89 FR 229 pgs. 93827-93829 - Agency Information Collection Activities: Information Collection Renewal; Comment Request; Computer-Security Incident Notification
Type: NOTICE
Volume: 89
Number: 229
Pages: 93827 - 93829
FR document: [FR Doc. 2024-27876 Filed 11-26-24; 8:45 am]
Agency: Treasury Department
Sub Agency: Customs Service
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
Agency Information Collection Activities: Information Collection Renewal; Comment Request; Computer-Security Incident Notification
AGENCY:
Office of the Comptroller of the Currency (OCC), Treasury.
ACTION:
Notice and request for comment.
SUMMARY:
The OCC, as part of its continuing effort to reduce paperwork and respondent burden, invites
DATES:
Comments must be received by January 27, 2025.
ADDRESSES:
Commenters are encouraged to submit comments by email, if possible. You may submit comments by any of the following methods:
• Email: prainfo@occ.treas.gov.
• Mail: Chief Counsel's Office, Attention: Comment Processing, Office of the Comptroller of the Currency, Attention: 1557-0350, 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
• Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
• Fax: (571) 293-4835.
Instructions: You must include "OCC" as the agency name and "1557-0350" in your comment. In general, the OCC will publish comments on www.reginfo.gov without change, including any business or personal information provided, such as name and address information, email addresses, or phone numbers. Comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not include any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.
Following the close of this notice's 60-day comment period, the OCC will publish a second notice with a 30-day comment period. You may review comments and other related materials that pertain to this information collection beginning on the date of publication of the second notice for this collection by the method set forth in the next bullet.
• Viewing Comments Electronically: Go to www.reginfo.gov. Hover over the "Information Collection Review" tab and click on "Information Collection Review" from the drop-down menu. From the "Currently under Review" drop-down menu, select "Department of Treasury" and then click "submit." This information collection can be located by searching OMB control number "1557-0350" or "Computer-Security Incident Notification." Upon finding the appropriate information collection, click on the related "ICR Reference Number." On the next screen, select "View Supporting Statement and Other Documents" and then click on the link to any comment listed at the bottom of the screen.
• For assistance in navigating www.reginfo.gov, please contact the Regulatory Information Service Center at (202) 482-7340.
FOR FURTHER INFORMATION CONTACT:
Shaquita Merritt, Clearance Officer, (202) 649-5490, Chief Counsel's Office, Office of the Comptroller of the Currency, 400 7th Street SW, Washington, DC 20219. If you are deaf, hard of hearing, or have a speech disability, please dial 7-1-1 to access telecommunications relay services.
SUPPLEMENTARY INFORMATION:
Under the PRA (44 U.S.C. 3501 et seq.), Federal agencies must obtain approval from the OMB for each collection of information that they conduct or sponsor. "Collection of information" is defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to include agency requests or requirements that members of the public submit reports, keep records, or provide information to a third party. Section 3506(c)(2)(A) of title 44 generally requires Federal agencies to provide a 60-day notice in the Federal Register concerning each proposed collection of information, including each proposed extension of an existing collection of information, before submitting the collection to OMB for approval. To comply with this requirement, the OCC is publishing notice of the renewal of this collection.
Title: Computer-Security Incident Notification.
OMB Control No.: 1557-0350.
Type of Review: Regular.
Affected Public: Businesses or other for-profit.
Description: Pursuant to 12 CFR part 53, the OCC has established certain computer-security incident notification requirements applicable to banking organizations [1] and bank service providers. [2] Specifically, 12 CFR 53.3 requires a banking organization to notify the OCC about a "notification incident" as soon as possible but no later than 36 hours after the banking organization determines that a notification incident has occurred. The regulation defines a "notification incident" as "a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization's-(i) [a]bility to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) [b]usiness line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) [o]perations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States." [3]
Footnotes:
[1] A banking organization is "a national bank, Federal savings association, or Federal branch or agency of a foreign bank; provided, however, that no designated financial market utility shall be considered a banking organization." 12 CFR 53.2(b)(1).
[2] A bank service provider is "a bank service company or other person that performs covered services; provided, however, that no designated financial market utility shall be considered a bank service provider." 12 CFR 53.2(b)(2).
[3] 12 CFR 53.2(b)(7). A "computer-security incident" is "an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits." 12 CFR 53.2(b)(4).
Additionally, a bank service provider must notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.
Estimated Burden:
Estimated Frequency of Response: On occasion; event generated.
Estimated Number of Respondents:
Reporting: 100 Respondents.
Disclosure: 832 Respondents.
Estimated Total Annual Burden: 2,795 hours.
Comments submitted in response to this notice will be summarized and included in the request for OMB approval. All comments will become a matter of public record. Comments are invited on:
(a) Whether the collection of information is necessary for the proper performance of the functions of the OCC, including whether the information has practical utility;
(b) The accuracy of the OCC's estimate of the burden of the collection of information;
(c) Ways to enhance the quality, utility, and clarity of the information to be collected;
(d) Ways to minimize the burden of the collection on respondents, including
(e) Estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.
Patrick T. Tierney,
Assistant Director, Office of the Comptroller of the Currency.
[FR Doc. 2024-27876 Filed 11-26-24; 8:45 am]
BILLING CODE 4810-33-P