Self-Regulatory Organizations; National Securities Clearing Corporation; Order Approving a Proposed Rule Change To Require Confirmation of Cybersecurity Program, 68243-68246 [2019-26843]
Federal Register / Vol. 84, No. 240 / Friday, December 13, 2019 / Notices
for a Charged NMS Connection would defray expenses or why it is otherwise reasonably related to the cost to provide access to the NMS Network).

In addition, it is not clear from the information provided why it is equitable and not unfairly discriminatory for those Users that purchase access to the IP network or LCN on the proposed conditions to receive connections to the NMS Network at no additional charge, whereas other Users (e.g., those seeking connections to the NMS Network that do not satisfy the proposed conditions, or those who do not otherwise require access to the LCN or IP network) would be required to pay $10,000 initially and $11,000 or $18,000 monthly for a 10 Gb or 40 Gb connection, respectively. In particular, it is unclear on what basis the Exchanges have determined the proposed conditions for making available a No Additional Fee NMS Network Connection, and whether that basis is reasonable, equitable, and not unfairly discriminatory as required by the Exchange Act.

Further, the Commission solicits additional comment on whether the Exchanges’ proposed fee structure for the NMS Network would impose a burden on competition that is not necessary or appropriate in furtherance of the purposes of the Act.

V. Commission’s Solicitation of Comments

The Commission requests that interested persons provide written submissions of their views, data, and arguments with respect to the issues identified above, as well as any other concerns they may have with the proposals. In particular, the Commission invites the written views of interested persons concerning whether the proposals are consistent with Sections 6(b)(4),59 6(b)(5),60 6(b)(8)61 or any other provision of the Act, or the rules and regulations thereunder. Although there do not appear to be any issues relevant to approval or disapproval that would be facilitated by an oral presentation of views, data, and arguments, the Commission will consider, pursuant to Rule 19b–4 under the Act,62 any request for an opportunity to make an oral presentation.63

59 15 U.S.C. 78f(b)(4).
60 15 U.S.C. 78f(b)(5).
61 15 U.S.C. 78f(b)(8).
62 17 CFR 240.19b–4.
63 Section 19(b)(2) of the Exchange Act, as amended by the Securities Act Amendments of 1975, Public Law 94–29 (June 4, 1975), grants the Commission flexibility to determine what type of proceeding—either oral or notice and opportunity for written comments—is appropriate for consideration of a particular proposal by a self-regulatory organization. See Securities Act Amendments of 1975, Senate Comm. on Banking, Housing & Urban Affairs, S. Rep. No. 75, 94th Cong., 1st Sess. 30 (1975).

Interested persons are invited to submit written data, views, and arguments regarding whether the proposals should be approved or disapproved by January 3, 2020. Any person who wishes to file a rebuttal to any other person’s submission must file that rebuttal by January 17, 2020. Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission’s internet comment form (https://www.sec.gov/rules/sro.shtml); or
• Send an email to rule-comments@sec.gov. Please include File Numbers SR–NYSE–2019–46, SR–NYSENAT–2019–19, SR–NYSEArca–2019–61, SR–NYSEAMER–2019–34 on the subject line.

Paper Comments

• Send paper comments in triplicate to: Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–1090.

All submissions should refer to File Numbers SR–NYSE–2019–46, SR–NYSENAT–2019–19, SR–NYSEArca–2019–61, SR–NYSEAMER–2019–34. These file numbers should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission’s internet website (https://www.sec.gov/rules/sro.shtml). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission’s Public Reference Room, 100 F Street NE, Washington, DC 20549 on official business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of the filing also will be available for inspection and copying at the principal office of the Exchange. All comments received will be posted without change. Persons submitting comments are cautioned that we do not redact or edit personal identifying information from comment submissions. You should submit only information that you wish to make available publicly. All submissions should refer to File Numbers SR–NYSE–2019–46, SR–NYSENAT–2019–19, SR–NYSEArca–2019–61, SR–NYSEAMER–2019–34 and should be submitted on or before January 3, 2020.

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.64

Jill M. Peterson,
Assistant Secretary.

64 17 CFR 200.30–3(a)(12).

[FR Doc. 2019–26846 Filed 12–12–19; 8:45 am]
BILLING CODE 8011–01–P

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34–87696; File No. SR–NSCC–2019–003]

Self-Regulatory Organizations; National Securities Clearing Corporation; Order Approving a Proposed Rule Change To Require Confirmation of Cybersecurity Program

December 9, 2019.

I. Introduction

On October 15, 2019, National Securities Clearing Corporation (‘‘NSCC’’) filed with the Securities and Exchange Commission (‘‘Commission’’), pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (‘‘Act’’)1 and Rule 19b–4 thereunder,2 proposed rule change SR–NSCC–2019–003. The proposed rule change was published for comment in the Federal Register on October 30, 2019.3 The Commission did not receive any comment letters on the proposed rule change. For the reasons discussed below, the Commission is approving the proposed rule change.

1 15 U.S.C. 78s(b)(1).
2 17 CFR 240.19b–4.
3 Securities Exchange Act Release No. 87392 (October 24, 2019), 84 FR 58183 (October 30, 2019) (SR–NSCC–2019–003) (‘‘Notice’’).

II. Description of the Proposed Rule Change

NSCC proposes to modify its Rules and Procedures (‘‘Rules’’)4 in order to (1) define the term ‘‘Cybersecurity Confirmation’’ as a written representation that addresses a submitting entity’s cybersecurity program (described more fully below); (2) require NSCC’s members and applicants for membership to submit to NSCC a Cybersecurity Confirmation (both as part of an initial application for membership, and on an ongoing basis for members, at least every two years); and (3) provide that NSCC may require a Cybersecurity Confirmation from organizations that report trade data to NSCC for comparison and trade recording.

