OCC Bulletin 2022-21 | September 7, 2022
Information Security: Expectations for Protecting Non-public OCC Information on Institution- or Other Non-OCC-Owned or Managed Video Teleconferencing Services
Chief Executive Officers of All National Banks, Federal Savings Associations, and Federal Branches and Agencies; Department and Division Heads; All Examining Personnel; and Other Interested Parties
The Office of the Comptroller of the Currency (OCC) is issuing this bulletin to explain the OCC’s expectations for protecting non-public OCC information, as defined in 12 CFR 4.32(b)(1), shared on video teleconferencing services that are operated or managed by an institution¹ or any other party. Video teleconferencing (VTC) services provide collaboration capabilities that allow communication via internet-enabled text, voice, and video and can allow the sharing of files and other content. VTC services are a key enabler for OCC supervisory activities. This bulletin describes the security provisions designed to protect non-public OCC information from disclosure that need to be in place for OCC personnel to join meetings hosted on institution- or other non-OCC-operated or managed VTC services in which such information is expected to be communicated.
Note for Community Banks
This bulletin applies to community banks.
This bulletin explains
- legal requirements for protecting non-public OCC information.
- how VTC services can be secured to prevent disclosure of non-public OCC information.
- types of non-public OCC information affected by this bulletin.
- the OCC’s requirements for protecting non-public OCC information.
Legal Requirements for Protecting Non-public OCC Information
The OCC complies with the Federal Information Security Modernization Act (FISMA) of 2014, as amended, and with all related issuances from the Office of Management and Budget and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to protect the confidentiality, integrity, and availability of its information. The OCC implements security and privacy controls that meet or exceed National Institute of Standards and Technology standards to protect the OCC’s non-public information and information technology systems against loss or compromise.
Banks and other parties in possession of non-public OCC information are prohibited by regulation from disclosing such information without the OCC’s prior approval except in very limited circumstances (see 12 CFR 4.36(d) and 4.37(b)). This prohibition extends to the disclosure of OCC information displayed, processed, stored, or transmitted by institution- or other non-OCC information systems, including VTC services.
Security Expectations for VTC Services Not Operated or Managed by the OCC
Protecting non-public information during meetings hosted on VTC services involves a combination of technology-based and behavioral controls for secure connection, access control, data security, and cyber hygiene. The OCC’s own VTC services meet the agency’s requirements for protecting non-public OCC information. OCC personnel may join meetings hosted on institution- or other non-OCC VTC services only if the following security provisions are in place to prevent the disclosure of non-public OCC information communicated in the meeting setting:
Secure connection: The VTC service supports an encrypted connection that protects transmission confidentiality with end-point devices used to access the service.
Access control: The VTC service
- offers the ability to create moderated meetings and employs access controls, such as waiting rooms or “lock and remove attendee” features, to ensure that only invited participants are able to join the meeting.
- encrypts communication across participants in a meeting setting.
Data security: No recording or transcript is made of a meeting hosted on the VTC service in which OCC personnel communicate non-public OCC information. Screen capture functionality is disabled or its use is prohibited for those meetings in which non-public OCC information is transmitted.
Cyber hygiene: The VTC service is securely configured and routinely patched to protect against cyber intrusion and data loss or compromise.
Types of Non-public OCC Information
Non-public OCC information is the property of the OCC (see 12 CFR 4.32(b)(2)) and includes the following:
- OCC reports of examination, including ratings such as CAMELS and the Uniform Rating System for Information Technology ratings.²
- Supervisory correspondence.
- Institution responses to supervisory correspondence.
- Investigatory files.
- Certain enforcement-related information, including matters requiring attention.
- Proprietary or confidential information obtained by the OCC in connection with the OCC’s performance of its responsibilities, including while conducting the agency’s oversight activities.
- Other OCC records created or obtained in connection with OCC supervision, licensing, regulation, or examination that are not required to be made available under the Freedom of Information Act, 5 USC 552, or that the OCC has not yet published or made publicly available pursuant to 12 USC 1818(u). (See 12 CFR 4.32(b)(1)).
OCC Internal Information Security and Cyber Protection Direction
In support of the OCC’s information and cybersecurity objectives, the OCC provides its staff with the following direction for participating in these meetings hosted on VTC services not operated or managed by the OCC:
- Access the service using only OCC-issued information technology (IT) equipment and verify that equipment has the most recent security updates applied to it before accessing the service.
- Join only those meetings or collaboration settings where participation has been authorized and ensure that only OCC-authorized personnel, including other federal or state regulatory agency personnel participating in a joint examination activity led by the OCC, join the meeting or collaboration setting.
- Share only that OCC information which is required for the OCC’s purposes and which has been authorized for communication in the meeting or other collaboration setting hosted on the service.
- Send any required materials in advance via approved encrypted channels, e.g., OCC-encrypted email or established and verified Transport Layer Security (TLS) connection.
- Do not use any VTC chat or file upload features to transmit non-public OCC information, do not download any files shared in the meeting or collaboration setting, and do not upload any files for sharing in the meeting setting.
- Do not request or allow presentation control from the OCC-issued device used to access the service.
- Do not record or otherwise replicate, including via screen capture, any portion of the session hosted on the VTC service.
The OCC may enter into memorandum agreements with individual institutions or other parties to establish specific information security and cyber protection terms, as appropriate.
Questions about this bulletin should be directed to your OCC supervisory office.
Acting Senior Deputy Comptroller for Management/Chief Financial Officer
- OCC Bulletin 2019-15, “Supervisory Ratings and Other Nonpublic OCC Information: Statement on Confidentiality”
¹ “Institutions” refer to the OCC’s supervised financial institutions or other entities subject to OCC examination. Such entities include service providers that perform services subject to OCC examination pursuant to the Bank Service Company Act, 12 USC 1861 et seq., and the Home Owners’ Loan Act, 12 USC 1461 et seq., and other organizations that agree to OCC examination, such as an organization seeking to establish, acquire, or become a national bank or federal savings association. The term “institutions” covers both OCC-supervised financial institutions as well as these other entities for the purposes of this OCC bulletin.
² An institution’s composite rating under the Uniform Financial Institutions Rating System, or CAMELS, integrates ratings from six component areas: capital adequacy, asset quality, management, earnings, liquidity, and sensitivity to market risk.