Agency Information Collection Activities: Information Collection Renewal; Submission for OMB Review; Computer-Security Incident Notification

Issuing agencies

Abstract

The OCC, as part of its continuing effort to reduce paperwork and respondent burden, invites comment on a continuing information collection, as required by the Paperwork Reduction Act of 1995 (PRA). In accordance with the requirements of the PRA, the OCC may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The OCC is soliciting comment concerning the renewal of its information collection titled, "Computer-Security Incident Notification." The OCC also is giving notice that it has sent the collection to OMB for review.

Full Text

<html>
<head>
<title>Federal Register, Volume 90 Issue 20 (Friday, January 31, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 20 (Friday, January 31, 2025)]
[Notices]
[Pages 8735-8736]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-02019]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency


Agency Information Collection Activities: Information Collection 
Renewal; Submission for OMB Review; Computer-Security Incident 
Notification

AGENCY: Office of the Comptroller of the Currency (OCC), Treasury.

ACTION:  Notice and request for comment.

-----------------------------------------------------------------------

SUMMARY: The OCC, as part of its continuing effort to reduce paperwork 
and respondent burden, invites comment on a continuing information 
collection, as required by the Paperwork Reduction Act of 1995 (PRA). 
In accordance with the requirements of the PRA, the OCC may not conduct 
or sponsor, and the respondent is not required to respond to, an 
information collection unless it displays a currently valid Office of 
Management and Budget (OMB) control number. The OCC is soliciting 
comment concerning the renewal of its information collection titled, 
``Computer-Security Incident Notification.'' The OCC also is giving 
notice that it has sent the collection to OMB for review.

DATES: Comments must be received by March 3, 2025.

ADDRESSES:  Commenters are encouraged to submit comments by email, if 
possible. You may submit comments by any of the following methods:
    <bullet> Email: <a href="/cdn-cgi/l/email-protection#f58587949c9b939ab59a9696db8187909486db929a83"><span class="__cf_email__" data-cfemail="b6c6c4d7dfd8d0d9f6d9d5d598c2c4d3d7c598d1d9c0">[email&#160;protected]</span></a>.
    <bullet> Mail: Chief Counsel's Office, Attention: Comment 
Processing, Office of the Comptroller of the Currency, Attention: 1557-
0350, 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
    <bullet> Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218, 
Washington, DC 20219.
    <bullet> Fax: (571) 293-4835.
    Instructions: You must include ``OCC'' as the agency name and 
``1557-0350'' in your comment. In general, the OCC will publish 
comments on <a href="http://www.reginfo.gov">www.reginfo.gov</a> without change, including any business or 
personal information provided, such as name and address information, 
email addresses, or phone numbers. Comments received, including 
attachments and other supporting materials, are part of the public 
record and subject to public disclosure. Do not include any information 
in your comment or supporting materials that you consider confidential 
or inappropriate for public disclosure.
    Written comments and recommendations for the proposed information 
collection should also be sent within 30 days of publication of this 
notice to <a href="http://www.reginfo.gov/public/do/PRAMain">www.reginfo.gov/public/do/PRAMain</a>. You can find this 
information collection by selecting ``Currently under 30-day Review--
Open for Public Comments'' or by using the search function.
    You may review comments and other related materials that pertain to 
this information collection following the

[[Page 8736]]

close of the 30-day comment period for this notice by the method set 
forth in the next bullet.
    <bullet> Viewing Comments Electronically: Go to <a href="http://www.reginfo.gov">www.reginfo.gov</a>. 
Hover over the ``Information Collection Review'' tab and click on 
``Information Collection Review'' from the drop-down menu. From the 
``Currently under Review'' drop-down menu, select ``Department of 
Treasury'' and then click ``submit.'' This information collection can 
be located by searching OMB control number ``1557-0350'' or ``Computer-
Security Incident Notification.'' Upon finding the appropriate 
information collection, click on the related ``ICR Reference Number.'' 
On the next screen, select ``View Supporting Statement and Other 
Documents'' and then click on the link to any comment listed at the 
bottom of the screen.
    <bullet> For assistance in navigating <a href="http://www.reginfo.gov">www.reginfo.gov</a>, please 
contact the Regulatory Information Service Center at (202) 482-7340.

