Self-Regulatory Organizations; The Options Clearing Corporation; Notice of Partial Amendment No. 1 to Proposed Rule Change by The Options Clearing Corporation Concerning Clearing Member Cybersecurity Obligations, 36351-36353 [2023-11714]
Download as PDF
<![CDATA[
Federal Register / Vol. 88, No. 106 / Friday, June 2, 2023 / Notices
and thereafter allow the Exchange and
its Members additional time to prepare
and test the new ISE functionality.
2. Statutory Basis
The Exchange believes that its
proposal is consistent with section 6(b)
of the Act,8 in general, and furthers the
objectives of section 6(b)(5) of the Act,9
in particular, in that it is designed to
promote just and equitable principles of
trade and to protect investors and the
public interest for the reasons discussed
below. The Exchange proposes to delay
the implementation of the Impacted
Rule Changes, which all relate to ISE’s
upcoming technology migration, to
allow the GEMX migration to
complete 10 and thereafter allow the
Exchange and its Members additional
time to prepare and test the new
functionality. The Exchange believes
that the delay is consistent with the Act
because the additional time will allow
the Exchange to ensure a successful ISE
migration while protecting investors
and the public interest by allowing the
Exchange and Members more time to
prepare and test.
The Exchange notes that the
substance of the impacted rules is not
changing, only the implementation
timeline is changing with this proposal.
B. Self-Regulatory Organization’s
Statement on Burden on Competition
The Exchange does not believe that
the proposed rule change will impose
any burden on competition not
necessary or appropriate in furtherance
of the purposes of the Act. The
Exchange’s proposal to delay the
implementation of the Impacted Rule
Changes does not impose an undue
burden on competition. The proposed
delay will allow the GEMX migration to
complete 11 and thereafter allow the
Exchange and its Members additional
time to prepare and test the new
functionality.
C. Self-Regulatory Organization’s
Statement on Comments on the
Proposed Rule Change Received From
Members, Participants, or Others
No written comments were either
solicited or received.
lotter on DSK11XQN23PROD with NOTICES1
III. Date of Effectiveness of the
Proposed Rule Change and Timing for
Commission Action
Because the foregoing proposed rule
change does not: (i) significantly affect
the protection of investors or the public
8 15
U.S.C. 78f(b).
U.S.C. 78f(b)(5).
10 See note 7.
11 See note 7.
9 15
VerDate Sep<11>2014
17:34 Jun 01, 2023
Jkt 259001
interest; (ii) impose any significant
burden on competition; and (iii) become
operative for 30 days from the date on
which it was filed, or such shorter time
as the Commission may designate, it has
become effective pursuant to section
19(b)(3)(A)(iii) of the Act 12 and
subparagraph (f)(6) of Rule 19b–4
thereunder.13
At any time within 60 days of the
filing of the proposed rule change, the
Commission summarily may
temporarily suspend such rule change if
it appears to the Commission that such
action is necessary or appropriate in the
public interest, for the protection of
investors, or otherwise in furtherance of
the purposes of the Act. If the
Commission takes such action, the
Commission shall institute proceedings
to determine whether the proposed rule
should be approved or disapproved.
IV. Solicitation of Comments
36351
communications relating to the
proposed rule change between the
Commission and any person, other than
those that may be withheld from the
public in accordance with the
provisions of 5 U.S.C. 552, will be
available for website viewing and
printing in the Commission’s Public
Reference Room, 100 F Street NE,
Washington, DC 20549, on official
business days between the hours of
10:00 a.m. and 3:00 p.m. Copies of such
filing also will be available for
inspection and copying at the principal
office of the Exchange. Do not include
personal identifiable information in
submissions; you should submit only
information that you wish to make
available publicly. We may redact in
part or withhold entirely from
publication submitted material that is
obscene or subject to copyright
protection. All submissions should refer
to File Number SR–ISE–2023–10 and
should be submitted on or before June
23, 2023.
Interested persons are invited to
submit written data, views and
arguments concerning the foregoing,
including whether the proposed rule
change is consistent with the Act.
