Self-Regulatory Organizations; National Securities Clearing Corporation; Order Approving a Proposed Rule Change To Require Confirmation of Cybersecurity Program, 68243-68246 [2019-26843]

Download as PDF Federal Register / Vol. 84, No. 240 / Friday, December 13, 2019 / Notices for a Charged NMS Connection would defray expenses or why it is otherwise reasonably related to the cost to provide access to the NMS Network). In addition, it is not clear from the information provided why it is equitable and not unfairly discriminatory for those Users that purchase access to the IP network or LCN on the proposed conditions to receive connections to the NMS Network at no additional charge, whereas other Users (e.g., those seeking connections to the NMS Network that do not satisfy the proposed conditions, or those who do not otherwise require access to the LCN or IP network) would be required to pay $10,000 initially and $11,000 or $18,000 monthly for a 10 Gb or 40 Gb connection, respectively. In particular, it is unclear the basis on which the Exchanges have determined the proposed conditions for making available a No Additional Fee NMS Network Connection, and whether that basis is reasonable, equitable, and not unfairly discriminatory as required by the Exchange Act. Further, the Commission solicits additional comment on whether the Exchanges’ proposed fee structure for the NMS Network would impose a burden on competition that is not necessary or appropriate in furtherance of the purposes of the Act. V. Commission’s Solicitation of Comments The Commission requests that interested persons provide written submissions of their views, data, and arguments with respect to the issues identified above, as well as any other concerns they may have with the proposals. In particular, the Commission invites the written views of interested persons concerning whether the proposals are consistent with Sections 6(b)(4),59 6(b)(5),60 6(b)(8) 61 or any other provision of the Act, or the rules and regulations thereunder. Although there do not appear to be any issues relevant to approval or disapproval that would be facilitated by an oral presentation of views, data, and arguments, the Commission will consider, pursuant to Rule 19b–4 under the Act,62 any request for an opportunity to make an oral presentation.63 59 15 U.S.C. 78f(b)(4). U.S.C. 78f(b)(5). 61 15 U.S.C. 78f(b)(8). 62 17 CFR 240.19b–4. 63 Section 19(b)(2) of the Exchange Act, as amended by the Securities Act Amendments of 1975, Public Law 94–29 (June 4, 1975), grants the Commission flexibility to determine what type of proceeding—either oral or notice and opportunity for written comments—is appropriate for jbell on DSKJLSW7X2PROD with NOTICES 60 15 VerDate Sep<11>2014 17:42 Dec 12, 2019 Jkt 250001 Interested persons are invited to submit written data, views, and arguments regarding whether the proposals should be approved or disapproved by January 3, 2020. Any person who wishes to file a rebuttal to any other person’s submission must file that rebuttal by January 17, 2020. Comments may be submitted by any of the following methods: Electronic Comments • Use the Commission’s internet comment form (http://www.sec.gov/ rules/sro.shtml); or • Send an email to rule-comments@ sec.gov. Please include File Numbers SR–NYSE–2019–46, SR–NYSENAT– 2019–19, SR–NYSEArca–2019–61, SR– NYSEAMER–2019–34 on the subject line. Paper Comments • Send paper comments in triplicate to: Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–1090. All submissions should refer to File Numbers SR–NYSE–2019–46, SR– NYSENAT–2019–19, SR–NYSEArca– 2019–61, SR–NYSEAMER–2019–34. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission’s internet website (http:// www.sec.gov/rules/sro.shtml). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission’s Public Reference Room, 100 F Street NE, Washington, DC 20549 on official business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of the filing also will be available for inspection and copying at the principal office of the Exchange. All comments received will be posted without change. Persons submitting comments are cautioned that we do not redact or edit personal identifying information from comment submissions. You should consideration of a particular proposal by a selfregulatory organization. See Securities Act Amendments of 1975, Senate Comm. on Banking, Housing & Urban Affairs, S. Rep. No. 75, 94th Cong., 1st Sess. 30 (1975). PO 00000 Frm 00144 Fmt 4703 Sfmt 4703 68243 submit only information that you wish to make available publicly. All submissions should refer to File Numbers SR–NYSE–2019–46, SR– NYSENAT–2019–19, SR–NYSEArca– 2019–61, SR–NYSEAMER–2019–34 and should be submitted on or before January 3, 2020. For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.64 Jill M. Peterson, Assistant Secretary. [FR Doc. 2019–26846 Filed 12–12–19; 8:45 am] BILLING CODE 8011–01–P SECURITIES AND EXCHANGE COMMISSION [Release No. 34–87696; File No. SR–NSCC– 2019–003] Self-Regulatory Organizations; National Securities Clearing Corporation; Order Approving a Proposed Rule Change To Require Confirmation of Cybersecurity Program December 9, 2019. I. Introduction On October 15, 2019, National Securities Clearing Corporation (‘‘NSCC’’) filed with the Securities and Exchange Commission (‘‘Commission’’), pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (‘‘Act’’) 1 and Rule 19b–4 thereunder,2 proposed rule change SR–NSCC–2019– 003. The proposed rule change was published for comment in the Federal Register on October 30, 2019.3 The Commission did not receive any comment letters on the proposed rule change. For the reasons discussed below, the Commission is approving the proposed rule change. II. Description of the Proposed Rule Change NSCC proposes to modify its Rules and Procedures (‘‘Rules’’) 4 in order to (1) define the term ‘‘Cybersecurity Confirmation’’ as a written representation that addresses a submitting entity’s cybersecurity program (described more fully below); 64 17 CFR 200.30–3(a)(12). U.S.C. 78s(b)(1). 2 17 CFR 240.19b–4. 3 Securities Exchange Act Release No. 87392 (October 24, 2019), 84 FR 58183 (October 30, 2019) (SR–NSCC–2019–003) (‘‘Notice’’). 4 Capitalized terms not defined herein are defined in the Rules, available at http://www.dtcc.com/ legal/rules-and-procedures. References to ‘‘members’’ in this Order include both Members and Limited Members, as such terms are defined in the Rules. 1 15 E:\FR\FM\13DEN1.SGM 13DEN1 68244 Federal Register / Vol. 84, No. 240 / Friday, December 13, 2019 / Notices (2) require NSCC’s members and applicants for membership to submit to NSCC a Cybersecurity Confirmation (both as part of an initial application for membership, and on an ongoing basis for members, at least every two years); and (3) provide that NSCC may require a Cybersecurity Confirmation from organizations that report trade data to NSCC for comparison and trade recording. A. Background jbell on DSKJLSW7X2PROD with NOTICES NSCC plays a prominent role in providing clearance, settlement, risk management, central counterparty services, and a guarantee of completion for virtually all broker-to-broker trades involving equity securities, corporate and municipal debt securities, American depository receipts, exchange traded funds, and unit investment trusts.5 In light of NSCC’s critical role in the marketplace, NSCC was designated a Systemically Important Financial Market Utility (‘‘SIFMU’’) under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.6 Due to NSCC’s unique position in the marketplace, a failure or a disruption to NSCC could, among other things, increase the risk of significant liquidity problems spreading among financial institutions or markets, and thereby threaten the stability of the financial system in the United States.7 NSCC’s members and trade data reporting organizations connect to NSCC, either through the Securely Managed and Reliable Technology (‘‘SMART’’) network or through other electronic means, such as a third party service provider, service bureau, network, or the internet. The SMART network is a technology managed by NSCC’s parent company, The Depository Trust & Clearing Corporation (‘‘DTCC’’), that connects a nationwide complex of networks, processing centers, and control facilities. Currently, NSCC does not require its members, applicants for membership, or trade data reporting organizations to represent that they maintain a cybersecurity program as a condition for connecting to NSCC via the SMART network or other means. NSCC states that many of its members, applicants for membership, and trade data reporting organizations may currently be subject to regulations that are designed, in part, to protect 5 See Financial Stability Oversight Counsel 2012 Annual Report, Appendix A (‘‘FSOC 2012 Report’’), available at http://www.treasury.gov/initiatives/ fsoc/Documents/2012%20Annual%20Report.pdf. 6 12 U.S.C. 5465(e)(1). See FSOC 2012 Report, supra note 5. 7 See FSOC 2012 Report, supra note 5. VerDate Sep<11>2014 17:42 Dec 12, 2019 Jkt 250001 against cyberattacks.8 Accordingly, such entities would currently be required to follow standards established by national or international organizations focused on information security management, and they would currently maintain protocols for their senior management to verify the existence of cybersecurity programs sufficient to meet regulatory obligations. NSCC further believes that some of its members, applicants for membership, and trade data reporting organizations might also currently follow protocols substantially similar to the regulations referred to earlier in this paragraph in order to meet the evolving cybersecurity expectations of regulators and/or their own institutional customers.9 Although NSCC believes that its members, applicants for membership, and trade data reporting organizations may currently maintain robust cybersecurity programs, NSCC seeks to better ensure the protection of its network by requiring its members, applicants for membership, and trade data reporting organizations to confirm that they are meeting certain cybersecurity standards in order to connect to NSCC via the SMART network or other means. Therefore, NSCC proposes to require all members, applicants for membership, and certain trade data reporting organizations to submit a written Cybersecurity Confirmation that includes specific representations regarding the submitting entity’s cybersecurity program and framework. NSCC states that the information contained in the Cybersecurity Confirmation would help NSCC to better understand the cybersecurity programs and frameworks of entities seeking to connect to NSCC, and thereby identify possible cyber risk exposures.10 As a result, NSCC would be better able to establish appropriate 8 For example, depending on the type of entity, NSCC states that its members may be subject to one or more of the following regulations: (1) Regulation S–ID, which requires ‘‘financial institutions’’ or ‘‘creditors’’ under the rule to adopt programs to identify and address the risk of identity theft of individuals (17 CFR 248.201—202); (2) Regulation S–P, which requires broker-dealers, investment companies, and investment advisers to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information (17 CFR 248.1—30); and (3) Rule 15c3–5 under the Act, known as the ‘‘Market Access Rule,’’ which requires broker-dealers to establish, document, and maintain a system for regularly reviewing the effectiveness of its management controls and supervisory procedures (17 CFR 240.15c3–5). Notice, supra note 3, at 58184. 9 Id. 10 Notice, supra note 3, at 58183. PO 00000 Frm 00145 Fmt 4703 Sfmt 4703 controls to mitigate such risks and their possible impacts on NSCC’s operations. B. Proposed Changes NSCC proposes to modify its Rules to: (1) Provide a detailed definition of the Cybersecurity Confirmation; (2) require NSCC’s members and applicants for membership to submit to NSCC a Cybersecurity Confirmation (both as part of an initial application for membership, and on an ongoing basis for members, at least every two years); and (3) provide that NSCC may require a Cybersecurity Confirmation from organizations that report trade data to NSCC. Each of these proposed rule changes is described in greater detail below. 1. Cybersecurity Confirmation NSCC proposes to define the term ‘‘Cybersecurity Confirmation’’ to mean a written form, in a format provided by NSCC and signed by the submitting entity’s designated senior executive with the authority to attest to the cybersecurity matters contained in the form.11 The form would contain specific representations regarding the submitting entity’s cybersecurity program and framework. Such representations would cover the two years prior to the date of the most recently provided Cybersecurity Confirmation. The Cybersecurity Confirmation would include the following representations: • The submitting entity has defined and maintains a comprehensive cybersecurity program and framework that considers potential cyber threats that impact the submitting entity’s organization, and protects the confidentiality, integrity, and availability requirements of its systems and information. • The submitting entity has implemented and maintains a written enterprise cybersecurity policy or policies approved by the submitting entity’s senior management or board of directors, and the submitting entity’s cybersecurity framework is in alignment with standard industry best practices and guidelines.12 11 Notice, supra note 3, at 58183. See also NSCC Cybersecurity Confirmation Form, submitted as Exhibit 3 to SR–FICC–2019–003, available at https://www.sec.gov/rules/sro/nscc/2019/34-87392ex3.pdf. 12 Examples of recognized frameworks, guidelines and standards that NSCC believes are adequate include the Financial Services Sector Coordinating Council Cybersecurity Profile, the National Institute of Standards and Technology Cybersecurity Framework (‘‘NIST CSF’’), International Organization for Standardization (‘‘ISO’’) standard 27001/27002 (‘‘ISO 27001’’), Federal Financial Institutions Examination Council (‘‘FFIEC’’) Cybersecurity Assessment Tool, Critical Security Controls Top 20, and Control Objectives for E:\FR\FM\13DEN1.SGM 13DEN1 Federal Register / Vol. 84, No. 240 / Friday, December 13, 2019 / Notices jbell on DSKJLSW7X2PROD with NOTICES • If the submitting entity uses a third party service provider or service bureau(s) to connect or transact business or to manage the connection with NSCC, the submitting entity has an appropriate program to evaluate the cyber risks and impact of these third parties and to review the third party assurance reports. • The submitting entity’s cybersecurity program and framework protects the segment of its system that connects to and/or interacts with NSCC. • The submitting entity has in place an established process to remediate cyber issues identified to meet its regulatory and/or statutory requirements. • The submitting entity periodically updates the risk processes of its cybersecurity program and framework based on a risk assessment or changes to technology, business, threat ecosystem, and/or regulatory environment. • The submitting entity’s cybersecurity program and framework has been reviewed by one of the following: (1) The submitting entity, if it has filed and maintains a current Certification of Compliance with the Superintendent of the New York State Department of Financial Services confirming compliance with its Cybersecurity Requirements for Financial Services Companies; 13 (2) a regulator who assesses the submitting entity’s cybersecurity program and framework against an industry cybersecurity framework or industry standard, including those that are listed on the Cybersecurity Confirmation form and in an Important Notice that is issued by NSCC from time to time; 14 (3) an independent external entity with cybersecurity domain expertise in relevant industry standards and practices, including those that are listed Information and Related Technologies. NSCC would identify recognized frameworks, guidelines and standards in the form of Cybersecurity Confirmation and in an Important Notice that NSCC would issue from time to time. NSCC would also consider accepting other standards upon request. Notice, supra note 3, at 58184. 13 23 N.Y. Comp. Codes R. & Regs. tit. 23, § 500 et seq. (2017). NSCC states that this regulation requires entities to confirm that they have comprehensive cybersecurity programs as described in the regulation, and NSCC believes this regime is sufficient to meet the objectives of the proposed Cybersecurity Confirmation. Notice, supra note 3, at 58184. 14 NSCC states that current industry cybersecurity frameworks and industry standards could include, for example, the Office of the Comptroller of the Currency or the FFIEC Cybersecurity Assessment Tool. NSCC would identify acceptable industry cybersecurity frameworks and standards in the Cybersecurity Confirmation form and in an Important Notice that NSCC would issue from time to time. NSCC would also consider accepting other industry cybersecurity frameworks and standards upon request. Notice, supra note 3, at 58185. VerDate Sep<11>2014 17:42 Dec 12, 2019 Jkt 250001 on the Cybersecurity Confirmation form and in an Important Notice that is issued by NSCC from time to time; 15 or (4) an independent internal audit function reporting directly to the submitting entity’s board of directors or designated board of directors committee, such that the findings of that review are shared with these governance bodies. NSCC states that it designed the representations in the Cybersecurity Confirmation to provide information on how each submitting entity manages cybersecurity with respect to its connectivity to NSCC.16 NSCC believes that by requiring these representations from members, applicants for membership, and trade data reporting organizations, the proposed Cybersecurity Confirmation would provide useful information designed to enable NSCC to make informed decisions about risks or threats, perform additional monitoring, target potential vulnerabilities, and otherwise protect the NSCC network.17 2. Initial and Ongoing Membership Requirement NSCC proposes to require new applicants for NSCC membership to submit a Cybersecurity Confirmation as part of their application materials. NSCC also proposes to require all NSCC members to submit a Cybersecurity Confirmation at least every two years. With respect to the requirement to submit a Cybersecurity Confirmation at least every two years, NSCC would provide all members with notice of the date on which the Cybersecurity Confirmation would be due no later than 180 calendar days prior to the due date. 3. Organizations Reporting Trade Data to NSCC NSCC proposes to modify the Rules to provide that, when determining whether to accept trade data from an organization for comparison and trade recording,18 NSCC may require the organization to submit a Cybersecurity Confirmation. Since such organizations 15 NSCC states that a third party with cybersecurity domain expertise is one that follows and understands applicable industry standards, practices, and regulations, such as ISO 27001 certification or NIST CSF assessment. NSCC would identify acceptable industry standards and practices in the Cybersecurity Confirmation form and in an Important Notice that NSCC would issue from time to time. NSCC would also consider accepting other industry standards and practices upon request. Notice, supra note 3, at 58185. 16 Notice, supra note 3, at 58185. 17 Id. 18 See Rule 7 (Comparison and Trade Recording Operation), supra note 4. PO 00000 Frm 00146 Fmt 4703 Sfmt 4703 68245 are not NSCC members, contracts (i.e., separate from the Rules) govern the relationships between NSCC and such organizations. NSCC states that this proposal would provide transparency regarding the steps NSCC may take when determining whether to accept trade data from such organizations.19 C. Implementation Timeframe The proposed rule change would be effective upon Commission approval. New applicants for NSCC membership would be required to submit a Cybersecurity Confirmation as part of their application materials. The requirement to submit a Cybersecurity Confirmation would also apply to applicants whose applications are pending with NSCC at the time the Commission approves the proposed rule change. For existing NSCC members, NSCC would provide notice of the due date to submit a Cybersecurity Confirmation, not later than 180 days prior to the due date. Finally, NSCC would provide such notice to its members at least every two years going forward. III. Discussion and Commission Findings Section 19(b)(2)(C) of the Act 20 directs the Commission to approve a proposed rule change of a selfregulatory organization if it finds that such proposed rule change is consistent with the requirements of the Act and rules and regulations thereunder applicable to such organization. After carefully considering the proposed rule change, the Commission finds that the proposed rule change is consistent with the requirements of the Act and the rules and regulations thereunder applicable to NSCC. In particular, the Commission finds that the proposed rule change is consistent with Section 17A(b)(3)(F) of the Act,21 and Rules 17Ad–22(e)(17)(i) and (e)(17)(ii) promulgated under the Act,22 for the reasons described below. A. Consistency With Section 17A(b)(3)(F) of the Act Section 17A(b)(3)(F) of the Act requires that the rules of a clearing agency be designed to, among other things, promote the prompt and accurate clearance and settlement of securities transactions and assure the safeguarding of securities and funds which are in the custody or control of 19 Notice, supra note 3, at 58185. U.S.C. 78s(b)(2)(C). 