Self-Regulatory Organizations; The Depository Trust Company; Order Approving a Proposed Rule Change To Require Confirmation of Cybersecurity Program, 68269-68272 [2019-26845]

Federal Register / Vol. 84, No. 240 / Friday, December 13, 2019 / Notices

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-87698; File No. SR-DTC-2019-008]


Self-Regulatory Organizations; The Depository Trust Company; Order Approving a Proposed Rule Change To Require Confirmation of Cybersecurity Program

December 9, 2019.

I. Introduction

    On October 15, 2019, The Depository Trust Company (``DTC'') filed with the Securities and Exchange Commission (``Commission''), pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (``Act'') \1\ and Rule 19b-4 thereunder,\2\ proposed rule change SR-DTC-2019-008. The proposed rule change was published for comment in the Federal Register on October 30, 2019.\3\ The Commission did not receive any comment letters on the proposed rule change. For the reasons discussed

[[Page 68270]]

below, the Commission is approving the proposed rule change.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ Securities Exchange Act Release No. 87393 (October 24, 2019), 84 FR 58189 (October 30, 2019) (SR-DTC-2019-008) (``Notice'').
---------------------------------------------------------------------------

II. Description of the Proposed Rule Change

    DTC proposes to modify the Rules, By-Laws and Organization Certificate of DTC (``Rules'') \4\ in order to (1) define the term ``Cybersecurity Confirmation'' as a written representation that addresses a submitting entity's cybersecurity program (described more fully below); and (2) require DTC's Participants, Pledgees, and applicants for membership as a Participant or Pledgee (``Applicants'') to submit to DTC a Cybersecurity Confirmation (both as part of an initial application for membership and on an ongoing basis for Participants and Pledgees, at least every two years).
---------------------------------------------------------------------------

    \4\ Capitalized terms not defined herein are defined in the Rules, available at http://www.dtcc.com/legal/rules-and-procedures.
---------------------------------------------------------------------------

A. Background

    DTC serves as the central securities depository for substantially all corporate and municipal debt and equity securities available for trading in the United States.\5\ DTC provides depository services and asset servicing for a wide range of security types such as money market instruments, equities, warrants, rights, corporate debt and notes, municipal bonds, government securities, asset-backed securities, and collateralized mortgage obligations.\6\ DTC's custodial services include the safekeeping, record keeping, book entry transfer, and pledge of securities among its Participants and Pledgees.\7\ DTC also provides services to securities issuers, such as maintaining current ownership records and distributing payments to shareholders.\8\ In light of DTC's critical role in the marketplace, DTC was designated a Systemically Important Financial Market Utility (``SIFMU'') under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.\9\ Due to DTC's unique position in the marketplace, a failure or a disruption to DTC could, among other things, increase the risk of significant liquidity problems spreading among financial institutions or markets, and thereby threaten the stability of the financial system in the United States.\10\
---------------------------------------------------------------------------

    \5\ See Financial Stability Oversight Council 2012 Annual Report, Appendix A (``FSOC 2012 Report''), available at http://www.treasury.gov/initiatives/fsoc/Documents/2012%20Annual%20Report.pdf.
    \6\ Id.
    \7\ Id.
    \8\ Id.
    \9\ 12 U.S.C. 5465(e)(1). See FSOC 2012 Report, supra note 5.
    \10\ See FSOC 2012 Report, supra note 5.
---------------------------------------------------------------------------

    DTC's Participants and Pledgees connect to DTC, either through the Securely Managed and Reliable Technology (``SMART'') network or through other electronic means, such as a third party service provider, service bureau, network, or the internet. The SMART network is a technology managed by DTC's parent company, The Depository Trust & Clearing Corporation (``DTCC''), that connects a nationwide complex of networks, processing centers, and control facilities. Currently, DTC does not require its Participants, Pledgees, or Applicants to represent that they maintain a cybersecurity program as a condition for connecting to DTC via the SMART network or other means. DTC states that many of its Participants, Pledgees, and Applicants may currently be subject to regulations that are designed, in part, to protect against cyberattacks.\11\ Accordingly, such entities would currently be required to follow standards established by national or international organizations focused on information security management, and they would currently maintain protocols for their senior management to verify the existence of cybersecurity programs sufficient to meet regulatory obligations. DTC further believes that some of its Participants, Pledgees, and Applicants might also currently follow protocols substantially similar to the regulations referred to earlier in this paragraph in order to meet the evolving cybersecurity expectations of regulators and/or their own institutional customers.\12\ Although DTC believes that its Participants, Pledgees, and Applicants may currently maintain robust cybersecurity programs, DTC seeks to better ensure the protection of its network by requiring its Participants, Pledgees, and Applicants to confirm that they are meeting certain cybersecurity standards in order to connect to DTC via the SMART network or other means. Therefore, DTC proposes to require all Participants, Pledgees, and Applicants to submit a written Cybersecurity Confirmation that includes specific representations regarding the submitting entity's cybersecurity program and framework.
---------------------------------------------------------------------------

