September 7, 2022

OCC: New Bulletin Sets Expectations for Protecting Non-Public Information on Managed Video Teleconferencing Services

The Office of the Comptroller of the Currency (OCC) is issuing this bulletin to explain the OCC’s expectations for protecting non-public OCC information, as defined in 12 CFR 4.32(b)(1), shared on video teleconferencing services that are operated or managed by an institution¹ or any other party. Video teleconferencing (VTC) services provide collaboration capabilities that allow communication via internet-enabled text, voice, and video and can allow the sharing of files and other content. VTC services are a key enabler for OCC supervisory activities. This bulletin describes the security provisions designed to protect non-public OCC information from disclosure that need to be in place for OCC personnel to join meetings hosted on institution- or other non-OCC-operated or managed VTC services in which such information is expected to be communicated.

Note for Community Banks

This bulletin applies to community banks.

Highlights

This bulletin explains

Legal Requirements for Protecting Non-public OCC Information

The OCC complies with the Federal Information Security Modernization Act (FISMA) of 2014, as amended, and with all related issuances from the Office of Management and Budget and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to protect the confidentiality, integrity, and availability of its information. The OCC implements security and privacy controls that meet or exceed National Institute of Standards and Technology standards to protect the OCC’s non-public information and information technology systems against loss or compromise.

Banks and other parties in possession of non-public OCC information are prohibited by regulation from disclosing such information without the OCC’s prior approval except in very limited circumstances (see 12 CFR 4.36(d) and 4.37(b)). This prohibition extends to the disclosure of OCC information displayed, processed, stored, or transmitted by institution- or other non-OCC information systems, including VTC services.

Security Expectations for VTC Services Not Operated or Managed by the OCC

Protecting non-public information during meetings hosted on VTC services involves a combination of technology-based and behavioral controls for secure connection, access control, data security, and cyber hygiene. The OCC’s own VTC services meet the agency’s requirements for protecting non-public OCC information. OCC personnel may join meetings hosted on institution- or other non-OCC VTC services only if the following security provisions are in place to prevent the disclosure of non-public OCC information communicated in the meeting setting:

Secure connection: The VTC service supports an encrypted connection that protects transmission confidentiality with end-point devices used to access the service.

Access control: The VTC service

Data security: No recording or transcript is made of a meeting hosted on the VTC service in which OCC personnel communicate non-public OCC information. Screen capture functionality is disabled or its use is prohibited for those meetings in which non-public OCC information is transmitted.

Cyber hygiene: The VTC service is securely configured and routinely patched to protect against cyber intrusion and data loss or compromise.

Types of Non-public OCC Information

Non-public OCC information is the property of the OCC (see 12 CFR 4.32(b)(2)) and includes the following:

OCC Internal Information Security and Cyber Protection Direction

In support of the OCC’s information and cybersecurity objectives, the OCC provides its staff with the following direction for participating in these meetings hosted on VTC services not operated or managed by the OCC:

The OCC may enter into memorandum agreements with individual institutions or other parties to establish specific information security and cyber protection terms, as appropriate.

Further Information

Questions about this bulletin should be directed to your OCC supervisory office.

Margaret Sherry
Acting Senior Deputy Comptroller for Management/Chief Financial Officer

Related Link

¹ “Institutions” refer to the OCC’s supervised financial institutions or other entities subject to OCC examination. Such entities include service providers that perform services subject to OCC examination pursuant to the Bank Service Company Act, 12 USC 1861 et seq., and the Home Owners’ Loan Act, 12 USC 1461 et seq., and other organizations that agree to OCC examination, such as an organization seeking to establish, acquire, or become a national bank or federal savings association. The term “institutions” covers both OCC-supervised financial institutions as well as these other entities for the purposes of this OCC bulletin.

² An institution’s composite rating under the Uniform Financial Institutions Rating System, or CAMELS, integrates ratings from six component areas: capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk.