank service provider to notify its primary federal banking regulator of such an incident on its behalf. The agencies recognize that the final rule imposes a limited amount of burden, beyond what is usual and customary, on banking organizations in the event of a computer-security incident even if it does not rise to the level of a notification incident, as banking organizations will need to engage in an analysis to determine whether the relevant thresholds for notification are met. Therefore, the agencies’ estimated burden per notification incident takes into account the burden associated with such computer-security incidents. The final rule also requires a bank service provider, as defined herein and in accordance with the BSCA, to notify affected banking organization customers as soon as possible when it experiences a computer-security incident that it reasonably believes could disrupt, degrade, or impair services provided subject to the BSCA for four or more hours.


2. Use of the information:


These requirements are intended to serve as an early alert to a banking organization’s primary federal regulator and are not intended to provide an assessment of the incident.


3. Consideration of the use of improved information technology:


Not applicable.


4. Efforts to identify duplication:


There is no duplication.


5. If the collection of information impacts small businesses or other small entities, describe any methods used to minimize burden.


Not applicable.


6. Consequences to the federal program if the collection were conducted less frequently:


Not applicable.


7. Special circumstances that would cause an information collection to be conducted in a manner inconsistent with 12 CFR part 1320:


Not applicable.


8. Efforts to consult with persons outside the agency:


The OCC issued a notice of proposed rulemaking for comment containing the collection. The agencies received one PRA-related comment, which agreed that collections of information have practical utility.


9. Payment or gift to respondents:


None.


10. Any assurance of confidentiality:


The information will be kept private to the extent permitted by law.


11. Justification for questions of a sensitive nature:


There are no questions of a sensitive nature.


12. Burden estimate: 1


Reporting: 22 Respondents x 3 hours = 66 hours


Disclosure: 802 Respondents x 3 hours = 2,406 hours


2,406 hours x $114.17 = $274,693.02


To estimate wages, the OCC reviewed May 2020 data for wages (by industry and occupation) from the U.S. Bureau of Labor Statistics (BLS) for credit intermediation and related activities (NAICS 5220A1).  To estimate compensation costs associated with the rule, the OCC uses $114.17 per hour, which is based on the average of the 90th percentile for six occupations adjusted for inflation (2 percent as of Q1 2021), plus an additional 33.4 percent for benefits (based on the percent of total compensation allocated to benefits as of Q4 2020 for NAICS 522: credit intermediation and related activities).


13. Estimate of total annual cost to respondents (excluding cost of hour burden in Item #12):


Not applicable.


14. Estimates of annualized costs to the federal government:


Not applicable.


15. Change in burden:


This is a new collection.


16. Information regarding collections whose results are to be published for statistical use:


Not applicable.

17. Reasons for not displaying OMB expiration date:


Not applicable.


18. Exceptions to the certification statement:


Not applicable.


B. Collections of Information Employing Statistical Methods.


Not applicable.











1 The number of respondents for the reporting requirement is based on allocating the estimated 150 notification incidents among the agencies based on the percentage of entities supervised by each agency. The FDIC represents the majority of the banking organizations (64 percent), while the Board supervises approximately 21 percent of the banking organizations, with the OCC supervising the remaining 15 percent of banking organizations. The number of respondents for the disclosure requirement is based on an assumption of an approximately 2 percent per year frequency of incidents from 120,392 firms, which is divided equally among the OCC, FDIC, and Board. The number of 120,392 firms is the number of firms in the United States under NAICS code 5415 in 2018, the latest year for which such data is available. See U.S. Census Bureau, 2018 SUSB Annual Data Tables by Establishment Industry, https://www.census.gov/data/tables/2018/econ/susb/2018-susb-annual.html (last revised Aug. 27, 2021).



Author: OCC
File Created: 2021-11-24