21 15 U.S.C. 78q–1(b)(3)(F). 22 17 CFR 240.17Ad–22(e)(17)(i) and (e)(17)(ii). 20 15 E:\FR\FM\13DEN1.SGM 13DEN1 68246 Federal Register / Vol. 84, No. 240 / Friday, December 13, 2019 / Notices jbell on DSKJLSW7X2PROD with NOTICES the clearing agency or for which it is responsible.23 As described above, NSCC proposes to require its members, applicants for membership, and trade data reporting organizations seeking to connect to NSCC via the SMART network or other means, to submit a Cybersecurity Confirmation, confirming the existence and nature of their cybersecurity programs. The Cybersecurity Confirmations should provide NSCC with useful information regarding the cybersecurity programs of the submitting entities. By conditioning an entity’s connectivity to NSCC via the SMART network or other means on the submission of a Cybersecurity Confirmation, NSCC should be better enabled to reduce the cyber risks of electronically connecting to entities that have not confirmed the existence and nature of their cybersecurity programs. Accordingly, the proposed Cybersecurity Confirmation requirement should provide NSCC with information to better identify its exposure to cyber risks and to take steps to mitigate those risks. If not adequately addressed, the risk of cyberattacks and other cyber vulnerabilities could affect NSCC’s network and NSCC’s ability to clear and settle securities transactions, or to safeguard the securities and funds which are in NSCC’s custody or control, or for which it is responsible. The proposed Cybersecurity Confirmation requirement is a tool designed to address those risks as described above. Therefore, the Commission finds the proposed Cybersecurity Confirmation requirement would promote the prompt and accurate clearance and settlement of securities transactions and assure the safeguarding of securities and funds which are in the custody or control of NSCC or for which it is responsible, consistent with the requirements of Section 17A(b)(3)(F) of the Act.24 B. Consistency With Rule 17Ad– 22(e)(17)(i) Under the Act Rule 17Ad–22(e)(17)(i) under the Act requires that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency’s operational risks by identifying the plausible sources of operational risk, both internal and external, and mitigating their impact through the use of appropriate systems, policies, procedures, and controls.25 NSCC’s 23 15 C. Consistency With Rule 17Ad– 22(e)(17)(ii) Under the Act Rule 17Ad–22(e)(17)(ii) under the Act requires that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency’s operational risks by ensuring, in part, that systems have a high degree of security, resiliency, and operational reliability.27 As noted above, NSCC’s operational risks include protecting its electronic systems from cyber risks. Although NSCC believes that its members, applicants for membership, and trade data reporting organizations may currently maintain robust cybersecurity programs, NSCC currently does not require those entities to represent that they maintain a cybersecurity program as a condition for connecting to NSCC via the SMART network or other means. NSCC designed the proposed Cybersecurity Confirmation requirement to reduce cyber risks by requiring its members, applicants, and trade data reporting organizations to confirm that they have defined and maintain cybersecurity programs and frameworks that meet standard industry best practices and guidelines. The representations in each U.S.C. 78q–1(b)(3)(F). 24 Id. 25 17 operational risks include protecting its electronic systems from cyber risks. As described above, entities connect electronically to NSCC via the SMART network or other means. The proposed Cybersecurity Confirmation requirement should reduce cyber risks to NSCC by requiring members, applicants for membership, and trade data reporting organizations to confirm that they have defined and maintain cybersecurity programs and frameworks that meet standard industry best practices and guidelines. The representations in each submitting entity’s Cybersecurity Confirmation would provide information that should help NSCC to mitigate its exposure to cyber risks, and thereby decrease the operational risks presented to NSCC by its connections to such entities. Thus, the proposed Cybersecurity Confirmations should enable NSCC to better identify potential sources of external operational risks and mitigate the possible impacts of those risks. Because the proposed changes would help NSCC identify and mitigate plausible sources of external operational risk, the Commission finds the proposed changes are consistent with the requirements of Rule 17Ad–22(e)(17)(i) under the Act.26 26 Id. CFR 240.17Ad–22(e)(17)(i). VerDate Sep<11>2014 17:42 Dec 12, 2019 27 17 Jkt 250001 PO 00000 CFR 240.17Ad–22(e)(17)(ii). Frm 00147 Fmt 4703 Sfmt 4703 submitting entity’s Cybersecurity Confirmation would provide more security for NSCC’s SMART network and other systems by providing NSCC with information designed to help manage its cyber-related operational risks, which in turn, would enable NSCC to take steps necessary to strengthen the security of its network to mitigate those risks. Since the proposal would enhance NSCC’s ability to ensure that its systems have a high degree of security, resiliency, and operational reliability, the Commission finds the proposed changes are consistent with the requirements of Rule 17Ad– 22(e)(17)(ii) under the Act.28 IV. Conclusion On the basis of the foregoing, the Commission finds that the proposed rule change is consistent with the requirements of the Act and, in particular, with the requirements of Section 17A of the Act 29 and the rules and regulations promulgated thereunder. It is therefore ordered, pursuant to Section 19(b)(2) of the Act 30 that proposed rule change SR–NSCC–2019– 003, be, and hereby is, approved.31 For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.32 Jill M. Peterson, Assistant Secretary. [FR Doc. 2019–26843 Filed 12–12–19; 8:45 am] BILLING CODE 8011–01–P SECURITIES AND EXCHANGE COMMISSION [Release No. 34–87685; File No. SR– NYSEARCA–2019–85] Self-Regulatory Organizations; NYSE Arca, Inc.; Notice of Filing and Immediate Effectiveness of Proposed Rule Change Amending the NYSE Arca Options Fees and Charges and the NYSE Arca Equities Fees and Charges Related to Co-Location Services December 9, 2019. Pursuant to Section 19(b)(1) 1 of the Securities Exchange Act of 1934 (the ‘‘Act’’) 2 and Rule 19b–4 thereunder,3 notice is hereby given that, on 28 Id. 29 15 U.S.C. 78q–1. U.S.C. 78s(b)(2). 31 In approving the proposed rule change, the Commission considered the proposals’ impact on efficiency, competition, and capital formation. 15 U.S.C. 78c(f). 32 17 CFR 200.30–3(a)(12). 1 15 U.S.C. 78s(b)(1). 2 15 U.S.C. 78a. 3 17 CFR 240.19b–4. 30 15 E:\FR\FM\13DEN1.SGM 13DEN1