4 Capitalized terms not defined herein are defined in the Rules, available at https://www.dtcc.com/legal/rules-and-procedures. References to ‘‘members’’ in this Order include both Members and Limited Members, as such terms are defined in the Rules.
A. Background

NSCC plays a prominent role in providing clearance, settlement, risk management, central counterparty services, and a guarantee of completion for virtually all broker-to-broker trades involving equity securities, corporate and municipal debt securities, American depository receipts, exchange traded funds, and unit investment trusts.5 In light of NSCC’s critical role in the marketplace, NSCC was designated a Systemically Important Financial Market Utility (‘‘SIFMU’’) under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.6 Due to NSCC’s unique position in the marketplace, a failure or a disruption to NSCC could, among other things, increase the risk of significant liquidity problems spreading among financial institutions or markets, and thereby threaten the stability of the financial system in the United States.7

NSCC’s members and trade data reporting organizations connect to NSCC, either through the Securely Managed and Reliable Technology (‘‘SMART’’) network or through other electronic means, such as a third party service provider, service bureau, network, or the internet. The SMART network is a technology managed by NSCC’s parent company, The Depository Trust & Clearing Corporation (‘‘DTCC’’), that connects a nationwide complex of networks, processing centers, and control facilities. Currently, NSCC does not require its members, applicants for membership, or trade data reporting organizations to represent that they maintain a cybersecurity program as a condition for connecting to NSCC via the SMART network or other means.

NSCC states that many of its members, applicants for membership, and trade data reporting organizations may currently be subject to regulations that are designed, in part, to protect against cyberattacks.8 Accordingly, such entities would currently be required to follow standards established by national or international organizations focused on information security management, and they would currently maintain protocols for their senior management to verify the existence of cybersecurity programs sufficient to meet regulatory obligations. NSCC further believes that some of its members, applicants for membership, and trade data reporting organizations might also currently follow protocols substantially similar to the regulations referred to earlier in this paragraph in order to meet the evolving cybersecurity expectations of regulators and/or their own institutional customers.9

Although NSCC believes that its members, applicants for membership, and trade data reporting organizations may currently maintain robust cybersecurity programs, NSCC seeks to better ensure the protection of its network by requiring its members, applicants for membership, and trade data reporting organizations to confirm that they are meeting certain cybersecurity standards in order to connect to NSCC via the SMART network or other means. Therefore, NSCC proposes to require all members, applicants for membership, and certain trade data reporting organizations to submit a written Cybersecurity Confirmation that includes specific representations regarding the submitting entity’s cybersecurity program and framework. NSCC states that the information contained in the Cybersecurity Confirmation would help NSCC to better understand the cybersecurity programs and frameworks of entities seeking to connect to NSCC, and thereby identify possible cyber risk exposures.10 As a result, NSCC would be better able to establish appropriate controls to mitigate such risks and their possible impacts on NSCC’s operations.

5 See Financial Stability Oversight Council 2012 Annual Report, Appendix A (‘‘FSOC 2012 Report’’), available at https://www.treasury.gov/initiatives/fsoc/Documents/2012%20Annual%20Report.pdf.
6 12 U.S.C. 5465(e)(1). See FSOC 2012 Report, supra note 5.
7 See FSOC 2012 Report, supra note 5.
8 For example, depending on the type of entity, NSCC states that its members may be subject to one or more of the following regulations: (1) Regulation S–ID, which requires ‘‘financial institutions’’ or ‘‘creditors’’ under the rule to adopt programs to identify and address the risk of identity theft of individuals (17 CFR 248.201—202); (2) Regulation S–P, which requires broker-dealers, investment companies, and investment advisers to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information (17 CFR 248.1—30); and (3) Rule 15c3–5 under the Act, known as the ‘‘Market Access Rule,’’ which requires broker-dealers to establish, document, and maintain a system for regularly reviewing the effectiveness of their management controls and supervisory procedures (17 CFR 240.15c3–5). Notice, supra note 3, at 58184.
9 Id.
10 Notice, supra note 3, at 58183.
B. Proposed Changes

NSCC proposes to modify its Rules to: (1) Provide a detailed definition of the Cybersecurity Confirmation; (2) require NSCC’s members and applicants for membership to submit to NSCC a Cybersecurity Confirmation (both as part of an initial application for membership, and on an ongoing basis for members, at least every two years); and (3) provide that NSCC may require a Cybersecurity Confirmation from organizations that report trade data to NSCC. Each of these proposed rule changes is described in greater detail below.

1. Cybersecurity Confirmation

NSCC proposes to define the term ‘‘Cybersecurity Confirmation’’ to mean a written form, in a format provided by NSCC and signed by the submitting entity’s designated senior executive with the authority to attest to the cybersecurity matters contained in the form.11 The form would contain specific representations regarding the submitting entity’s cybersecurity program and framework. Such representations would cover the two years prior to the date of the most recently provided Cybersecurity Confirmation. The Cybersecurity Confirmation would include the following representations:

• The submitting entity has defined and maintains a comprehensive cybersecurity program and framework that considers potential cyber threats that impact the submitting entity’s organization, and protects the confidentiality, integrity, and availability requirements of its systems and information.
• The submitting entity has implemented and maintains a written enterprise cybersecurity policy or policies approved by the submitting entity’s senior management or board of directors, and the submitting entity’s cybersecurity framework is in alignment with standard industry best practices and guidelines.12
• If the submitting entity uses a third party service provider or service bureau(s) to connect or transact business or to manage the connection with NSCC, the submitting entity has an appropriate program to evaluate the cyber risks and impact of these third parties and to review the third party assurance reports.
• The submitting entity’s cybersecurity program and framework protects the segment of its system that connects to and/or interacts with NSCC.
• The submitting entity has in place an established process to remediate cyber issues identified to meet its regulatory and/or statutory requirements.
• The submitting entity periodically updates the risk processes of its cybersecurity program and framework based on a risk assessment or changes to technology, business, threat ecosystem, and/or regulatory environment.
• The submitting entity’s cybersecurity program and framework has been reviewed by one of the following: (1) The submitting entity, if it has filed and maintains a current Certification of Compliance with the Superintendent of the New York State Department of Financial Services confirming compliance with its Cybersecurity Requirements for Financial Services Companies;13 (2) a regulator who assesses the submitting entity’s cybersecurity program and framework against an industry cybersecurity framework or industry standard, including those that are listed on the Cybersecurity Confirmation form and in an Important Notice that is issued by NSCC from time to time;14 (3) an independent external entity with cybersecurity domain expertise in relevant industry standards and practices, including those that are listed on the Cybersecurity Confirmation form and in an Important Notice that is issued by NSCC from time to time;15 or (4) an independent internal audit function reporting directly to the submitting entity’s board of directors or designated board of directors committee, such that the findings of that review are shared with these governance bodies.

NSCC states that it designed the representations in the Cybersecurity Confirmation to provide information on how each submitting entity manages cybersecurity with respect to its connectivity to NSCC.16 NSCC believes that by requiring these representations from members, applicants for membership, and trade data reporting organizations, the proposed Cybersecurity Confirmation would provide useful information designed to enable NSCC to make informed decisions about risks or threats, perform additional monitoring, target potential vulnerabilities, and otherwise protect the NSCC network.17

11 Notice, supra note 3, at 58183. See also NSCC Cybersecurity Confirmation Form, submitted as Exhibit 3 to SR–NSCC–2019–003, available at https://www.sec.gov/rules/sro/nscc/2019/34-87392ex3.pdf.
12 Examples of recognized frameworks, guidelines and standards that NSCC believes are adequate include the Financial Services Sector Coordinating Council Cybersecurity Profile, the National Institute of Standards and Technology Cybersecurity Framework (‘‘NIST CSF’’), International Organization for Standardization (‘‘ISO’’) standard 27001/27002 (‘‘ISO 27001’’), Federal Financial Institutions Examination Council (‘‘FFIEC’’) Cybersecurity Assessment Tool, Critical Security Controls Top 20, and Control Objectives for Information and Related Technologies. NSCC would identify recognized frameworks, guidelines and standards in the form of Cybersecurity Confirmation and in an Important Notice that NSCC would issue from time to time. NSCC would also consider accepting other standards upon request. Notice, supra note 3, at 58184.
13 N.Y. Comp. Codes R. & Regs. tit. 23, § 500 et seq. (2017). NSCC states that this regulation requires entities to confirm that they have comprehensive cybersecurity programs as described in the regulation, and NSCC believes this regime is sufficient to meet the objectives of the proposed Cybersecurity Confirmation. Notice, supra note 3, at 58184.
14 NSCC states that current industry cybersecurity frameworks and industry standards could include, for example, the Office of the Comptroller of the Currency or the FFIEC Cybersecurity Assessment Tool. NSCC would identify acceptable industry cybersecurity frameworks and standards in the Cybersecurity Confirmation form and in an Important Notice that NSCC would issue from time to time. NSCC would also consider accepting other industry cybersecurity frameworks and standards upon request. Notice, supra note 3, at 58185.
15 NSCC states that a third party with cybersecurity domain expertise is one that follows and understands applicable industry standards, practices, and regulations, such as ISO 27001 certification or NIST CSF assessment. NSCC would identify acceptable industry standards and practices in the Cybersecurity Confirmation form and in an Important Notice that NSCC would issue from time to time. NSCC would also consider accepting other industry standards and practices upon request. Notice, supra note 3, at 58185.
16 Notice, supra note 3, at 58185.
17 Id.

2. Initial and Ongoing Membership Requirement

NSCC proposes to require new applicants for NSCC membership to submit a Cybersecurity Confirmation as part of their application materials. NSCC also proposes to require all NSCC members to submit a Cybersecurity Confirmation at least every two years. With respect to the requirement to submit a Cybersecurity Confirmation at least every two years, NSCC would provide all members with notice of the date on which the Cybersecurity Confirmation would be due no later than 180 calendar days prior to the due date.

3. Organizations Reporting Trade Data to NSCC

NSCC proposes to modify the Rules to provide that, when determining whether to accept trade data from an organization for comparison and trade recording,18 NSCC may require the organization to submit a Cybersecurity Confirmation. Since such organizations are not NSCC members, contracts (i.e., separate from the Rules) govern the relationships between NSCC and such organizations. NSCC states that this proposal would provide transparency regarding the steps NSCC may take when determining whether to accept trade data from such organizations.19

18 See Rule 7 (Comparison and Trade Recording Operation), supra note 4.

C. Implementation Timeframe

The proposed rule change would be effective upon Commission approval. New applicants for NSCC membership would be required to submit a Cybersecurity Confirmation as part of their application materials. The requirement to submit a Cybersecurity Confirmation would also apply to applicants whose applications are pending with NSCC at the time the Commission approves the proposed rule change. For existing NSCC members, NSCC would provide notice of the due date to submit a Cybersecurity Confirmation, not later than 180 days prior to the due date. Finally, NSCC would provide such notice to its members at least every two years going forward.

