Self-Regulatory Organizations; Fixed Income Clearing Corporation; Notice of Filing of Proposed Rule Change To Require Confirmation of Cybersecurity Program, 58194-58198 [2019-23650]

Agencies

• SECURITIES AND EXCHANGE COMMISSION

[Federal Register Volume 84, Number 210 (Wednesday, October 30, 2019)]
[Notices]
[Pages 58194-58198]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-23650]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-87394; File No. SR-FICC-2019-005]


Self-Regulatory Organizations; Fixed Income Clearing Corporation; 
Notice of Filing of Proposed Rule Change To Require Confirmation of 
Cybersecurity Program

October 24, 2019.
    Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 
(``Act'') \1\ and Rule 19b-4 thereunder,\2\ notice is hereby given that 
on October 15, 2019, Fixed Income Clearing Corporation (``FICC'') filed 
with the Securities and Exchange Commission (``Commission'') the 
proposed rule change as described in Items I, II and III below, which 
Items have been prepared by the clearing agency. The Commission is 
publishing this notice to solicit comments on the proposed rule change 
from interested persons.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
---------------------------------------------------------------------------

I. Clearing Agency's Statement of the Terms of Substance of the 
Proposed Rule Change

    The proposed rule change consists of modifications to FICC's 
Government Securities Division (``GSD'') Rulebook (``GSD Rules''), 
FICC's Mortgage-Backed Securities Division (``MBSD'') Clearing Rules 
(``MBSD Rules''), and the Electronic Pool Notification (``EPN'') Rules 
of MBSD (``EPN Rules,'' and, together with the GSD Rules and the MBSD 
Rules, the ``Rules'') \3\ in order to (1) define ``Cybersecurity 
Confirmation'' as a signed, written representation that addresses the 
submitting firm's cybersecurity program; and (2) enhance the GSD and 
MBSD application requirements and ongoing requirements for Members to 
(a) require that a Cybersecurity Confirmation be provided as part of 
the application materials for all Members, and (b) require that all 
Members deliver to FICC a complete, updated Cybersecurity Confirmation 
at least every two years, as described in greater detail below.
---------------------------------------------------------------------------

    \3\ Capitalized terms not defined herein are defined in the 
Rules, available at https://www.dtcc.com/legal/rules-and-procedures. 
References to ``Members'' in this filing include the participants of 
GSD and MBSD, including GSD Netting Members, GSD Comparison-Only 
Members, GSD Sponsoring Members, GSD CCIT Members, GSD Funds-Only 
Settling Bank Members, MBSD Clearing Members, MBSD Cash Settling 
Bank Members, and MBSD EPN Users, as such terms are defined in the 
respective Rules.
---------------------------------------------------------------------------

II. Clearing Agency's Statement of the Purpose of, and Statutory Basis 
for, the Proposed Rule Change

    In its filing with the Commission, the clearing agency included 
statements concerning the purpose of and basis for the proposed rule 
change and discussed any comments it received on the proposed rule 
change. The text of these statements may be examined at the places 
specified in Item IV below. The clearing agency has prepared summaries, 
set forth in sections A, B, and C below, of the most significant 
aspects of such statements.

(A) Clearing Agency's Statement of the Purpose of, and Statutory Basis 
for, the Proposed Rule Change

1. Purpose
(i) Overview
    FICC is proposing to modify the Rules in order to (1) define 
``Cybersecurity Confirmation'' as a signed, written representation that 
addresses the submitting firm's cybersecurity program; and (2) enhance 
the GSD and MBSD application requirements and ongoing requirements for 
Members to (a) require that a Cybersecurity Confirmation be provided as 
part of the application materials for all Members, and (b) require that 
all Members deliver to FICC a complete, updated Cybersecurity 
Confirmation at least every two years.
    The proposed change would require all Members and applicants to 
deliver to FICC a signed, written Cybersecurity Confirmation, which 
includes representations regarding the submitting firm's cybersecurity 
program and framework. The Cybersecurity Confirmation would be required 
to be (1) delivered with the application materials for every applicant, 
and (2) updated and re-delivered at least every two years by all 
Members.
    As described in more detail below, the Cybersecurity Confirmation 
would help FICC to assess the cybersecurity risks that may be 
introduced to it by Members that connect to FICC either through the 
Securely Managed and Reliable Technology (``SMART'') network \4\ or 
through other connections. The proposed Cybersecurity Confirmation 
would allow FICC to