FOR FURTHER INFORMATION CONTACT: Shaquita Merritt, Clearance Officer, 
(202) 649-5490, Chief Counsel's Office, Office of the Comptroller of 
the Currency, 400 7th Street SW, Washington, DC 20219. If you are deaf, 
hard of hearing, or have a speech disability, please dial 7-1-1 to 
access telecommunications relay services.

SUPPLEMENTARY INFORMATION:  Under the PRA (44 U.S.C. 3501 et seq.), 
Federal agencies must obtain approval from the OMB for each collection 
of information that they conduct or sponsor. ``Collection of 
information'' is defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to 
include agency requests or requirements that members of the public 
submit reports, keep records, or provide information to a third party. 
The OCC asks the OMB to extend its approval of the collection in this 
notice.
    Title: Computer-Security Incident Notification.
    OMB Control No.: 1557-0350.
    Type of Review: Regular.
    Affected Public: Businesses or other for-profit.
    Description: Pursuant to 12 CFR part 53, the OCC has established 
certain computer-security incident notification requirements applicable 
to banking organizations \1\ and bank service providers.\2\ 
Specifically, 12 CFR 53.3 requires a banking organization to notify the 
OCC about a ``notification incident'' as soon as possible but no later 
than 36 hours after the banking organization determines that a 
notification incident has occurred. The regulation defines a 
``notification incident'' as ``a computer-security incident that has 
materially disrupted or degraded, or is reasonably likely to materially 
disrupt or degrade, a banking organization's--(i) [a]bility to carry 
out banking operations, activities, or processes, or deliver banking 
products and services to a material portion of its customer base, in 
the ordinary course of business; (ii) [b]usiness line(s), including 
associated operations, services, functions, and support, that upon 
failure would result in a material loss of revenue, profit, or 
franchise value; or (iii) [o]perations, including associated services, 
functions and support, as applicable, the failure or discontinuance of 
which would pose a threat to the financial stability of the United 
States.'' \3\
---------------------------------------------------------------------------

    \1\ A banking organization as ``a national bank, Federal savings 
association, or Federal branch or agency of a foreign bank; 
provided, however, that no designated financial market utility shall 
be considered a banking organization.'' 12 CFR 53.2(b)(1).
    \2\ A bank service provider is ``a bank service company or other 
person that performs covered services; provided, however, that no 
designated financial market utility shall be considered a bank 
service provider.'' 12 CFR 53.2(b)(2).
    \3\ 12 CFR 53.2(b)(7). A ``computer-security incident'' is ``an 
occurrence that results in actual harm to the confidentiality, 
integrity, or availability of an information system or the 
information that the system processes, stores, or transmits.'' 12 
CFR 53.2(b)(4).
---------------------------------------------------------------------------

    Additionally, a bank service provider must notify at least one 
bank-designated point of contact at each affected banking organization 
customer as soon as possible when the bank service provider determines 
that it has experienced a computer-security incident that has 
materially disrupted or degraded, or is reasonably likely to materially 
disrupt or degrade, covered services provided to such banking 
organization for four or more hours.
    Estimated Burden:
    Estimated Frequency of Response: On occasion; event generated.
    Estimated Number of Respondents:
    Reporting: 100 Respondents.
    Disclosure: 832 Respondents.
    Estimated Total Annual Burden: 2,796 hours.
    Comments: On November 27, 2024, the OCC published a 60-day notice 
for this information collection, (89 FR 93827). No comments were 
received.
    Comments continue to be invited on:
    (a) Whether the collection of information is necessary for the 
proper performance of the functions of the OCC, including whether the 
information has practical utility;
    (b) The accuracy of the OCC's estimate of the burden of the 
collection of information;
    (c) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (d) Ways to minimize the burden of the collection on respondents, 
including through the use of automated collection techniques or other 
forms of information technology; and
    (e) Estimates of capital or start-up costs and costs of operation, 
maintenance, and purchase of services to provide information.

Patrick T. Tierney,
Assistant Director, Office of the Comptroller of the Currency.
[FR Doc. 2025-02019 Filed 1-30-25; 8:45 am]
BILLING CODE 4810-33-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>