Agencies

[Federal Register Volume 84, Number 240 (Friday, December 13, 2019)]
[Notices]
[Pages 68243-68246]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-26843]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-87696; File No. SR-NSCC-2019-003]


Self-Regulatory Organizations; National Securities Clearing 
Corporation; Order Approving a Proposed Rule Change To Require 
Confirmation of Cybersecurity Program

December 9, 2019.

I. Introduction

    On October 15, 2019, National Securities Clearing Corporation 
(``NSCC'') filed with the Securities and Exchange Commission 
(``Commission''), pursuant to Section 19(b)(1) of the Securities 
Exchange Act of 1934 (``Act'') \1\ and Rule 19b-4 thereunder,\2\ 
proposed rule change SR-NSCC-2019-003. The proposed rule change was 
published for comment in the Federal Register on October 30, 2019.\3\ 
The Commission did not receive any comment letters on the proposed rule 
change. For the reasons discussed below, the Commission is approving 
the proposed rule change.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ Securities Exchange Act Release No. 87392 (October 24, 
2019), 84 FR 58183 (October 30, 2019) (SR-NSCC-2019-003) 
(``Notice'').
---------------------------------------------------------------------------

II. Description of the Proposed Rule Change

    NSCC proposes to modify its Rules and Procedures (``Rules'') \4\ in 
order to (1) define the term ``Cybersecurity Confirmation'' as a 
written representation that addresses a submitting entity's 
cybersecurity program (described more fully below);

[[Page 68244]]

(2) require NSCC's members and applicants for membership to submit to 
NSCC a Cybersecurity Confirmation (both as part of an initial 
application for membership, and on an ongoing basis for members, at 
least every two years); and (3) provide that NSCC may require a 
Cybersecurity Confirmation from organizations that report trade data to 
NSCC for comparison and trade recording.
---------------------------------------------------------------------------

    \4\ Capitalized terms not defined herein are defined in the 
Rules, available at http://www.dtcc.com/legal/rules-and-procedures. 
References to ``members'' in this Order include both Members and 
Limited Members, as such terms are defined in the Rules.
---------------------------------------------------------------------------

A. Background

    NSCC plays a prominent role in providing clearance, settlement, 
risk management, central counterparty services, and a guarantee of 
completion for virtually all broker-to-broker trades involving equity 
securities, corporate and municipal debt securities, American 
depository receipts, exchange traded funds, and unit investment 
trusts.\5\ In light of NSCC's critical role in the marketplace, NSCC 
was designated a Systemically Important Financial Market Utility 
(``SIFMU'') under Title VIII of the Dodd-Frank Wall Street Reform and 
Consumer Protection Act of 2010.\6\ Due to NSCC's unique position in 
the marketplace, a failure or a disruption to NSCC could, among other 
things, increase the risk of significant liquidity problems spreading 
among financial institutions or markets, and thereby threaten the 
stability of the financial system in the United States.\7\
---------------------------------------------------------------------------

    \5\ See Financial Stability Oversight Counsel 2012 Annual 
Report, Appendix A (``FSOC 2012 Report''), available at http://www.treasury.gov/initiatives/fsoc/Documents/2012%20Annual%20Report.pdf.
    \6\ 12 U.S.C. 5465(e)(1). See FSOC 2012 Report, supra note 5.
    \7\ See FSOC 2012 Report, supra note 5.
---------------------------------------------------------------------------

    NSCC's members and trade data reporting organizations connect to 
NSCC, either through the Securely Managed and Reliable Technology 
(``SMART'') network or through other electronic means, such as a third 
party service provider, service bureau, network, or the internet. The 
SMART network is a technology managed by NSCC's parent company, The 
Depository Trust & Clearing Corporation (``DTCC''), that connects a 
nationwide complex of networks, processing centers, and control 
facilities. Currently, NSCC does not require its members, applicants 
for membership, or trade data reporting organizations to represent that 
they maintain a cybersecurity program as a condition for connecting to 
NSCC via the SMART network or other means.
    NSCC states that many of its members, applicants for membership, 
and trade data reporting organizations may currently be subject to 
regulations that are designed, in part, to protect against 
cyberattacks.\8\ Accordingly, such entities would currently be required 
to follow standards established by national or international 
organizations focused on information security management, and they 
would currently maintain protocols for their senior management to 
verify the existence of cybersecurity programs sufficient to meet 
regulatory obligations. NSCC further believes that some of its members, 
applicants for membership, and trade data reporting organizations might 
also currently follow protocols substantially similar to the 
regulations referred to earlier in this paragraph in order to meet the 
evolving cybersecurity expectations of regulators and/or their own 
institutional customers.\9\
---------------------------------------------------------------------------

