Yesterday the OMB’s Office of Information and Regulatory
Affairs (OIRA) announced that it had approved an emergency information collection
request for the use of a cybersecurity assessment tool “that will assist
financial institutions of all sizes in assessing their inherent cybersecurity
risk and their risk management capabilities”.
This cybersecurity assessment tool was developed as a
cooperative project of the Office of the Comptroller of the Currency (OCC), the
Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the
Federal Reserve (Board), and the National Credit Union Administration (NCUA), under
the auspices of the Federal Financial Institutions Examination Council (FFIEC).
The table below lists the burden estimates, both for the individual agencies
and for the total burden, and is based upon the supporting
data [.DOC download] submitted to OIRA. The hours-burden is based upon an
estimated 80 hours per assessment.

| Agency | Respondents | Hour-Burden |
|---|---|---|
| OCC | 1,511 | 120,880 |
| Board | 5,282 | 422,560 |
| FDIC | 4,084 | 326,720 |
| NCUA | 6,206 | 496,480 |
| All Agencies | 176 | 14,080 |
| Total | 17,259 | 1,380,720 |
NOTE: The ‘all agencies’ figures are not well described,
being listed solely as “technology service providers”.
The supporting data document also notes that (pg 3):
“The Assessment incorporates the
publicly available cybersecurity framework developed by the National Institute
of Standards and Technology. The
Assessment tailors this framework to the financial industry.”
Finally, even though the Treasury reports that failure to
use the tool could lead to “disruption, degradation, or unauthorized alteration
of information and systems could affect a financial institution’s operations
and core processes and undermine confidence in the nation's financial services
sector” (pg 2), the collection is voluntary.
Commentary
I certainly do not intend to start covering cybersecurity
issues in the banking sector as a normal topic in this blog. But I thought that
this ICR approval is an illustration of the way that this Administration is
addressing the cybersecurity situation that we are currently facing in this
country (and let’s face it, the world).
First off, this is little more than an adaptation of the
NIST Cybersecurity Framework (CSF) that was issued in February of 2014, well
over a year ago. The implementation of the CSF, a risk-management tool not a
cybersecurity tool, was to be a main focus for the various critical
infrastructure regulatory agencies. And now, 15 months later, the financial
services sector is getting ‘emergency’ approval to use this tool. This is
hardly an expeditious response for protecting a sector that is arguably one of
the most targeted for cyber attack.
Finally, the Administration continues to insist on making
the use of the CSF-related tools completely voluntary, even in one of the most
highly regulated environments. This makes absolutely no sense whatsoever.
This hands-off attitude in addressing serious cybersecurity problems
is a hallmark of this Administration and may be a key reason that its own
cybersecurity problems keep recurring with such regularity.