Comments may be submitted by any of
the following methods:
For the Commission, by the Division of
Trading and Markets, pursuant to delegated
authority.14
J. Lynn Taylor,
Assistant Secretary.
Electronic Comments
[FR Doc. 2023–11715 Filed 6–1–23; 8:45 am]
• Use the Commission’s internet
comment form (https://www.sec.gov/
rules/sro.shtml); or
• Send an email to rule-comments@
sec.gov. Please include File Number SR–
ISE–2023–10 on the subject line.
BILLING CODE 8011–01–P
Paper Comments
• Send paper comments in triplicate
to Secretary, Securities and Exchange
Commission, 100 F Street NE,
Washington, DC 20549–1090.
All submissions should refer to File
Number SR–ISE–2023–10. This file
number should be included on the
subject line if email is used. To help the
Commission process and review your
comments more efficiently, please use
only one method. The Commission will
post all comments on the Commission’s
internet website (https://www.sec.gov/
rules/sro.shtml). Copies of the
submission, all subsequent
amendments, all written statements
with respect to the proposed rule
change that are filed with the
Commission, and all written
12 15
U.S.C. 78s(b)(3)(A)(iii).
CFR 240.19b–4(f)(6). In addition, Rule 19b–
4(f)(6) requires a self-regulatory organization to give
the Commission written notice of its intent to file
the proposed rule change at least five business days
prior to the date of filing of the proposed rule
change, or such shorter time as designated by the
Commission. The Exchange has satisfied this
requirement.
13 17
PO 00000
Frm 00080
Fmt 4703
Sfmt 4703
SECURITIES AND EXCHANGE
COMMISSION
[Release No. 34–97602; File No. SR–OCC–
2023–003]
Self-Regulatory Organizations; The
Options Clearing Corporation; Notice
of Partial Amendment No. 1 to
Proposed Rule Change by The Options
Clearing Corporation Concerning
Clearing Member Cybersecurity
Obligations
May 26, 2023.
On March 21, 2023, the Options
Clearing Corporation (‘‘OCC’’) filed with
the Securities and Exchange
Commission (‘‘Commission’’) the
proposed rule change SR–OCC–2023–
003 pursuant to Section 19(b) of the
Securities Exchange Act of 1934
(‘‘Exchange Act’’) 1 and Rule 19b–4 2
thereunder to amend certain provisions
in OCC’s Rules relating to Clearing
Member cybersecurity obligations to
address the occurrence of a cyberrelated disruption or intrusion of a
Clearing Member (‘‘Security Incident’’).
The proposed rule change was
published for public comment in the
14 17
CFR 200.30–3(a)(12).
U.S.C. 78s(b)(1).
2 17 CFR 240.19b–4.
1 15
E:\FR\FM\02JNN1.SGM
02JNN1
36352
Federal Register / Vol. 88, No. 106 / Friday, June 2, 2023 / Notices
Federal Register on April 5, 2023.3 The
Commission has received comments
regarding the proposal described in the
proposed rule change.4 On May 24,
2023, OCC filed Partial Amendment No.
1 to the proposed rule change. Pursuant
to Section 19(b)(1) of the Act 5 and Rule
19b–4 thereunder,6 the Commission is
publishing notice of this Partial
Amendment No.1 to the proposed rule
change as described in Item I below,
which has been prepared primarily by
OCC. The Commission is publishing
this notice to solicit comment on Partial
Amendment No. 1 from interested
persons.
I. Clearing Agency’s Statement of the
Terms of Substance of the Proposed
Rule Change Partial Amendment No. 1
The Options Clearing Corporation
(‘‘OCC’’) hereby submits this partial
amendment, constituting Amendment
No. 1 [sic], to its proposed rule change
SR–OCC–2023–003 (the ‘‘Initial
Filing’’), in which OCC proposed new
sections (d) and (e) to existing Rule 219,
which Rule subsequently was
renumbered to Rule 213. The Proposal
requires Clearing Members to notify
OCC about the occurrence of a ‘‘Security
Incident’’, and in the event of a
disconnection from OCC, obligates the
Clearing Member to provide an
attestation to OCC before reconnecting.