    \8\ For example, depending on the type of entity, NSCC states 
that its members may be subject to one or more of the following 
regulations: (1) Regulation S-ID, which requires ``financial 
institutions'' or ``creditors'' under the rule to adopt programs to 
identify and address the risk of identity theft of individuals (17 
CFR 248.201--202); (2) Regulation S-P, which requires broker-
dealers, investment companies, and investment advisers to adopt 
written policies and procedures that address administrative, 
technical, and physical safeguards for the protection of customer 
records and information (17 CFR 248.1--30); and (3) Rule 15c3-5 
under the Act, known as the ``Market Access Rule,'' which requires 
broker-dealers to establish, document, and maintain a system for 
regularly reviewing the effectiveness of its management controls and 
supervisory procedures (17 CFR 240.15c3-5). Notice, supra note 3, at 
58184.
    \9\ Id.
---------------------------------------------------------------------------

    Although NSCC believes that its members, applicants for membership, 
and trade data reporting organizations may currently maintain robust 
cybersecurity programs, NSCC seeks to better ensure the protection of 
its network by requiring its members, applicants for membership, and 
trade data reporting organizations to confirm that they are meeting 
certain cybersecurity standards in order to connect to NSCC via the 
SMART network or other means. Therefore, NSCC proposes to require all 
members, applicants for membership, and certain trade data reporting 
organizations to submit a written Cybersecurity Confirmation that 
includes specific representations regarding the submitting entity's 
cybersecurity program and framework. NSCC states that the information 
contained in the Cybersecurity Confirmation would help NSCC to better 
understand the cybersecurity programs and frameworks of entities 
seeking to connect to NSCC, and thereby identify possible cyber risk 
exposures.\10\ As a result, NSCC would be better able to establish 
appropriate controls to mitigate such risks and their possible impacts 
on NSCC's operations.
---------------------------------------------------------------------------

    \10\ Notice, supra note 3, at 58183.
---------------------------------------------------------------------------

B. Proposed Changes

    NSCC proposes to modify its Rules to: (1) Provide a detailed 
definition of the Cybersecurity Confirmation; (2) require NSCC's 
members and applicants for membership to submit to NSCC a Cybersecurity 
Confirmation (both as part of an initial application for membership, 
and on an ongoing basis for members, at least every two years); and (3) 
provide that NSCC may require a Cybersecurity Confirmation from 
organizations that report trade data to NSCC. Each of these proposed 
rule changes is described in greater detail below.
1. Cybersecurity Confirmation
    NSCC proposes to define the term ``Cybersecurity Confirmation'' to 
mean a written form, in a format provided by NSCC and signed by the 
submitting entity's designated senior executive with the authority to 
attest to the cybersecurity matters contained in the form.\11\ The form 
would contain specific representations regarding the submitting 
entity's cybersecurity program and framework. Such representations 
would cover the two years prior to the date of the most recently 
provided Cybersecurity Confirmation. The Cybersecurity Confirmation 
would include the following representations:
---------------------------------------------------------------------------

    \11\ Notice, supra note 3, at 58183. See also NSCC Cybersecurity 
Confirmation Form, submitted as Exhibit 3 to SR-FICC-2019-003, 
available at https://www.sec.gov/rules/sro/nscc/2019/34-87392-ex3.pdf.
---------------------------------------------------------------------------

     The submitting entity has defined and maintains a 
comprehensive cybersecurity program and framework that considers 
potential cyber threats that impact the submitting entity's 
organization, and protects the confidentiality, integrity, and 
availability requirements of its systems and information.
     The submitting entity has implemented and maintains a 
written enterprise cybersecurity policy or policies approved by the 
submitting entity's senior management or board of directors, and the 
submitting entity's cybersecurity framework is in alignment with 
standard industry best practices and guidelines.\12\
---------------------------------------------------------------------------

    \12\ Examples of recognized frameworks, guidelines and standards 
that NSCC believes are adequate include the Financial Services 
Sector Coordinating Council Cybersecurity Profile, the National 
Institute of Standards and Technology Cybersecurity Framework 
(``NIST CSF''), International Organization for Standardization 
(``ISO'') standard 27001/27002 (``ISO 27001''), Federal Financial 
Institutions Examination Council (``FFIEC'') Cybersecurity 
Assessment Tool, Critical Security Controls Top 20, and Control 
Objectives for Information and Related Technologies. NSCC would 
identify recognized frameworks, guidelines and standards in the form 
of Cybersecurity Confirmation and in an Important Notice that NSCC 
would issue from time to time. NSCC would also consider accepting 
other standards upon request. Notice, supra note 3, at 58184.

---------------------------------------------------------------------------

[[Page 68245]]

     If the submitting entity uses a third party service 
provider or service bureau(s) to connect or transact business or to 
manage the connection with NSCC, the submitting entity has an 
appropriate program to evaluate the cyber risks and impact of these 
third parties and to review the third party assurance reports.
     The submitting entity's cybersecurity program and 
framework protects the segment of its system that connects to and/or 
interacts with NSCC.
     The submitting entity has in place an established process 
to remediate cyber issues identified to meet its regulatory and/or 
statutory requirements.
     The submitting entity periodically updates the risk 
processes of its cybersecurity program and framework based on a risk 
assessment or changes to technology, business, threat ecosystem, and/or 
regulatory environment.
     The submitting entity's cybersecurity program and 
framework has been reviewed by one of the following: (1) The submitting 
entity, if it has filed and maintains a current Certification of 
Compliance with the Superintendent of the New York State Department of 
Financial Services confirming compliance with its Cybersecurity 
Requirements for Financial Services Companies; \13\ (2) a regulator who 
assesses the submitting entity's cybersecurity program and framework 
against an industry cybersecurity framework or industry standard, 
including those that are listed on the Cybersecurity Confirmation form 
and in an Important Notice that is issued by NSCC from time to time; 
\14\ (3) an independent external entity with cybersecurity domain 
expertise in relevant industry standards and practices, including those 
that are listed on the Cybersecurity Confirmation form and in an 
Important Notice that is issued by NSCC from time to time; \15\ or (4) 
an independent internal audit function reporting directly to the 
submitting entity's board of directors or designated board of directors 
committee, such that the findings of that review are shared with these 
governance bodies.
---------------------------------------------------------------------------