III. Discussion and Commission Findings

Section 19(b)(2)(C) of the Act20 directs the Commission to approve a proposed rule change of a self-regulatory organization if it finds that such proposed rule change is consistent with the requirements of the Act and rules and regulations thereunder applicable to such organization. After carefully considering the proposed rule change, the Commission finds that the proposed rule change is consistent with the requirements of the Act and the rules and regulations thereunder applicable to NSCC. In particular, the Commission finds that the proposed rule change is consistent with Section 17A(b)(3)(F) of the Act,21 and Rules 17Ad–22(e)(17)(i) and (e)(17)(ii) promulgated under the Act,22 for the reasons described below.
19 Notice, supra note 3, at 58185.
20 15 U.S.C. 78s(b)(2)(C).
21 15 U.S.C. 78q–1(b)(3)(F).
22 17 CFR 240.17Ad–22(e)(17)(i) and (e)(17)(ii).

A. Consistency With Section 17A(b)(3)(F) of the Act

Section 17A(b)(3)(F) of the Act requires that the rules of a clearing agency be designed to, among other things, promote the prompt and accurate clearance and settlement of securities transactions and assure the safeguarding of securities and funds which are in the custody or control of the clearing agency or for which it is responsible.23

As described above, NSCC proposes to require its members, applicants for membership, and trade data reporting organizations seeking to connect to NSCC via the SMART network or other means, to submit a Cybersecurity Confirmation, confirming the existence and nature of their cybersecurity programs. The Cybersecurity Confirmations should provide NSCC with useful information regarding the cybersecurity programs of the submitting entities. By conditioning an entity’s connectivity to NSCC via the SMART network or other means on the submission of a Cybersecurity Confirmation, NSCC should be better enabled to reduce the cyber risks of electronically connecting to entities that have not confirmed the existence and nature of their cybersecurity programs. Accordingly, the proposed Cybersecurity Confirmation requirement should provide NSCC with information to better identify its exposure to cyber risks and to take steps to mitigate those risks.

If not adequately addressed, the risk of cyberattacks and other cyber vulnerabilities could affect NSCC’s network and NSCC’s ability to clear and settle securities transactions, or to safeguard the securities and funds which are in NSCC’s custody or control, or for which it is responsible. The proposed Cybersecurity Confirmation requirement is a tool designed to address those risks as described above. Therefore, the Commission finds the proposed Cybersecurity Confirmation requirement would promote the prompt and accurate clearance and settlement of securities transactions and assure the safeguarding of securities and funds which are in the custody or control of NSCC or for which it is responsible, consistent with the requirements of Section 17A(b)(3)(F) of the Act.24

23 15 U.S.C. 78q–1(b)(3)(F).
24 Id.

B. Consistency With Rule 17Ad–22(e)(17)(i) Under the Act

Rule 17Ad–22(e)(17)(i) under the Act requires that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency’s operational risks by identifying the plausible sources of operational risk, both internal and external, and mitigating their impact through the use of appropriate systems, policies, procedures, and controls.25 NSCC’s operational risks include protecting its electronic systems from cyber risks.

As described above, entities connect electronically to NSCC via the SMART network or other means. The proposed Cybersecurity Confirmation requirement should reduce cyber risks to NSCC by requiring members, applicants for membership, and trade data reporting organizations to confirm that they have defined and maintain cybersecurity programs and frameworks that meet standard industry best practices and guidelines. The representations in each submitting entity’s Cybersecurity Confirmation would provide information that should help NSCC to mitigate its exposure to cyber risks, and thereby decrease the operational risks presented to NSCC by its connections to such entities. Thus, the proposed Cybersecurity Confirmations should enable NSCC to better identify potential sources of external operational risks and mitigate the possible impacts of those risks. Because the proposed changes would help NSCC identify and mitigate plausible sources of external operational risk, the Commission finds the proposed changes are consistent with the requirements of Rule 17Ad–22(e)(17)(i) under the Act.26

25 17 CFR 240.17Ad–22(e)(17)(i).
26 Id.

C. Consistency With Rule 17Ad–22(e)(17)(ii) Under the Act

Rule 17Ad–22(e)(17)(ii) under the Act requires that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency’s operational risks by ensuring, in part, that systems have a high degree of security, resiliency, and operational reliability.27 As noted above, NSCC’s operational risks include protecting its electronic systems from cyber risks. Although NSCC believes that its members, applicants for membership, and trade data reporting organizations may currently maintain robust cybersecurity programs, NSCC currently does not require those entities to represent that they maintain a cybersecurity program as a condition for connecting to NSCC via the SMART network or other means. NSCC designed the proposed Cybersecurity Confirmation requirement to reduce cyber risks by requiring its members, applicants, and trade data reporting organizations to confirm that they have defined and maintain cybersecurity programs and frameworks that meet standard industry best practices and guidelines. The representations in each submitting entity’s Cybersecurity Confirmation would provide more security for NSCC’s SMART network and other systems by providing NSCC with information designed to help manage its cyber-related operational risks, which, in turn, would enable NSCC to take steps necessary to strengthen the security of its network to mitigate those risks. Since the proposal would enhance NSCC’s ability to ensure that its systems have a high degree of security, resiliency, and operational reliability, the Commission finds the proposed changes are consistent with the requirements of Rule 17Ad–22(e)(17)(ii) under the Act.28

27 17 CFR 240.17Ad–22(e)(17)(ii).
IV. Conclusion

On the basis of the foregoing, the Commission finds that the proposed rule change is consistent with the requirements of the Act and, in particular, with the requirements of Section 17A of the Act29 and the rules and regulations promulgated thereunder.

It is therefore ordered, pursuant to Section 19(b)(2) of the Act30 that proposed rule change SR–NSCC–2019–003, be, and hereby is, approved.31

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.32

Jill M. Peterson,
Assistant Secretary.