    \11\ For example, depending on the type of entity, DTC states that its members may be subject to one or more of the following regulations: (1) Regulation S-ID, which requires ``financial institutions'' or ``creditors'' under the rule to adopt programs to identify and address the risk of identity theft of individuals (17 CFR 248.201-202); (2) Regulation S-P, which requires broker-dealers, investment companies, and investment advisers to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information (17 CFR 248.1-30); and (3) Rule 15c3-5 under the Act, known as the ``Market Access Rule,'' which requires broker-dealers to establish, document, and maintain a system for regularly reviewing the effectiveness of its management controls and supervisory procedures (17 CFR 240.15c3-5). Notice, supra note 3, at 58190.
    \12\ Id.
---------------------------------------------------------------------------

    DTC states that the information contained in the Cybersecurity Confirmation would help DTC to better understand the cybersecurity programs and frameworks of entities seeking to connect to DTC, and thereby identify possible cyber risk exposures.\13\ As a result, DTC would be better able to establish appropriate controls to mitigate such risks and their possible impacts on DTC's operations.
---------------------------------------------------------------------------

    \13\ Id.
---------------------------------------------------------------------------

B. Proposed Changes

    DTC proposes to modify its Rules to: (1) Provide a detailed definition of the Cybersecurity Confirmation; and (2) require DTC's Participants, Pledgees, and Applicants to submit to DTC a Cybersecurity Confirmation (both as part of an initial application for membership, and on an ongoing basis for members, at least every two years). Each of these proposed rule changes is described in greater detail below.

1. Cybersecurity Confirmation

    DTC proposes to define the term ``Cybersecurity Confirmation'' to mean a written form, in a format provided by DTC and signed by the submitting entity's designated senior executive with the authority to attest to the cybersecurity matters contained in the form.\14\ The form would contain specific representations regarding the submitting entity's cybersecurity program and framework. Such representations would cover the two years prior to the date of the most recently provided Cybersecurity Confirmation. The Cybersecurity Confirmation would include the following representations:
---------------------------------------------------------------------------

    \14\ Notice, supra note 3, at 58191. See also DTC Cybersecurity Confirmation Form, submitted as Exhibit 3 to SR-DTC-2019-008, available at https://www.sec.gov/rules/sro/dtc/2019/34-87393ex3.pdf.
---------------------------------------------------------------------------

    • The submitting entity has defined and maintains a comprehensive cybersecurity program and framework that considers potential cyber threats that impact the submitting entity's organization, and protects the confidentiality, integrity, and availability requirements of its systems and information.
    • The submitting entity has implemented and maintains a written enterprise cybersecurity policy or policies approved by the submitting entity's senior management or board of directors, and the submitting entity's cybersecurity framework is in alignment with standard industry best practices and guidelines.\15\
    • If the submitting entity uses a third party service provider or service bureau(s) to connect or transact business or to manage the connection with DTC, the submitting entity has an appropriate program to evaluate the cyber risks and impact of these third parties and to review the third party assurance reports.
    • The submitting entity's cybersecurity program and framework protects the segment of its system that connects to and/or interacts with DTC.
    • The submitting entity has in place an established process to remediate cyber issues identified to meet its regulatory and/or statutory requirements.
    • The submitting entity periodically updates the risk processes of its cybersecurity program and framework based on a risk assessment or changes to technology, business, threat ecosystem, and/or regulatory environment.
    • The submitting entity's cybersecurity program and framework has been reviewed by one of the following: (1) The submitting entity, if it has filed and maintains a current Certification of Compliance with the Superintendent of the New York State Department of Financial Services confirming compliance with its Cybersecurity Requirements for Financial Services Companies; \16\ (2) a regulator who assesses the submitting entity's cybersecurity program and framework against an industry cybersecurity framework or industry standard, including those that are listed on the Cybersecurity Confirmation form and in an Important Notice that is issued by DTC from time to time; \17\ (3) an independent external entity with cybersecurity domain expertise in relevant industry standards and practices, including those that are listed on the Cybersecurity Confirmation form and in an Important Notice that is issued by DTC from time to time; \18\ or (4) an independent internal audit function reporting directly to the submitting entity's board of directors or designated board of directors committee, such that the findings of that review are shared with these governance bodies.
---------------------------------------------------------------------------