    \13\ 23 N.Y. Comp. Codes R. & Regs. tit. 23, Sec.  500 et seq. 
(2017). NSCC states that this regulation requires entities to 
confirm that they have comprehensive cybersecurity programs as 
described in the regulation, and NSCC believes this regime is 
sufficient to meet the objectives of the proposed Cybersecurity 
Confirmation. Notice, supra note 3, at 58184.
    \14\ NSCC states that current industry cybersecurity frameworks 
and industry standards could include, for example, the Office of the 
Comptroller of the Currency or the FFIEC Cybersecurity Assessment 
Tool. NSCC would identify acceptable industry cybersecurity 
frameworks and standards in the Cybersecurity Confirmation form and 
in an Important Notice that NSCC would issue from time to time. NSCC 
would also consider accepting other industry cybersecurity 
frameworks and standards upon request. Notice, supra note 3, at 
58185.
    \15\ NSCC states that a third party with cybersecurity domain 
expertise is one that follows and understands applicable industry 
standards, practices, and regulations, such as ISO 27001 
certification or NIST CSF assessment. NSCC would identify acceptable 
industry standards and practices in the Cybersecurity Confirmation 
form and in an Important Notice that NSCC would issue from time to 
time. NSCC would also consider accepting other industry standards 
and practices upon request. Notice, supra note 3, at 58185.
---------------------------------------------------------------------------

    NSCC states that it designed the representations in the 
Cybersecurity Confirmation to provide information on how each 
submitting entity manages cybersecurity with respect to its 
connectivity to NSCC.\16\ NSCC believes that by requiring these 
representations from members, applicants for membership, and trade data 
reporting organizations, the proposed Cybersecurity Confirmation would 
provide useful information designed to enable NSCC to make informed 
decisions about risks or threats, perform additional monitoring, target 
potential vulnerabilities, and otherwise protect the NSCC network.\17\
---------------------------------------------------------------------------

    \16\ Notice, supra note 3, at 58185.
    \17\ Id.
---------------------------------------------------------------------------

2. Initial and Ongoing Membership Requirement
    NSCC proposes to require new applicants for NSCC membership to 
submit a Cybersecurity Confirmation as part of their application 
materials. NSCC also proposes to require all NSCC members to submit a 
Cybersecurity Confirmation at least every two years. With respect to 
the requirement to submit a Cybersecurity Confirmation at least every 
two years, NSCC would provide all members with notice of the date on 
which the Cybersecurity Confirmation would be due no later than 180 
calendar days prior to the due date.
3. Organizations Reporting Trade Data to NSCC
    NSCC proposes to modify the Rules to provide that, when determining 
whether to accept trade data from an organization for comparison and 
trade recording,\18\ NSCC may require the organization to submit a 
Cybersecurity Confirmation. Since such organizations are not NSCC 
members, contracts (i.e., separate from the Rules) govern the 
relationships between NSCC and such organizations. NSCC states that 
this proposal would provide transparency regarding the steps NSCC may 
take when determining whether to accept trade data from such 
organizations.\19\
---------------------------------------------------------------------------

    \18\ See Rule 7 (Comparison and Trade Recording Operation), 
supra note 4.
    \19\ Notice, supra note 3, at 58185.
---------------------------------------------------------------------------

C. Implementation Timeframe

    The proposed rule change would be effective upon Commission 
approval. New applicants for NSCC membership would be required to 
submit a Cybersecurity Confirmation as part of their application 
materials. The requirement to submit a Cybersecurity Confirmation would 
also apply to applicants whose applications are pending with NSCC at 
the time the Commission approves the proposed rule change. For existing 
NSCC members, NSCC would provide notice of the due date to submit a 
Cybersecurity Confirmation, not later than 180 days prior to the due 
date. Finally, NSCC would provide such notice to its members at least 
every two years going forward.

III. Discussion and Commission Findings

    Section 19(b)(2)(C) of the Act \20\ directs the Commission to 
approve a proposed rule change of a self-regulatory organization if it 
finds that such proposed rule change is consistent with the 
requirements of the Act and rules and regulations thereunder applicable 
to such organization. After carefully considering the proposed rule 
change, the Commission finds that the proposed rule change is 
consistent with the requirements of the Act and the rules and 
regulations thereunder applicable to NSCC. In particular, the 
Commission finds that the proposed rule change is consistent with 
Section 17A(b)(3)(F) of the Act,\21\ and Rules 17Ad-22(e)(17)(i) and 
(e)(17)(ii) promulgated under the Act,\22\ for the reasons described 
below.
---------------------------------------------------------------------------

    \20\ 15 U.S.C. 78s(b)(2)(C).
    \21\ 15 U.S.C. 78q-1(b)(3)(F).
    \22\ 17 CFR 240.17Ad-22(e)(17)(i) and (e)(17)(ii).
---------------------------------------------------------------------------

A. Consistency With Section 17A(b)(3)(F) of the Act

    Section 17A(b)(3)(F) of the Act requires that the rules of a 
clearing agency be designed to, among other things, promote the prompt 
and accurate clearance and settlement of securities transactions and 
assure the safeguarding of securities and funds which are in the 
custody or control of

[[Page 68246]]

the clearing agency or for which it is responsible.\23\
---------------------------------------------------------------------------