OCC intends to amend Proposed Rules
213(d) and 213(e) to clarify the
definition of the term ‘‘Security
Incident’’, the threshold conditions for
disconnection of a Clearing Member,
and the process for a Clearing Member’s
reconnection.
As originally proposed in the Initial
Filing, Proposed Rules 213(d) and
213(e) are as follows:
lotter on DSK11XQN23PROD with NOTICES1
(d) Occurrence of a Security Incident. A
Clearing Member must notify the Corporation
immediately, and shall promptly confirm
such notice in writing, if there has been an
incident, or an incident is occurring,
involving a cyber-related disruption or
intrusion of the Clearing Member, including,
but not limited to, any disruption or
degradation of the normal operation of the
Clearing Member’s systems or any
unauthorized entry into the Clearing
Member’s systems (‘‘Security Incident’’).
Upon such notice, or if the Corporation has
a reasonable basis to believe that a Security
Incident has occurred, or is occurring, the
Corporation may take actions reasonably
necessary to mitigate any effects to its
3 Securities Exchange Act Release No. 97225
(Mar. 30, 2023), 88 FR 20195 (Apr. 5, 2023) (File
No. SR–OCC–2023–003).
4 Comments on the proposed rule change are
available at https://www.sec.gov/comments/sr-occ2023-003/srocc2023003.htm.
5 15 U.S.C. 78s(b)(1)
6 17 CFR 240.19b–4.
VerDate Sep<11>2014
17:34 Jun 01, 2023
Jkt 259001
operations, including the right to disconnect
access, or to modify the scope and
specifications of access, of the Clearing
Member to the Corporation’s information and
data systems.
(e) Procedures for Connecting Following a
Security Incident. After a Clearing Member
reports a Security Incident, upon the request
of the Corporation, the Clearing Member
must complete and submit a form that
describes the Security Incident and includes
required representations as determined by
the Corporation (‘‘Reconnection Attestation’’)
and an associated checklist that describes
remediation efforts and provides required
information as determined by the
Corporation (‘‘Reconnection Checklist’’), both
as provided by the Corporation from time to
time.
OCC is submitting this partial
amendment in response to comments
received on the scope of the proposed
definition of ‘‘Security Incident’’ and
potential conflicts with other existing
and proposed Securities and Exchange
Commission (‘‘SEC’’) rules.
Accordingly, OCC has determined to
clarify what constitutes a Security
Incident for purposes of new Rule
213(d). Such clarification would specify
that only occurrences that have an
impact on OCC’s system(s) and/or
operations are considered a Security
Incident. In addition, OCC proposes to
clarify that a Clearing Member must
notify OCC if the Clearing Member
becomes aware or should be aware that
such incident has occurred or is
occurring.
OCC also is submitting this partial
amendment in response to comments
about (i) the requirement that Clearing
Members provide immediate notice of a
Security Incident to OCC, (ii) the
standards OCC would apply when
determining whether to disconnect a
Clearing Member from OCC, and (iii) the
process for reconnection following a
Security Incident that results in
disconnection.
As a systemically important financial
market utility, and the sole clearing
agency providing clearing services for
listed options in the U.S., it is vital that
OCC’s clearing systems remain
functional and unaffected by Security
Incidents. Any risk or threat to OCC’s
system(s) or operations could have a
severe impact on the listed options
markets. Therefore, time is of the
essence with respect to any notification
by a Clearing Member of the occurrence
of a Security Incident. OCC intends to
provide a dedicated OCC email address
directly to Clearing Members for use in
notifying OCC of a Security Incident,
but without specifying the form of the
notice. Accordingly, a Clearing Member
can share information they believe is
relevant, and OCC can follow up
PO 00000
Frm 00081
Fmt 4703
Sfmt 4703
directly with the affected Clearing
Member as needed.
Because of the innumerable
circumstances that could lead to a
Security Incident, OCC’s determination
to disconnect a Clearing Member will be
based on the facts and circumstances
related to any specific Security Incident.