    \15\ Examples of recognized frameworks, guidelines and standards that DTC believes are adequate include the Financial Services Sector Coordinating Council Cybersecurity Profile, the National Institute of Standards and Technology Cybersecurity Framework (``NIST CSF''), International Organization for Standardization (``ISO'') standard 27001/27002 (``ISO 27001''), Federal Financial Institutions Examination Council (``FFIEC'') Cybersecurity Assessment Tool, Critical Security Controls Top 20, and Control Objectives for Information and Related Technologies. DTC would identify recognized frameworks, guidelines and standards in the form of Cybersecurity Confirmation and in an Important Notice that DTC would issue from time to time. DTC would also consider accepting other standards upon request. Notice, supra note 3, at 58191.
    \16\ 23 N.Y. Comp. Codes R. & Regs. tit. 23, § 500 et seq. (2017). DTC states that this regulation requires entities to confirm that they have comprehensive cybersecurity programs as described in the regulation, and DTC believes this regime is sufficient to meet the objectives of the proposed Cybersecurity Confirmation. Notice, supra note 3, at 58191.
    \17\ DTC states that current industry cybersecurity frameworks and industry standards could include, for example, the Office of the Comptroller of the Currency or the FFIEC Cybersecurity Assessment Tool. DTC would identify acceptable industry cybersecurity frameworks and standards in the Cybersecurity Confirmation form and in an Important Notice that DTC would issue from time to time. DTC would also consider accepting other industry cybersecurity frameworks and standards upon request. Notice, supra note 3, at 58191.
    \18\ DTC states that a third party with cybersecurity domain expertise is one that follows and understands applicable industry standards, practices, and regulations, such as ISO 27001 certification or NIST CSF assessment. DTC would identify acceptable industry standards and practices in the Cybersecurity Confirmation form and in an Important Notice that DTC would issue from time to time. DTC would also consider accepting other industry standards and practices upon request. Notice, supra note 3, at 58191.
---------------------------------------------------------------------------

    DTC states that it designed the representations in the Cybersecurity Confirmation to provide information on how each submitting entity manages cybersecurity with respect to its connectivity to DTC.\19\ DTC believes that by requiring these representations from Participants, Pledgees, and Applicants, the proposed Cybersecurity Confirmation would provide useful information designed to enable DTC to make informed decisions about risks or threats, perform additional monitoring, target potential vulnerabilities, and otherwise protect the DTC network.\20\
---------------------------------------------------------------------------

    \19\ Id.
    \20\ Id.
---------------------------------------------------------------------------

2. Initial and Ongoing Membership Requirement

    DTC proposes to require new Applicants to submit a Cybersecurity Confirmation as part of their application materials. DTC also proposes to require all DTC Participants and Pledgees to submit a Cybersecurity Confirmation at least every two years. With respect to the requirement to submit a Cybersecurity Confirmation at least every two years, DTC would provide all Participants and Pledgees with notice of the date on which the Cybersecurity Confirmation would be due no later than 180 calendar days prior to the due date.

[[Page 68271]]

C. Implementation Timeframe

    The proposed rule change would be effective upon Commission approval. New Applicants would be required to submit a Cybersecurity Confirmation as part of their application materials. The requirement to submit a Cybersecurity Confirmation would also apply to Applicants whose applications are pending with DTC at the time the Commission approves the proposed rule change. For existing DTC Participants and Pledgees, DTC would provide notice of the due date to submit a Cybersecurity Confirmation, not later than 180 days prior to the due date. Finally, DTC would provide such notice to its Participants and Pledgees at least every two years going forward.

III. Discussion and Commission Findings

    Section 19(b)(2)(C) of the Act \21\ directs the Commission to approve a proposed rule change of a self-regulatory organization if it finds that such proposed rule change is consistent with the requirements of the Act and rules and regulations thereunder applicable to such organization. After carefully considering the proposed rule change, the Commission finds that the proposed rule change is consistent with the requirements of the Act and the rules and regulations thereunder applicable to DTC. In particular, the Commission finds that the proposed rule change is consistent with Section 17A(b)(3)(F) of the Act,\22\ and Rules 17Ad-22(e)(17)(i) and (e)(17)(ii) promulgated under the Act,\23\ for the reasons described below.
---------------------------------------------------------------------------

    \21\ 15 U.S.C. 78s(b)(2)(C).
    \22\ 15 U.S.C. 78q-1(b)(3)(F).
    \23\ 17 CFR 240.17Ad-22(e)(17)(i) and (e)(17)(ii).
---------------------------------------------------------------------------

A. Consistency With Section 17A(b)(3)(F) of the Act

    Section 17A(b)(3)(F) of the Act requires that the rules of a clearing agency be designed to, among other things, promote the prompt and accurate clearance and settlement of securities transactions and assure the safeguarding of securities and funds which are in the custody or control of the clearing agency or for which it is responsible.\24\ As described above, DTC proposes to require its Participants, Pledgees, and Applicants to submit a Cybersecurity Confirmation, confirming the existence and nature of their cybersecurity programs. The Cybersecurity Confirmations should provide DTC with useful information regarding the cybersecurity programs of the

[[Page 68272]]

submitting entities. By conditioning an entity's connectivity to DTC via the SMART network or other means on the submission of a Cybersecurity Confirmation, DTC should be better enabled to reduce the cyber risks of electronically connecting to entities that have not confirmed the existence and nature of their cybersecurity programs. Accordingly, the proposed Cybersecurity Confirmation requirement should provide DTC with information to better identify its exposure to cyber risks and to take steps to mitigate those risks. If not adequately addressed, the risk of cyberattacks and other cyber vulnerabilities could affect DTC's network and DTC's ability to clear and settle securities transactions, or to safeguard the securities and funds which are in DTC's custody or control, or for which it is responsible. The proposed Cybersecurity Confirmation requirement is a tool designed to address those risks as described above. Therefore, the Commission finds the proposed Cybersecurity Confirmation requirement would promote the prompt and accurate clearance and settlement of securities transactions and assure the safeguarding of securities and funds which are in the custody or control of DTC or for which it is responsible, consistent with the requirements of Section 17A(b)(3)(F) of the Act.\25\
---------------------------------------------------------------------------

