Self-Regulatory Organizations; National Securities Clearing Corporation; Notice of Filing and Extension of Review Period of Advance Notice To Host Certain Core Clearance and Settlement Systems in a Public Cloud, 71991-72009 [2024-19761]
Download as PDF
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
become effective pursuant to Section
19(b)(3)(A)(iii) of the Act 22 and
subparagraph (f)(6) of Rule 19b–4
thereunder.23
At any time within 60 days of the
filing of the proposed rule change, the
Commission summarily may
temporarily suspend such rule change if
it appears to the Commission that such
action is necessary or appropriate in the
public interest, for the protection of
investors, or otherwise in furtherance of
the purposes of the Act. If the
Commission takes such action, the
Commission shall institute proceedings
to determine whether the proposed rule
should be approved or disapproved.
IV. Solicitation of Comments
Interested persons are invited to
submit written data, views and
arguments concerning the foregoing,
including whether the proposed rule
change is consistent with the Act.
Comments may be submitted by any of
the following methods:
Electronic Comments
• Use the Commission’s internet
comment form (https://www.sec.gov/
rules/sro.shtml); or
• Send an email to rule-comments@
sec.gov. Please include file number SR–
NASDAQ–2024–048 on the subject line.
Paper Comments
ddrumheller on DSK120RN23PROD with NOTICES1
• Send paper comments in triplicate
to Secretary, Securities and Exchange
Commission, 100 F Street NE,
Washington, DC 20549–1090.
All submissions should refer to file
number SR–NASDAQ–2024–048. This
file number should be included on the
subject line if email is used. To help the
Commission process and review your
comments more efficiently, please use
only one method. The Commission will
post all comments on the Commission’s
internet website (https://www.sec.gov/
rules/sro.shtml). Copies of the
submission, all subsequent
amendments, all written statements
with respect to the proposed rule
change that are filed with the
Commission, and all written
communications relating to the
proposed rule change between the
Commission and any person, other than
those that may be withheld from the
public in accordance with the
22 15
U.S.C. 78s(b)(3)(A)(iii).
CFR 240.19b–4(f)(6). In addition, Rule 19b–
4(f)(6) requires a self-regulatory organization to give
the Commission written notice of its intent to file
the proposed rule change at least five business days
prior to the date of filing of the proposed rule
change, or such shorter time as designated by the
Commission. The Exchange has satisfied this
requirement.
provisions of 5 U.S.C. 552, will be
available for website viewing and
printing in the Commission’s Public
Reference Room, 100 F Street NE,
Washington, DC 20549, on official
business days between the hours of 10
a.m. and 3 p.m. Copies of the filing also
will be available for inspection and
copying at the principal office of the
Exchange. Do not include personal
identifiable information in submissions;
you should submit only information
that you wish to make available
publicly. We may redact in part or
withhold entirely from publication
submitted material that is obscene or
subject to copyright protection. All
submissions should refer to file number
SR–NASDAQ–2024–048 and should be
submitted on or before September 25,
2024.
For the Commission, by the Division of
Trading and Markets, pursuant to delegated
authority.24
Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2024–19768 Filed 9–3–24; 8:45 am]
BILLING CODE 8011–01–P
SECURITIES AND EXCHANGE
COMMISSION
Sunshine Act Meetings
FEDERAL REGISTER CITATION OF PREVIOUS
ANNOUNCEMENT: Publishing in the FR of
September 3, 2024.
PREVIOUSLY ANNOUNCED TIME AND DATE OF
THE MEETING: Thursday, September 5,
2024, at 2:00 p.m.
The Closed
Meeting scheduled for Thursday,
September 5, 2024, at 2:00 p.m., has
been changed to Thursday, September 5,
2024, at 1:00 p.m.
CHANGES IN THE MEETING:
CONTACT PERSON FOR MORE INFORMATION:
For further information; please contact
Vanessa A. Countryman from the Office
of the Secretary at (202) 551–5400.
(Authority: 5 U.S.C. 552b)
Dated: August 30, 2024.
Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2024–20050 Filed 8–30–24; 4:15 pm]
BILLING CODE 8011–01–P
23 17
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
SECURITIES AND EXCHANGE
COMMISSION
[Release No. 34–100851; File No. SR–
NSCC–2024–801]
Self-Regulatory Organizations;
National Securities Clearing
Corporation; Notice of Filing and
Extension of Review Period of
Advance Notice To Host Certain Core
Clearance and Settlement Systems in a
Public Cloud
August 28, 2024.
Pursuant to Section 806(e)(1) of Title
VIII of the Dodd-Frank Wall Street
Reform and Consumer Protection Act,
entitled Payment, Clearing and
Settlement Supervision Act of 2010
(‘‘Clearing Supervision Act’’) 1 and Rule
19b–4(n)(1)(i) 2 under the Securities
Exchange Act of 1934 (‘‘Act’’),3 notice is
hereby given that on August 14, 2024,
National Securities Clearing Corporation
(‘‘NSCC’’) filed with the Securities and
Exchange Commission (‘‘Commission’’)
an advance notice as described in Items
I, II and III below, which Items have
been prepared primarily by the clearing
agency. The Commission is publishing
this notice to solicit comments on the
advance notice from interested persons
and to extend the review period of the
advance notice.
I. Clearing Agency’s Statement of the
Terms of Substance of the Advance
Notice
NSCC files this advance notice
seeking no objection to host a specified
set of core clearance, settlement, and
risk applications, including any
Regulation Systems Compliance and
Integrity (‘‘Reg. SCI’’) systems and
Critical SCI systems,4 (‘‘Core C&S
Systems’’) on an on-demand network of
configurable information technology
resources running on a public cloud
infrastructure (‘‘Cloud’’ or ‘‘Cloud
Infrastructure’’) hosted by a single,
third-party service provider (‘‘Cloud
Service Provider’’ or ‘‘CSP’’) (altogether,
the ‘‘Cloud Proposal’’), as described in
greater detail below.
II. Clearing Agency’s Statement of the
Purpose of, and Statutory Basis for, the
Advance Notice
In its filing with the Commission, the
clearing agency included statements
concerning the purpose of and basis for
the advance notice and discussed any
comments it received on the advance
notice. The text of these statements may
1 12
U.S.C. 5465(e)(1).
CFR 240.19b–4(n)(1)(i).
3 15 U.S.C. 78a et seq.
4 17 CFR 242.1000 et seq.
2 17
24 17
PO 00000
CFR 200.30–3(a)(12).
Frm 00114
Fmt 4703
Sfmt 4703
71991
E:\FR\FM\04SEN1.SGM
04SEN1
71992
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
be examined at the places specified in
Item IV below. The clearing agency has
prepared summaries, set forth in
sections A and B below, of the most
significant aspects of such statements.
(A) Clearing Agency’s Statement on
Comments on the Advance Notice
Received From Members, Participants or
Others
NSCC has not received or solicited
any written comments relating to this
proposal. If any written comments are
received, NSCC will amend this filing to
publicly file such comments as an
Exhibit 2 to this filing, as required by
Form 19b–4 and the General
Instructions thereto.
Persons submitting written comments
are cautioned that, according to Section
IV (Solicitation of Comments) of the
Exhibit 1A in the General Instructions to
Form 19b–4, the Securities and
Exchange Commission (‘‘Commission’’)
does not edit personal identifying
information from comment submissions.
Commenters should submit only
information that they wish to make
available publicly, including their
name, email address, and any other
identifying information.
All prospective commenters should
follow the Commission’s instructions on
How to Submit Comments, available at
www.sec.gov/regulatory-actions/how-tosubmitcomments. General questions
regarding the rule filing process or
logistical questions regarding this filing
should be directed to the Main Office of
the Commission’s Division of Trading
and Markets at tradingandmarkets@
sec.gov or 202–551–5777.
NSCC reserves the right to not
respond to any comments received.
ddrumheller on DSK120RN23PROD with NOTICES1
(B) Advance Notices Filed Pursuant to
Section 806(e) of the Clearing, and
Settlement Supervision Act
I. Description of the Proposal
Pursuant to the Clearing Supervision
Act and Rule 19b–4(n)(1)(i) under the
Exchange Act,5 NSCC files this advance
notice seeking no objection to the Cloud
Proposal, as described herein.
The specified set of Core C&S Systems
that the Clearing Agencies intend to
host in the Cloud, and the transition
schedule for such hosting, are listed in
Exhibit 3 to this advance notice filing.6
However, the Clearing Agencies
recognize that it may become necessary
5 17
CFR 240.19b–4(n)(1)(i).
Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the proposed transition
schedule (i.e., the Core C&S Systems to Move to
Cloud). The Clearing Agencies have provided this
schedule in confidential Exhibit 3 to this advance
notice filing.
6 The
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
to deviate from the proposed transition
schedule as risks change over time and
the proposed implementation would
occur over several years. The Clearing
Agencies’ process for monitoring,
assessing, and escalating such risks,
which may result in a deviation, is
described in Section I.D, below. If the
Clearing Agencies would need to
deviate from that schedule, they would
provide Commission staff notice of such
deviation, the reason for the deviation,
and how the implementation schedule
would be updated to account for the
deviation. Further, the Clearing
Agencies recognize that deviating from
the proposed transition schedule would
necessitate a separate analysis to
determine whether such deviation could
materially affect the nature or level of
risk posed by each of the Clearing
Agencies.
NSCC’s two affiliate clearing agencies,
Fixed Income Clearing Corporation
(‘‘FICC’’) and The Depository Trust
Company (‘‘DTC’’ and together with
NSCC and FICC, the ‘‘Clearing
Agencies’’) 7 have each filed with the
Commission advance notices to adopt
the same Cloud Proposal. Accordingly,
each respective advance notice filing is
written from the perspective of the
Clearing Agencies, collectively, instead
of NSCC, FICC, and DTC individually.8
A. The Current System and Summary of
Proposed Change
Today, the Clearing Agencies’ Core
C&S Systems are hosted using
Compute,9 Storage and Networking, as
defined below, running in private data
centers (i.e., on-premises). The current
data-center footprint consists of a single
data center in each of two regions. Each
regional data center has a corresponding
data bunker used for synchronous data
protection and restoration.10
The Clearing Agencies view the
proposed transition to using a Cloud
Infrastructure to host the specified set of
Core C&S Systems as a natural
progression of the Clearing Agencies’
information technology strategy that
7 The Clearing Agencies are each a subsidiary of
The Depository Trust & Clearing Corporation
(‘‘DTCC’’). DTCC operates on a shared service
model with respect to the Clearing Agencies. Most
corporate functions are established and managed on
an enterprise-wide basis pursuant to intercompany
agreements under which it is generally DTCC that
provides relevant services to the Clearing Agencies.
8 Capitalized terms not otherwise defined herein
have the meaning as set forth in respective rules of
the Clearing Agencies, available at https://
www.dtcc.com/legal/rules-and-procedures.
9 The existing Compute platform consists of both
on-premises mainframe and private cloud
platforms.
10 Note: The data bunkers cannot run
applications, as they are only for data protection
and restoration.
PO 00000
Frm 00115
Fmt 4703
Sfmt 4703
aligns with their overall corporate
strategy—to deliver on modernization
and maximize the value of their
platforms for stakeholders and continue
to invest in risk management excellence.
For over 11 years, the Clearing
Agencies have honed their expertise in
operating non-Core C&S Systems within
the Cloud.11 Throughout that time, the
Clearing Agencies have continually
refined their capabilities across
technical, risk, legal, and compliance
dimensions, in tandem with the Cloud’s
own evolution and the industry’s
increasing adoption of it. Given this
extensive maturity and development
over the past decade, the Clearing
Agencies believe that hosting Core C&S
Systems in the Cloud, via a single CSP,
is now appropriate and essential. By
consolidating resources under a single
CSP, the Clearing Agencies can optimize
efficiency, reduce costs, mitigate risks,
and maintain a cohesive environment
for seamless collaboration and
operation.
As described in greater detail in this
advance notice, the Clearing Agencies
propose to provision, within a single
CSP, logically segregated sections of the
Cloud Infrastructure that would provide
the Clearing Agencies with the virtual
equivalent of physical data center
resources, including scalable resources
that can (i) handle various
computationally intensive applications
with load-balancing and resource
management (‘‘Compute’’); (ii) provide
configurable storage (‘‘Storage’’); and
(iii) provide network resources and
services (‘‘Network’’). These resources
would be logically segregated from other
customers of the CSP. The Clearing
Agencies would leverage the CSP’s IaaS
(i.e., infrastructure as a service) and
PaaS (i.e., platform as a service) services
for building and running Core C&S
Systems.
The Clearing Agencies do not propose
to transition all Core C&S Systems
entirely out of their regional data
centers at this time, but rather, to host
a specified set of Core C&S Systems in
11 Some of the non-Core C&S Systems already
operating in Cloud include systems that support
risk analysis, various reporting engines, and shared
infrastructure capabilities. More specifically, for
risk analysis, there are applications for certain risk
testing and calculations used to assess industry risk
postures for various Clearing Agency clients, as
well as warehousing large sets of risk data for
quantitative analytics. For the various report
engines, there are applications that provide publicly
disseminatable data sets and documentation,
certificate imaging, as well as certain archival
storage capabilities. For shared infrastructure
capabilities, there are applications that support the
Clearing Agencies’ engineering and development
departments for dev-op capabilities such as code
scanning, code repositories, and infrastructure-ascode deployment pipelines.
E:\FR\FM\04SEN1.SGM
04SEN1
ddrumheller on DSK120RN23PROD with NOTICES1
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
a Cloud Infrastructure while
maintaining the remaining applications
in the Clearing Agencies’ regional data
centers for the near term. The proposed
transition would be achieved
incrementally over a course of several
years and would result in the Clearing
Agencies hosting some Core C&S
Systems on-premises and others in a
Cloud Infrastructure.12
This phased approach to transitioning
to Cloud is to reduce risk. The Clearing
Agencies believe that a ‘‘big-bang’’
approach of moving all applications at
once introduces significant execution
risk, primarily driven by the sheer scale
and scope of such an effort. Moreover,
many clearance and settlement
applications on the Clearing Agencies’
mainframe are still tightly coupled
together. Even after such applications
are modernized, many could experience
latency dependencies with other
applications that have not yet been
modernized, hence the need to keep
some applications in the Clearing
Agencies’ existing data centers for the
near term. However, applications with
little to no coupling, particularly those
applications that have already been
modernized, are ripe for Cloud
transition and the subject of this Cloud
Proposal. As for the remaining clearance
and settlement applications that are not
part of this proposal and would
continue to be hosted on-premises, the
Clearing Agencies have not thoroughly
assessed when those applications would
transition to Cloud, which may take
several years, or whether such transition
would be the subject of a later, separate
advance notice proposal.
Integration between on-premises and
Cloud-based Core C&S Systems would,
as it is for non-Core C&S Systems that
are already hosted in private and public
cloud, leverage existing patterns and
processes. The primary methods of
application integration are application
program interfaces (a/k/a APIs),
messaging queues (a/k/a MQ
messaging), and file transfer. All three
are used to integrate internal and client
applications, and all three methods
provide interoperability between
applications running on mainframe,
private cloud, and public cloud.
For these reasons, the Clearing
Agencies strongly believe that the
phased approach enables the Clearing
Agencies to best approach the transition
to Cloud, safely and confidently.