[[Page 58195]]

better understand its Members' cybersecurity programs and frameworks 
and identify possible cybersecurity risk exposures. Based on this 
information, FICC would be able to establish appropriate controls to 
mitigate these risks and their possible impacts to FICC's operations.
---------------------------------------------------------------------------

    \4\ The SMART network is a technology managed by FICC's parent 
company, The Depository Trust & Clearing Corporation (``DTCC''), 
that connects a nationwide complex of networks, processing centers 
and control facilities. This network extends between FICC's and its 
Members' operating premises. DTCC operates on a shared services 
model with respect to FICC and DTCC's other subsidiaries pursuant to 
intercompany agreements under which it is generally DTCC that 
provides a relevant service to its subsidiaries, including FICC.
---------------------------------------------------------------------------

(ii) Background of Proposal
    FICC believes it is prudent to better understand the cybersecurity 
risks that it may face through its interconnections to Members. As a 
designated systemically important financial market utility, or 
``SIFMU,'' FICC occupies a unique position in the marketplace such that 
a failure or a disruption to FICC could increase the risk of 
significant liquidity problems spreading among financial institutions 
or markets and thereby threaten the stability of the financial system 
in the United States.\5\ Given its designation as a SIFMU, FICC 
believes it is prudent to develop an enhanced endpoint security 
framework designed so that its SMART network or other connectivity is 
adequately protected against cyberattacks.
---------------------------------------------------------------------------

    \5\ FICC and its affiliates, The Depository Trust Company and 
National Securities Clearing Corporation, were designated SIFMUs 
under Title VIII of the Dodd-Frank Wall Street Reform and Consumer 
Protection Act of 2010. 12 U.S.C. 5465(e)(1).
---------------------------------------------------------------------------

    Currently, FICC does not obtain any information regarding the 
security of a firm's systems or cybersecurity program prior to 
permitting that firm to connect either directly to the SMART network or 
to FICC through another means, such as through a third party service 
provider, service bureau, network, or the internet. Given FICC's 
critical role in the marketplace, FICC is proposing to address the 
risks that could be posed by these connections.
    Members may currently be subject to regulations that are designed, 
in part, to enhance the safeguards used by these entities to protect 
themselves against cyberattacks.\6\ In order to comply with such 
regulations, Members and applicants would be required to follow 
standards established by national or international organizations 
focused on information security management, and would have already 
established protocols to allow their senior management to verify that 
they have sufficient cybersecurity programs in place to fulfill 
existing regulatory obligations. Other Members have established and 
follow substantially similar protocols because of evolving expectations 
by regulators or by institutional customers as to the sufficiency of 
their cyber safeguards. FICC believes that it should require 
confirmation of the cybersecurity standards utilized by its Members and 
applicants that connect to its network.
---------------------------------------------------------------------------

    \6\ For example, depending on the type of entity, Members may be 
subject to one or more of the following regulations: (1) Regulation 
S-ID, which requires ``financial institutions'' or ``creditors'' 
under the rule to adopt programs to identify and address the risk of 
identity theft of individuals (17 CFR 248.201-202); (2) Regulation 
S-P, which requires broker-dealers, investment companies, and 
investment advisers to adopt written policies and procedures that 
address administrative, technical, and physical safeguards for the 
protection of customer records and information (17 CFR 248.1-30); 
and (3) Rule 15c3-5 under the Act, known as the ``Market Access 
Rule,'' which requires broker-dealers to establish, document, and 
maintain a system for regularly reviewing the effectiveness of its 
management controls and supervisory procedures (17 CFR 240.15c3-5).
---------------------------------------------------------------------------