    \24\ 15 U.S.C. 78q-1(b)(3)(F).
    \25\ Id.
---------------------------------------------------------------------------

B. Consistency With Rule 17Ad-22(e)(17)(i) Under the Act

    Rule 17Ad-22(e)(17)(i) under the Act requires that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency's operational risks by identifying the plausible sources of operational risk, both internal and external, and mitigating their impact through the use of appropriate systems, policies, procedures, and controls.\26\ DTC's operational risks include protecting its electronic systems from cyber risks. As described above, entities connect electronically to DTC via the SMART network or other means. The proposed Cybersecurity Confirmation requirement should reduce cyber risks to DTC by requiring Participants, Pledgees, and Applicants to confirm that they have defined and maintain cybersecurity programs and frameworks that meet standard industry best practices and guidelines. The representations in each submitting entity's Cybersecurity Confirmation would provide information that should help DTC to mitigate its exposure to cyber risks, and thereby decrease the operational risks presented to DTC by its connections to such entities. Thus, the proposed Cybersecurity Confirmations should enable DTC to better identify potential sources of external operational risks and mitigate the possible impacts of those risks. Because the proposed changes would help DTC identify and mitigate plausible sources of external operational risk, the Commission finds the proposed changes are consistent with the requirements of Rule 17Ad-22(e)(17)(i) under the Act.\27\
---------------------------------------------------------------------------

    \26\ 17 CFR 240.17Ad-22(e)(17)(i).
    \27\ Id.
---------------------------------------------------------------------------

C. Consistency With Rule 17Ad-22(e)(17)(ii) Under the Act

    Rule 17Ad-22(e)(17)(ii) under the Act requires that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency's operational risks by ensuring, in part, that systems have a high degree of security, resiliency, and operational reliability.\28\ As noted above, DTC's operational risks include protecting its electronic systems from cyber risks. Although DTC believes that its Participants, Pledgees, and Applicants may currently maintain robust cybersecurity programs, DTC currently does not require those entities to represent that they maintain a cybersecurity program as a condition for connecting to DTC via the SMART network or other means. DTC designed the proposed Cybersecurity Confirmation requirement to reduce cyber risks by requiring its Participants, Pledgees, and Applicants to confirm that they have defined and maintain cybersecurity programs and frameworks that meet standard industry best practices and guidelines. The representations in each submitting entity's Cybersecurity Confirmation would provide more security for DTC's SMART network and other systems by providing DTC with information designed to help manage its cyber-related operational risks, which in turn, would enable DTC to take steps necessary to strengthen the security of its network to mitigate those risks. Since the proposal would enhance DTC's ability to ensure that its systems have a high degree of security, resiliency, and operational reliability, the Commission finds the proposed changes are consistent with the requirements of Rule 17Ad-22(e)(17)(ii) under the Act.\29\
---------------------------------------------------------------------------

    \28\ 17 CFR 240.17Ad-22(e)(17)(ii).
    \29\ Id.
---------------------------------------------------------------------------

IV. Conclusion

    On the basis of the foregoing, the Commission finds that the proposed rule change is consistent with the requirements of the Act and, in particular, with the requirements of Section 17A of the Act \30\ and the rules and regulations promulgated thereunder.
    It is therefore ordered, pursuant to Section 19(b)(2) of the Act \31\ that proposed rule change SR-DTC-2019-008, be, and hereby is, approved.\32\
    For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.\33\
---------------------------------------------------------------------------

    \30\ 15 U.S.C. 78q-1.
    \31\ 15 U.S.C. 78s(b)(2).
    \32\ In approving the proposed rule change, the Commission considered the proposals' impact on efficiency, competition, and capital formation. 15 U.S.C. 78c(f).
    \33\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

Jill M. Peterson,
Assistant Secretary.
[FR Doc. 2019-26845 Filed 12-12-19; 8:45 am]
BILLING CODE 8011-01-P

[Federal Register Volume 84, Number 240 (Friday, December 13, 2019)]
[Notices]
[Pages 68269-68272]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-26845]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-87698; File No. SR-DTC-2019-008]


Self-Regulatory Organizations; The Depository Trust Company; 
Order Approving a Proposed Rule Change To Require Confirmation of 
Cybersecurity Program

December 9, 2019.