28 Id.
29 15 U.S.C. 78q–1.
30 15 U.S.C. 78s(b)(2).
31 In approving the proposed rule change, the Commission considered the proposals’ impact on efficiency, competition, and capital formation. 15 U.S.C. 78c(f).
32 17 CFR 200.30–3(a)(12).

[FR Doc. 2019–26843 Filed 12–12–19; 8:45 am]
BILLING CODE 8011–01–P

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34–87685; File No. SR–NYSEARCA–2019–85]

Self-Regulatory Organizations; NYSE Arca, Inc.; Notice of Filing and Immediate Effectiveness of Proposed Rule Change Amending the NYSE Arca Options Fees and Charges and the NYSE Arca Equities Fees and Charges Related to Co-Location Services

December 9, 2019.

Pursuant to Section 19(b)(1)1 of the Securities Exchange Act of 1934 (the ‘‘Act’’)2 and Rule 19b–4 thereunder,3 notice is hereby given that, on

1 15 U.S.C. 78s(b)(1).
2 15 U.S.C. 78a.
3 17 CFR 240.19b–4.
Agencies
[Federal Register Volume 84, Number 240 (Friday, December 13, 2019)]
[Notices]
[Pages 68243-68246]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-26843]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-87696; File No. SR-NSCC-2019-003]
Self-Regulatory Organizations; National Securities Clearing
Corporation; Order Approving a Proposed Rule Change To Require
Confirmation of Cybersecurity Program
December 9, 2019.
I. Introduction
On October 15, 2019, National Securities Clearing Corporation
(``NSCC'') filed with the Securities and Exchange Commission
(``Commission''), pursuant to Section 19(b)(1) of the Securities
Exchange Act of 1934 (``Act'') \1\ and Rule 19b-4 thereunder,\2\
proposed rule change SR-NSCC-2019-003. The proposed rule change was
published for comment in the Federal Register on October 30, 2019.\3\
The Commission did not receive any comment letters on the proposed rule
change. For the reasons discussed below, the Commission is approving
the proposed rule change.
---------------------------------------------------------------------------
\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b-4.
\3\ Securities Exchange Act Release No. 87392 (October 24,
2019), 84 FR 58183 (October 30, 2019) (SR-NSCC-2019-003)
(``Notice'').
---------------------------------------------------------------------------
II. Description of the Proposed Rule Change
NSCC proposes to modify its Rules and Procedures (``Rules'') \4\ in
order to (1) define the term ``Cybersecurity Confirmation'' as a
written representation that addresses a submitting entity's
cybersecurity program (described more fully below);
[[Page 68244]]
(2) require NSCC's members and applicants for membership to submit to
NSCC a Cybersecurity Confirmation (both as part of an initial
application for membership, and on an ongoing basis for members, at
least every two years); and (3) provide that NSCC may require a
Cybersecurity Confirmation from organizations that report trade data to
NSCC for comparison and trade recording.
---------------------------------------------------------------------------
\4\ Capitalized terms not defined herein are defined in the
Rules, available at https://www.dtcc.com/legal/rules-and-procedures.
References to ``members'' in this Order include both Members and
Limited Members, as such terms are defined in the Rules.
---------------------------------------------------------------------------
A. Background
NSCC plays a prominent role in providing clearance, settlement,
risk management, central counterparty services, and a guarantee of
completion for virtually all broker-to-broker trades involving equity
securities, corporate and municipal debt securities, American
depositary receipts, exchange traded funds, and unit investment
trusts.\5\ In light of NSCC's critical role in the marketplace, NSCC
was designated a Systemically Important Financial Market Utility
(``SIFMU'') under Title VIII of the Dodd-Frank Wall Street Reform and
Consumer Protection Act of 2010.\6\ Due to NSCC's unique position in
the marketplace, a failure or a disruption to NSCC could, among other
things, increase the risk of significant liquidity problems spreading
among financial institutions or markets, and thereby threaten the
stability of the financial system in the United States.\7\
---------------------------------------------------------------------------
\5\ See Financial Stability Oversight Council 2012 Annual
Report, Appendix A (``FSOC 2012 Report''), available at https://www.treasury.gov/initiatives/fsoc/Documents/2012%20Annual%20Report.pdf.
\6\ 12 U.S.C. 5465(e)(1). See FSOC 2012 Report, supra note 5.
\7\ See FSOC 2012 Report, supra note 5.
---------------------------------------------------------------------------
NSCC's members and trade data reporting organizations connect to
NSCC, either through the Securely Managed and Reliable Technology
(``SMART'') network or through other electronic means, such as a third
party service provider, service bureau, network, or the internet. The
SMART network is a technology managed by NSCC's parent company, The
Depository Trust & Clearing Corporation (``DTCC''), that connects a
nationwide complex of networks, processing centers, and control
facilities. Currently, NSCC does not require its members, applicants
for membership, or trade data reporting organizations to represent that
they maintain a cybersecurity program as a condition for connecting to
NSCC via the SMART network or other means.
NSCC states that many of its members, applicants for membership,
and trade data reporting organizations may currently be subject to
regulations that are designed, in part, to protect against
cyberattacks.\8\ Accordingly, such entities would currently be required
to follow standards established by national or international
organizations focused on information security management, and they
would currently maintain protocols for their senior management to
verify the existence of cybersecurity programs sufficient to meet
regulatory obligations. NSCC further believes that some of its members,
applicants for membership, and trade data reporting organizations might
also currently follow protocols substantially similar to the
regulations referred to earlier in this paragraph in order to meet the
evolving cybersecurity expectations of regulators and/or their own
institutional customers.\9\
---------------------------------------------------------------------------
\8\ For example, depending on the type of entity, NSCC states
that its members may be subject to one or more of the following
regulations: (1) Regulation S-ID, which requires ``financial
institutions'' or ``creditors'' under the rule to adopt programs to
identify and address the risk of identity theft of individuals (17
CFR 248.201--202); (2) Regulation S-P, which requires broker-
dealers, investment companies, and investment advisers to adopt