Accordingly, OCC may consider any one
or more of the following in determining
whether or not to disconnect a member:
the potential loss of control by a
Clearing Member of its internal
system(s), the potential loss of OCC’s
confidential data, the potential strain on
or loss of OCC’s resources due to OCC’s
inability to perform clearance and
settlement functions, and the overall
severity of the threat to OCC’s security
and operations. It is OCC’s belief that
not all Security Incident notifications
will result in a Clearing Member
disconnection. Finally, OCC also added
clarification that in the event of a
disconnection, a Clearing Member will
remain responsible for its obligations to
OCC, e.g., a Clearing Member remains
responsible for the payment of margin to
OCC.
With respect to the process for
reconnection following a Security
Incident that results in disconnection,
OCC proposes to clarify that only in the
event OCC disconnects a Clearing
Member will the Clearing Member be
required to complete the Reconnection
Attestation and Reconnection Checklist.
OCC also made additional edits to
clarify the process for reconnection.
The text below reflects the proposed
changes to the originally proposed Rules
213(d) and 213(e) in the Initial Filing.
Italicized text indicates new text, and
bracketed text indicates deleted text.
(d) Occurrence of a Security Incident. A
Clearing Member must notify the Corporation
immediately, and shall promptly confirm
such notice in writing, if the Clearing
Member becomes aware or should be aware
that there has been an incident, or an
incident is occurring, involving a cyberrelated disruption or intrusion of the Clearing
Member’s system(s) that is reasonably likely
to pose an imminent risk or threat to the
Corporation’s operations. Such occurrence
may include, but is not limited to [including,
but not limited to], any disruption or
degradation of the normal operation of the
Clearing Member’s system(s) or any
unauthorized entry into the Clearing
Member’s system(s) that would result in loss
of the Corporation’s data or system integrity,
unauthorized disclosure of sensitive
information related to the Corporation, or the
inability of the Corporation to conduct
essential clearance and settlement functions
(‘‘Security Incident’’). Upon such notice, or if
the Corporation has a reasonable basis to
believe that a Security Incident has occurred,
or is occurring, the Corporation may take
actions reasonably necessary to mitigate any
E:\FR\FM\02JNN1.SGM
02JNN1
Federal Register / Vol. 88, No. 106 / Friday, June 2, 2023 / Notices
effects to its operations, including the right
to disconnect access, or to modify the scope
and specifications of access, of the Clearing
Member to the Corporation’s information and
data systems. In determining whether to
disconnect a Clearing Member, the
Corporation will evaluate the facts and
circumstances related to the Security
Incident. The Corporation may take into
consideration a number of factors, including,
but not limited to, the potential loss of
control by a Clearing Member of its internal
system(s), the potential loss of the
Corporation’s confidential data, the potential
strain on or loss of the Corporation’s
resources due to the Corporation’s inability
to perform clearance and settlement
functions, and the overall severity of the
threat to the security and operations of the
Corporation. If the Corporation determines
that disconnection of a Clearing Member is
necessary, the Clearing Member must
continue to meet its obligations to the
Corporation, notwithstanding disconnection
from the Corporation’s systems.
(e) Procedures for Connecting Following a
Security Incident that Results in
Disconnection. [After a Clearing Member
reports a Security Incident] In the event OCC
disconnects a Clearing Member that has
reported a Security Incident, upon the
request of the Corporation, the Clearing
Member must complete and submit a form as
provided by the Corporation that describes
the Security Incident and includes required
representations [as determined by the
Corporation] (‘‘Reconnection Attestation’’).
The Clearing Member also will be required to
complete [and] an associated checklist as
provided by the Corporation that describes
remediation efforts [and provides required
information as determined by the
Corporation] (‘‘Reconnection Checklist’’)[,
both as provided by the Corporation from
time to time].
The partial amendment would not
change the purpose of, or statutory basis
for the proposed rule change. All other
representations in the Initial Filing
remain as stated therein and no other
changes are being made.
lotter on DSK11XQN23PROD with NOTICES1
II. Solicitation of Comments
Interested persons are invited to
submit written data, views and
arguments concerning the foregoing,
including whether the proposed rule
change is consistent with the Exchange
Act. Comments may be submitted by
any of the following methods:
Electronic Comments
• Use the Commission’s internet
comment form (https://www.sec.gov/
rules/sro.shtml); or
• Send an email to rule-comments@
sec.gov. Please include File Number SR–
OCC–2023–003 on the subject line.