    The proposed Cybersecurity Confirmation would require Members and 
applicants to represent that they have established adequate controls 
and security to help limit (1) cybersecurity risks to FICC and to the 
other Members' networks and (2) access by unauthorized third parties 
while the firm is connected to FICC either directly through the SMART 
network or through other connectivity such as a service provider, 
service bureau, network, or the internet.
(iii) Proposed Rule Changes
    FICC is proposing to modify its Rules to (1) define ``Cybersecurity 
Confirmation;'' and (2) require that firms deliver a completed 
Cybersecurity Confirmation (a) as part of their initial application 
with FICC, and (b) on an ongoing basis, at least every two years. Each 
of these proposed rule changes is described in greater detail below.
(1) Proposed Cybersecurity Confirmation
    FICC is proposing to adopt a definition of ``Cybersecurity 
Confirmation.'' Each Cybersecurity Confirmation would be required to be 
in writing on a form provided by FICC and signed by a designated senior 
executive of the submitting firm who is authorized to attest to these 
matters. Based on the form provided by FICC, each Cybersecurity 
Confirmation would contain representations regarding the submitting 
firm's cybersecurity program and framework. Such representations by the 
submitting firm would cover the two years prior to the date of the most 
recently provided Cybersecurity Confirmation.
    FICC is proposing to require that the following representations be 
included in the form of Cybersecurity Confirmation:
    First, the Cybersecurity Confirmation would include a 
representation that the submitting firm has defined and maintains a 
comprehensive cybersecurity program and framework that considers 
potential cyber threats that impact the organization and protects the 
confidentiality, integrity and availability requirements of its systems 
and information.
    Second, the Cybersecurity Confirmation would include a 
representation that the submitting firm has implemented and maintains a 
written enterprise cybersecurity policy or policies approved by the 
submitting firm's senior management or board of directors, and the 
organization's cybersecurity framework is in alignment with standard 
industry best practices and guidelines.\7\
---------------------------------------------------------------------------

    \7\ Examples of recognized frameworks, guidelines and standards 
that FICC believes are adequate include the Financial Services 
Sector Coordinating Council Cybersecurity Profile, the National 
Institute of Standards and Technology Cybersecurity Framework 
(``NIST CSF''), International Organization for Standardization 
(``ISO'') standard 27001/27002 (``ISO 27001''), Federal Financial 
Institutions Examination Council (``FFIEC'') Cybersecurity 
Assessment Tool, Critical Security Controls Top 20, and Control 
Objectives for Information and Related Technologies. FICC would 
identify recognized frameworks, guidelines and standards in the form 
of Cybersecurity Confirmation and in an Important Notice that FICC 
would issue from time to time. FICC would also consider accepting 
other standards upon request by a Member or applicant.
---------------------------------------------------------------------------

    Third, the Cybersecurity Confirmation would include a 
representation that, if the submitting firm is using a third party 
service provider or service bureau(s) to connect or transact business 
or to manage the connection with FICC, the submitting firm has an 
appropriate program to (a) evaluate the cyber risks and impact of these 
third parties, and (b) review the third party assurance reports.
    Fourth, the Cybersecurity Confirmation would include a 
representation that the submitting firm's cybersecurity program and 
framework protect the segment of their system that connects to and/or 
interacts with FICC.
    Fifth, the Cybersecurity Confirmation would include a 
representation that the submitting firm has in place an established 
process to remediate cyber issues identified to fulfill the submitting 
firm's regulatory and/or statutory requirements.
    Sixth, the Cybersecurity Confirmation would include a 
representation that the submitting firm's cybersecurity program's and 
framework's risk processes are updated periodically based on a risk 
assessment or changes to technology, business, threat ecosystem, and/or 
regulatory environment.
    And, finally, the Cybersecurity Confirmation would include a 
representation that the review of the

[[Page 58196]]

submitting firm's cybersecurity program and framework has been 
conducted by one of the following: (1) The submitting firm, if it has 
filed and maintains a current Certification of Compliance with the 
Superintendent of the New York State Department of Financial Services 
confirming compliance with its Cybersecurity Requirements for Financial 
Services Companies; \8\ (2) a regulator who assesses the program 
against an industry cybersecurity framework or industry standard, 
including those that are listed on the form of Cybersecurity 
Confirmation and in an Important Notice that is issued by FICC from 
time to time; \9\ (3) an independent external entity with cybersecurity 
domain expertise in relevant industry standards and practices, 
including those that are listed on the form of Cybersecurity 
Confirmation and in an Important Notice that is issued by FICC from 
time to time; \10\ or (4) an independent internal audit function 
reporting directly to the submitting firm's board of directors or 
designated board of directors committee, such that the findings of that 
review are shared with these governance bodies.
---------------------------------------------------------------------------

