Thursday, June 25, 2015

OMB Approves Emergency ICR for FFIEC Cybersecurity Assessment Tool

Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved an emergency information collection request for the use of a cybersecurity assessment tool “that will assist financial institutions of all sizes in assessing their inherent cybersecurity risk and their risk management capabilities”.

This cybersecurity assessment tool was developed as a cooperative project of the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve (Board), and the National Credit Union Administration (NCUA), under the auspices of the Federal Financial Institutions Examination Council (FFIEC). The table below lists the burden estimates for each agency and in total; it is based upon the supporting data [.DOC download] submitted to OIRA. The hour burden is calculated at an estimated 80 hours per assessment.

Agency          Respondents    Hour-Burden
OCC                   1,511        120,880
Board                 5,282        422,560
FDIC                  4,084        326,720
NCUA                  6,206        496,480
All Agencies            176         14,080
Total                17,259      1,380,720

NOTE: The ‘All Agencies’ row is not well described; the respondents are listed solely as “technology service providers”.

The supporting data document also notes that (pg 3):

“The Assessment incorporates the publicly available cybersecurity framework developed by the National Institute of Standards and Technology.  The Assessment tailors this framework to the financial industry.”

Finally, even though the Treasury’s supporting statement warns that “disruption, degradation, or unauthorized alteration of information and systems could affect a financial institution’s operations and core processes and undermine confidence in the nation's financial services sector” (pg 2), the collection is voluntary.

Commentary

I certainly do not intend to start covering cybersecurity issues in the banking sector as a normal topic in this blog. But I thought that this ICR approval is an illustration of the way that this Administration is addressing the cybersecurity situation that we are currently facing in this country (and let’s face it, the world).

First off, this is little more than an adaptation of the NIST Cybersecurity Framework (CSF) that was issued in February of 2014, well over a year ago. The implementation of the CSF, a risk-management tool rather than a set of technical security controls, was to be a main focus for the various critical infrastructure regulatory agencies. And now, some 16 months later, the financial services sector is getting ‘emergency’ approval to use this tool. This is hardly an expeditious response for protecting a sector that is arguably one of the most targeted for cyber attack.

Second, the Administration continues to insist on making the use of CSF-related tools completely voluntary, even in one of the most highly regulated environments. This makes absolutely no sense whatsoever.


This hands-off attitude in addressing serious cybersecurity problems is a hallmark of this Administration and may be a key reason that its own cybersecurity problems keep recurring with such regularity.