Paper Comments
• Send paper comments in triplicate
to Vanessa Countryman, Secretary,
Securities and Exchange Commission,
VerDate Sep<11>2014
17:34 Jun 01, 2023
Jkt 259001
100 F Street NE, Washington, DC
20549–1090.
All submissions should refer to File
Number SR–OCC–2023–003. This file
number should be included on the
subject line if email is used. To help the
Commission process and review your
comments more efficiently, please use
only one method. The Commission will
post all comments on the Commission’s
internet website (https://www.sec.gov/
rules/sro.shtml). Copies of the
submission, all subsequent
amendments, all written statements
with respect to the proposed rule
change that are filed with the
Commission, and all written
communications relating to the
proposed rule change between the
Commission and any person, other than
those that may be withheld from the
public in accordance with the
provisions of 5 U.S.C. 552, will be
available for website viewing and
printing in the Commission’s Public
Reference Room, 100 F Street NE,
Washington, DC 20549, on official
business days between the hours of
10:00 a.m. and 3:00 p.m. Copies of such
filing also will be available for
inspection and copying at the principal
office of OCC and on OCC’s website at
https://www.theocc.com/CompanyInformation/Documents-and-Archives/
By-Laws-and-Rules.
Do not include personal identifiable
information in submissions; you should
submit only information that you wish
to make available publicly. We may
redact in part or withhold entirely from
publication submitted material that is
obscene or subject to copyright
protection.
All submissions should refer to File
Number SR–OCC–2023–003 and should
be submitted on or before June 23, 2023.
For the Commission, by the Division of
Trading and Markets, pursuant to delegated
authority.7
J. Lynn Taylor,
Assistant Secretary.
[FR Doc. 2023–11714 Filed 6–1–23; 8:45 am]
BILLING CODE 8011–01–P
36353
Notice of applications for
deregistration under section 8(f) of the
Investment Company Act of 1940.
ACTION:
The following is a notice of
applications for deregistration under
section 8(f) of the Investment Company
Act of 1940 for the month of May 2023.
A copy of each application may be
obtained via the Commission’s website
by searching for the applicable file
number listed below, or for an applicant
using the Company name search field,
on the SEC’s EDGAR system. The SEC’s
EDGAR system may be searched at
https://www.sec.gov/edgar/searchedgar/
legacy/companysearch.html. You may
also call the SEC’s Public Reference
Room at (202) 551–8090. An order
granting each application will be issued
unless the SEC orders a hearing.
Interested persons may request a
hearing on any application by emailing
the SEC’s Secretary at SecretarysOffice@sec.gov and serving the relevant
applicant with a copy of the request by
email, if an email address is listed for
the relevant applicant below, or
personally or by mail, if a physical
address is listed for the relevant
applicant below. Hearing requests
should be received by the SEC by 5:30
p.m. on June 20, 2023, and should be
accompanied by proof of service on
applicants, in the form of an affidavit or,
for lawyers, a certificate of service.
Pursuant to Rule 0–5 under the Act,
hearing requests should state the nature
of the writer’s interest, any facts bearing
upon the desirability of a hearing on the
matter, the reason for the request, and
the issues contested. Persons who wish
to be notified of a hearing may request
notification by writing to the
Commission’s Secretary at SecretarysOffice@sec.gov.
ADDRESSES: The Commission:
Secretarys-Office@sec.gov.
FOR FURTHER INFORMATION CONTACT:
Shawn Davis, Assistant Director, at
(202) 551–6413 or Chief Counsel’s
Office at (202) 551–6821; SEC, Division
of Investment Management, Chief
Counsel’s Office, 100 F Street NE,
Washington, DC 20549–8010.
SECURITIES AND EXCHANGE
COMMISSION
Clough Funds Trust [File No. 811–
23059]
[Investment Company Act Release No.