I. Introduction

    On October 15, 2019, The Depository Trust Company (``DTC'') filed 
with the Securities and Exchange Commission (``Commission''), pursuant 
to Section 19(b)(1) of the Securities Exchange Act of 1934 (``Act'') 
\1\ and Rule 19b-4 thereunder,\2\ proposed rule change SR-DTC-2019-008. 
The proposed rule change was published for comment in the Federal 
Register on October 30, 2019.\3\ The Commission did not receive any 
comment letters on the proposed rule change. For the reasons discussed

[[Page 68270]]

below, the Commission is approving the proposed rule change.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ Securities Exchange Act Release No. 87393 (October 24, 
2019), 84 FR 58189 (October 30, 2019) (SR-DTC-2019-008) 
(``Notice'').
---------------------------------------------------------------------------

II. Description of the Proposed Rule Change

    DTC proposes to modify the Rules, By-Laws and Organization 
Certificate of DTC (``Rules'') \4\ in order to (1) define the term 
``Cybersecurity Confirmation'' as a written representation that 
addresses a submitting entity's cybersecurity program (described more 
fully below); and (2) require DTC's Participants, Pledgees, and 
applicants for membership as a Participant or Pledgee (``Applicants'') 
to submit to DTC a Cybersecurity Confirmation (both as part of an 
initial application for membership and on an ongoing basis for 
Participants and Pledgees, at least every two years).
---------------------------------------------------------------------------

    \4\ Capitalized terms not defined herein are defined in the 
Rules, available at http://www.dtcc.com/legal/rules-and-procedures.
---------------------------------------------------------------------------

A. Background

    DTC serves as the central securities depository for substantially 
all corporate and municipal debt and equity securities available for 
trading in the United States.\5\ DTC provides depository services and 
asset servicing for a wide range of security types such as money market 
instruments, equities, warrants, rights, corporate debt and notes, 
municipal bonds, government securities, asset-backed securities, and 
collateralized mortgage obligations.\6\ DTC's custodial services 
include the safekeeping, record keeping, book entry transfer, and 
pledge of securities among its Participants and Pledgees.\7\ DTC also 
provides services to securities issuers, such as maintaining current 
ownership records and distributing payments to shareholders.\8\ In 
light of DTC's critical role in the marketplace, DTC was designated a 
Systemically Important Financial Market Utility (``SIFMU'') under Title 
VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act 
of 2010.\9\ Due to DTC's unique position in the marketplace, a failure 
or a disruption to DTC could, among other things, increase the risk of 
significant liquidity problems spreading among financial institutions 
or markets, and thereby threaten the stability of the financial system 
in the United States.\10\
---------------------------------------------------------------------------

    \5\ See Financial Stability Oversight Council 2012 Annual 
Report, Appendix A (``FSOC 2012 Report''), available at http://www.treasury.gov/initiatives/fsoc/Documents/2012%20Annual%20Report.pdf.
    \6\ Id.
    \7\ Id.
    \8\ Id.
    \9\ 12 U.S.C. 5465(e)(1). See FSOC 2012 Report, supra note 5.
    \10\ See FSOC 2012 Report, supra note 5.
---------------------------------------------------------------------------

    DTC's Participants and Pledgees connect to DTC, either through the 
Securely Managed and Reliable Technology (``SMART'') network or through 
other electronic means, such as a third party service provider, service 
bureau, network, or the internet. The SMART network is a technology 
managed by DTC's parent company, The Depository Trust & Clearing 
Corporation (``DTCC''), that connects a nationwide complex of networks, 
processing centers, and control facilities. Currently, DTC does not 
require its Participants, Pledgees, or Applicants to represent that 
they maintain a cybersecurity program as a condition for connecting to 
DTC via the SMART network or other means.
    DTC states that many of its Participants, Pledgees, and Applicants 
may currently be subject to regulations that are designed, in part, to 
protect against cyberattacks.\11\
---------------------------------------------------------------------------

    \11\ For example, depending on the type of entity, DTC states 
that its members may be subject to one or more of the following 
regulations: (1) Regulation S-ID, which requires ``financial 
institutions'' or ``creditors'' under the rule to adopt programs to 
identify and address the risk of identity theft of individuals (17 
CFR 248.201-202); (2) Regulation S-P, which requires broker-dealers, 
investment companies, and investment advisers to adopt written 
policies and procedures that address administrative, technical, and 
physical safeguards for the protection of customer records and 
information (17 CFR 248.1-30); and (3) Rule 15c3-5 under the Act, 
known as the ``Market Access Rule,'' which requires broker-dealers 
to establish, document, and maintain a system for regularly 
reviewing the effectiveness of its management controls and 
supervisory procedures (17 CFR 240.15c3-5). Notice, supra note 3, at 
58190.
---------------------------------------------------------------------------

    Accordingly, such entities would currently be required to follow 
standards established by national or international organizations 
focused on information security management, and they would currently 
maintain protocols for their senior management to verify the existence 
of cybersecurity programs sufficient to meet regulatory obligations. 
DTC further believes that some of its Participants, Pledgees, and 
Applicants might also currently follow protocols substantially similar 
to the regulations referred to earlier in this paragraph in order to 
meet the evolving cybersecurity expectations of regulators and/or their 
own institutional customers.\12\
---------------------------------------------------------------------------

    \12\ Id.
---------------------------------------------------------------------------