12 A result of the Cloud Proposal would be that
the Clearing Agencies would operate Reg. SCI and
Critical SCI systems both on-premises and on a
Cloud Infrastructure.
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
B. Why Use Cloud
The Clearing Agencies believe there
are very strong and compelling reasons
to use Cloud as part of their diverse,
platform strategy, including, as
discussed below, the waning of the onpremises industry, improved resilience,
expanded security capabilities, and
increased scalability.
1. Waning On-Premises Industry
Although on-premises mainframes
have been a stalwart for hosting critical
applications for many years, it is the
Clearing Agencies’ experience that
industry investment and development
in on-premises platforms is waning, and
the ability to source skilled and
experienced staff to operate such
platforms is increasingly challenging.
Meanwhile, vendor consolidations are
beginning to negatively affect
investment and innovation in the
private cloud space.13 As investment
dollars are increasingly allocated to
Cloud, vendor choice, innovation, and
support will continue to diminish for
on-premises platforms. This poses a
growing risk to the Clearing Agencies,
who today continue to rely primarily
upon on-premises mainframes and
private cloud solutions from a resiliency
perspective.14 The Clearing Agencies
believe the best way to manage against
this risk at this time is to leverage a
diverse platform strategy that will
increase the use of and reliance upon
Cloud. The use of Cloud, as part of a
broader platform strategy, serves as an
important tool in enabling the Clearing
Agencies to anticipate and manage these
and other risks more effectively.
2. Improved Resilience
The Clearing Agencies must ensure
that any Core C&S Systems in the Cloud
have resiliency and recovery
capabilities commensurate with the
Clearing Agencies’ importance to the
functioning of the U.S. financial
markets. As explained in detail below,
the Clearing Agencies believe that Cloud
will enhance the resiliency of their Core
C&S Systems by virtue of the Clearing
13 For example, the VBlock platform, which has
been the core, private cloud distributed hosting
platform of the Clearing Agencies for over a decade,
is no longer available for purchase. Another
example is the continued consolidation in the
private cloud software space, which has
concentrated the industry and reduce aggregate
investment in innovation.
14 In this context, ‘‘resiliency’’ is the ‘‘ability to
anticipate, withstand, recover from, and adapt to
adverse conditions, stresses, attacks, or
compromises on systems that include cyber
resources.’’ Systems Security Engineering: Cyber
Resiliency Considerations for Engineering of
Trustworthy Secure Systems, Spec. Publ. NIST SP
No. 800–160, vol. 2 (2018).
PO 00000
Frm 00116
Fmt 4703
Sfmt 4703
71993
Agencies’ architectural design
decisions, and the Cloud’s redundancy,
availability, and the Clearing Agencies’
disciplined approach to deployment of
Core C&S Systems to Cloud. In
particular, the Clearing Agencies believe
that Cloud will enhance their ability to
withstand and recover from adverse
conditions by provisioning redundant
Compute, Storage, and Network
resources in three availability zones, in
each of two autonomous and
geographically diverse regions, for a
total of six availability zones that are
comprised of many data centers.
The primary/hot region would be
operational and accepting traffic, while
the secondary/warm region would
receive replicated data from the hot
region with applications on stand-by.
This solution significantly reduces
operational complexity, mitigates the
risk of human error by providing tools
for automating routine tasks and
orchestrating complex workflows,
thereby reducing the need for manual
intervention,15 and provides resiliency
and assured capacity (although, the
Clearing Agencies would continue to
periodically review the CSP’s capacity
planning process through quarterly
reviews).16
The Clearing Agencies are assured of
adequate capacity with the proposed
hot/warm architecture because the
Compute resources of the warm,
‘‘recovery’’ region would be already
running with needed capacity.
Additionally, the Clearing Agencies
have reviewed the effect of a large,
regional outage with the CSP, which
indicated that a vast majority of the
CSP’s customers are not configured to
use the secondary region as a failover
region; thus, they would not be using
capacity in that region. Moreover, a
review of data from two large outages in
the primary region did not show a
change in capacity availability in the
secondary region.
The Clearing Agencies also believe
that Cloud reduces capacitymanagement risks when compared with
on-premises platforms in three
important ways: (1) capacity in Cloud
can be added almost instantly; (2) such
capacity can be added at magnitudes
greater than what is possible with
traditional, on-premises platforms; and
15 The CSP’s built-in security features in its Cloud
Infrastructure also can reduce the risk of security
breaches caused by human error, such as
misconfigurations or improper access controls.
16 The Clearing Agencies would continue to
perform periodic business continuity and disaster
recovery tests to verify business continuity plans
and disaster recovery infrastructure will support a
two-hour recovery time objective for critical
systems.
E:\FR\FM\04SEN1.SGM
04SEN1
71994
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
ddrumheller on DSK120RN23PROD with NOTICES1
(3) the risk of a supply chain effect on
capacity realization (i.e., the risks
associated with receiving and deploying
servers necessary to create more
capacity) is greatly reduced.
The proposed hot/warm configuration
also enables application rotation
between regions. The Clearing Agencies
would have the ability to operationally
rotate either a single application, groups
of applications, or all applications to the
warm region for both planned and
unplanned events. Collectively, the
proposed design of the Cloud
Infrastructure helps ensure that the
Clearing Agencies can meet any
applicable two-hour recovery time
objective.
Each availability zone, in each of the
two regions, would be comprised of
multiple physical data centers. Each
data center would have its own distinct
physical infrastructure with separate
staff and dedicated connections to
utility power, standalone backup power
sources, independent mechanical
services, and independent network
connectivity.
Although not dependent on each
other, availability zones of a region are
connected to each other with private,
fiber-optic networking, enabling Core
C&S Systems to automatically failover
between a region’s availability zones
without interruption. Since each
availability zone can operate
independently, but failover capability is
nearly instantaneous, a loss of one
availability zone would not affect
operation in another; therefore, no Core
C&S System would be reliant on the
functioning of a single availability
zone.17
Altogether, the proposed Cloud
Infrastructure would afford the Clearing
Agencies six levels of redundancy (i.e.,
three availability zones, made up of
many data centers, in each of the two
regions), with primary/secondary
regions running in a hot/warm
configuration, respectively, in
geographically separate and segregated
locations, and with each region
containing multiple copies of the data.
Thus, even if an availability zone is lost
in the primary region, the Cloud can
continue to seamlessly operate Core
C&S Systems in the primary region,
17 To further ensure the resiliency of the
Compute, Storage, and Network capabilities, the
CSP’s services are divided into ‘‘data plane’’ and
‘‘control plane’’ services. The Clearing Agencies’
applications would run using data plane services,
while control plane services are used to configure
the environment. Resources and requests are further
partitioned into cells, or multiple instantiations of
a service that are segregated from each other and
invisible to the CSP’s customers, on each plane,
again minimizing the effect of a potential incident
to the smallest footprint possible.
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
thereby significantly reducing
availability risk and any attendant
consequences for the Clearing Agencies’
participants and customers. As a result,
the Cloud Infrastructure offers the
Clearing Agencies multiple
redundancies within which to run Core
C&S Systems, limits the effect of an
incident at the CSP to the smallest
footprint possible, and mitigates the
possibility of the Clearing Agencies
suffering an intra-, inter-, or multiregion outage.
By comparison, the Clearing
Agencies’ current on-premises hosting
capabilities, both mainframe and private
cloud, are operating on one primary
data center in one region, with a second,
recovery data center in a second region
(excluding data bunkers, which do not
have Compute capabilities). In other
words, it is many times less likely that
an unplanned, out of region failover
would be needed for Core C&S Systems
hosted in Cloud than currently hosted
on-premises. (Even in the unlikely event
that the Clearing Agencies needed to fail
over to the secondary Cloud region, the
decision and process of doing so would
continue to be in the sole discretion of
the Clearing Agencies.) This increased
redundancy represents a material
improvement in resiliency for the
Clearing Agencies and a material
reduction in risk for the industry.
Additionally, transitioning to Cloud
offers the Clearing Agencies a more
effective strategy for avoiding technical
debt and system degradation because
the CSP, in its role as such, would be
performing regular system upgrades and
maintenance, helping to ensure the
Cloud’s resiliency. Unlike on-premises
solutions that may struggle to keep pace
with evolving technology, due in part to
the waning demand for on-premises
infrastructure, CSPs take on the
responsibility of regularly updating and
maintaining their cloud infrastructure,
which they do in a competitive
environment. This approach helps
ensure that the CSP’s cloud
infrastructure remains up to date,
secure, and performs at its best,
minimizing the likelihood of
accumulating technical debt and
preventing the decline of system
capabilities and resiliency over time.
This is not to say that on-premises
infrastructures are not updated or
maintained today but, instead, that the
CSP does it better and faster. CSPs excel
in ensuring that systems remain up to
date, secure, and perform at their best
by leveraging automation, scalability,
built-in security measures, service level
agreements (‘‘SLAs’’), economies of
scale, and continuous monitoring and
improvement processes. These
PO 00000
Frm 00117
Fmt 4703
Sfmt 4703
advantages collectively enable CSPs to
provide more reliable, resilient, and
high-performance services compared to
traditional on-premises environments.
3. Expanded Security Capabilities
Hosting Core C&S Systems in Cloud
would not change the physical and
cybersecurity standards to which the
Clearing Agencies currently align—the
National Institute of Standards and
Technology (‘‘NIST’’) 18 and Center for
internet Security (‘‘CIS’’).19 Application
of NIST is considered a best practice for
financial services use of cloud.20
Moreover, as discussed further below,
the Clearing Agencies would continue
to apply existing security processes and
standards to include network and
identity and access management
(‘‘IAM’’) controls, security governance
and controls for sensitive data, security
configuration, provisioning, logging and
monitoring, and security testing and
validations.
By hosting in Cloud through the CSP
that the Clearing Agencies have
engaged, the Clearing Agencies would
be able to add cloud-specific security
capabilities and measures provided by
the CSP, as well as third-party tools. For
example, such capabilities and
measures would include automation,
monitoring, and security incident
response capabilities, as well as default
separation between Reg. SCI and nonReg. SCI operating domains, and
ubiquitous encryption, all of which are
not available in the current on-premises
data centers. Similarly, microsegmentation of applications and
infrastructure provided by the CSP,
which also is not available in the
Clearing Agencies data centers, limits
the effect of a security incident and
reduces the time to detection and
recovery.21
18 National Institute of Standards and Technology
(2023) The NIST Cybersecurity Framework 2.0.
(National Institute of Standards and Technology,
Gaithersburg, MD), NIST Cybersecurity White Paper
(NIST CSWP) 29 ipd, Released August 8, 2023.
https://doi.org/10.6028/NIST.CSWP.29.ipd.
19 Center for internet Security Benchmarks,
cisecurity.org/cis-benchmarks.
20 U.S. Department of the Treasury, The Financial
Services Sector’s Adoption of Cloud Services
(February 8, 2024), available at https://
home.treasury.gov/system/files/136/TreasuryCloud-Report.pdf.
21 For example, the CSP provides infrastructure
capable of withstanding Distributed Denial of
Service (‘‘DDoS’’) attacks at far greater magnitudes
than the Clearing Agencies’ current capabilities, as
the CSP has exponentially more internet
bandwidth, given their business function, than the
Clearing Agencies. (DDoS is a cyberattack in which
the attacker floods a server with illegitimate traffic/
requests to prevent legitimate users from accessing
online services, websites, or computers connected
to the attacked server.)
E:\FR\FM\04SEN1.SGM
04SEN1
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
ddrumheller on DSK120RN23PROD with NOTICES1
4. Increased Scalability
Cloud implementation would allow
for greater scalability of Compute,
Storage, and Network resources that
support Core C&S Systems.22 With a
Cloud Infrastructure, the Clearing
Agencies could quickly provision or deprovision Compute, Storage, or Network
resources to meet demands, including
elevated trade volumes, and provide
more flexibility to create development
and test environments, as well as other
system development needs.23 For
example, the CSP could support elastic
workloads and scale dynamically
without the need for the Clearing
Agencies to procure, test, and install
additional servers, storage, or other
hardware.
The Clearing Agencies would preprovision Compute and Storage
resources proactively, in addition to
scaling resources on-demand. This
means that the Clearing Agencies would
be able to increase Compute capacity in
one or both regions via manual or
automated processes for Core C&S
Systems. The rapid deployment of
Compute capacity would allow the
Clearing Agencies to obtain access to
resources far more quickly than with onpremises data centers. The Clearing
Agencies would combine the preprovisioning of primary capacity with
regular capacity stress testing to verify
that the underlying Compute can
sustain required business volumes. The
stress testing data would be used to
determine the base levels of preprovisioned capacity.
The ability to quickly scale workloads
materially improves the Clearing
Agencies ability to respond to
22 The Clearing Agencies would continue to
follow existing policies and procedures regarding
capacity planning and change management. The
Clearing Agencies have separately submitted a
request for confidential treatment to the
Commission regarding the Change Management
Policy and the Technology Capacity and Demand
Assessment Policy. The Clearing Agencies have
provided these documents in confidential Exhibit 3
to this advance notice filing.
23 The Clearing Agencies periodically perform
capacity and availability planning analyses that
result in capacity baselines and forecasts, as an
input to technology delivery and strategic planning
to ensure cost-justifiable support of operational
business needs. These analyses are based on the
collection of performance data, trending, scenarios,
and periodic high-volume capacity stress tests and
include storage capacity for log and record
retention. Results are reported to senior technology
management as inputs to performance management
and investment planning. In addition, each quarter,
the Clearing Agencies review the CSP’s capacity
planning accuracy for the prior quarter and review
the upcoming quarter’s forecast, along with
providing input to the CSP for anticipated major
changes in the Clearing Agencies’ proposed use of
resources. The Clearing Agencies’ IT Governance
Committee is the designated escalation point for
handling capacity management issues.
VerDate Sep<11>2014
00:41 Sep 04, 2024
Jkt 262001
unexpected market events and external
scenarios, such as a global pandemic.24
This capability also enables the Clearing
Agencies to run risk calculations more
frequently, at greater speeds, and with
more compute-intensive models than is
economically feasible compared to the
Clearing Agencies’ on-premises
infrastructure.
In sum, transitioning to Cloud not
only enhances scalability but also
significantly improves agility beyond
the Clearing Agencies’ on-premises
capabilities. The on-demand resources
provided by the CSP enable dynamic
scalability, helping to ensure optimal
performance during peak times, efficient
resource allocation during periods of
lower demand, and the ability to
innovate faster to meet evolving
business requirements.
C. Why a Single CSP is Appropriate
The Clearing Agencies strongly
believe that hosting Core C&S Systems
with a single CSP is appropriate. The
Clearing Agencies have assessed the
capabilities of the CSP in adherence
with the Clearing Agency Risk
Management Framework,25 which
requires the respective Board of
Directors of the Clearing Agencies to
approve policies governing
relationships with service providers,
such as the CSP, thus helping to ensure
alignment with the Clearing Agencies’
risk management principles.