34931]
Summary: Applicant seeks an order
declaring that it has ceased to be an
investment company. On April 24,
2023, applicant made a liquidating
distribution to its shareholders based on
net asset value. Expenses of $89,867.03
incurred in connection with the
liquidation were paid by the applicant’s
investment adviser. Applicant also has
retained $101,347.27 for the purpose of
Deregistration Under Section 8(f) of the
Investment Company Act of 1940
May 26, 2023.
Securities and Exchange
Commission (‘‘Commission’’ or ‘‘SEC’’).
AGENCY:
7 17
PO 00000
CFR 200.30–3(a)(31).
Frm 00082
Fmt 4703
Sfmt 4703
E:\FR\FM\02JNN1.SGM
02JNN1
]]>Agencies
[Federal Register Volume 88, Number 106 (Friday, June 2, 2023)]
[Notices]
[Pages 36351-36353]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-11714]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-97602; File No. SR-OCC-2023-003]
Self-Regulatory Organizations; The Options Clearing Corporation;
Notice of Partial Amendment No. 1 to Proposed Rule Change by The
Options Clearing Corporation Concerning Clearing Member Cybersecurity
Obligations
May 26, 2023.
On March 21, 2023, the Options Clearing Corporation (``OCC'') filed
with the Securities and Exchange Commission (``Commission'') the
proposed rule change SR-OCC-2023-003 pursuant to Section 19(b) of the
Securities Exchange Act of 1934 (``Exchange Act'') \1\ and Rule 19b-4
\2\ thereunder to amend certain provisions in OCC's Rules relating to
Clearing Member cybersecurity obligations to address the occurrence of
a cyber-related disruption or intrusion of a Clearing Member
(``Security Incident''). The proposed rule change was published for
public comment in the
[[Page 36352]]
Federal Register on April 5, 2023.\3\ The Commission has received
comments regarding the proposal described in the proposed rule
change.\4\ On May 24, 2023, OCC filed Partial Amendment No. 1 to the
proposed rule change. Pursuant to Section 19(b)(1) of the Act \5\ and
Rule 19b-4 thereunder,\6\ the Commission is publishing notice of this
Partial Amendment No.1 to the proposed rule change as described in Item
I below, which has been prepared primarily by OCC. The Commission is
publishing this notice to solicit comment on Partial Amendment No. 1
from interested persons.
---------------------------------------------------------------------------
\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b-4.
\3\ Securities Exchange Act Release No. 97225 (Mar. 30, 2023),
88 FR 20195 (Apr. 5, 2023) (File No. SR-OCC-2023-003).
\4\ Comments on the proposed rule change are available at
https://www.sec.gov/comments/sr-occ-2023-003/srocc2023003.htm.
\5\ 15 U.S.C. 78s(b)(1)
\6\ 17 CFR 240.19b-4.
---------------------------------------------------------------------------
I. Clearing Agency's Statement of the Terms of Substance of the
Proposed Rule Change Partial Amendment No. 1
The Options Clearing Corporation (``OCC'') hereby submits this
partial amendment, constituting Amendment No. 1 [sic], to its proposed
rule change SR-OCC-2023-003 (the ``Initial Filing''), in which OCC
proposed new sections (d) and (e) to existing Rule 219, which Rule
subsequently was renumbered to Rule 213. The Proposal requires Clearing
Members to notify OCC about the occurrence of a ``Security Incident'',
and in the event of a disconnection from OCC, obligates the Clearing
Member to provide an attestation to OCC before reconnecting. OCC
intends to amend Proposed Rules 213(d) and 213(e) to clarify the
definition of the term ``Security Incident'', the threshold conditions
for disconnection of a Clearing Member, and the process for a Clearing
Member's reconnection.
As originally proposed in the Initial Filing, Proposed Rules 213(d)
and 213(e) are as follows:
(d) Occurrence of a Security Incident. A Clearing Member must
notify the Corporation immediately, and shall promptly confirm such
notice in writing, if there has been an incident, or an incident is
occurring, involving a cyber-related disruption or intrusion of the
Clearing Member, including, but not limited to, any disruption or
degradation of the normal operation of the Clearing Member's systems
or any unauthorized entry into the Clearing Member's systems
(``Security Incident''). Upon such notice, or if the Corporation has
a reasonable basis to believe that a Security Incident has occurred,
or is occurring, the Corporation may take actions reasonably
necessary to mitigate any effects to its operations, including the
right to disconnect access, or to modify the scope and
specifications of access, of the Clearing Member to the
Corporation's information and data systems.