    Although DTC believes that its Participants, Pledgees, and 
Applicants may currently maintain robust cybersecurity programs, DTC 
seeks to better ensure the protection of its network by requiring its 
Participants, Pledgees, and Applicants to confirm that they are meeting 
certain cybersecurity standards in order to connect to DTC via the 
SMART network or other means. Therefore, DTC proposes to require all 
Participants, Pledgees, and Applicants to submit a written 
Cybersecurity Confirmation that includes specific representations 
regarding the submitting entity's cybersecurity program and framework. 
DTC states that the information contained in the Cybersecurity 
Confirmation would help DTC to better understand the cybersecurity 
programs and frameworks of entities seeking to connect to DTC, and 
thereby identify possible cyber risk exposures.\13\ As a result, DTC 
would be better able to establish appropriate controls to mitigate such 
risks and their possible impacts on DTC's operations.
---------------------------------------------------------------------------

    \13\ Id.
---------------------------------------------------------------------------

B. Proposed Changes

    DTC proposes to modify its Rules to: (1) Provide a detailed 
definition of the Cybersecurity Confirmation; and (2) require DTC's 
Participants, Pledgees, and Applicants to submit to DTC a Cybersecurity 
Confirmation (both as part of an initial application for membership, 
and on an ongoing basis for members, at least every two years). Each of 
these proposed rule changes is described in greater detail below.
1. Cybersecurity Confirmation
    DTC proposes to define the term ``Cybersecurity Confirmation'' to 
mean a written form, in a format provided by DTC and signed by the 
submitting entity's designated senior executive with the authority to 
attest to the cybersecurity matters contained in the form.\14\ The form 
would contain specific representations regarding the submitting 
entity's cybersecurity program and framework. Such representations 
would cover the two years prior to the date of the most recently 
provided Cybersecurity Confirmation. The Cybersecurity Confirmation 
would include the following representations:
---------------------------------------------------------------------------

    \14\ Notice, supra note 3, at 58191. See also DTC Cybersecurity 
Confirmation Form, submitted as Exhibit 3 to SR-DTC-2019-008, 
available at https://www.sec.gov/rules/sro/dtc/2019/34-87393-ex3.pdf.
---------------------------------------------------------------------------

    - The submitting entity has defined and maintains a 
comprehensive cybersecurity program and framework that considers 
potential cyber threats that impact the submitting entity's 
organization, and protects the confidentiality, integrity, and 
availability requirements of its systems and information.
    - The submitting entity has implemented and maintains a 
written enterprise cybersecurity policy or policies approved by the 
submitting entity's senior management or board of directors, and the 
submitting entity's cybersecurity framework is in alignment with 
standard industry best practices and guidelines.\15\
---------------------------------------------------------------------------

    \15\ Examples of recognized frameworks, guidelines and standards 
that DTC believes are adequate include the Financial Services Sector 
Coordinating Council Cybersecurity Profile, the National Institute 
of Standards and Technology Cybersecurity Framework (``NIST CSF''), 
International Organization for Standardization (``ISO'') standard 
27001/27002 (``ISO 27001''), Federal Financial Institutions 
Examination Council (``FFIEC'') Cybersecurity Assessment Tool, 
Critical Security Controls Top 20, and Control Objectives for 
Information and Related Technologies. DTC would identify recognized 
frameworks, guidelines and standards in the form of Cybersecurity 
Confirmation and in an Important Notice that DTC would issue from 
time to time. DTC would also consider accepting other standards upon 
request. Notice, supra note 3, at 58191.
---------------------------------------------------------------------------

    - If the submitting entity uses a third party service 
provider or service bureau(s) to connect or transact business or to 
manage the connection with DTC, the submitting entity has an 
appropriate program to evaluate the cyber risks and impact of these 
third parties and to review the third party assurance reports.
    - The submitting entity's cybersecurity program and 
framework protects the segment of its system that connects to and/or 
interacts with DTC.
    - The submitting entity has in place an established process 
to remediate cyber issues identified to meet its regulatory and/or 
statutory requirements.
    - The submitting entity periodically updates the risk 
processes of its cybersecurity program and framework based on a risk 
assessment or changes to technology, business, threat ecosystem, and/or 
regulatory environment.
    - The submitting entity's cybersecurity program and 
framework has been reviewed by one of the following: (1) The submitting 
entity, if it has filed and maintains a current Certification of 
Compliance with the Superintendent of the New York State Department of 
Financial Services confirming compliance with its Cybersecurity 
Requirements for Financial Services Companies; \16\ (2) a regulator who 
assesses the submitting entity's cybersecurity program and framework 
against an industry cybersecurity framework or industry standard, 
including those that are listed on the Cybersecurity Confirmation form 
and in an Important Notice that is issued by DTC from time to time; 
\17\ (3) an independent external entity with cybersecurity domain 
expertise in relevant industry standards and practices, including those 
that are listed on the Cybersecurity Confirmation form and in an 
Important Notice that is issued by DTC from time to time; \18\ or (4) 
an independent internal audit function reporting directly to the 
submitting entity's board of directors or designated board of directors 
committee, such that the findings of that review are shared with these 
governance bodies.
---------------------------------------------------------------------------