Beyond simply being a well-known,
reputable, industry-leading, and capable
CSP, the Clearing Agencies and the CSP
have spent several years discussing the
Clearing Agencies’ needs, including
operational, legal, and regulatory
obligations; what-if scenarios; and
commercial implications. That
extensive effort led to a number of
benefits, including the CSP introducing
new products 26 and the establishment
24 Supply chain challenges during the Covid-19
pandemic highlighted a lack of resiliency and
scalability in traditional IT vendors’ abilities to
deliver resources when needed. Lead times of up
to 18 months were experienced and delayed many
efforts to expand capacity. This was not the case
with CSPs, which did not experience capacity
constraints or an ability to meet demand. This
further demonstrates how the option to host Core
C&S Systems in Cloud is a critical risk mitigation
tool for managing against the long-term risk of a
waning on-premises industry.
25 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the Clearing Agency Risk
Management Framework. The Clearing Agencies
have provided this document in confidential
Exhibit 3 to this advance notice filing.
26 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding two examples of CSP
Whitepapers. The Clearing Agencies have provided
these documents in confidential Exhibit 3 to this
advance notice filing.
PO 00000
Frm 00118
Fmt 4703
Sfmt 4703
71995
of an exhaustive contractual agreement
between the Clearing Agencies and the
CSP that addresses the Clearing
Agencies’ needs for hosting Core C&S
Systems in Cloud (‘‘Cloud
Agreement’’).27 28
Meanwhile, it is generally understood
that in the present environment adding
a secondary CSP or an on-premises
backup introduces significant
complexity, costs, and risks that
outweigh expected benefits.29 An onpremises or secondary CSP backup
would require the Clearing Agencies to
engineer their primary Cloud
Infrastructure to the lowest common
denominator, so that the systems
operating on the primary infrastructure
also could run on a completely separate
and distinct secondary, backup
infrastructure. This approach would
severely reduce the value that Cloud
provides, introduce significant cost with
little benefit, and greatly increase
operational complexity, all of which
would result in negative consequences
for the efficiency and resiliency of the
Clearing Agencies, their participants,
and the industry.
Notwithstanding the extensive
benefits from moving to Cloud, the
Clearing Agencies fully appreciate and
are committed to managing the risks
presented in relying on a single CSP, as
identified and discussed in Section II.A,
further below.
D. Transition Timeframe
The Clearing Agencies believe that
transitioning certain Core C&S Systems
to the Cloud is critical to managing the
risks that are inherent in technology and
vendor selection. However, as stated
above in Section I.A, the intent of the
27 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the Cloud Agreement. The
Clearing Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
28 Among other things, the Cloud Agreement sets
forth the CSP’s responsibility to maintain the
hardware, software, networking, and facilities that
run Cloud services. See also the separately
submitted Table of Reg. SCI Provisions provided in
confidential Exhibit 3 to this advance notice filing
that provides a summary of the terms and
conditions of the Cloud Agreement that the Clearing
Agencies believe help enable their compliance with
Reg. SCI.
29 As noted in the U.S. Department of Treasury’s
report, The Financial Services Sector’s Adoption of
Cloud Services, ‘‘No financial institution reported
the capability to [run applications across multiple
CSPs] for more complex use cases, such as running
core operations on multiple public clouds. Running
an application across multiple CSPs at the same
time may also be less desirable, given the costs,
staffing, and complexity involved in doing so,
particularly given the complexity associated with
identifying and managing risk across multiple cloud
environments.’’ Available at https://
home.treasury.gov/system/files/136/TreasuryCloud-Report.pdf at 6.
E:\FR\FM\04SEN1.SGM
04SEN1
71996
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
Cloud Proposal is not to move all Core
C&S Systems to Cloud at one time. The
Clearing Agencies believe that a ‘‘bigbang’’ transition would introduce
unnecessary execution risk, primarily
driven by the sheer scale and scope of
such an effort. Moreover, many
applications on the mainframe are still
tightly coupled together and not ready
to be moved to public cloud. Rather, at
this time, the Clearing Agencies are
proposing to move only a subset of the
Core C&S Systems to the Cloud and to
do so on an incremental basis, in
consideration of the specifics of each
application and the needs of the
Clearing Agencies.30 This approach
helps enable the hosting of Core C&S
Systems on the most appropriate
platform, at the most appropriate time,
in an efficient and secure manner.
The subset of Core C&S Systems
selected for this proposal have been
initially identified based on several
preliminary criteria, including, but not
limited to, whether:
• the application would benefit from
the presence of data sets already present
in Cloud;
• the application would benefit from
elasticity enabled by Cloud (e.g., user
interfaces); and
• the application already meets
certain architectural patterns for Cloud
(e.g., the application has already been
modernized and currently hosted in
private cloud and/or is a siloed
application—little to no coupling with
other applications).
Assuming the Clearing Agencies
would receive no regulatory objection to
this advance notice, each application of
the proposed subset of Core C&S
Systems then would undergo an indepth, architectural review that would
follow the Clearing Agencies’
governance process, governed by the
System Delivery Process.31 The
governance process includes, where
applicable, a detailed review and
approval by the Information Technology
ddrumheller on DSK120RN23PROD with NOTICES1
30 The
Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the DTCC Global Business
Continuity and Resilience Policy and Standards,
which defines the governance structure, high-level
roles and responsibilities, and the framework for
business continuity and resilience processes at the
Clearing Agencies. The Clearing Agencies have
provided this document in confidential Exhibit 3 to
this advance notice filing.
31 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the DTCC System Delivery
Policy. The System Delivery Policy defines
requirements that support adherence to the System
Delivery Process for application development
projects. The Clearing Agencies have provided this
document in confidential Exhibit 3 to this advance
notice filing.
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
Architecture Review Board (‘‘ARB’’),32
the New Initiatives process,33 to include
the Business Case Council and the Risk
Assessment Council that vet the
financials and risks of the proposed
move, and the Investment Management
Committee.34 Further escalations would
be made to the Executive Committee
and applicable Board of Directors of the
Clearing Agencies, as needed. Replatforming efforts also would be
communicated to regulators in
accordance with the change reporting
requirements of Section 1003(a)(1) of
Reg. SCI, as applicable.35
The above-described governance
process does not include a specific set
of criteria or thresholds for the ultimate
determination on whether an
application should or should not be
moved to Cloud—it is not a formulaic
decision. Rather, the Clearing Agencies
employ a more qualitative evaluation
process that involves various reviews
and considers high-level architectural
principles that may be applicable to
more than one application. However, at
this time, none of the Core C&S Systems
that have been initially identified as
part of the Cloud Proposal, based on the
preliminary criteria listed above, have
completed that more detailed
governance review process. Given the
extensiveness of the process, it would
not begin until after the Clearing
Agencies would receive no regulatory
objection to this advance notice.
Although the Clearing Agencies do
not anticipate needing to deviate from
the proposed transition schedule for the
selected Core C&S Systems, the Clearing
Agencies recognize that deviation may
be necessary, given that the more indepth governance review process has
not completed and because risks could
change over the proposed, multiyear
implementation period. For example, a
deviation may be necessary to address a
business need or a change in industry or
regulatory requirements or standards.
32 The
Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the IT Architecture Policy
(‘‘ITA Policy’’). The ITA Policy provides a set of
controls that must be followed to adequately
address applicable risks. The Clearing Agencies
have provided this document in confidential
Exhibit 3 to this advance notice filing.
33 The Clearing Agencies also have separately
submitted a request for confidential treatment to the
Commission regarding the New Initiatives Policy.
The New Initiatives Policy provides the governance
and oversight structure for the Clearing Agencies to
bring initiatives to market timely and efficiently
while minimizing risk. The Clearing Agencies have
provided this document in confidential Exhibit 3 to
this advance notice filing.
34 Such reviews and decisions are based on highlevel architectural principles that may be applicable
to more than one application.
35 17 CFR 242.1003, et seq.
PO 00000
Frm 00119
Fmt 4703
Sfmt 4703
Regardless, any deviation would follow
the same detailed governance process,
and the Clearing Agencies would
provide notice of such deviation to
Commission staff, the reason for the
deviation, and how the proposed
implementation schedule would be
updated to account for the deviation.
Further, the Clearing Agencies recognize
that deviating from the proposed
transition schedule would necessitate a
separate analysis to determine whether
such deviation could materially affect
the nature or level of risk posed by each
of the Clearing Agencies.
Even though certain on-premises
infrastructure components would be
decommissioned after applications are
moved to Cloud, the Clearing Agencies’
private cloud, mainframe services, and
data-center facilities would remain
available for no less than five more
years to help facilitate exit plans from
Cloud that rely on an on-premises
option. However, to be clear, the onpremises option would not be available
to address short-term disruptions, where
the Cloud is temporarily unavailable.
Management of such disruptions is
discussed in Section II.B, further below.
II. Expected Effects on Risks to the
Clearing Agencies, Their Participants,
or the Market
Although the Clearing Agencies are
not proposing to transition all Core C&S
Systems to Cloud for the reasons
described in Sections I.A and D, above,
transitioning the proposed subset of
Core C&S Systems from an on-premises
infrastructure supported by a
consolidating industry, as described in
Section I.B.1, above, to a new Cloud
Infrastructure maintained by an
industry-leading CSP provides
numerous advantages, as described in
Sections I.B.2–4 and C, above. However,
such transition is not without risk, as
discussed below.
A. Risks Presented by the Cloud
Proposal
1. Concentration Risk
The Clearing Agencies appreciate that
reliance on a single CSP for hosting the
subset of Core C&S Systems that are the
subject of this proposal creates
concentration risk, particularly in the
event of the CSP choosing to terminate
its services (i.e., commercial risk) or is
unexpectedly unavailable (i.e.,
operational risk). The Clearing Agencies
also appreciate that they would have
some reliance on the CSP to help meet
certain regulatory obligations of the
Clearing Agencies (i.e., regulatory risk),
thus introducing the familiar concept of
concentration risk in a relatively new
E:\FR\FM\04SEN1.SGM
04SEN1
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
context. However, concentration risk
exists today as the Clearing Agencies are
dependent on a single mainframe
provider, a single database provider for
the mainframe, and a single
virtualization provider for private cloud.
Moreover, the Clearing Agencies believe
that they have adequately addressed
these risks, as discussed throughout
Sections II.B.1–4., below.
2. Cloud Management Risk
Managing the applicable subset of
Core C&S Systems hosted on a Cloud
Infrastructure presents different risks
and challenges than managing such
systems hosted on-premises because
many activities and services previously
provided by the Clearing Agencies
would now be provided by the CSP. For
example, the Clearing Agencies would
be dependent upon the CSP for fulfilling
all of its contractual obligations,
including security of the Cloud, proper
capacity planning, and protection of
Cloud services from prolonged
operational outages. As such, overseeing
the CSP becomes a critical activity to
ensure the CSP is delivering services
that meet or exceed the Clearing
Agencies’ requirements for operating
those select Core C&S Systems. As
discussed in Sections II.B.1–4, below,
the Clearing Agencies believe that they
have adequately addressed this risk.
B. Management and Mitigation of
Identified Risks
1. Cloud Agreement
The Clearing Agencies believe that the
Cloud Agreement, including all its
amendments and addendums, is a
strong tool in helping to effectively
mitigate the commercial and regulatory
risks borne from the concentration risk,
as described in Section II.A.1, above, as
well as risks in managing the CSP that
would host the subset of selected Core
C&S Systems in the Cloud, as described
in Section II.A.2, above. Following is a
summary of some of the key terms and
conditions covered in the agreement
and how they help mitigate these risks.
ddrumheller on DSK120RN23PROD with NOTICES1
i. Adequate Notice
Under the Cloud Agreement, the CSP
may not unilaterally terminate the
relationship with the Clearing Agencies
absent good cause or without sufficient
notice to allow the Clearing Agencies to
transition their applications elsewhere.
Specifically, the CSP must provide an
extensive notice if it wishes to terminate
the Cloud Agreement for convenience or
if it wishes to terminate an individual
CSP service offering or lower an existing
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
SLA on which the Clearing Agencies
rely.36
The CSP is permitted to terminate the
Cloud Agreement with shorter notice
periods in the event of a critical
breach 37 or an uncured material
breach 38 39 of the Cloud Agreement. In
the highly unlikely event that a critical
breach or uncured material breach
occurs, the Clearing Agencies would
have sufficient notice to shift their
operations away from the CSP. Contract
provisions that allow a party to
terminate for uncured material breaches
are designed to limit the types of actions
that could lead to contract termination
and to establish a period of time to
resolve an aggrieved party’s claim (often
30 days) followed by an additional
extended period in which to remediate
the claim. This gives the parties time
and incentive to address the problem
without having to resort to termination.
In other words, even if the CSP notifies
the Clearing Agencies of an alleged
breach (material or critical), termination
of services is not immediate.
Additionally, regardless of the need to
shift operations elsewhere—
convenience or breach—the Cloud
Agreement provides for the parties to
work together and for the CSP to
provide professional services to assist
with such a shift.40
The Clearing Agencies believe the risk
of termination under the above36 The Cloud Agreement permits an exception to
this sufficient notice provision in the event the CSP
must terminate the individual service offering if
necessary to comply with the law or requests of a
government entity or to respond to claims,
litigation, or loss of license rights related to thirdparty intellectual property rights. In this event, the
CSP must provide reasonable notice to the Clearing
Agencies of the termination of the individual
service offering. See Reg. SCI Addendum, Section
10 Termination. The Clearing Agencies have
provided this document in confidential Exhibit 3 to
this advance notice filing.
37 Critical breaches are material breaches (i) for
which the Clearing Agencies knew their behavior
would cause a material breach (such as a willful
violation of Cloud Agreement terms); (ii) that cause
ongoing material harm to the CSP, its services, or
its customers (e.g., criminal misuse of the services);
or (iii) for undisputed non-payment under the
Cloud Agreement. See Reg. SCI Addendum, Section
10 Termination. The Clearing Agencies have
provided this document in confidential Exhibit 3 to
this advance notice filing.
38 Typically, a breach is considered material only
if it goes to the root of the agreement between the
parties or is so substantial that it defeats the object
of the parties in making the contract. See Reg. SCI
Addendum, Section 10 Termination. The Clearing
Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
39 See Reg. SCI Addendum, Section 10
Termination. The Clearing Agencies have provided
this document in confidential Exhibit 3 to this
advance notice filing.
40 See Reg. SCI Addendum, Section 11 PostTermination Services. The Clearing Agencies have
provided this document in confidential Exhibit 3 to
this advance notice filing.
PO 00000
Frm 00120
Fmt 4703
Sfmt 4703
71997
discussed shorter notice period is
minimal. In all cases of an alleged
breach, the CSP must notify the Clearing
Agencies in writing and provide time
for them to cure the alleged breach
(‘‘Notice Period’’).41 With respect to an
alleged material breach, which requires
the CSP to extend the Notice Period if
the Clearing Agencies demonstrate a
good faith effort to cure the alleged
material breach, the Clearing Agencies
would use the Notice Period to attempt
to cure the alleged material breach
while also preparing to transition
elsewhere. As a result, it is highly
unlikely that a critical breach or a
material breach would remain uncured
beyond the Notice Period. If one does
remain uncured, however, the CSP can
only terminate the rights or accounts
associated with the breach, not the
entire Cloud Agreement; 42 meanwhile,
and the Clearing Agencies would have
ample notice to shift operations to avoid
a disruption to Core C&S Systems, if
needed.