written policies and procedures that address administrative,
technical, and physical safeguards for the protection of customer
records and information (17 CFR 248.1--30); and (3) Rule 15c3-5
under the Act, known as the ``Market Access Rule,'' which requires
broker-dealers to establish, document, and maintain a system for
regularly reviewing the effectiveness of their management controls and
supervisory procedures (17 CFR 240.15c3-5). Notice, supra note 3, at
58184.
\9\ Id.
---------------------------------------------------------------------------
Although NSCC believes that its members, applicants for membership,
and trade data reporting organizations may currently maintain robust
cybersecurity programs, NSCC seeks to better ensure the protection of
its network by requiring its members, applicants for membership, and
trade data reporting organizations to confirm that they are meeting
certain cybersecurity standards in order to connect to NSCC via the
SMART network or other means. Therefore, NSCC proposes to require all
members, applicants for membership, and certain trade data reporting
organizations to submit a written Cybersecurity Confirmation that
includes specific representations regarding the submitting entity's
cybersecurity program and framework. NSCC states that the information
contained in the Cybersecurity Confirmation would help NSCC to better
understand the cybersecurity programs and frameworks of entities
seeking to connect to NSCC, and thereby identify possible cyber risk
exposures.\10\ As a result, NSCC would be better able to establish
appropriate controls to mitigate such risks and their possible impacts
on NSCC's operations.
---------------------------------------------------------------------------
\10\ Notice, supra note 3, at 58183.
---------------------------------------------------------------------------
B. Proposed Changes
NSCC proposes to modify its Rules to: (1) Provide a detailed
definition of the Cybersecurity Confirmation; (2) require NSCC's
members and applicants for membership to submit to NSCC a Cybersecurity
Confirmation (both as part of an initial application for membership,
and on an ongoing basis for members, at least every two years); and (3)
provide that NSCC may require a Cybersecurity Confirmation from
organizations that report trade data to NSCC. Each of these proposed
rule changes is described in greater detail below.
1. Cybersecurity Confirmation
NSCC proposes to define the term ``Cybersecurity Confirmation'' to
mean a written form, in a format provided by NSCC and signed by the
submitting entity's designated senior executive with the authority to
attest to the cybersecurity matters contained in the form.\11\ The form
would contain specific representations regarding the submitting
entity's cybersecurity program and framework. Such representations
would cover the two years prior to the date of the most recently
provided Cybersecurity Confirmation. The Cybersecurity Confirmation
would include the following representations:
---------------------------------------------------------------------------
\11\ Notice, supra note 3, at 58183. See also NSCC Cybersecurity
Confirmation Form, submitted as Exhibit 3 to SR-FICC-2019-003,
available at https://www.sec.gov/rules/sro/nscc/2019/34-87392-ex3.pdf.
---------------------------------------------------------------------------
• The submitting entity has defined and maintains a
comprehensive cybersecurity program and framework that considers
potential cyber threats that impact the submitting entity's
organization, and protects the confidentiality, integrity, and
availability requirements of its systems and information.
• The submitting entity has implemented and maintains a
written enterprise cybersecurity policy or policies approved by the
submitting entity's senior management or board of directors, and the
submitting entity's cybersecurity framework is in alignment with
standard industry best practices and guidelines.\12\
---------------------------------------------------------------------------
\12\ Examples of recognized frameworks, guidelines and standards
that NSCC believes are adequate include the Financial Services
Sector Coordinating Council Cybersecurity Profile, the National
Institute of Standards and Technology Cybersecurity Framework
(``NIST CSF''), International Organization for Standardization
(``ISO'') standard 27001/27002 (``ISO 27001''), Federal Financial
Institutions Examination Council (``FFIEC'') Cybersecurity
Assessment Tool, Critical Security Controls Top 20, and Control
Objectives for Information and Related Technologies. NSCC would
identify recognized frameworks, guidelines and standards in the form
of Cybersecurity Confirmation and in an Important Notice that NSCC
would issue from time to time. NSCC would also consider accepting
other standards upon request. Notice, supra note 3, at 58184.
---------------------------------------------------------------------------
[[Page 68245]]
• If the submitting entity uses a third party service
provider or service bureau(s) to connect or transact business or to
manage the connection with NSCC, the submitting entity has an
appropriate program to evaluate the cyber risks and impact of these
third parties and to review the third party assurance reports.
• The submitting entity's cybersecurity program and
framework protects the segment of its system that connects to and/or
interacts with NSCC.
• The submitting entity has in place an established process
to remediate cyber issues identified to meet its regulatory and/or
statutory requirements.
• The submitting entity periodically updates the risk
processes of its cybersecurity program and framework based on a risk
assessment or changes to technology, business, threat ecosystem, and/or
regulatory environment.
• The submitting entity's cybersecurity program and
framework has been reviewed by one of the following: (1) The submitting
entity, if it has filed and maintains a current Certification of
Compliance with the Superintendent of the New York State Department of
Financial Services confirming compliance with its Cybersecurity
Requirements for Financial Services Companies; \13\ (2) a regulator who
assesses the submitting entity's cybersecurity program and framework
against an industry cybersecurity framework or industry standard,
including those that are listed on the Cybersecurity Confirmation form
and in an Important Notice that is issued by NSCC from time to time;
\14\ (3) an independent external entity with cybersecurity domain
expertise in relevant industry standards and practices, including those
that are listed on the Cybersecurity Confirmation form and in an
