Financial Regulators Want To Know If Their Cyber Assessment Tool Is Worth It

Four federal regulators that have developed a system for assessing the cybersecurity vulnerabilities of financial institutions are asking those organizations whether the system is giving enough bang for the buck.

The four agencies—the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, or FDIC, and the National Credit Union Administration—all sit on the Federal Financial Institutions Examination Council and collectively manage the council’s Cybersecurity Assessment Tool.

The tool itself is more of a framework, by which financial institutions can assess their cyber risk and ability to mitigate the fallout of potential cyberattacks. In order to receive such an assessment, the institutions have to provide a trove of information.

For instance, a financial institution with assets between $500 million and $10 billion would be expected to spend about 120 work hours responding to data calls for the assessment tool. With almost 2,220 organizations potentially reporting to the council, that comes to more than 266,000 hours.

Looking across all levels—from less than $500 million to more than $50 billion—a potential 13,690 organizations would spend an estimated 1.2 million hours responding to these data calls.

The process is voluntary and could be seen as too burdensome to bother participating in, the agencies note in a call for feedback posted Friday to the Federal Register. If that’s the case, the agencies want to know so they can tweak the process or spend their time elsewhere.

In the call for comments, the agencies are seeking responses to five specific questions:

• Whether the collection of information is necessary for the proper performance of the functions of the agencies, including whether the information has practical utility?
• The accuracy of the agencies’ estimates of the burden of the collection of information.
• Ways to enhance the quality, utility and clarity of the information to be collected.
• Ways to minimize the burden of the collection on respondents, including through the use of automated collection techniques or other forms of information technology.
• Estimates of capital or start-up costs and costs of operation, maintenance and purchase of services to provide information.

Comments are due 60 days from publication in the Federal Register, or June 4, and can be submitted through a variety of channels, including mail, email, fax or in person.