As explained above, adequate notice
under the Cloud Agreement plays an
important role in managing
concentration risk by providing the
Clearing Agencies with advance
warning of potential disruptions or
changes in the agreement or services
thereunder, which would allow the
Clearing Agencies to take proactive
measures in mitigating the potential
impact of commercial and regulatory
risk, thereby reducing concentration
risk.
ii. Regulatory Compliance and CSP
Oversight
The Clearing Agencies’ transition to
Cloud does not alter their responsibility
to maintain compliance with applicable
regulations. Consistent with FFIEC
Guidance (as defined and discussed
further below), the Clearing Agencies’
will continue to fully comply with all
applicable regulatory obligations,
particularly Reg. SCI.43
The Clearing Agencies believe the
combination of the following would
provide them with reasonable assurance
that the proposed transition to Cloud
41 See Reg. SCI Addendum, Section 10
Termination. The Clearing Agencies have provided
this document in confidential Exhibit 3 to this
advance notice filing.
42 See Amendment 1 Section 8 Temporary
Suspension, of the Cloud Agreement. The Clearing
Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
43 Reg. SCI imposes certain information security
and incident reporting standards on the Clearing
Agencies and requires them to adopt an information
technology governance framework reasonably
designed to ensure that ‘‘SCI systems,’’ and for
purpose of security, ‘‘indirect SCI systems,’’ have
adequate levels of capacity, integrity, resiliency,
availability, and security. 17 CFR 242.1000 et seq.
E:\FR\FM\04SEN1.SGM
04SEN1
71998
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
would enable them to continue to fully
satisfy their regulatory obligations,
including Reg. SCI, thus helping to
mitigate the regulatory risk highlighted
in Section II.A.1, above: (i) the Cloud
Agreement; (ii) the CSP’s compliance
programs as described in its
whitepapers 44 and publicly available
policies (e.g., its Penetration Testing
Policy),45 46 47 48 and user guides; (iii) the
CSP’s SLAs; 49 50 51 (iv) the CSP’s
44 Supra
note 25.
Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the Operational &
Technology Risk Technology Risk Management
(‘‘OTR CS&TRM’’) Procedure—Application
Penetration Test which describes the application
penetration test procedures for the Clearing
Agencies’ web applications and supports
compliance with the Information Systems
Acquisition Policy, Development and Maintenance
Policy Security Control Standards, and Ethical
Application Penetration Testing (‘‘EAPT’’) Control
Standards. The Clearing Agencies have provided
this document in confidential Exhibit 3 to this
advance notice filing.
46 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the EAPT Control Standards.
The Clearing Agencies have provided this
document in confidential Exhibit 3 to this advance
notice filing.
47 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the DTCC Information
Security—Systems Acquisition Development and
Maintenance Policy and Control Standards, which
governs the security aspects of information systems
acquisition, development, and maintenance for
DTCC and its subsidiaries. The Clearing Agencies
have provided this document in confidential
Exhibit 3 to this advance notice filing.
48 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the DTCC Information
Security—Communications and Operations Policy
and Control Standards, which helps ensure the
correct and secure operation of information
processing facilities. The Clearing Agencies have
provided this document in confidential Exhibit 3
The Clearing Agencies have provided this
document in confidential Exhibit 3to this advance
notice filing.
49 The Clearing Agencies have provided the CSP’s
SLAs in confidential Exhibit 3 to this advance
notice filing.
50 Amendment 2, Section 2.2 To the Service Level
Agreements of the Cloud Agreement provides that
the CSP may change its SLAs from time to time but
must provide prior notice to the Clearing Agencies
before material reducing the benefits offered under
the SLAs. The Clearing Agencies have provided
Cloud Agreement in confidential Exhibit 3 to this
advance notice filing.
51 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the DTCC Legal Review of
Third Party Vendor Contracts Policy, which (1)
defines the scope of Vendor Contracts, (2) clarifies
what agreements fall outside the scope and are
excluded from the definition of Vendor Contracts,
(3) details the process the Clearing Agencies follow
when receiving requests to review Vendor Contracts
and related materials from CPS Contracts, and (4)
establishes the requirements around the creation,
maintenance, update, review, and use of contract
templates and negotiation guidelines for third party
relationships. The Clearing Agencies have provided
this document in confidential Exhibit 3 to this
advance notice filing.
ddrumheller on DSK120RN23PROD with NOTICES1
45 The
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
Systems Organization Controls reports
(e.g., SOC 1, SOC 2, SOC 3) 52 and
International Organization for
Standardization (‘‘ISO’’) certifications
(e.g., ISO 27001); 53 (v) the CSP’s size,
scale, and ability to deploy extensive
resources to protect and secure its
facilities and services; and (vi) the CSP’s
commercial incentive to perform.
Moreover, as noted in Section II.B.ii.,
above, oversight of the CSP relationship
and services has become a standing
practice of the Clearing Agencies to
ensure that the CSP is meeting or
exceeding its contractual obligations,
including helping the Clearing Agencies
demonstrate their regulatory
compliance. Such oversight, which also
helps mitigate the cloud management
risk raised in Section II.A.2, above,
would include a strong relationship
between the CSP and the Clearing
Agencies, including between their
senior management. Within the Cloud
Agreement itself, there are established
obligations on the CSP to provide the
Clearing Agencies’ information
necessary for the Clearing Agencies to
satisfy certain compliance and
regulatory requirements, particularly
Reg. SCI. For example, the Cloud
Agreement obligates the CSP to provide
the Clearing Agencies with immediate
notification where a systems intrusion
by an unauthorized party or a systems
disruption is suspected.54 The
agreement also provides for detailed
quarterly briefing meetings between the
Clearing Agencies and the CSP, during
which the Clearing Agencies would be
provided information on and could
review service level performance,
material systems changes, capacity
management, SLA updates, and
important security notices.55
The Cloud Agreement permits the
Clearing Agencies to perform an annual
review of the CSP’s documentation and
services to gain comfort that the CSP is
meeting its contractual requirements
and that the notification procedures are
in place to allow the Clearing Agencies
to meet their regulatory requirements,
52 The FFIEC Guidance provides that the Clearing
Agencies may obtain SOC reports, other
independent audits, or ISO certification reports to
gain assurance that the CSP’s controls are operating
effectively. See FFIEC, Security in a Cloud
Computing Environment at 7. The Clearing
Agencies review the CSP’s SOC–2 on an annual
basis.
53 The CSP has certifications for the following
frameworks: NIST, Cloud Security Alliance, Control
Objectives for Information and Related Technology
(‘‘COBIT’’), ISO, and the Federal Information
Security Management Act (‘‘FISMA’’).
54 See Reg. SCI Addendum, Sections 8.1 Systems
Intrusion Notification and 4 Briefing Meetings. The
Clearing Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
55 Id.
PO 00000
Frm 00121
Fmt 4703
Sfmt 4703
particularly Reg. SCI. The agreement
also allows a regulator of the Clearing
Agencies to receive information about
the Clearing Agencies’ usage of the CSP
services, and it allows the regulator to
perform its own on-site review, if
requested.56
2. Cloud Architecture
To mitigate operational risk
associated with the concentration risk
from relying on a single CSP, the
Clearing Agencies would architect the
Cloud Infrastructure hosting their Core
C&S Systems to be highly resilient,
improving the availability of such
systems and related Clearing Agency
services during any degradation in CSP
services:
• Use of multiple availability zones
per region. The Clearing Agencies
would use at least three availability
zones, in each of the two CSP regions,
with each availability zone made up of
multiple data centers.
• Multi-regions. In the event of a
primary region outage, the Clearing
Agencies would recover in the
secondary region. Out-of-region
recovery would be tested annually by
the Clearing Agencies, and a primary/
secondary (i.e., hot/warm) model would
be used to ensure continuous data
replication and recovery is achieved.57
Recovery exercises of non-Core C&S
Systems currently hosted in cloud
demonstrate the ability to recover
applications within required recovery
time objectives, including meeting a 2hour recovery time objective for relevant
applications in the event of an out-ofregion recovery.
• Multi-node, high availability
clusters across availability zones.
Clusters (i.e., three or more servers or
nodes) protect against local hardware
and service failures providing
uninterrupted operations. Each cluster
would be distributed across three
availability zones. Clusters
synchronously replicate data across all
nodes to protect against data loss and
provide continuous availability.
• Static stability and static capacity
models. Static capacity would be preprovisioned for compute, storage, and
memory for applications based on
capacity stress testing results and
capacity requirements. The Clearing
Agencies would pre-provision capacity
56 See Reg. SCI Addendum, Sections 3 Customer
Right of Access and Audit and 4 Briefing Meetings.
The Clearing Agencies have provided this
document in confidential Exhibit 3 to this advance
notice filing.
57 See Reg. SCI Addendum, Section 5 Customer
Testing of CSP Systems. The Clearing Agencies
have provided this document in confidential
Exhibit 3 to this advance notice filing.
E:\FR\FM\04SEN1.SGM
04SEN1
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
ddrumheller on DSK120RN23PROD with NOTICES1
needed for applications and services
and would not rely on capacity ondemand models, thus reducing the risk
of running out of capacity.
• Exit plans. The Clearing Agencies’
existing policies require that all
applications hosted in Cloud have
documented exit plans, with each plan
updated annually.58 The Clearing
Agencies’ Cloud architecture also
reduces ‘‘vendor lock-in’’ by using
capabilities such as ‘‘containers’’ 59 that
can exist in both the public and private
cloud, where appropriate and
applicable. For the foreseeable future,
the Clearing Agencies plan to continue
to own or lease private data center space
to host private cloud and mainframe
capabilities. The Clearing Agencies
private, on-premises data centers help
enable a long-term exit plan from Cloud,
if needed. However, such data centers
would not be a means to address a
short-term incident at the CSP.
Additionally, for the second CSP that
the Clearing Agencies already have
contracted and connected with for
hosting non-Core C&S Systems, they are
now working on the contractual and
operational requirements that would be
necessary to possibly host Core C&S
Systems in its Cloud to further enable
exit plans from the primary CSP.
• Regional Isolation Architecture. A
cross-regional outage is highly unlikely
at the CSP, as the CSP has designed and
implemented a series of controls to
ensure that defects cannot be introduced
to more than a single region at a time.60
Services are regionally isolated with a
single exception—the IAM service. The
IAM service is not regionally isolated
and depends on a single region. If the
primary region for the IAM service fails,
the service will continue to operate but
as read-only. To mitigate this risk, the
Clearing Agencies would architect
applications and infrastructure services
in such a manner that they would not
require updates (i.e., writes) to the IAM
service in order to rotate out of region.
In summary, cloud architecture helps
mitigate operational risk borne from
concentration risk, as raised in Section
II.A.1, above, by providing resilient
infrastructure, scalable resources, robust
security measures, and disaster recovery
capabilities, all of which assist in
minimizing the impact of disruptions.
58 Supra
note 29.
container is a standard unit of software that
packages up code and all its dependencies, so the
application runs reliably from one computing
environment to another (e.g., public and private
clouds).
60 The CSP owns the control and has provided
documentation of the control to the Clearing
Agencies.
59 A
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
3. Standing Risk Management Practices
The Clearing Agencies’ standing risk
management practices also help
minimize operational risk by
systemically identifying, assessing,
mitigating, monitoring, and responding
to risk. For example, the Clearing
Agencies have considered the
possibility of the CSP being completely
and unexpectedly unavailable, whether
due to technical issues or other reasons.
The parallel risk exists today with
respect to the Clearing Agencies’
existing infrastructure. Just like with the
CSP, it is possible that the Clearing
Agencies’ two existing data centers—
one primary and one backup—become
completely and unexpectedly
unavailable. In fact, it is more likely that
those two data centers become
unavailable than the CSP’s data centers
because the CSP has so many more data
centers for each availability zone, in
both its primary and secondary regions,
with each data center, not just the
associated region or availability zone,
having its own physical infrastructure,
staff, power, backup power, mechanical
services, and network connectivity, as
discussed in Section I.B.2, above. Even
for the CSP’s IAM service that runs
cross regions, the applications in each
region operate off read-only versions of
the IAM roles and responsibilities, such
that loss of the primary would not affect
operation of those applications.
Nevertheless, to help manage a crisis
event, such as the Clearing Agencies’ or
the CSP’s data centers becoming
unavailable, the Clearing Agencies have
standing risk management plans and
practices already in place, as described
below.61
In the very unlikely event of an
unexpected single- or multi-region
outage in which the Clearing Agencies
operate, or a complete and unexpected
CSP outage, the Clearing Agencies
would initiate the existing Major
Incident Management (‘‘MIM’’) process,
which is an existing process that
involves evaluating the technical impact
of the event, and if the event is deemed
to have a material impact to the
business, the Business Incident
Management System (‘‘BIMS’’) 62 would
61 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the Operational Response
Capabilities Matrix. The Clearing Agencies have
provided these documents in confidential Exhibit 3
to this advance notice filing.
62 MIM is part of the IT organization that manages
technology specific incidents at the Clearing
Agencies that are typically resolved at the
application or hardware level with support from the
appropriate subject matter experts (‘‘SMEs’’).
Incidents that have a business impact are escalated
to BIMS and appropriate SMEs are added to manage
the impact, which includes Business Continuity
PO 00000
Frm 00122
Fmt 4703
Sfmt 4703
71999
be activated. Depending on the severity
of the event, the DTCC Global Business
Continuity and Resilience (‘‘BCR’’)
Policy would provide a predictable
structure to be utilized during crises and
could be leveraged to address, respond
to, and manage an outage.63 In addition
to internal risk management practices,
the Clearing Agencies have plans to
help address various outage scenarios
and the potential effects of an outage.64
The BCR Policy and Standards is
structured to employ existing DTCC and
Clearing Agency teams and committees,
which become the tactical leadership to
react, respond, and manage a crisis
situation.65 The teams are comprised of
the following:
• Crisis Management Team.
Comprised of the Management
Committee, site General Managers, Head
of the Board Risk Committee,66 and
other SMEs, as needed.
• Crisis Response Teams.
and Resilience. BIMS participants can request the
Crisis Management Team be activated if the
incident requires discussion or has escalated to a
potential disaster that may require a declaration of
disaster.
63 The Clearing Agencies are taking into
consideration the forthcoming requirements of
adopted and effective Rule 17ad–25(i) under the
Exchange Act, 17 CFR 240.17ad–25(i), and
anticipate that the Clearing Agencies’ approach in
managing the risk presented by a CSP outage for
Core C&S Systems would be consistent with those
requirements.
64For example, there is an existing plan to
manage a Fedwire protracted outage. A Fedwire
protracted outage is an interruption or outage of
Federal Reserve Bank hardware or software that
prevents the bank from processing payment orders
online and that is not expected to be resolved before
the bank’s next Fedwire Funds Service Funds
Transfer Business Day. In the event of such an
outage, the Clearing Agencies will assess the
situation and employ, as needed and applicable, the
steps outlined in the BCR Policy and Standards, the
Federal Reserve Banks Operating Circulars (see,
e.g., Operating Circular No. 6, available at https://
www.frbservices.org/binaries/content/assets/
crsocms/resources/rules-regulations/070123operating-circular-6.pdf), and any other regulatory
guidance.