Important Notice that is issued by NSCC from time to time; \15\ or (4)
an independent internal audit function reporting directly to the
submitting entity's board of directors or designated board of directors
committee, such that the findings of that review are shared with these
governance bodies.
---------------------------------------------------------------------------
\13\ 23 N.Y. Comp. Codes R. & Regs. tit. 23, Sec. 500 et seq.
(2017). NSCC states that this regulation requires entities to
confirm that they have comprehensive cybersecurity programs as
described in the regulation, and NSCC believes this regime is
sufficient to meet the objectives of the proposed Cybersecurity
Confirmation. Notice, supra note 3, at 58184.
\14\ NSCC states that current industry cybersecurity frameworks
and industry standards could include, for example, the Office of the
Comptroller of the Currency or the FFIEC Cybersecurity Assessment
Tool. NSCC would identify acceptable industry cybersecurity
frameworks and standards in the Cybersecurity Confirmation form and
in an Important Notice that NSCC would issue from time to time. NSCC
would also consider accepting other industry cybersecurity
frameworks and standards upon request. Notice, supra note 3, at
58185.
\15\ NSCC states that a third party with cybersecurity domain
expertise is one that follows and understands applicable industry
standards, practices, and regulations, such as ISO 27001
certification or NIST CSF assessment. NSCC would identify acceptable
industry standards and practices in the Cybersecurity Confirmation
form and in an Important Notice that NSCC would issue from time to
time. NSCC would also consider accepting other industry standards
and practices upon request. Notice, supra note 3, at 58185.
---------------------------------------------------------------------------
NSCC states that it designed the representations in the
Cybersecurity Confirmation to provide information on how each
submitting entity manages cybersecurity with respect to its
connectivity to NSCC.\16\ NSCC believes that by requiring these
representations from members, applicants for membership, and trade data
reporting organizations, the proposed Cybersecurity Confirmation would
provide useful information designed to enable NSCC to make informed
decisions about risks or threats, perform additional monitoring, target
potential vulnerabilities, and otherwise protect the NSCC network.\17\
---------------------------------------------------------------------------
\16\ Notice, supra note 3, at 58185.
\17\ Id.
---------------------------------------------------------------------------
2. Initial and Ongoing Membership Requirement
NSCC proposes to require new applicants for NSCC membership to
submit a Cybersecurity Confirmation as part of their application
materials. NSCC also proposes to require all NSCC members to submit a
Cybersecurity Confirmation at least every two years. With respect to
the requirement to submit a Cybersecurity Confirmation at least every
two years, NSCC would provide all members with notice of the date on
which the Cybersecurity Confirmation would be due no later than 180
calendar days prior to the due date.
3. Organizations Reporting Trade Data to NSCC
NSCC proposes to modify the Rules to provide that, when determining
whether to accept trade data from an organization for comparison and
trade recording,\18\ NSCC may require the organization to submit a
Cybersecurity Confirmation. Since such organizations are not NSCC
members, contracts (i.e., separate from the Rules) govern the
relationships between NSCC and such organizations. NSCC states that
this proposal would provide transparency regarding the steps NSCC may
take when determining whether to accept trade data from such
organizations.\19\
---------------------------------------------------------------------------
\18\ See Rule 7 (Comparison and Trade Recording Operation),
supra note 4.
\19\ Notice, supra note 3, at 58185.
---------------------------------------------------------------------------
C. Implementation Timeframe
The proposed rule change would be effective upon Commission
approval. New applicants for NSCC membership would be required to
submit a Cybersecurity Confirmation as part of their application
materials. The requirement to submit a Cybersecurity Confirmation would
also apply to applicants whose applications are pending with NSCC at
the time the Commission approves the proposed rule change. For existing
NSCC members, NSCC would provide notice of the due date to submit a
Cybersecurity Confirmation, not later than 180 days prior to the due
date. Finally, NSCC would provide such notice to its members at least
every two years going forward.
III. Discussion and Commission Findings
Section 19(b)(2)(C) of the Act \20\ directs the Commission to
approve a proposed rule change of a self-regulatory organization if it
finds that such proposed rule change is consistent with the
requirements of the Act and rules and regulations thereunder applicable
to such organization. After carefully considering the proposed rule
change, the Commission finds that the proposed rule change is
consistent with the requirements of the Act and the rules and
regulations thereunder applicable to NSCC. In particular, the
Commission finds that the proposed rule change is consistent with
Section 17A(b)(3)(F) of the Act,\21\ and Rules 17Ad-22(e)(17)(i) and
(e)(17)(ii) promulgated under the Act,\22\ for the reasons described
below.
---------------------------------------------------------------------------
\20\ 15 U.S.C. 78s(b)(2)(C).
\21\ 15 U.S.C. 78q-1(b)(3)(F).
\22\ 17 CFR 240.17Ad-22(e)(17)(i) and (e)(17)(ii).
---------------------------------------------------------------------------
A. Consistency With Section 17A(b)(3)(F) of the Act
Section 17A(b)(3)(F) of the Act requires that the rules of a
clearing agency be designed to, among other things, promote the prompt
and accurate clearance and settlement of securities transactions and
assure the safeguarding of securities and funds which are in the
custody or control of
[[Page 68246]]
the clearing agency or for which it is responsible.\23\
---------------------------------------------------------------------------
\23\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
As described above, NSCC proposes to require its members,
applicants for membership, and trade data reporting organizations
seeking to connect to NSCC via the SMART network or other means, to
submit a Cybersecurity Confirmation, confirming the existence and
nature of their cybersecurity programs. The Cybersecurity Confirmations
should provide NSCC with useful information regarding the cybersecurity
programs of the submitting entities. By conditioning an entity's