    \8\ 23 N.Y. Comp. Codes R. & Regs. tit. 23, Sec.  500 (2017). 
This regulation requires firms to confirm that they have a 
comprehensive cybersecurity program, as described in the regulation, 
which FICC believes is sufficient to meet the objectives of the 
proposed Cybersecurity Confirmation.
    \9\ Industry cybersecurity frameworks and industry standards 
could include, for example, the Office of the Comptroller of the 
Currency or the FFIEC Cybersecurity Assessment Tool. FICC would 
identify acceptable industry cybersecurity frameworks and standards 
in the form of Cybersecurity Confirmation and in an Important Notice 
that FICC would issue from time to time. FICC would also consider 
accepting other industry cybersecurity frameworks and standards upon 
request by a Member or applicant.
    \10\ A third party with cybersecurity domain expertise is one 
that follows and understands industry standards, practices and 
regulations that are relevant to the financial sector. Examples of 
such standards and practices include ISO 27001 certification or NIST 
CSF assessment. FICC would identify acceptable industry standards 
and practices in the form of Cybersecurity Confirmation and in an 
Important Notice that FICC would issue from time to time. FICC would 
also consider accepting other industry standards and practices upon 
request by a Member or applicant.
---------------------------------------------------------------------------

    Together, the required representations are designed to provide FICC 
with evidence of each Member's or applicant's management of 
cybersecurity with respect to their connectivity to FICC. By requiring 
these representations from Members and applicants, the proposed 
Cybersecurity Confirmation would provide FICC with information that it 
could use to make decisions about risks or threats, perform additional 
monitoring, target potential vulnerabilities, and protect the FICC 
network.
    FICC is proposing to amend Rule 1 (Definitions) of the GSD Rules, 
Rule 1 (Definitions) of the MBSD Rules, and Rule 1 (Definitions) of 
Article I (Definitions and General Provisions) of the EPN Rules, to 
include a definition of ``Cybersecurity Confirmation'' as described 
above.
(2) Initial and Ongoing Membership Requirement
    FICC is proposing to require that a Cybersecurity Confirmation be 
submitted to FICC by any applicant, as part of their application 
materials, and at least every two years by all Members. With respect to 
the requirement to deliver a Cybersecurity Confirmation at least every 
two years, FICC would provide all Members with notice of the date on 
which such Cybersecurity Confirmations would be due no later than 180 
calendar days prior to such due date.
    In order to implement these proposed changes, FICC would amend 
Section 5 of Rule 2A (Initial Membership Requirements) of the GSD 
Rules, Section 3 of Rule 3B (Centrally Cleared Institutional Triparty 
Service) of the GSD Rules, Section 4 of Rule 13 (Funds-Only Settlement) 
of the GSD Rules, Section 3 of Rule 2A (Initial Membership 
Requirements) of the MBSD Rules, Rule 3A (Cash Settlement Bank Members) 
of the MBSD Rules, and Section 2 of Rule 1 (Requirements Applicable to 
EPN Users) of Article III of the EPN Rules to require that applicants 
complete and deliver a Cybersecurity Confirmation as part of their 
application materials.
    Further, FICC would amend Section 2 of Rule 3 (Ongoing Membership 
Requirements) of the GSD Rules, Section 5 of Rule 3B (Centrally Cleared 
Institutional Triparty Service) of the GSD Rules, Section 4 of Rule 13 
(Funds-Only Settlement) of the GSD Rules, Section 2 of Rule 3 (Ongoing 
Membership Requirements) of the MBSD Rules, Rule 3A (Cash Settlement 
Bank Members) of the MBSD Rules and Section 8 of Rule 1 (Requirements 
Applicable to EPN Users) of Article III of the EPN Rules to require 
each Member to complete and deliver a Cybersecurity Confirmation at 
least every two years, on a date that is set by FICC and following 
notice that is provided no later than 180 calendar days prior to such 
due date.
(iv) Implementation Timeframe
    Subject to approval by the Commission, the proposed rule change 
would become effective immediately. The proposed requirement that 
applicants deliver a Cybersecurity Confirmation with their application 
materials would be implemented immediately and would apply to 
applications that have been submitted at that time but have not yet 
been approved or rejected. Following the effective date of the proposed 
rule change, FICC would provide Members with notice of the due date of 
their Cybersecurity Confirmations, no later than 180 days prior to such 
due date, and would provide such notice at least every two years going 
forward.
2. Statutory Basis
    FICC believes the proposed rule changes are consistent with the 
requirements of the Act and the rules and regulations thereunder 
applicable to a registered clearing agency. In particular, FICC 
believes that the proposed rule changes are consistent with Section 
17A(b)(3)(F) of the Act,\11\ and Rules 17Ad-22(e)(17)(i) and 
(e)(17)(ii), each promulgated under the Act,\12\ for the reasons 
described below.
---------------------------------------------------------------------------