65 The Clearing Agencies have established a list
of situations that are covered under the BCR Policy
and Standards, any of which could escalate to a
disaster and trigger use of the Standards. The
technology events include (i) infrastructure outage,
(ii) external hosting provider service outage, and
(iii) loss of logical access to a Clearing Agency
facility. The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the BCR Policy and
Standards which define the governance structure,
high-level roles and responsibilities, and the
framework for business continuity and resilience
processes at the Clearing Agencies. The Clearing
Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
66 The Board Risk Committee is a Board level
committee established by the Boards of the Clearing
Agencies to assist their respective Boards in
fulfilling their responsibilities for oversight of risk
management activities at the Clearing Agencies.
This includes oversight of credit, market, liquidity,
operational, and systemic risks.
E:\FR\FM\04SEN1.SGM
04SEN1
ddrumheller on DSK120RN23PROD with NOTICES1
72000
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
Æ Business Continuity Coordinators
and Plan Approvers—These are
individuals who manage business
continuity at a plan level.
• Fair and Orderly Markets Groups—
These are crisis teams comprised of
internal stakeholders and top executives
from external firms deemed necessary to
ensure a fair and orderly market. They
would be activated (based on impact to
the legal entity) to gather information
during a large systemic event when
operational coordination is required
with clients and the sector.
• IT Management Team—Comprised
of Information Technology managing
directors and SMEs.
• Management Risk Committee—
Comprised of senior members across the
enterprise.
• Senior Site Management Team
(‘‘SSMT’’)—Each DTCC office with a
facility level resilience plan (‘‘FLRP’’)
has an SSMT, that is comprised of
senior leadership from the site.
• Site Assessment Team (‘‘SAT’’)—
Sites with an FLRP have a SAT that
responds to site-specific events. This
team is comprised of a primary/back-up
site General Manager and
representatives from BCR, IT,
Workplace Design and Service, Global
Security Management, and Human
Resources. A Data Center Services
representative also is added for sites
that have a data center.
• MIM and BIMS Teams—Part of the
IT organization that manages technology
specific and are typically resolved at the
application or hardware level with
support from the appropriate SMEs.
• Crisis Communication Team. The
Crisis Communication Team is
comprised of officer-level members from
Marketing and Communication, Human
Resources, General Counsel’s Office,
and Regulatory Relations, as well as
members of their staffs, as applicable.
The Clearing Agencies believe that
these standing risk management
practices are key to managing the
operational risk borne from
concentration risk outlined in Section
II.A.1, above, by helping to promote
proactive risk management culture,
enhancing operational resilience, and
enabling the Clearing Agencies to better
navigate uncertainties and maintain
business continuity.
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
4. Industry Standards for Cloud
Management
i. Cloud Management: Federal Financial
Institutions Examination Council Cloud
Computing Guidance (‘‘FFIEC’’)
On April 30, 2020, FFIEC 67 issued a
joint statement to address the use of
Cloud computing services and security
risk management principles in the
financial services sector (‘‘FFIEC
Guidance’’).68 While the FFIEC
Guidance does not contain regulatory
obligations, it highlights risk
management practices that financial
institutions should adopt for the safe
and sound use of Cloud computing
services in five broad areas (‘‘FFIEC Risk
Management Categories’’): Governance,
Cloud Security Management, Change
Management, Resilience and Recovery,
and Audit and Control Assessment. As
discussed below, the Clearing Agencies
would implement practices consistent
with the FFIEC Risk Management
Categories for Core C&S Systems
operated in Cloud to help address cloud
management risk, as highlighted in
Section II.A.2, above, by providing
frameworks, guidelines, and best
practices, that enhance transparency,
reliability, and security.
(a) Governance
The Clearing Agencies and the CSP
rely on a shared responsibility model
that differentiates between security ‘‘of’’
the Cloud and security ‘‘in’’ the Cloud.69
This model is not specific to the
agreement between the Clearing
Agencies and the CSP; rather, it is a
more universally followed model for
public cloud services. Under the model,
the CSP maintains sole responsibility
and control over the security and
resiliency ‘‘of’’ the Cloud, and their
customers are responsible for the
security and resiliency ‘‘in’’ the Cloud
(i.e., security and resiliency of hosted
applications and data). This means that
the Clearing Agencies must manage
their own application architectures, data
67 FFIEC is a formal interagency body empowered
to prescribe uniform principles, standards, and
report forms for the federal examination of financial
institutions by the Board of Governors of the
Federal Reserve System, the Federal Deposit
Insurance Corporation, the National Credit Union
Administration, the Office of the Comptroller of the
Currency, and the Consumer Financial Protection
Bureau, and to make recommendations to promote
uniformity in the supervision of financial
institutions.
68 Available at https://www.ffiec.gov/press/
pr043020.htm.
69 ‘‘Shared responsibility’’ conveys the
responsibility of the Clearing Agencies and the CSP
vis-à-vis each other from a business operations
perspective. It does not mean that the CSP has taken
on or that the Clearing Agencies have relinquished
any of their Reg. SCI compliance requirements.
PO 00000
Frm 00123
Fmt 4703
Sfmt 4703
backups, change management controls,
network configurations within
applications, and response to
application failures. In addition, the
Clearing Agencies must manage their
own data usage and data-at-rest
encryption configuration, IAM access
policies and roles, operating system
upkeep, security group configurations,
and network traffic encryption in transit
configurations. The Clearing Agencies
also manage how they place workloads
onto the CSP’s platform.
Meanwhile, the CSP must manage
backend hardware services for Compute,
Storage, Networking, database, and
global architectures such as regions,
availability zones, data centers, power,
and HVAC, as well as backend security
services that protect core
infrastructures. The CSP manages the
underlying infrastructure and upkeep,
so that the Clearing Agencies (and other
customers) can place workloads on the
CSP platform with proper security and
separation without having to manage
these traditional data center tasks. The
Clearing Agencies review the CSP’s
policies and procedures for these
functions during the quarterly reviews
and during annual risk assessments.
When looking more closely at
hardware management, the Clearing
Agencies believe there are benefits in
how the CSP manages hardware for
Cloud compared to how the Clearing
Agencies manage hardware for their
own data centers. For example, with onpremises data centers, the Clearing
Agencies must oversee a multifaceted
supply chain, involving many vendors
to obtain and administer physical
Compute, Storage, and Network
capacity. Delivery times may fluctuate,
and scarcities can affect project
outcomes, as seen during the Covid–19
pandemic. In contrast, with the
proposed Cloud Infrastructure, the CSP
controls the hardware supply chain and
even partakes in key areas of the
manufacturing process to circumvent
typical problems such as chip shortages.
Moreover, the Clearing Agencies get to
review the CSP’s equipment forecast for
each upcoming quarter, affording the
Clearing Agencies the opportunity to
address potential supply chain
difficulties, if any, without jeopardizing
their access to adequate capacity, by
leveraging capabilities such as reserved
capacity. Altogether, the Clearing
Agencies believe the CSP’s management
of Cloud hardware will be a benefit to
them.
The CSP would perform its own risk
and vulnerability assessments of the
CSP infrastructure on which the
Clearing Agencies would run their Core
C&S Systems. In published
E:\FR\FM\04SEN1.SGM
04SEN1
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
ddrumheller on DSK120RN23PROD with NOTICES1
documentation and in meetings
conducted with the CSP, the CSP asserts
that it maintains an industry-leading
automated test system, with strong
executive oversight, and conducts fullscope assessments of its hardware,
infrastructure, internal threats, and
application software. The CSP asserts
that it has an aggressive program for
conducting internal adversarial
assessments (‘‘Red Team’’) designed not
only to evaluate system security but also
the processes used to monitor and
defend its infrastructure. The CSP also
uses external, third-party assessments as
a cross-check against its own results and
to ensure that testing is conducted in an
independent fashion. Pursuant to the
CSP’s documentation, results of these
processes are reviewed weekly by the
CSP’s Chief Information Security Officer
and the Chief Executive Officer with
senior CSP leaders to discuss security
and action plans.70
The Clearing Agencies have the
responsibility to perform risk
assessments and technical security
testing, including control validation,
penetration testing, and adversarial
testing of their applications running on
the Cloud Infrastructure. This includes
testing of the application interface layer
of some CSP provided services such as
storage and key management.
As mentioned, the Clearing Agencies’
testing includes assessing the
configuration of the CSP provided
services. The Clearing Agencies’
Technology Risk Management staff
would work with the Clearing Agencies’
Information Technology staff to ensure
that the CSP tools are configured to
appropriately manage and mitigate
potential sources of risk and will assess
the effectiveness of those
configurations.71 The Technology Risk
70 The CSP does not provide assessment results to
its customers, as doing so would constitute a breach
of generally accepted security best practices.
Instead, the CSP provides its customers with
industry-standard reports—such as SOC2 Type II—
prepared by an independent third-party auditor to
provide relevant contextual information to its
customers. The CSP also conducts periodic audit
meetings specifically designed to discuss security
concerns with its customers discussed later during
the ‘‘CSP Audit Symposium.’’ Additionally, the
Clearing Agencies have certain audit rights
(pursuant to Section 3 Customer Rights of Access
and Audit of the Reg. SCI Addendum) to review
information about the nature and scope of the CSP’s
vulnerability management program.
71 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the OTR TRM Core Process
Procedure—Security Configuration Violation Rules,
which is used to manage enterprise information
security risk by ensuring a consistent configuration
violation scoring process that provides timely
identification of configuration violations and their
severity ratings. The Clearing Agencies have
provided this document in confidential Exhibit 3 to
this advance notice filing.
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
Management staff has developed an
application, Cloud Governance Insights
(‘‘CGI’’), to continuously monitor all
Cloud Infrastructure for alignment to
security baselines and configurations
best practices.72 The CGI dashboard
allows Information Technology and
Technology Risk Management staff to
understand the environment risk
posture and reporting of key risk
indicators (‘‘KRIs’’). The Clearing
Agencies’ Red Team would operate
freely ‘‘in the Cloud,’’ attempting to
subvert or circumvent controls.73 The
testing would include probing of the
CSP provided services to look for
weaknesses in the Clearing Agencies’
deployment of those tools.
Technology Risk Management staff
would routinely report test results to the
Technology Risk Management Steering
Committee and the Management Risk
Committee, appropriate functional
Operations and Information Technology
management, senior management, and
the Board of Directors of the Clearing
Agencies.74 75 Automated vulnerability
scanning reports, source code analysis,
and results of specific assessments
would be risk-rated and assigned a
priority for remediation in accordance
with Clearing Agency Information
Security Program requirements.76 77
Management and oversight of the
Cloud implementation follows the
Clearing Agencies’ standard governing
72 CGI is the Clearing Agencies’ internally
developed solution to perform Cloud Security
Posture Management and assess Cloud
Infrastructure compliance against TRM Control
Standards and Security Baselines in near real-time.
73 Supra note 47.
74 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the DTCC Information
Security—Information Security Management Policy
and Control Standards, which defines the roles,
responsibilities, and accountabilities for DTCC’s
security practices and organization structure suited
to protect DTCC’s critical systems and business
assets. Information Security Management evaluates
DTCC’s information security program’s overall
effectiveness, and establishes, maintains,
communicates, and periodically reassesses
information security policies and a comprehensive
information security program that are approved by
management. The Clearing Agencies have provided
this document in confidential Exhibit 3 to this
advance notice filing.75 The Clearing Agencies have
separately submitted a request for confidential
treatment to the Commission regarding the DTCC
Information Security—Risk Management Policy and
Control Standards, which provides (i) requirements
for establishing, implementing, maintaining, and
continually improving the information risk
management program, (ii) a governance structure
utilized for the escalation of information risks to an
appropriate management level, and (iii)
organizational roles and responsibilities for the
delivery of comprehensive information security and
technology risk management program. The Clearing
Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
76 Supra note 46.
77 Supra note 47.
PO 00000
Frm 00124
Fmt 4703
Sfmt 4703
72001
principles for large information
technology projects.78 To maintain
accountability over the CSP’s
performance, regular reporting to the
Boards of the Clearing Agencies by
senior management is essential and
required, pursuant to the DTCC Third
Party Risk Procedures.79 Such reporting
helps ensure that senior management
takes appropriate actions to address
significant performance deterioration,
changing risks, or material issues
identified through ongoing monitoring,
thereby helping to ensure proactive risk
management and continuous
improvement.80 The Clearing Agencies’
Board of Directors has established a
Technology and Cyber Committee to
assist the Board of Directors in
overseeing information technology and
cybersecurity strategy and capabilities.
Information Technology and the
Enterprise Program Management Office
(‘‘EPMO’’) are responsible for the
identification, management, monitoring,
and reporting on the risks associated
with the modernization and migration
of applications to Cloud. To that end,
reports on the status and progress of
these efforts are reported to applicable
Clearing Agency committees based on
escalation criteria in the EPMO
Procedure.81 These reports include
overall risk and issue summaries and
analysis of key risk indicators for the
migration of applications to the public
cloud.
Finally, the Clearing Agencies’
Internal Audit Department (‘‘IAD’’), as
the independent third line of defense, is
responsible for assessing and
challenging the firm’s control
environment and risk management and
control frameworks, which include
those related to the Cloud, including,
but not limited to, security controls and
configurations, and report the results of
78 Supra
note 32.
Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the DTCC Third Party Risk
Procedures, which establish the standards and
practices to be used by certain business line
departments and/or functional units to manage the
potential risks associated with engaging with an
external service provider. The Clearing Agencies
have provided these documents in confidential
Exhibit 3 to this advance notice filing.
80 Supra note 62.
81 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the Enterprise Program
Management Office Procedure, which outlines the
minimum standards and practices the Clearing
Agencies use to manage, measure, and monitor the
performance of key processes aligned to the
Enterprise Program Management Office Policy. The
Clearing Agencies have provided these documents
in confidential Exhibit 3 to this advance notice
filing.
79 The
E:\FR\FM\04SEN1.SGM
04SEN1
72002
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
those assessments to management and
the Audit Committee of the Board.82
Ultimately, there is no primary/
secondary relationship, as the Clearing
Agencies and the CSP each have their
own set of responsibilities which, when
combined, address the entire risk space.
ddrumheller on DSK120RN23PROD with NOTICES1
(b) Cloud Security Management
The Clearing Agencies have
established a robust Cloud security
program to (i) manage the security of the
Core C&S Systems that would be
running on the Cloud Infrastructure
hosted by the CSP, and (ii) assess and
monitor the CSP management of
security of the Cloud Infrastructure that
it operates. The security program is built
upon Clearing Agency Information
Security Policies and Control Standards
that establish requirements that apply to
any technology system as well as any
tool that provides technology
services.83 84 85 86 Below describes
elements of the Clearing Agencies’
Cloud security management in the areas
of (i) IAM controls (i.e., determining
who is accessing the systems, granting
access to the applications, and then
controlling what information they can
access); (ii) security governance and
controls for sensitive data; (iii) security
82 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the Internal Audit
Department Policies and Procedures, which
contains the policies and guidance that direct the
activities of the Clearing Agencies’ IAD. The
Clearing Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
83 Supra notes 46–47, 73–74.
84 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the DTCC Information
Security—Asset Security Policy and Control
Standards, which governs management of security
for the information assets of the Clearing Agencies.
The Clearing Agencies have provided this
document in confidential Exhibit 3 to this advance
notice filing.