    \16\ N.Y. Comp. Codes R. & Regs. tit. 23, Sec. 500 et seq. 
(2017). DTC states that this regulation requires entities to confirm 
that they have comprehensive cybersecurity programs as described in 
the regulation, and DTC believes this regime is sufficient to meet 
the objectives of the proposed Cybersecurity Confirmation. Notice, 
supra note 3, at 58191.
    \17\ DTC states that current industry cybersecurity frameworks 
and industry standards could include, for example, the Office of the 
Comptroller of the Currency or the FFIEC Cybersecurity Assessment 
Tool. DTC would identify acceptable industry cybersecurity 
frameworks and standards in the Cybersecurity Confirmation form and 
in an Important Notice that DTC would issue from time to time. DTC 
would also consider accepting other industry cybersecurity 
frameworks and standards upon request. Notice, supra note 3, at 
58191.
    \18\ DTC states that a third party with cybersecurity domain 
expertise is one that follows and understands applicable industry 
standards, practices, and regulations, such as ISO 27001 
certification or NIST CSF assessment. DTC would identify acceptable 
industry standards and practices in the Cybersecurity Confirmation 
form and in an Important Notice that DTC would issue from time to 
time. DTC would also consider accepting other industry standards and 
practices upon request. Notice, supra note 3, at 58191.
---------------------------------------------------------------------------

    DTC states that it designed the representations in the 
Cybersecurity Confirmation to provide information on how each 
submitting entity manages cybersecurity with respect to its 
connectivity to DTC.\19\ DTC believes that by requiring these 
representations from Participants, Pledgees, and Applicants, the 
proposed Cybersecurity Confirmation would provide useful information 
designed to enable DTC to make informed decisions about risks or 
threats, perform additional monitoring, target potential 
vulnerabilities, and otherwise protect the DTC network.\20\
---------------------------------------------------------------------------

    \19\ Id.
    \20\ Id.
---------------------------------------------------------------------------

2. Initial and Ongoing Membership Requirement
    DTC proposes to require new Applicants to submit a Cybersecurity 
Confirmation as part of their application materials. DTC also proposes 
to require all DTC Participants and Pledgees to submit a Cybersecurity 
Confirmation at least every two years. With respect to the requirement 
to submit a Cybersecurity Confirmation at least every two years, DTC 
would provide all Participants and Pledgees with notice of the date on 
which the Cybersecurity Confirmation would be due no later than 180 
calendar days prior to the due date.

C. Implementation Timeframe

    The proposed rule change would be effective upon Commission 
approval. New Applicants would be required to submit a Cybersecurity 
Confirmation as part of their application materials. The requirement to 
submit a Cybersecurity Confirmation would also apply to Applicants 
whose applications are pending with DTC at the time the Commission 
approves the proposed rule change. For existing DTC Participants and 
Pledgees, DTC would provide notice of the due date to submit a 
Cybersecurity Confirmation, not later than 180 days prior to the due 
date. Finally, DTC would provide such notice to its Participants and 
Pledgees at least every two years going forward.

III. Discussion and Commission Findings

    Section 19(b)(2)(C) of the Act \21\ directs the Commission to 
approve a proposed rule change of a self-regulatory organization if it 
finds that such proposed rule change is consistent with the 
requirements of the Act and rules and regulations thereunder applicable 
to such organization. After carefully considering the proposed rule 
change, the Commission finds that the proposed rule change is 
consistent with the requirements of the Act and the rules and 
regulations thereunder applicable to DTC. In particular, the Commission 
finds that the proposed rule change is consistent with Section 
17A(b)(3)(F) of the Act,\22\ and Rules 17Ad-22(e)(17)(i) and 
(e)(17)(ii) promulgated under the Act,\23\ for the reasons described 
below.
---------------------------------------------------------------------------

    \21\ 15 U.S.C. 78s(b)(2)(C).
    \22\ 15 U.S.C. 78q-1(b)(3)(F).
    \23\ 17 CFR 240.17Ad-22(e)(17)(i) and (e)(17)(ii).
---------------------------------------------------------------------------

A. Consistency With Section 17A(b)(3)(F) of the Act

    Section 17A(b)(3)(F) of the Act requires that the rules of a 
clearing agency be designed to, among other things, promote the prompt 
and accurate clearance and settlement of securities transactions and 
assure the safeguarding of securities and funds which are in the 
custody or control of the clearing agency or for which it is 
responsible.\24\
---------------------------------------------------------------------------

    \24\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------

    As described above, DTC proposes to require its Participants, 
Pledgees, and Applicants to submit a Cybersecurity Confirmation, 
confirming the existence and nature of their cybersecurity programs. 
The Cybersecurity Confirmations should provide DTC with useful 
information regarding the cybersecurity programs of the 
submitting entities. By conditioning an entity's connectivity to DTC 
via the SMART network or other means on the submission of a 
Cybersecurity Confirmation, DTC should be better enabled to reduce the 
cyber risks of electronically connecting to entities that have not 
confirmed the existence and nature of their cybersecurity programs. 
Accordingly, the proposed Cybersecurity Confirmation requirement should 
provide DTC with information to better identify its exposure to cyber 
risks and to take steps to mitigate those risks.
    If not adequately addressed, the risk of cyberattacks and other 
cyber vulnerabilities could affect DTC's network and DTC's ability to 
clear and settle securities transactions, or to safeguard the 
securities and funds which are in DTC's custody or control, or for 
which it is responsible. The proposed Cybersecurity Confirmation 
requirement is a tool designed to address those risks as described 
above. Therefore, the Commission finds the proposed Cybersecurity 
Confirmation requirement would promote the prompt and accurate 
clearance and settlement of securities transactions and assure the 
safeguarding of securities and funds which are in the custody or 
control of DTC or for which it is responsible, consistent with the 
requirements of Section 17A(b)(3)(F) of the Act.\25\
---------------------------------------------------------------------------