(e) Procedures for Connecting Following a Security Incident.
After a Clearing Member reports a Security Incident, upon the
request of the Corporation, the Clearing Member must complete and
submit a form that describes the Security Incident and includes
required representations as determined by the Corporation
(``Reconnection Attestation'') and an associated checklist that
describes remediation efforts and provides required information as
determined by the Corporation (``Reconnection Checklist''), both as
provided by the Corporation from time to time.
OCC is submitting this partial amendment in response to comments
received on the scope of the proposed definition of ``Security
Incident'' and potential conflicts with other existing and proposed
Securities and Exchange Commission (``SEC'') rules. Accordingly, OCC
has determined to clarify what constitutes a Security Incident for
purposes of new Rule 213(d). Such clarification would specify that only
occurrences that have an impact on OCC's system(s) and/or operations
are considered a Security Incident. In addition, OCC proposes to
clarify that a Clearing Member must notify OCC if the Clearing Member
becomes aware or should be aware that such incident has occurred or is
occurring.
OCC also is submitting this partial amendment in response to
comments about (i) the requirement that Clearing Members provide
immediate notice of a Security Incident to OCC, (ii) the standards OCC
would apply when determining whether to disconnect a Clearing Member
from OCC, and (iii) the process for reconnection following a Security
Incident that results in disconnection.
As a systemically important financial market utility, and the sole
clearing agency providing clearing services for listed options in the
U.S., it is vital that OCC's clearing systems remain functional and
unaffected by Security Incidents. Any risk or threat to OCC's system(s)
or operations could have a severe impact on the listed options markets.
Therefore, time is of the essence with respect to any notification by a
Clearing Member of the occurrence of a Security Incident. OCC intends
to provide a dedicated OCC email address directly to Clearing Members
for use in notifying OCC of a Security Incident, but without specifying
the form of the notice. Accordingly, a Clearing Member can share
information they believe is relevant, and OCC can follow up directly
with the affected Clearing Member as needed.
Because of the innumerable circumstances that could lead to a
Security Incident, OCC's determination to disconnect a Clearing Member
will be based on the facts and circumstances related to any specific
Security Incident. Accordingly, OCC may consider any one or more of the
following in determining whether or not to disconnect a member: the
potential loss of control by a Clearing Member of its internal
system(s), the potential loss of OCC's confidential data, the potential
strain on or loss of OCC's resources due to OCC's inability to perform
clearance and settlement functions, and the overall severity of the
threat to OCC's security and operations. It is OCC's belief that not
all Security Incident notifications will result in a Clearing Member
disconnection. Finally, OCC also added clarification that in the event
of a disconnection, a Clearing Member will remain responsible for its
obligations to OCC, e.g., a Clearing Member remains responsible for the
payment of margin to OCC.
With respect to the process for reconnection following a Security
Incident that results in disconnection, OCC proposes to clarify that
only in the event OCC disconnects a Clearing Member will the Clearing
Member be required to complete the Reconnection Attestation and
Reconnection Checklist. OCC also made additional edits to clarify the
process for reconnection.
The text below reflects the proposed changes to the originally
proposed Rules 213(d) and 213(e) in the Initial Filing. Italicized text
indicates new text, and bracketed text indicates deleted text.