    \11\ 15 U.S.C. 78q-1(b)(3)(F).
    \12\ 17 CFR 240.17Ad-22(e)(17)(i) and (e)(17)(ii).
---------------------------------------------------------------------------

    Section 17A(b)(3)(F) of the Act requires that the rules of FICC be 
designed to, among other things, promote the prompt and accurate 
clearance and settlement of securities transactions and assure the 
safeguarding of securities and funds which are in the custody or 
control of the clearing agency or for which it is responsible.\13\
---------------------------------------------------------------------------

    \13\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    As described above, the proposed requirement that Members and 
applicants provide a Cybersecurity Confirmation regarding their 
cybersecurity program that includes the representations described above 
would provide FICC with evidence of each Member's or applicant's 
management of endpoint security with respect to the SMART network or 
other connectivity and would enhance the protection of FICC against 
cyberattacks. The proposed Cybersecurity Confirmation would provide 
FICC with information that it could use to make decisions about risks 
or threats, perform additional monitoring, target potential 
vulnerabilities, and protect the FICC network. The proposed 
Cybersecurity Confirmation would give FICC the ability to further 
identify its exposure and enable it to take steps to mitigate risks. 
These requirements would help reduce risk to FICC's network with 
respect to its communications with Members and their submission of 
instructions and transactions to FICC by requiring all Members 
connecting to

[[Page 58197]]

FICC to have appropriate cybersecurity programs in place.
    Risks, threats and potential vulnerabilities could impact FICC's 
ability to clear and settle securities transactions, or to safeguard 
the securities and funds which are in its custody or control, or for 
which it is responsible. Therefore, by implementing a tool that would 
help to mitigate these risks, FICC believes the proposal would promote 
the prompt and accurate clearance and settlement of securities 
transactions and assure the safeguarding of securities and funds which 
are in the custody or control of the clearing agency or for which it is 
responsible, consistent with the requirements of Section 17A(b)(3)(F) 
of the Act.\14\
---------------------------------------------------------------------------

    \14\ Id.
---------------------------------------------------------------------------

    Rule 17Ad-22(e)(17)(i) under the Act requires that each covered 
clearing agency establish, implement, maintain and enforce written 
policies and procedures reasonably designed to manage the covered 
clearing agency's operational risks by identifying the plausible 
sources of operational risk, both internal and external, and mitigating 
their impact through the use of appropriate systems, policies, 
procedures, and controls.\15\ The proposed Cybersecurity Confirmation 
would reduce cybersecurity risks to FICC by requiring all Members and 
applicants to confirm they have defined and maintain cybersecurity 
programs that meet standard industry best practices and guidelines. The 
proposed representations in the Cybersecurity Confirmations would help 
FICC to mitigate its exposure to cybersecurity risk and, thereby, 
decrease the operational risks to FICC that are presented by 
connections to FICC through the SMART network or otherwise. The 
proposed Cybersecurity Confirmations would identify to FICC potential 
sources of external operational risks and enable it to mitigate these 
risks and their possible impacts to FICC's operations. As a result, 
FICC believes the proposal is consistent with the requirements of Rule 
17Ad-22(e)(17)(i) under the Act.\16\
---------------------------------------------------------------------------

    \15\ 17 CFR 240.17Ad-22(e)(17)(i).
    \16\ Id.
---------------------------------------------------------------------------