85 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the DTCC Information
Security—Monitoring and Incident Management
Policy and Control Standards, which governs
DTCC’s information security monitoring and
incident management and specifies requirements
for (i) detecting unauthorized information
processing activities, (ii) ensuring information
security events and weaknesses associated with
information systems are communicated in a manner
allowing timely corrective action to be taken, and
(iii) ensuring a consistent and effective approach is
applied to the management of information security
incidents. The Clearing Agencies have provided
this document in confidential Exhibit 3 to this
advance notice filing.
86 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the DTCC Information
Security—Asset Access Control Policy and
Standards, which governs management of security
for the information assets of the DTCC and its
subsidiaries. The Clearing Agencies have provided
this document in confidential Exhibit 3 to this
advance notice filing.
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
configuration, provisioning, logging,
and monitoring; and (iv) security
testing.
(1) Network and IAM Controls
The Clearing Agencies recognize that
robust network security configuration
and IAM would provide reasonable
assurance that users—including
Clearing Agency employees, market
participants, and service accounts for
systems 87—are granted least-privileged
access 88 to the network, applications,
and data in the Cloud. The Clearing
Agencies would use third-party tools to
automate appropriate role-based access
to the Core C&S Systems running in the
Cloud. By enforcing strict separation of
duties and least-privileged access for
infrastructure, applications, and data,
the Clearing Agencies would protect the
confidentiality, availability, and
integrity of the data in the Cloud.
The Clearing Agencies have
established IAM requirements that build
upon the least-privileged model.89 As
part of the IAM program, all users must
be assigned an appropriate enterprise
identification. Additionally, the
Clearing Agencies have established
Highly Privileged Access Management
capabilities and policies to further
restrict highly privileged access to be
used only in pre-determined scenarios
that must be tied to a change, incident,
request, or release records.90
Cloud users would be granted access
to systems via a standardized and
auditable approval process. The user
identifications and granted access
would be managed through their full
lifecycle from a centralized IAM system
maintained and administered by the
Clearing Agencies. Role-, attribute-, and
context-based access controls would be
used as defined by internal standards 91
consistent with industry recommended
practices to promote the principles of
least-privileged access and separation of
duties.92
The Clearing Agencies would use and
manage third-party tools not otherwise
provided by nor managed by the CSP for
87 Service accounts are non-interactive accounts
that permit application access to support activities
such as monitoring, logging, or backup. Service
accounts are also used for machine-to-machine
communications.
88 Least-privileged access means users only have
the permission needed to perform their work, and
no more.
89 Supra note 85.
90 Id.
91 Id.
92 (1) ISO/IEC 27002:2013—Information
technology—Security techniques—Code of practice
for information security controls; (2) NIST
Cybersecurity Framework (CSF) Version 1.1; (3)
NIST Special Publication 800–53 Revision 4—
Security and Privacy Controls for Federal
Information Systems and Organizations.
PO 00000
Frm 00125
Fmt 4703
Sfmt 4703
single sign-on and least-privileged
access.93 The network also would
include hardware and software to limit
and monitor ingress and egress traffic,
encrypt data in transmission, and isolate
traffic between the Clearing Agencies
and the Cloud.94 Since the Clearing
Agencies would continue to provide
cryptographic services, including key
management, the CSP and other
network service providers would not be
able to decrypt Clearing Agency data
either at rest or while in transit.
(2) Security Governance and Controls
for Sensitive Data
The Clearing Agencies’ data
governance framework that would apply
to Cloud implementation is identified
within the Clearing Agency Information
Security Policies and Control
Standards.95 The Clearing Agency
Information Security Policies and
Control Standards address data moving
between systems within the Cloud as
well as data transiting and traversing
both trusted and untrusted networks.
For example, the Clearing Agencies’
Information Security Policies and
Control Standards require a system or
Software as a Service (i.e., SaaS) to (i)
store data and information, including all
copies of data and information in the
system, in the U.S., throughout its
lifecycle; (ii) be able to retrieve and
access the data and information
throughout its lifecycle; (iii) for data in
the system hosted in the Cloud, encrypt
such data with key pairs kept and
owned by the Clearing Agencies; (iv)
comply with U.S. federal and applicable
state data regulations regarding data
location; and (v) enable secure
disposition of non-records in
accordance with the Clearing Agencies’
Information Governance Policy.96
Furthermore, the Clearing Agencies’
policies establish the overall data
governance framework applied to the
management, use, and governance of
Clearing Agency information to include
digital instantiations, storage media, or
whether the information is located,
processed, stored, or transmitted on the
Clearing Agencies’ information systems
and networks; public, private, or hybrid
93 For example, the Clearing Agencies currently
use Bravura Security Privileged Access
Management (a/k/a PAM) for highly privileged
access management.
94 Supra notes 47, 84–85.
95 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the DTCC Data Risk
Management Policy, which establishes
requirements for the sound management of data risk
across the data lifecycle. The Clearing Agencies
have provided this document in confidential
Exhibit 3 to this advance notice filing.
96 Supra note 85.
E:\FR\FM\04SEN1.SGM
04SEN1
ddrumheller on DSK120RN23PROD with NOTICES1
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
cloud infrastructures; third-party data
centers and data repositories; or SaaS
applications.97 The Information
Classification and Handling Policy 98
classifies the Clearing Agencies’
information into categories. System
owners of technology that enable
classification and/or labeling of
information are responsible for ensuring
the correct classification level is
designated in the system of record and
the applicable controls are enforced. All
information requiring disposal is
required to be disposed of securely in
accordance with all applicable
procedures. Sensitive data must be
handled in a manner consistent with
requirements in the Information
Classification and Handling Policy.
The Clearing Agencies would
implement key security components,
namely ubiquitous authentication, and
encryption via use of an automated
public key infrastructure, coupled with
responsive, highly available
authentication, authorization tools, and
key management strategies to ensure
appropriate industry standard security
controls are in place for sensitive data
both in transit to and at rest in Cloud.99
External connectivity to the Clearing
Agencies’ systems hosted by the CSP
would be provided, as it is now, through
dedicated private circuits or over
encrypted tunnels through the internet.
These network links also would have
additional security controls, including
encryption during transmission and
restrictions on network access to and
from the Cloud. Additionally, the
Clearing Agencies would use dedicated
redundant private network connections
between the Clearing Agencies data
centers and the CSP infrastructure. The
Clearing Agencies currently maintains
two data centers and will do so in the
near term to provide redundant,
geographically diverse connectivity for
market participants.
All network communications between
the Clearing Agencies and the Cloud
Infrastructure would rely on industry
standard encryption for traffic while in
transit. Data at rest would be
safeguarded through pervasive
encryption. The Clearing Agencies’
Encryption Standards 100 describe
requirements for implementation of the
minimum required strengths,
encryption at rest, and cryptographic
algorithms approved for use in
cryptographic technology deployments
across the Clearing Agencies. All
Clearing Agency identifying data is
97 Supra
note 46.
98 Supra note 83.
99 Supra note 47.
100 Supra note 91.
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
encrypted in transit using industry
standard methods. The Key
Management Service (‘‘KMS’’)
Strategy 101 dictates that all CSP
endpoints support HTTPS for
encrypting data in transit. The Clearing
Agencies also secure connections to the
endpoint service by using virtual private
computer endpoints and ensures client
applications are properly configured to
ensure encapsulation between
minimum and maximum Transport
Layer Security versions pursuant to the
Clearing Agencies’ encryption standard.
The Clearing Agencies would have
exclusive control over the encryption
keys; only Clearing Agency authorized
users and approved third parties would
be able to access Clearing Agency data.
The CSP systems and staff would not
have access to the Clearing Agencies’
certificates or keys.102 The Clearing
Agencies would be responsible for the
application architecture, software,
configuration, and use of the CSP
services, and for the maintenance of the
environment, including ongoing
monitoring of the application
environment to achieve the appropriate
security posture. To do this, the
Clearing Agencies would follow (i)
existing security design and controls;
(ii) Cloud-specific information security
controls defined in the Clearing
Agencies’ Information Security Policies
and Control Standards; 103 and (iii)
regulatory compliance requirements
detailed in sources or information
technology practices that are widely
available and issued by an authoritative
body that is a U.S. governmental entity
or agency including NIST–CSF,104
COBIT,105 and the FFIEC Guidelines.106
The Clearing Agencies would use
third-party and custom developed tools
for CSP security compliance monitoring,
security scanning, and reporting. Alerts
and all API-level actions would be
gathered using both CSP provided,
Clearing Agency developed, and thirdparty monitoring tools. The CSP
provided monitoring tool would be
enabled by default at the organization
101 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the DTCC Information
Security—Public Key Infrastructure Policy and
Control Standards, which governs the public key
infrastructures implemented and used within DTCC
and its subsidiaries. The Clearing Agencies have
provided this document in confidential Exhibit 3 to
this advance notice filing.
102 Certificate management is the process of
creating, monitoring, and handling digital keys
(certificates) to encrypt communications.
103 Supra note 91.
104 NIST Cybersecurity Framework Version 1.1.
105 COBIT 2019 Framework: Governance and
Management Objectives.
106 FFIEC Information Technology Examination
Handbook—Information Security (September 2016).
PO 00000
Frm 00126
Fmt 4703
Sfmt 4703
72003
level to monitor all CSP services
activity. Centralized logging provides
near real-time analysis of events and
contains information about all aspects of
user and role management, detection of
unauthorized, security relevant
configuration changes, and inbound and
outbound communication.
As discussed just above, the Clearing
Agencies would use a KMS Strategy to
encrypt data in transit and at rest in the
Cloud. KMS is designed so that no one,
including CSP employees, can retrieve
customer plaintext keys and use them.
The Federal Information Processing
Standards 140–2 validated Host
Security Modules (‘‘HSMs’’) in KMS
protect the confidentiality and integrity
of Clearing Agency customer keys.107
Customer plaintext keys are not written
to disk and are only used in protected,
volatile memory of the HSMs for the
time needed to perform the customer’s
requested cryptographic operation. KMS
keys are not transmitted outside of
Cloud regions in which they were
created. Updates to the KMS HSM
firmware will be controlled by quorumbased access control 108 that is audited
and reviewed by an independent group
within the CSP.
(3) Security Configuration, Provisioning,
Logging, and Monitoring
Automated delivery of business and
security capability via the use of
‘‘Infrastructure as Code’’ and continuous
integration/continuous deployment
pipeline methods would permit security
controls to be consistently and
transparently deployed on-demand. The
Clearing Agencies would provision
Cloud Infrastructure using preestablished system configurations that
are deployed through Infrastructure as
Code, then scanned for compliance to
secure baseline configuration standards.
The Clearing Agencies also would
employ continuous configuration
monitoring and periodic vulnerability
scanning. The Clearing Agencies would
perform regular reviews and testing of
Clearing Agency systems running in
Cloud while relying upon information
provided by the CSP through the CSP’s
SOC2 and Audit Symposiums. Finally,
configuration, security incident, and
event monitoring would rely on a blend
of CSP native and third-party solutions.
The Clearing Agencies also plan to
use tools offered by the CSP, developed
by the Clearing Agencies, and third
parties to monitor the Core C&S Systems
107 The HSM is analogous to a safe to which only
the Clearing Agencies have the combination and the
ability to access the keys to locks stored within.
108 A quorum-based access mechanism requires
multiple users to provide credentials over a fixed
period in order to obtain access.
E:\FR\FM\04SEN1.SGM
04SEN1
ddrumheller on DSK120RN23PROD with NOTICES1
72004
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
running in Cloud. The Clearing
Agencies would track metrics, monitor
log files, set alarms, and have the ability
to act on changes to Core C&S Systems
and the environment in which they
operate. The CSP would provide a
dashboard to reflect-general health (e.g.,
up/down status of a region and CSP
provided services running in that
region) but would not give additional
insights into performance of services
and applications which run on those
services. The Clearing Agencies’
centralized logging system would
provide for a single frame of reference
for log aggregation, access, and
workflow management by ingesting the
CSP’s logs coming from native detective
tools and the Clearing Agencies’
instrumented controls for logging,
monitoring, and vulnerability
management. This instrumentation
would give the Clearing Agencies a realtime view into the availability of Cloud
services as well as the ability to track
historical data. By using the enterprise
monitoring tools that the Clearing
Agencies have in place, the Clearing
Agencies would be able to integrate the
availability and capacity management of
Cloud into the Clearing Agencies’
existing processes, hosted in Cloud, to
respond to issues in a timely manner.
The Clearing Agencies also would use
specialized third-party tools, as
discussed just above, to
programmatically configure Cloud
services and securely deploy
infrastructure. This automation of
configuration and deployment would
help ensure that Cloud services are
repeatably and consistently configured
securely and validated. Change
detection tools providing event logs into
the incident management system also
are vital for reacting to and investigating
unexpected changes to the environment.
The Clearing Agencies would
implement tools for the Core C&S
Systems and back-office environments
that would be hosted on the Cloud
Infrastructure, notably, IAM, monitoring
and Security Information and Event
Management systems, the workflow
system of record for incident handling,
KMS, and enterprise Data Loss
Prevention.
Finally, the CSP prioritizes assurance
programs and certifications,
underscoring its ability to comply with
financial services regulations and
standards and to provide the Clearing
Agencies with a secure Cloud
Infrastructure.109
(4) Security Testing and Verification
Security testing is integrated into
business-as-usual processes as outlined
in relevant policy and procedures.110
These documents define how testing is
initiated, executed, and tracked.
For new assets and application (or
code) releases, Technology Risk
Management determines whether and
what type of security testing is required
through a risk-based analysis.111 If
required, testing would be conducted
prior to implementation. The different
testing techniques are outlined below:
• Automated Security Testing. Using
industry standard security testing tools
and/or other security engineering
techniques specifically configured for
each test, the Clearing Agencies would
test to identify vulnerabilities and
deliver payloads with the intent to
break, change, or gain access to
unauthorized areas within an
application, data, or system.
• Manual Penetration Testing. Using
information gathered from automated
testing and/or other information
sources, the Clearing Agencies would
manually test to identify vulnerabilities
and deliver payloads with the intent to
break, change, or gain access to the
unauthorized area within an application
or system.
• Blue Team Testing. The Blue Team
identifies security threats and risks in
the operating environment and analyzes
the network, system, and SaaS
environments and their current state of
security readiness. Blue Team
assessment results guide risk mitigation
and remediation, validate the
effectiveness of controls, and provide
evidence to support authorization or
approval decisions. Blue Team testing
ensures that the Clearing Agencies’
networks, systems, and SaaS solutions
are as secure as possible before
deploying to a production environment.
The results of the Clearing Agencies’
security controls testing are risk-rated
and managed to remediation via two
separate control standards.112
(c) Change Management: Software
Development and Release Process
Consistent with FFIEC Guidance, the
Clearing Agencies’ use of Cloud would
have sufficient change management
controls in place to effectively transition
systems and information assets to Cloud
and would help ensure the security and
reliability of applications in Cloud.113
The Clearing Agencies’ enterprise
software development lifecycle
114 Id.
110 Supra
109 The
CSP has certifications for the following
frameworks: NIST, Cloud Security Alliance, COBIT,
ISO, and FISMA.
