eLaws | eCases | United States Code | Federal Courts |
Home » 2025 Issues » 90 FR (01/31/2025) » 2025-02019. Agency Information Collection Activities: Information Collection Renewal; Submission for OMB Review; Computer-Security Incident Notification

  2025-02019. Agency Information Collection Activities: Information Collection Renewal; Submission for OMB Review; Computer-Security Incident Notification  

  • Document Headings

    Document headings vary by document type but may contain the following:

    1. the agency or agencies that issued and signed a document
    2. the number of the CFR title and the number of each part the document amends, proposes to amend, or is directly related to
    3. the agency docket number / agency internal file number
    4. the RIN which identifies each regulatory action listed in the Unified Agenda of Federal Regulatory and Deregulatory Actions

    See the Document Drafting Handbook for more details.

    Department of the Treasury
    Office of the Comptroller of the Currency

    AGENCY:

    Office of the Comptroller of the Currency (OCC), Treasury.

    ACTION:

    Notice and request for comment.

    SUMMARY:

    The OCC, as part of its continuing effort to reduce paperwork and respondent burden, invites comment on a continuing information collection, as required by the Paperwork Reduction Act of 1995 (PRA). In accordance with the requirements of the PRA, the OCC may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. The OCC is soliciting comment concerning the renewal of its information collection titled, “Computer-Security Incident Notification.” The OCC also is giving notice that it has sent the collection to OMB for review.

    DATES:

    Comments must be received by March 3, 2025.

    ADDRESSES:

    Commenters are encouraged to submit comments by email, if possible. You may submit comments by any of the following methods:

    • Email: prainfo@occ.treas.gov.
    • Mail: Chief Counsel's Office, Attention: Comment Processing, Office of the Comptroller of the Currency, Attention: 1557-0350, 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
    • Hand Delivery/Courier: 400 7th Street SW, Suite 3E-218, Washington, DC 20219.
    • Fax: (571) 293-4835.

    Instructions: You must include “OCC” as the agency name and “1557-0350” in your comment. In general, the OCC will publish comments on www.reginfo.gov without change, including any business or personal information provided, such as name and address information, email addresses, or phone numbers. Comments received, including attachments and other supporting materials, are part of the public record and subject to public disclosure. Do not include any information in your comment or supporting materials that you consider confidential or inappropriate for public disclosure.

    Written comments and recommendations for the proposed information collection should also be sent within 30 days of publication of this notice to www.reginfo.gov/​public/​do/​PRAMain. You can find this information collection by selecting “Currently under 30-day Review—Open for Public Comments” or by using the search function.

    You may review comments and other related materials that pertain to this information collection following the ( print page 8736) close of the 30-day comment period for this notice by the method set forth in the next bullet.

    • Viewing Comments Electronically: Go to www.reginfo.gov. Hover over the “Information Collection Review” tab and click on “Information Collection Review” from the drop-down menu. From the “Currently under Review” drop-down menu, select “Department of Treasury” and then click “submit.” This information collection can be located by searching OMB control number “1557-0350” or “Computer-Security Incident Notification.” Upon finding the appropriate information collection, click on the related “ICR Reference Number.” On the next screen, select “View Supporting Statement and Other Documents” and then click on the link to any comment listed at the bottom of the screen.
    • For assistance in navigatingwww.reginfo.gov, please contact the Regulatory Information Service Center at (202) 482-7340.

    FOR FURTHER INFORMATION CONTACT:

    Shaquita Merritt, Clearance Officer, (202) 649-5490, Chief Counsel's Office, Office of the Comptroller of the Currency, 400 7th Street SW, Washington, DC 20219. If you are deaf, hard of hearing, or have a speech disability, please dial 7-1-1 to access telecommunications relay services.

    SUPPLEMENTARY INFORMATION:

    Under the PRA (44 U.S.C. 3501 et seq.), Federal agencies must obtain approval from the OMB for each collection of information that they conduct or sponsor. “Collection of information” is defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3(c) to include agency requests or requirements that members of the public submit reports, keep records, or provide information to a third party. The OCC asks the OMB to extend its approval of the collection in this notice.

    Title: Computer-Security Incident Notification.

    OMB Control No.: 1557-0350.

    Type of Review: Regular.

    Affected Public: Businesses or other for-profit.

    Description: Pursuant to 12 CFR part 53, the OCC has established certain computer-security incident notification requirements applicable to banking organizations [1] and bank service providers.[2] Specifically, 12 CFR 53.3 requires a banking organization to notify the OCC about a “notification incident” as soon as possible but no later than 36 hours after the banking organization determines that a notification incident has occurred. The regulation defines a “notification incident” as “a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization's—(i) [a]bility to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) [b]usiness line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) [o]perations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.” [3]

    Additionally, a bank service provider must notify at least one bank-designated point of contact at each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services provided to such banking organization for four or more hours.

    Estimated Burden:

    Estimated Frequency of Response: On occasion; event generated.

    Estimated Number of Respondents:

    Reporting: 100 Respondents.

    Disclosure: 832 Respondents.

    Estimated Total Annual Burden: 2,796 hours.

    Comments: On November 27, 2024, the OCC published a 60-day notice for this information collection, (89 FR 93827). No comments were received.

    Comments continue to be invited on:

    (a) Whether the collection of information is necessary for the proper performance of the functions of the OCC, including whether the information has practical utility;

    (b) The accuracy of the OCC's estimate of the burden of the collection of information;

    (c) Ways to enhance the quality, utility, and clarity of the information to be collected;

    (d) Ways to minimize the burden of the collection on respondents, including through the use of automated collection techniques or other forms of information technology; and

    (e) Estimates of capital or start-up costs and costs of operation, maintenance, and purchase of services to provide information.

    Patrick T. Tierney,

    Assistant Director, Office of the Comptroller of the Currency.

    Footnotes

    1.  A banking organization as “a national bank, Federal savings association, or Federal branch or agency of a foreign bank; provided, however, that no designated financial market utility shall be considered a banking organization.” 12 CFR 53.2(b)(1).

    Back to Citation

    2.  A bank service provider is “a bank service company or other person that performs covered services; provided, however, that no designated financial market utility shall be considered a bank service provider.” 12 CFR 53.2(b)(2).

    Back to Citation

    3.  12 CFR 53.2(b)(7). A “computer-security incident” is “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” 12 CFR 53.2(b)(4).

    Back to Citation

    [FR Doc. 2025-02019 Filed 1-30-25; 8:45 am]

    BILLING CODE 4810-33-P

Visit the Official Version
Leave a Comment

Document Information

Published:
01/31/2025
Department:
Comptroller of the Currency
Entry Type:
Notice
Action:
Notice and request for comment.
Document Number:
2025-02019
Dates:
Comments must be received by March 3, 2025.
Pages:
8735-8736 (2 pages)
PDF File:
2025-02019.pdf