    Rule 17Ad-22(e)(17)(ii) under the Act requires that each covered 
clearing agency establish, implement, maintain and enforce written 
policies and procedures reasonably designed to manage the covered 
clearing agency's operational risks by ensuring, in part, that systems 
have a high degree of security, resiliency, and operational 
reliability.\17\ The proposed Cybersecurity Confirmation would enhance 
the security, resiliency, and operational reliability of the endpoint 
security with respect to the SMART network or other connectivity 
because, as noted above, by making the Cybersecurity Confirmation an 
application requirement and an ongoing membership requirement, FICC 
would be able to prevent the connection by any applicant, and take 
action against any Member, that may pose an increased cyber risk to 
FICC by not having a defined and ongoing cybersecurity program that 
meets appropriate standards. Members or applicants that are not in 
alignment with a recognized framework, guideline, or standard that FICC 
believes is adequate to guide and assess such organization's 
cybersecurity program may present increased risk to FICC. By enabling 
FICC to identify these risks, the proposed changes would allow FICC to 
more effectively secure its environment against potential 
vulnerabilities. FICC's controls are strengthened when FICC's Members 
have similar technology risk management controls and programs within 
their computing environment. Control weaknesses within a Member's 
environment could allow for malicious or unauthorized usage of the link 
between FICC and the Member. As a result, FICC believes the proposal 
would improve FICC's ability to ensure that its systems have a high 
degree of security, resiliency, and operational reliability, and, as 
such, is consistent with the requirements of Rule 17Ad-22(e)(17)(ii) 
under the Act.\18\
---------------------------------------------------------------------------

    \17\ 17 CFR 240.17Ad-22(e)(17)(ii).
    \18\ Id.
---------------------------------------------------------------------------

(B) Clearing Agency's Statement on Burden on Competition

    FICC believes the proposed rule change could have an impact on 
competition. Specifically, FICC believes that the proposed rule change 
could burden competition because it would require Members and 
applicants that do not already have cybersecurity programs that meet 
the standards set out in the Cybersecurity Confirmation to incur 
additional costs including, but not limited to, establishing a 
cybersecurity program and framework, engaging an internal audit 
function or appropriate third party to review that program and 
framework, and remediating any findings from such review. In addition, 
those Members and applicants that do not connect directly to the SMART 
network, but connect through a third party service provider or service 
bureau would have the additional burden of evaluating the cyber risks 
and impact of these third parties and reviewing the third party's 
assurance reports.
    FICC believes the above described burden on competition that could 
be created by the proposed changes would be both necessary and 
appropriate in furtherance of the purposes of the Act, as permitted by 
Section 17A(b)(3)(I) of the Act, for the reasons described below.\19\
---------------------------------------------------------------------------

    \19\ 15 U.S.C. 78q-1(b)(3)(I).
---------------------------------------------------------------------------

    First, FICC believes the proposed rule change would be necessary in 
furtherance of the Act, specifically Section 17A(b)(3)(F) of the Act, 
because the Rules must be designed to promote the prompt and accurate 
clearance and settlement of securities transactions and assure the 
safeguarding of securities and funds which are in the custody or 
control of the clearing agency or for which it is responsible.\20\ By 
requiring that Members and applicants provide a Cybersecurity 
Confirmation, the proposed rule change would allow FICC to better 
understand, assess, and, therefore, mitigate the cyber risks that FICC 
could face through its connections to its Members. As described above, 
these risks could impact FICC's ability to clear and settle securities 
transactions, or to safeguard the securities and funds which are in 
FICC's custody or control, or for which it is responsible. Implementing 
a tool as described above would help to mitigate these risks, and 
therefore FICC believes the proposal is necessary in furtherance of the 
requirements of Section 17A(b)(3)(F) of the Act.\21\
---------------------------------------------------------------------------

    \20\ 15 U.S.C. 78q-1(b)(3)(F).
    \21\ Id.
---------------------------------------------------------------------------

    The proposed changes are also necessary in furtherance of the 
purposes of Rules 17Ad-22(e)(17)(i) and (e)(17)(ii) under the Act.\22\ 
The proposed Cybersecurity Confirmations would identify to FICC 
potential sources of external operational risks and allow it to 
establish appropriate controls that would mitigate these risks and 
their possible impacts to FICC's operations. The proposed changes would 
also improve FICC's ability to ensure that its systems have a high 
degree of security, by enabling FICC to identify the cybersecurity 
risks that may be presented to it by Members that connect to FICC.
---------------------------------------------------------------------------

    \22\ 17 CFR 240.17Ad-22(e)(17)(i) and (e)(17)(ii).
---------------------------------------------------------------------------

    Second, FICC believes that the proposed rule change would be 
appropriate in furtherance of the purposes of the Act. The proposed 
rule change would apply equally to all Members and applicants. As 
described above, FICC believes Members may already be subject to one or 
more