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
processes 114 would help ensure the
same control environment for all
Clearing Agency resources. The Clearing
Agencies would establish baselines for
design inputs and control requirements
and enforce workload isolation and
segregation through Cloud using
existing Cloud native technical controls
and added new tools. The Clearing
Agencies also would plan to use other
specialized platform monitoring tools
for logging, scanning of configuration,
and systems process scanning. The
Clearing Agencies also would have
oversight as the code owner and would
have final review and approval for
related changes and code merges before
deployment into production. Finally,
the Clearing Agencies would
periodically conduct static code
scanning and perform vulnerability
scanning for external dependencies
prior to deployment in production,
along with manual penetration testing of
the provided application code. In
addition, the Clearing Agencies would
perform routine scans of Compute
resources with the existing enterprise
scanning tools. Any identified
vulnerabilities would be reviewed for
severity, prioritized, and logged for
remediation tracking in upcoming
development releases.
The Clearing Agencies would create a
‘‘user acceptance plan’’ prior to
promoting code to Cloud production.
This user acceptance plan would
include tests of all major functions,
processes, and interfacing systems, as
well as security tests. Through
acceptance tests, the Clearing Agencies’
users would be able to simulate
complete application functionality of
the live environment. The change would
move to the next stage of the Clearing
Agencies’ delivery model only after
satisfying the criteria for this phase.115
The Clearing Agencies would have
internal projects that would address
change management of the various
applications and services. In particular,
the Clearing Agencies would run a suite
of supporting services that enable
building, running, scaling, and
monitoring of the Clearing Agencies’
business applications in Cloud, in an
automated, resilient, and secure
manner.116 The application platform
relies on various CSP and third-party
tools for different components,
including IaaS, Infrastructure as Code,
CI/CD, Container as a Service,
note 46.
111 Supra note 30.
112 Supra notes 46–47.
113 Supra note 30.
PO 00000
Frm 00127
Fmt 4703
115 The ‘‘user acceptance plan’’ represents only
one aspect of the overall change management
program at the Clearing Agencies.
116 Supra note 30.
Sfmt 4703
E:\FR\FM\04SEN1.SGM
04SEN1
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
Continuous Delivery, and Platform
Monitoring.
With respect to software development
in Cloud, the Clearing Agencies would
establish a closed, non-production
Cloud environment that would enable
the Clearing Agencies to develop, test,
and integrate new capabilities,
including those related to security
capabilities. This non-production Cloud
environment would focus on the
foundational security, operations, and
infrastructure requirements with the
intent to take lessons learned to
implement into future production. The
Clearing Agencies would maintain a
Cloud Reference Architecture that
defines necessary capabilities and
controls required to securely host Core
C&S Systems. The minimum
foundational security requirements
would be based on the NIST–CSF and
CIS benchmarks and include the design
and implementation requirements of a
secure Cloud account structure within a
multi-region Cloud environment. The
Clearing Agencies would maintain
enterprise security requirements that
provide structure for current and future
development. As the Cloud
environment is further developed and
expanded, there would be a
comprehensive process to identify any
incremental risks and develop and
implement controls to manage and
mitigate those risks.
ddrumheller on DSK120RN23PROD with NOTICES1
(d) Resilience and Recovery
As noted earlier, given the Clearing
Agencies’ roles as systemically
important financial market utilities, it is
vital that operations moved to the Cloud
have appropriately robust resilience and
recovery capabilities. As discussed in
Section II.B.ii.2, above, the Cloud
Infrastructure would be architected to
include (i) two autonomous and
geographically diverse regions; (ii) three
availability zones per region, with each
availability zone comprised of multiple
data centers; (iii) multi-node, high
availability clusters across each
availability zone; (iv) static stability and
static capacity models; and (v) regional
isolation, all to help ensure the
persistent availability of Compute,
Storage, and Network capabilities in
Cloud.
Additionally, the CSP’s practice in
deploying service updates to Cloud
would help ensure that the
consequences of any incidents would be
limited to the fullest extent possible.117
The CSP achieves this by (i) fully
117 The Clearing Agencies would continue to
retain responsibility for patching, configuration,
and monitoring of the operating systems and
applications in Cloud.
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
automating the build and deployment
process and (ii) deploying services to
production in a phased manner.
CSP service updates are first deployed
to cells, which minimizes the chance
that a disruption from a service update
in one cell would disrupt other cells.
Following a successful cell-based
deployment, service updates are next
deployed to a specific availability zone,
which limits any potential disruption to
that zone. Following a successful
availability zone deployment, service
updates are then deployed in a staged
manner to other availability zones,
starting with the same region and later
within other regions until the process is
complete.
The Clearing Agencies would meet
regularly with the CSP, in addition to
formal quarterly briefing meetings with
the CSP, as described in the Reg. SCI
Addendum.118 The informal discussions
and quarterly briefing meetings would
permit the Clearing Agencies to gather
information in advance of the quarterly
systems change report. Most reportable
systems changes would continue to
occur based on changes to Compute,
Storage, Network, or applications
controlled by the Clearing Agencies.
(e) Audit Controls and Assessment
The Clearing Agencies would
regularly test security controls and
configurations, including by monitoring
the CSP’s technical, administrative, and
physical security controls that support
the Clearing Agencies’ systems in the
Cloud Infrastructure.
(1) Internal Risk Assessments
As part of their existing third-party
vendor risk activities, the Clearing
Agencies’ Third-Party Risk department
(‘‘TPR’’) would assess the operational
risks of the CSP as a critical vendor
annually.119 120 121 Additionally, as a
118 See Reg. SCI Addendum, Section 4 Briefing
Meetings. The Clearing Agencies have provided this
document in confidential Exhibit 3 to this advance
notice filing.
119 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the DTCC Third Party Risk
Governance & Monitoring Procedures, which
describes the minimum requirements for practices
and standards to be used by business owners to
monitor and manage third party relationships for
DTCC and its subsidiaries. The Clearing Agencies
have provided this document in confidential
Exhibit 3 to this advance notice filing.
120 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the DTCC Third Party Risk
Policy and the DTCC Third Party Risk Procedures,
which establish the standards and practices to be
used by certain business line departments and/or
functional units to manage the potential risks
associated with engaging with an external service
provider. The Clearing Agencies have provided
these documents in confidential Exhibit 3 to this
advance notice filing.
PO 00000
Frm 00128
Fmt 4703
Sfmt 4703
72005
critical vendor, the CSP is subject to
heightened risk management
requirements, as defined in the DTCC
Third Party Risk CriticalPlus Program
Procedures,122 which include an
executive sponsor that must be at the
Managing Director level or higher,
documented annual meetings, quarterly
reporting, and monthly notifications.
Issues rated moderate or above, negative
news, performance concerns or
remediations are directly escalated to
the Management Risk Committee
monthly.123
(2) Internal Audit Department
As mentioned in Section II.B.ii.4.(a),
above, the Clearing Agencies’ IAD, as
the third line of defense, is independent
from the Clearing Agencies’ business
lines, support areas, and controls
functions, and promotes resiliency and
security through the assessment of risk
management and control frameworks to
raise awareness of control risks and
changes for improving controls and
governance processes.
IAD assesses the risks of the Clearing
Agencies, at least annually, as part of
the development of the risk-based audit
plan, which is reviewed and refreshed,
as needed, on a quarterly basis.124 The
development of the audit plan includes
the consideration of IADs risk
assessment results, which informs cycle
coverage requirements for Cloud.
Additional considerations include, but
are not limited to, regulatory
requirements and expectations,
initiatives, and institutional and
industry risk trends, including risks
associated with technology and cloudbased processes.
IAD’s specific reviews of Cloud
Infrastructure have not identified any
material deficiencies and the scope of
the reviews have included, but are not
limited to, consideration of governance
and oversight, contagion risk and logical
separation, access management, security
configuration and monitoring,
121 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the Third Party Risk—
Technology and Resilience Procedure, which
supplements the ‘‘DTCC Third Party Risk Policy’’,
‘‘DTCC Third Party Risk Procedures’’, and ‘‘DTCC
Third Party Risk Governance and Monitoring
Procedures’’ and covers the following: standard
technology risk assessments (e.g., due diligence),
fourth party reviews, NYDFS cyber security
assessments, and onsite assessments. The Clearing
Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
122 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the DTCC Third Party Risk
CriticalPlus Program Procedures. The Clearing
Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
123 Supra note 62.
124 Supra note 81.
E:\FR\FM\04SEN1.SGM
04SEN1
72006
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
concentration risk, exit strategy,
business continuity and disaster
recovery. IAD also has assessed the
design of controls for a cloud platform
scheduled for use in 2024 and is
proposing a Cloud Security audit for
2024.125
(3) Key Risk and Key Performance
Indicators 126
ddrumheller on DSK120RN23PROD with NOTICES1
The Clearing Agencies have
established processes to evaluate the
Clearing Agencies’ management of
CSPs. Cloud vendors are rated through
a quarterly TPR survey. If a survey
results in a poor rating, then it is
reported to the Management Risk
Committee (‘‘MRC’’).127 TPR is
responsible for the timely reporting and
escalation of third-party risks. On a
regular basis, TPR will review all active
assessments to identify any high risks or
potential issues that may require further
discussion or escalation to senior
management, Corporate Procurement
Services (‘‘CPS’’), or internal
stakeholders. The DTCC Third Party
Risk Procedures provide a list of events
that must be presented to the MRC.128
The Clearing Agencies have
developed key performance indicators
(‘‘KPIs’’) for Cloud and socialized these
KPIs internally. The KRIs already exist
for Core C&S Systems and are aligned to
overall systems availability, capacity,
data integrity, and security.129 The CSP
KPIs would feed into existing KRIs and
would be used to evaluate the CSP’s
performance after Cloud
implementation. KPIs would be added
to monitor the performance and risks of
the CSP services for which the Clearing
Agencies have contracted. These postCloud implementation KRIs and KPIs
would allow the Clearing Agencies to
assess their ongoing use of the CSP
against their operational and security
requirements and would help
demonstrate the effectiveness of risk
controls and the CSP’s performance
against commitments in the SLAs, and
will be reported on a regular basis to the
Clearing Agencies’ Management
Committee, Board of Directors, and
125 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the Clearing Agencies’ Cloud
Platform Internal Audit Report. The Clearing
Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
126 Supra note 62.
127 Supra note 119.
128 Supra note 78.
129 The Clearing Agencies have separately
submitted a request for confidential treatment to the
Commission regarding the IT–Q4 2023 Risk
Tolerance. The Clearing Agencies have provided
this document in confidential Exhibit 3 to this
advance notice filing.
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
Technology and Risk Committees of the
Board of Directors.
(4) Auditing the CSP and Access
Rights 130
The CSP hosts an annual Audit
Symposium. The Cloud Agreement
gives the Clearing Agencies the right to
attend the symposium so that the
Clearing Agencies may inspect and
verify evidence of the design and
effectiveness of the CSP’s control
environment.131 The CSP also hosts an
annual Cloud security conference
focused on security, governance, risk
and compliance, which the Clearing
Agencies would attend. Through
preparation for and attendance at these
events, the Clearing Agencies could
provide feedback and make requests of
the CSP for future modifications of its
control environment.
The Clearing Agencies’ Information
Technology staff currently meets with
CSP representatives weekly to focus on
technical issues related to the Clearing
Agencies’ proposed Cloud environment.
As required under the Cloud
Agreement, the Clearing Agencies hold
quarterly compliance briefings with the
CSP, wherein the Clearing Agencies
receive information, including any
necessary documentation, from the CSP
to help assure the Clearing Agencies
that the CSP is meeting its
obligations.132 The information
provided includes updates to services
and SLAs, CSP performance, and details
that help the Clearing Agencies meet
their reporting obligations under
Section 1003(a)(1) of Reg. SCI. The
Clearing Agencies’ management,
including Security, Information
Technology, TPR, and the Internal
Audit Department, coordinate to ensure
appropriate representation during such
briefings. The CSP is required under
Cloud Agreement to maintain records
showing its compliance with the
agreements for a period of five years.133
The CSP would be required to
maintain an information security
program, including controls and
certifications, that is as protective as the
program evidenced by the CSP’s SOC–
2 report. The CSP must make available
on demand to the Clearing Agencies its
SOC–2 report as well as the CSP’s other
certifications from accreditation bodies
130 Supra
note 62.
Reg. SCI Addendum, Section 3 Customer
Right of Access and Audit. The Clearing Agencies
have provided this document in confidential
Exhibit 3 to this advance notice filing.
132 Supra note 117.
133 See Reg. SCI Addendum, Section 7.3 CSP
Records. The Clearing Agencies have provided this
document in confidential Exhibit 3 to this advance
notice filing.
131 See
PO 00000
Frm 00129
Fmt 4703
Sfmt 4703
and information on its alignment with
various frameworks, including NIST–
CSF, and ISO.134
As part of the annual risk assessment
of the CSP, TPR collects risk and control
related assurance documents from the
CSP and coordinates review with the
Clearing Agencies’ respective subject
matters specialists. TPR, Security, and
Business Continuity would determine
the adequacy and reasonableness of the
documentation received to complete the
Third-Party Risk Assessment. Finally,
the Cloud Agreement provides that the
Clearing Agencies’ and their regulators
may visit the facilities of the CSP under
specified conditions. TPR would help
coordinate bi-annual visits of the data
centers.135
The Clearing Agencies plan to use the
CSP’s services combined with
additional third-party tools to monitor
systems deployed by ingesting logs into
a security incident and event
monitoring tool to provide a ‘‘single
pane of glass’’ view into the Cloud
Infrastructure. When incidents are
detected, the Clearing Agencies would
follow their existing incident response
governance to identify, detect, contain,
eradicate, and recover from incidents.
III. Consistency With the Clearing
Supervision Act
The stated purpose of the Clearing
Supervision Act is to mitigate systemic
risk in the financial system and promote
financial stability by, among other
things, promoting uniform risk
management standards for systemically
important financial market utilities and
strengthening the liquidity of
systemically important financial market
utilities.136 Section 805(a)(2) of the
Clearing Supervision Act 137 also
authorizes the Commission to prescribe
risk management standards for the
134 The FFIEC Guidance provides that the
Clearing Agencies may obtain SOC reports, other
independent audits, or ISO certification reports to
gain assurance that the CSP’s controls are operating
effectively. See FFIEC, Security in a Cloud
Computing Environment, at 7. The Clearing
Agencies review the CSP’s SOC–2 on an annual
basis. See Reg. SCI Addendum, Section 2 CSP
Information Security Program. The SOC reports,
along with other artifacts showing compliance with
these sections, are available to the Clearing
Agencies on demand. In addition, during each
Briefing Meeting (See Reg. SCI Addendum Section
4 Briefing Meetings), updates are provided on any
material changes to certification standards, policies,
procedures, controls or security standards at the
CSP. The Clearing Agencies have provided this
document in confidential Exhibit 3 to this advance
notice filing.
135 See Reg. SCI Addendum, Sections 3 Customer
Right of Access and Audit and 9 Regulatory
Supervision. The Clearing Agencies have provided
this document in confidential Exhibit 3 to this
advance notice filing.
136 12 U.S.C. 5461(b).
137 12 U.S.C. 5464(a)(2).