(d) Occurrence of a Security Incident. A Clearing Member must
notify the Corporation immediately, and shall promptly confirm such
notice in writing, if the Clearing Member becomes aware or should be
aware that there has been an incident, or an incident is occurring,
involving a cyber-related disruption or intrusion of the Clearing
Member's system(s) that is reasonably likely to pose an imminent
risk or threat to the Corporation's operations. Such occurrence may
include, but is not limited to [including, but not limited to], any
disruption or degradation of the normal operation of the Clearing
Member's system(s) or any unauthorized entry into the Clearing
Member's system(s) that would result in loss of the Corporation's
data or system integrity, unauthorized disclosure of sensitive
information related to the Corporation, or the inability of the
Corporation to conduct essential clearance and settlement functions
(``Security Incident''). Upon such notice, or if the Corporation has
a reasonable basis to believe that a Security Incident has occurred,
or is occurring, the Corporation may take actions reasonably
necessary to mitigate any
[[Page 36353]]
effects to its operations, including the right to disconnect access,
or to modify the scope and specifications of access, of the Clearing
Member to the Corporation's information and data systems. In
determining whether to disconnect a Clearing Member, the Corporation
will evaluate the facts and circumstances related to the Security
Incident. The Corporation may take into consideration a number of
factors, including, but not limited to, the potential loss of
control by a Clearing Member of its internal system(s), the
potential loss of the Corporation's confidential data, the potential
strain on or loss of the Corporation's resources due to the
Corporation's inability to perform clearance and settlement
functions, and the overall severity of the threat to the security
and operations of the Corporation. If the Corporation determines
that disconnection of a Clearing Member is necessary, the Clearing
Member must continue to meet its obligations to the Corporation,
notwithstanding disconnection from the Corporation's systems.
(e) Procedures for Connecting Following a Security Incident that
Results in Disconnection. [After a Clearing Member reports a
Security Incident] In the event OCC disconnects a Clearing Member
that has reported a Security Incident, upon the request of the
Corporation, the Clearing Member must complete and submit a form as
provided by the Corporation that describes the Security Incident and
includes required representations [as determined by the Corporation]
(``Reconnection Attestation''). The Clearing Member also will be
required to complete [and] an associated checklist as provided by
the Corporation that describes remediation efforts [and provides
required information as determined by the Corporation]
(``Reconnection Checklist'')[, both as provided by the Corporation
from time to time].
The partial amendment would not change the purpose of, or statutory
basis for the proposed rule change. All other representations in the
Initial Filing remain as stated therein and no other changes are being
made.
II. Solicitation of Comments
Interested persons are invited to submit written data, views and
arguments concerning the foregoing, including whether the proposed rule
change is consistent with the Exchange Act. Comments may be submitted
by any of the following methods:
Electronic Comments
Use the Commission's internet comment form (https://www.sec.gov/rules/sro.shtml); or
Send an email to [email protected]. Please include
File Number SR-OCC-2023-003 on the subject line.
Paper Comments
Send paper comments in triplicate to Vanessa Countryman,
Secretary, Securities and Exchange Commission, 100 F Street NE,
Washington, DC 20549-1090.
All submissions should refer to File Number SR-OCC-2023-003. This file
number should be included on the subject line if email is used. To help
the Commission process and review your comments more efficiently,
please use only one method. The Commission will post all comments on
the Commission's internet website (https://www.sec.gov/rules/sro.shtml).
Copies of the submission, all subsequent amendments, all written
statements with respect to the proposed rule change that are filed with
the Commission, and all written communications relating to the proposed
rule change between the Commission and any person, other than those
that may be withheld from the public in accordance with the provisions
of 5 U.S.C. 552, will be available for website viewing and printing in
the Commission's Public Reference Room, 100 F Street NE, Washington, DC
20549, on official business days between the hours of 10:00 a.m. and
3:00 p.m. Copies of such filing also will be available for inspection
and copying at the principal office of OCC and on OCC's website at
https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules.
Do not include personal identifiable information in submissions;
you should submit only information that you wish to make available
publicly. We may redact in part or withhold entirely from publication
submitted material that is obscene or subject to copyright protection.
All submissions should refer to File Number SR-OCC-2023-003 and
should be submitted on or before June 23, 2023.
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\7\
---------------------------------------------------------------------------
\7\ 17 CFR 200.30-3(a)(31).
---------------------------------------------------------------------------
J. Lynn Taylor,
Assistant Secretary.
[FR Doc. 2023-11714 Filed 6-1-23; 8:45 am]
BILLING CODE 8011-01-P