    \25\ Id.
---------------------------------------------------------------------------

B. Consistency With Rule 17Ad-22(e)(17)(i) Under the Act

    Rule 17Ad-22(e)(17)(i) under the Act requires that each covered 
clearing agency establish, implement, maintain and enforce written 
policies and procedures reasonably designed to manage the covered 
clearing agency's operational risks by identifying the plausible 
sources of operational risk, both internal and external, and mitigating 
their impact through the use of appropriate systems, policies, 
procedures, and controls.\26\ DTC's operational risks include 
protecting its electronic systems from cyber risks.
---------------------------------------------------------------------------

    \26\ 17 CFR 240.17Ad-22(e)(17)(i).
---------------------------------------------------------------------------

    As described above, entities connect electronically to DTC via the 
SMART network or other means. The proposed Cybersecurity Confirmation 
requirement should reduce cyber risks to DTC by requiring Participants, 
Pledgees, and Applicants to confirm that they have defined and maintain 
cybersecurity programs and frameworks that meet standard industry best 
practices and guidelines. The representations in each submitting 
entity's Cybersecurity Confirmation would provide information that 
should help DTC to mitigate its exposure to cyber risks, and thereby 
decrease the operational risks presented to DTC by its connections to 
such entities. Thus, the proposed Cybersecurity Confirmations should 
enable DTC to better identify potential sources of external operational 
risks and mitigate the possible impacts of those risks. Because the 
proposed changes would help DTC identify and mitigate plausible sources 
of external operational risk, the Commission finds the proposed changes 
are consistent with the requirements of Rule 17Ad-22(e)(17)(i) under 
the Act.\27\
---------------------------------------------------------------------------

    \27\ Id.
---------------------------------------------------------------------------

C. Consistency With Rule 17Ad-22(e)(17)(ii) Under the Act

    Rule 17Ad-22(e)(17)(ii) under the Act requires that each covered 
clearing agency establish, implement, maintain and enforce written 
policies and procedures reasonably designed to manage the covered 
clearing agency's operational risks by ensuring, in part, that systems 
have a high degree of security, resiliency, and operational 
reliability.\28\ As noted above, DTC's operational risks include 
protecting its electronic systems from cyber risks.
---------------------------------------------------------------------------

    \28\ 17 CFR 240.17Ad-22(e)(17)(ii).
---------------------------------------------------------------------------

    Although DTC believes that its Participants, Pledgees, and 
Applicants may currently maintain robust cybersecurity programs, DTC 
currently does not require those entities to represent that they 
maintain a cybersecurity program as a condition for connecting to DTC 
via the SMART network or other means. DTC designed the proposed 
Cybersecurity Confirmation requirement to reduce cyber risks by 
requiring its Participants, Pledgees, and Applicants to confirm that 
they have defined and maintain cybersecurity programs and frameworks 
that meet standard industry best practices and guidelines. The 
representations in each submitting entity's Cybersecurity Confirmation 
would provide more security for DTC's SMART network and other systems 
by providing DTC with information designed to help manage its cyber-
related operational risks, which in turn, would enable DTC to take 
steps necessary to strengthen the security of its network to mitigate 
those risks. Since the proposal would enhance DTC's ability to ensure 
that its systems have a high degree of security, resiliency, and 
operational reliability, the Commission finds the proposed changes are 
consistent with the requirements of Rule 17Ad-22(e)(17)(ii) under the 
Act.\29\
---------------------------------------------------------------------------

    \29\ Id.
---------------------------------------------------------------------------

IV. Conclusion

    On the basis of the foregoing, the Commission finds that the 
proposed rule change is consistent with the requirements of the Act 
and, in particular, with the requirements of Section 17A of the Act 
\30\ and the rules and regulations promulgated thereunder.
---------------------------------------------------------------------------

    \30\ 15 U.S.C. 78q-1.
---------------------------------------------------------------------------

    It is therefore ordered, pursuant to Section 19(b)(2) of the Act 
\31\ that proposed rule change SR-DTC-2019-008, be, and hereby is, 
approved.\32\
---------------------------------------------------------------------------

    \31\ 15 U.S.C. 78s(b)(2).
    \32\ In approving the proposed rule change, the Commission 
considered the proposal's impact on efficiency, competition, and 
capital formation. 15 U.S.C. 78c(f).

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\33\
---------------------------------------------------------------------------

    \33\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------

Jill M. Peterson,
Assistant Secretary.
[FR Doc. 2019-26845 Filed 12-12-19; 8:45 am]
BILLING CODE 8011-01-P