[[Page 58198]]

regulatory requirements that include the implementation of a 
cybersecurity program, and these firms would already follow a widely 
recognized framework, guideline, or standard, to guide and assess their 
organization's cybersecurity program to comply with these regulations. 
Therefore, FICC believes any burden that may be imposed by the proposed 
rule change would be appropriate.
    Further, while the proposed Cybersecurity Confirmation would 
identify certain standards and guidelines that would be appropriate, 
FICC would consider requests by applicants and Members to allow other 
standards in accepting a Cybersecurity Confirmation. Additionally, the 
proposed Cybersecurity Confirmation would provide differing options to 
conduct the review of the applicant's or Member's cybersecurity 
program. As such, FICC has endeavored to design the Cybersecurity 
Confirmation in a way that is reasonable and does not require one 
approach for meeting its requirements.
    Finally, FICC is proposing to provide Members with a minimum of 180 
calendar days' notice before the deadline for providing a Cybersecurity 
Confirmation. This notice would allow Members to address any impact 
this change may have on their business. Applicants would be required to 
provide the Cybersecurity Confirmation as part of their application 
materials upon the effective date of this proposed rule change. This 
implementation schedule is designed to be fair and not 
disproportionately impact any Members more than others. The proposal is 
designed to provide all impacted Members with time to review their 
cybersecurity programs with respect to the required representations, 
and identify, if necessary, internal or third party cybersecurity 
reviewers.
    For the reasons described above, FICC believes any burden on 
competition that may result from the proposed rule change would be both 
necessary and appropriate in furtherance of the purposes of the Act, as 
permitted by Section 17A(b)(3)(I) of the Act.\23\
---------------------------------------------------------------------------

    \23\ 15 U.S.C. 78q-1(b)(3)(I).
---------------------------------------------------------------------------

(C) Clearing Agency's Statement on Comments on the Proposed Rule Change 
Received From Members, Participants, or Others

    FICC has not solicited or received any written comments relating to 
this proposal. FICC will notify the Commission of any written comments 
received.

III. Date of Effectiveness of the Proposed Rule Change, and Timing for 
Commission Action

    Within 45 days of the date of publication of this notice in the 
Federal Register or within such longer period up to 90 days (i) as the 
Commission may designate if it finds such longer period to be 
appropriate and publishes its reasons for so finding or (ii) as to 
which the self-regulatory organization consents, the Commission will:
    (A) By order approve or disapprove such proposed rule change, or
    (B) institute proceedings to determine whether the proposed rule 
change should be disapproved.

IV. Solicitation of Comments

    Interested persons are invited to submit written data, views and 
arguments concerning the foregoing, including whether the proposed rule 
change is consistent with the Act. Comments may be submitted by any of 
the following methods:

Electronic Comments

     Use the Commission's internet comment form (https://www.sec.gov/rules/sro.shtml); or
     Send an email to [email protected]. Please include 
File Number SR-FICC-2019-005 on the subject line.

Paper Comments

     Send paper comments in triplicate to Secretary, Securities 
and Exchange Commission, 100 F Street NE, Washington, DC 20549.

All submissions should refer to File Number SR-FICC-2019-005. This file 
number should be included on the subject line if email is used. To help 
the Commission process and review your comments more efficiently, 
please use only one method. The Commission will post all comments on 
the Commission's internet website (https://www.sec.gov/rules/sro.shtml). 
Copies of the submission, all subsequent amendments, all written 
statements with respect to the proposed rule change that are filed with 
the Commission, and all written communications relating to the proposed 
rule change between the Commission and any person, other than those 
that may be withheld from the public in accordance with the provisions 
of 5 U.S.C. 552, will be available for website viewing and printing in 
the Commission's Public Reference Room, 100 F Street NE, Washington, DC 
20549 on official business days between the hours of 10:00 a.m. and 
3:00 p.m. Copies of the filing also will be available for inspection 
and copying at the principal office of FICC and on DTCC's website 
(https://dtcc.com/legal/sec-rule-filings.aspx). All comments received 
will be posted without change. Persons submitting comments are 
cautioned that we do not redact or edit personal identifying 
information from comment submissions. You should submit only 
information that you wish to make available publicly. All submissions 
should refer to File Number SR-FICC-2019-005 and should be submitted on 
or before November 20, 2019.

    \24\ 17 CFR 200.30-3(a)(12).

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\24\
Eduardo A. Aleman,
Deputy Secretary.
[FR Doc. 2019-23650 Filed 10-29-19; 8:45 am]
 BILLING CODE 8011-01-P