    \23\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    As described above, NSCC proposes to require its members, 
applicants for membership, and trade data reporting organizations 
seeking to connect to NSCC via the SMART network or other means, to 
submit a Cybersecurity Confirmation, confirming the existence and 
nature of their cybersecurity programs. The Cybersecurity Confirmations 
should provide NSCC with useful information regarding the cybersecurity 
programs of the submitting entities. By conditioning an entity's 
connectivity to NSCC via the SMART network or other means on the 
submission of a Cybersecurity Confirmation, NSCC should be better 
enabled to reduce the cyber risks of electronically connecting to 
entities that have not confirmed the existence and nature of their 
cybersecurity programs. Accordingly, the proposed Cybersecurity 
Confirmation requirement should provide NSCC with information to better 
identify its exposure to cyber risks and to take steps to mitigate 
those risks.
    If not adequately addressed, the risk of cyberattacks and other 
cyber vulnerabilities could affect NSCC's network and NSCC's ability to 
clear and settle securities transactions, or to safeguard the 
securities and funds which are in NSCC's custody or control, or for 
which it is responsible. The proposed Cybersecurity Confirmation 
requirement is a tool designed to address those risks as described 
above. Therefore, the Commission finds the proposed Cybersecurity 
Confirmation requirement would promote the prompt and accurate 
clearance and settlement of securities transactions and assure the 
safeguarding of securities and funds which are in the custody or 
control of NSCC or for which it is responsible, consistent with the 
requirements of Section 17A(b)(3)(F) of the Act.\24\
---------------------------------------------------------------------------

    \24\ Id.
---------------------------------------------------------------------------

B. Consistency With Rule 17Ad-22(e)(17)(i) Under the Act

    Rule 17Ad-22(e)(17)(i) under the Act requires that each covered 
clearing agency establish, implement, maintain and enforce written 
policies and procedures reasonably designed to manage the covered 
clearing agency's operational risks by identifying the plausible 
sources of operational risk, both internal and external, and mitigating 
their impact through the use of appropriate systems, policies, 
procedures, and controls.\25\ NSCC's operational risks include 
protecting its electronic systems from cyber risks.
---------------------------------------------------------------------------

    \25\ 17 CFR 240.17Ad-22(e)(17)(i).
---------------------------------------------------------------------------

    As described above, entities connect electronically to NSCC via the 
SMART network or other means. The proposed Cybersecurity Confirmation 
requirement should reduce cyber risks to NSCC by requiring members, 
applicants for membership, and trade data reporting organizations to 
confirm that they have defined and maintain cybersecurity programs and 
frameworks that meet standard industry best practices and guidelines. 
The representations in each submitting entity's Cybersecurity 
Confirmation would provide information that should help NSCC to 
mitigate its exposure to cyber risks, and thereby decrease the 
operational risks presented to NSCC by its connections to such 
entities. Thus, the proposed Cybersecurity Confirmations should enable 
NSCC to better identify potential sources of external operational risks 
and mitigate the possible impacts of those risks. Because the proposed 
changes would help NSCC identify and mitigate plausible sources of 
external operational risk, the Commission finds the proposed changes 
are consistent with the requirements of Rule 17Ad-22(e)(17)(i) under 
the Act.\26\
---------------------------------------------------------------------------

    \26\ Id.
---------------------------------------------------------------------------

C. Consistency With Rule 17Ad-22(e)(17)(ii) Under the Act

    Rule 17Ad-22(e)(17)(ii) under the Act requires that each covered 
clearing agency establish, implement, maintain and enforce written 
policies and procedures reasonably designed to manage the covered 
clearing agency's operational risks by ensuring, in part, that systems 
have a high degree of security, resiliency, and operational 
reliability.\27\ As noted above, NSCC's operational risks include 
protecting its electronic systems from cyber risks.
---------------------------------------------------------------------------

    \27\ 17 CFR 240.17Ad-22(e)(17)(ii).
---------------------------------------------------------------------------

    Although NSCC believes that its members, applicants for membership, 
and trade data reporting organizations may currently maintain robust 
cybersecurity programs, NSCC currently does not require those entities 
to represent that they maintain a cybersecurity program as a condition 
for connecting to NSCC via the SMART network or other means. NSCC 
designed the proposed Cybersecurity Confirmation requirement to reduce 
cyber risks by requiring its members, applicants, and trade data 
reporting organizations to confirm that they have defined and maintain 
cybersecurity programs and frameworks that meet standard industry best 
practices and guidelines. The representations in each submitting 
entity's Cybersecurity Confirmation would provide more security for 
NSCC's SMART network and other systems by providing NSCC with 
information designed to help manage its cyber-related operational 
risks, which in turn, would enable NSCC to take steps necessary to 
strengthen the security of its network to mitigate those risks. Since 
the proposal would enhance NSCC's ability to ensure that its systems 
have a high degree of security, resiliency, and operational 
reliability, the Commission finds the proposed changes are consistent 
with the requirements of Rule 17Ad-22(e)(17)(ii) under the Act.\28\
---------------------------------------------------------------------------

    \28\ Id.
---------------------------------------------------------------------------

IV. Conclusion

    On the basis of the foregoing, the Commission finds that the 
proposed rule change is consistent with the requirements of the Act 
and, in particular, with the requirements of Section 17A of the Act 
\29\ and the rules and regulations promulgated thereunder.
---------------------------------------------------------------------------

    \29\ 15 U.S.C. 78q-1.
---------------------------------------------------------------------------

    It is therefore ordered, pursuant to Section 19(b)(2) of the Act 
\30\ that proposed rule change SR-NSCC-2019-003, be, and hereby is, 
approved.\31\
---------------------------------------------------------------------------

    \30\ 15 U.S.C. 78s(b)(2).
    \31\ In approving the proposed rule change, the Commission 
considered the proposals' impact on efficiency, competition, and 
capital formation. 15 U.S.C. 78c(f).

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\32\
---------------------------------------------------------------------------

    \32\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

Jill M. Peterson,
Assistant Secretary.
[FR Doc. 2019-26843 Filed 12-12-19; 8:45 am]
 BILLING CODE 8011-01-P