connectivity to NSCC via the SMART network or other means on the
submission of a Cybersecurity Confirmation, NSCC should be better
enabled to reduce the cyber risks of electronically connecting to
entities that have not confirmed the existence and nature of their
cybersecurity programs. Accordingly, the proposed Cybersecurity
Confirmation requirement should provide NSCC with information to better
identify its exposure to cyber risks and to take steps to mitigate
those risks.
If not adequately addressed, the risk of cyberattacks and other
cyber vulnerabilities could affect NSCC's network and NSCC's ability to
clear and settle securities transactions, or to safeguard the
securities and funds which are in NSCC's custody or control, or for
which it is responsible. The proposed Cybersecurity Confirmation
requirement is a tool designed to address those risks as described
above. Therefore, the Commission finds the proposed Cybersecurity
Confirmation requirement would promote the prompt and accurate
clearance and settlement of securities transactions and assure the
safeguarding of securities and funds which are in the custody or
control of NSCC or for which it is responsible, consistent with the
requirements of Section 17A(b)(3)(F) of the Act.\24\
---------------------------------------------------------------------------
\24\ Id.
---------------------------------------------------------------------------
B. Consistency With Rule 17Ad-22(e)(17)(i) Under the Act
Rule 17Ad-22(e)(17)(i) under the Act requires that each covered
clearing agency establish, implement, maintain and enforce written
policies and procedures reasonably designed to manage the covered
clearing agency's operational risks by identifying the plausible
sources of operational risk, both internal and external, and mitigating
their impact through the use of appropriate systems, policies,
procedures, and controls.\25\ NSCC's operational risks include
protecting its electronic systems from cyber risks.
---------------------------------------------------------------------------
\25\ 17 CFR 240.17Ad-22(e)(17)(i).
---------------------------------------------------------------------------
As described above, entities connect electronically to NSCC via the
SMART network or other means. The proposed Cybersecurity Confirmation
requirement should reduce cyber risks to NSCC by requiring members,
applicants for membership, and trade data reporting organizations to
confirm that they have defined and maintain cybersecurity programs and
frameworks that meet standard industry best practices and guidelines.
The representations in each submitting entity's Cybersecurity
Confirmation would provide information that should help NSCC to
mitigate its exposure to cyber risks, and thereby decrease the
operational risks presented to NSCC by its connections to such
entities. Thus, the proposed Cybersecurity Confirmations should enable
NSCC to better identify potential sources of external operational risks
and mitigate the possible impacts of those risks. Because the proposed
changes would help NSCC identify and mitigate plausible sources of
external operational risk, the Commission finds the proposed changes
are consistent with the requirements of Rule 17Ad-22(e)(17)(i) under
the Act.\26\
---------------------------------------------------------------------------
\26\ Id.
---------------------------------------------------------------------------
C. Consistency With Rule 17Ad-22(e)(17)(ii) Under the Act
Rule 17Ad-22(e)(17)(ii) under the Act requires that each covered
clearing agency establish, implement, maintain and enforce written
policies and procedures reasonably designed to manage the covered
clearing agency's operational risks by ensuring, in part, that systems
have a high degree of security, resiliency, and operational
reliability.\27\ As noted above, NSCC's operational risks include
protecting its electronic systems from cyber risks.
---------------------------------------------------------------------------
\27\ 17 CFR 240.17Ad-22(e)(17)(ii).
---------------------------------------------------------------------------
Although NSCC believes that its members, applicants for membership,
and trade data reporting organizations may currently maintain robust
cybersecurity programs, NSCC currently does not require those entities
to represent that they maintain a cybersecurity program as a condition
for connecting to NSCC via the SMART network or other means. NSCC
designed the proposed Cybersecurity Confirmation requirement to reduce
cyber risks by requiring its members, applicants, and trade data
reporting organizations to confirm that they have defined and maintain
cybersecurity programs and frameworks that meet standard industry best
practices and guidelines. The representations in each submitting
entity's Cybersecurity Confirmation would provide more security for
NSCC's SMART network and other systems by providing NSCC with
information designed to help manage its cyber-related operational
risks, which in turn, would enable NSCC to take steps necessary to
strengthen the security of its network to mitigate those risks. Since
the proposal would enhance NSCC's ability to ensure that its systems
have a high degree of security, resiliency, and operational
reliability, the Commission finds the proposed changes are consistent
with the requirements of Rule 17Ad-22(e)(17)(ii) under the Act.\28\
---------------------------------------------------------------------------
\28\ Id.
---------------------------------------------------------------------------
IV. Conclusion
On the basis of the foregoing, the Commission finds that the
proposed rule change is consistent with the requirements of the Act
and, in particular, with the requirements of Section 17A of the Act
\29\ and the rules and regulations promulgated thereunder.
---------------------------------------------------------------------------
\29\ 15 U.S.C. 78q-1.
---------------------------------------------------------------------------
It is therefore ordered, pursuant to Section 19(b)(2) of the Act
\30\ that proposed rule change SR-NSCC-2019-003, be, and hereby is,
approved.\31\
---------------------------------------------------------------------------
\30\ 15 U.S.C. 78s(b)(2).
\31\ In approving the proposed rule change, the Commission
considered the proposal's impact on efficiency, competition, and
capital formation. 15 U.S.C. 78c(f).
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\32\
---------------------------------------------------------------------------
\32\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------
Jill M. Peterson,
Assistant Secretary.
[FR Doc. 2019-26843 Filed 12-12-19; 8:45 am]
BILLING CODE 8011-01-P