E:\FR\FM\04SEN1.SGM
04SEN1
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
payment, clearing and settlement
activities of designated clearing entities,
like the Clearing Agencies, for which
the Commission is the supervisory
agency. Section 805(b) of the Clearing
Supervision Act 138 states that the
objectives and principles for risk
management standards prescribed under
Section 805(a) shall be to:
• promote robust risk management;
• promote safety and soundness;
• reduce systemic risks; and
• support the stability of the broader
financial system.
The Commission adopted Rule 17ad–
22 under Section 805(a)(2) of the
Clearing Supervision Act and the
Exchange Act in furtherance of these
objectives and principles.139 Rule 17ad–
22 under the Exchange requires covered
clearing agencies, like the Clearing
Agencies, to establish, implement,
maintain, and enforce written policies
and procedures that are reasonably
designed to meet certain minimum
requirements for their operations and
risk management practices on an
ongoing basis.140
The Clearing Agencies believe that the
Cloud Proposal is consistent with
Section 805(b)(1) of the Clearing
Supervision Act 141 and the
requirements of Rules 17ad–22(e)(17)(ii)
under the Exchange Act.142
A. Consistency With Section 805(b)(1) of
the Clearing Supervision Act
ddrumheller on DSK120RN23PROD with NOTICES1
Promote Robust Risk Management. As
described above, the Clearing Agencies
believe that the Cloud Proposal
promotes robust risk management,
specifically operational risk
management, by providing scalable and
secure infrastructure for hosting Core
C&S Systems. The Cloud Proposal
would add additional security
capabilities, allow for regular updates
and maintenance of applications, and
reduce the risk of data breaches while
also ensuring compliance with industry
standards. Additionally, transitioning to
Cloud would offer flexibility in scaling
resources, which can enable the
Clearing Agencies to adapt quickly to
changing security needs and allocate
resources more efficiently.
Today, the Clearing Agencies’ ability
to risk manage extreme market events is
directly tied to their ability to scale their
138 12
U.S.C. 5464(b).
CFR 240.17ad–22. Exchange Act Release
Nos. 68080 (October 22, 2012), 77 FR 66220
(November 2, 2012) (S7–08–11) (Clearing Agency
Standards); 78961 (September 28, 2016), 81 FR
70786 (October 13, 2016) (S7–03–14) (Standards for
Covered Clearing Agencies).
140 17 CFR 240.17ad–22.
141 12 U.S.C. 5464(b)(1).
142 17 CFR 240.17ad–22(e)(17)(ii).
139 17
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
on-premises resource during such
events, which is directly tied to the
Clearing Agencies having previously
expended enough capital to build
enough capacity based on earlier
performance testing of their applications
to withstand such extreme market
events. Although the Clearing Agencies
would continue to performance test
their applications regardless of where
the applications are hosted, by hosting
the applications in Cloud, the number of
scalable resources is already available,
when needed, without the Clearing
Agencies having to pre-purchase it or
build it. This level of nearly unbounded,
on-demand scalability provides a muchwelcomed risk-management feature for
extreme events, such as a global
pandemic as noted above.
Overall, risk management is
inherently strengthened by hosting in
Cloud through advanced security
features, real-time monitoring, ondemand scalability, and compliance
standards implemented by the CSP. By
leveraging these capabilities, the
Clearing Agencies can better proactively
identify and address risks, ensuring data
integrity and regulatory compliance.
Promote Safety and Soundness. The
Clearing Agencies also believe that the
Cloud Proposal promotes safety and
soundness. As discussed above,
transitioning to Cloud provides
centralized management and improved
scalability. The CSP provides cloudspecific security capabilities, including
encryption, access controls, and regular
updates, reducing the risk of security
breaches. Centralized monitoring allows
for better visibility into potential
threats, enabling quick response and
mitigation. The agility afforded by
Cloud would allow the Clearing
Agencies to respond to performance
challenges more efficiently and
effectively. For instance, as noted above,
in the face of unexpected surges in
demand, Cloud scalability would allow
the Clearing Agencies to seamlessly
adjust resources, helping to prevent
service disruptions and loss of
operations. Such agility not only
enhances the effectiveness of operations
but also mitigates the risks associated
with unexpected fluctuations in
workload performance. These benefits
improve the Clearing Agencies abilities
to maintain operational continuity and
resilience, which help promote safety
and soundness.
Reduce Systemic Risk. The Clearing
Agencies also believe that the Cloud
Proposal would reduce systemic risk by
improving overall resilience and
security. As described above, hosting
Core C&S Systems in Cloud would
provide distributed infrastructure and
PO 00000
Frm 00130
Fmt 4703
Sfmt 4703
72007
data redundancy (i.e., multiple
availability zones, supported by many
data centers, across two regions),
making the systems less susceptible to
single points of failure. Moreover,
disaster recovery would be streamlined,
minimizing the effect of potential
disruptions, while automatic backup
systems, geographic redundancy, and
faster data recovery mechanisms would
all contribute to a more resilient
infrastructure. In the event of a localized
issue, the distributed nature of Cloud
would help prevent widespread
disruptions.
Production resiliency also is greatly
improved in Cloud compared to the
Clearing Agencies’ on-premises
capabilities, where a single location
hosts an application, on a single copy of
primary storage. Instead, Cloud would
host an application across three primary
availability zones, made of up of many
data centers, each of which contain
actively running instances and
synchronous copies of the data. If the
Clearing Agencies’ primary, on-premises
data center fails, an out of region
recovery will be necessary and will
likely result in approximately two hours
of downtime. By comparison, in Cloud,
even if an entire availability zone fails
(meaning the failure of multiple data
centers), Core C&S Systems would
continue to operate within the region,
thus avoiding an out of region recovery
and any downtime.
The Clearing Agencies would employ
meaningful security capabilities and
measures provided by the CSP and
third-party tools to further enhance the
security of the Clearing Agencies’ Core
C&S Systems. This approach to security
would help reduce systemic risks
associated with operational outages and
significantly reduce the risk associated
with data loss or downtime.
Additionally, the Cloud environment
facilitates regular updates and patch
management, ensuring that security
measures stay current. This proactive
maintenance helps mitigate
vulnerabilities that could otherwise
contribute to systemic risk. Overall, the
adoption of Cloud enhances the stability
and security of IT infrastructure,
contributing to a reduction in systemic
risks.
Altogether, the Clearing Agencies
believe that the benefits afford from
operating in a Cloud Infrastructure
would help the Clearing Agencies
reduce systemic risk.
Support the Stability of the Broader
Financial System. The Clearing
Agencies believe that the Cloud
Proposal supports the stability of the
broader financial system by enhancing
efficiency, resilience, and security of the
E:\FR\FM\04SEN1.SGM
04SEN1
72008
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
ddrumheller on DSK120RN23PROD with NOTICES1
Clearing Agencies’ Core C&S Systems.
Cloud services would provide the
Clearing Agencies with scalable and
flexible infrastructure, allowing for
more efficient resource allocation and
cost management, which supports
operational resiliency and stability.
With the ability to rapidly deploy new
applications and services, the Clearing
Agencies would become more agile in
adapting to market trends and
participant and customer needs.
In terms of resilience, the Cloud
Infrastructure offers distributed data
storage and failover solutions, reducing
the impact of localized disruptions and
improving recovery capabilities. This
resilience is crucial for the Clearing
Agencies’ Core C&S Systems to continue
functioning even in the face of
unforeseen events. Moreover, the CSP’s
strengthened security capabilities help
protect sensitive data, mitigating the
risk of cyberattack or data breaches that
could undermine the stability of the
financial system. Overall, the transition
to Cloud fosters improved operational
efficiency, resilience, and robust
security practices, contributing to the
stability of the broader financial system.
Accordingly, the proposed changes
provided in this Cloud Proposal are
consistent with (i) promoting robust risk
management; (ii) promoting safety and
soundness; (iii) reducing systemic risks;
and (iv) promoting the stability of the
broader financial system, all in support
of the objectives and principles of
Section 805(b) of the Clearing
Supervision Act.143
B. Consistency With Rule 17ad–
22(e)(17)(ii) Under the Exchange Act
Rule 17ad–22(e)(17)(ii) requires the
Clearing Agencies to establish,
implement, maintain, and enforce
written policies and procedures
reasonably designed to manage the
Clearing Agencies’ operational risk by
‘‘ensuring that systems have a high
degree of security, resiliency,
operational reliability, and adequate,
scalable capacity.’’ 144
Security. As described above and in
policies and procedures confidentially
filed, the Clearing Agencies have
established a robust Cloud security
program to manage the security of the
Core C&S Systems that would be
running in Cloud and to monitor the
CSP’s management of security of the
143 12
U.S.C. 5464(b).
CFR 240.17ad–22(e)(17)(ii). The Clearing
Agencies maintain several policies specifically
designed to manage the risks associated with
maintaining adequate levels of system functionality,
confidentiality, integrity, availability, capacity, and
resiliency for systems that support core clearing,
risk management, and data management services.
144 17
VerDate Sep<11>2014
21:26 Sep 03, 2024
Jkt 262001
Cloud Infrastructure that it operates.
Processes are formally defined,
automated to the fullest extent,
repeatable with minimal variation,
accessible, adhered to, and timely. The
enterprise security program
encompasses all of the Clearing
Agencies’ assets existing in the Clearing
Agencies’ offices, data centers, and
within the Cloud Infrastructure, and
IAM controls ensure least-privileged
user access to applications in Cloud.
The Clearing Agencies have appropriate
controls in place to help ensure the
security of confidential information intransit between the Clearing Agencies’
data centers and the Cloud
Infrastructure, between systems within
the Cloud Infrastructure, and at-rest. All
network communications between the
Clearing Agencies and Cloud would rely
on industry standard encryption for
traffic while in transit, and data at rest
would be safeguarded through pervasive
encryption. Finally, automated delivery
of business and security capability via
the use of the Infrastructure as Code,
Cloud agnostic tools, and continuous
integration/continuous deployment
pipeline methods help ensure security
controls are consistently and
transparently deployed.
Resiliency and Operational
Reliability. As stated above, resiliency
and operational reliability of the Cloud
Infrastructure is built into the system
with functionality for the Clearing
Agencies’ Core C&S Systems to run in
multiple availability zones within
multiple regions. Regions are segregated
from one another and are designed to
minimize the possibility of a multiregion outage. The Clearing Agencies
have designed their Cloud Infrastructure
to have primary (hot)/secondary (warm)
regions, at all times, ensuring Compute,
Storage, and Network resources would
be available in a new redundant region
in the event of a primary region failure.
As a result, the Cloud Infrastructure
offers the Clearing Agencies multiple
redundancies within which to run Core
C&S Systems, while simultaneously
restricting the effect of an incident at the
CSP to the smallest footprint possible.
Scalability. As described above, since
additional computing power can be
launched on demand, the scalability in
a Cloud computing environment is
considerable and instantaneous. The
Clearing Agencies could provision or
de-provision Compute, Storage, and
Network resources to meet demand at
any given point in time. In the current
on-premises environment, immediate
scalability is limited by the capacity of
the on-premises hardware. Additional
physical servers and network equipment
would be needed to scale beyond the
PO 00000
Frm 00131
Fmt 4703
Sfmt 4703
limits of the on-premises hardware,
potentially affecting the ability to
quickly adapt to evolving market
conditions, including spikes in trading
volume.
For these reasons, the Clearing
Agencies believe that the Cloud
Proposal would help ensure that the
Clearing Agencies’ systems have a high
degree of security, resiliency,
operational reliability, and adequate,
scalable capacity, consistent with Rule
17ad–22(e)(17)(ii) under the Exchange
Act.145
III. Date of Effectiveness of the Advance
Notice
The proposed change may be
implemented if the Commission does
not object to the proposed change
within 60 days of the later of (i) the date
the proposed change was filed with the
Commission or (ii) the date any
additional information requested by the
Commission is received.146 The clearing
agency shall not implement the
proposed change if the Commission has
any objection to the proposed change.147
The clearing agency shall post notice
on its website of proposed changes that
are implemented. The proposal shall not
take effect until all regulatory actions
required with respect to the proposal are
completed.
IV. Solicitation of Comments
Interested persons are invited to
submit written data, views, and
arguments concerning the foregoing,
including whether the advance notice is
consistent with the Clearing
Supervision Act. Comments may be
submitted by any of the following
methods:
Electronic Comments
• Use the Commission’s internet
comment form (https://www.sec.gov/
rules/sro.shtml); or
• Send an email to rule-comments@
sec.gov. Please include file number
NSCC–2024–801 on the subject line.
Paper Comments
• Send paper comments in triplicate
to Secretary, Securities and Exchange
Commission, 100 F Street NE,
Washington, DC 20549–1090.
All submissions should refer to file
number SR–NSCC–2024–801. This file
number should be included on the
subject line if email is used. To help the
Commission process and review your
comments more efficiently, please use
only one method. The Commission will
145 17
CFR 240.17ad–22(e)(17)(ii).
U.S.C. 5465(e)(1)(G).
147 12 U.S.C. 5465(e)(1)(F).
146 12
E:\FR\FM\04SEN1.SGM
04SEN1
Federal Register / Vol. 89, No. 171 / Wednesday, September 4, 2024 / Notices
ddrumheller on DSK120RN23PROD with NOTICES1
post all comments on the Commission’s
internet website (https://www.sec.gov/
rules/sro.shtml). Copies of the
submission, all subsequent
amendments, all written statements
with respect to the advance notice that
are filed with the Commission, and all
written communications relating to the
advance notice between the
Commission and any person, other than
those that may be withheld from the
public in accordance with the
provisions of 5 U.S.C. 552, will be
available for website viewing and
printing in the Commission’s Public
Reference Room, 100 F Street NE,
Washington, DC 20549 on official
business days between the hours of 10
a.m. and 3 p.m. Copies of the filing also
will be available for inspection and
copying at the principal office of NSCC
and on DTCC’s website (dtcc.com/legal/
sec-rule-filings). Do not include
personal identifiable information in
submissions; you should submit only
information that you wish to make
available publicly. We may redact in
part or withhold entirely from
publication submitted material that is
obscene or subject to copyright
protection. All submissions should refer
to File Number SR–NSCC–2024–801
and should be submitted on or before
September 25, 2024.
V. Date of Timing for Commission
Action
Section 806(e)(1)(G) of the Clearing
Supervision Act provides that NSCC
may implement the changes if it has not
received an objection to the proposed
changes within 60 days of the later of (i)
the date that the Commission receives
the Advance Notice or (ii) the date that
any additional information requested by
the Commission is received,148 unless
extended as described below.
Pursuant to Section 806(e)(1)(H) of the
Clearing Supervision Act, the
Commission may extend the review
period of an advance notice for an
additional 60 days, if the changes
proposed in the advance notice raise
novel or complex issues, subject to the
Commission providing the clearing
agency with prompt written notice of
the extension.149
Here, as the Commission has not
requested any additional information,
the date that is 60 days after NSCC filed
the Advance Notice with the
Commission is October 13, 2024.
However, the Commission believes that
the changes proposed in the Advance
Notice raise novel and complex issues.
The Commission finds the issues novel
because NSCC proposes a gradual
migration of a specified set of Core C&S
Systems to a public cloud infrastructure
hosted by a single, third-party service
provider. The Commission also finds
the issues raised by the Advance Notice
complex because the selection of the
subset of applications proposed for
migration involves a detailed
governance review process that would
require careful scrutiny and
consideration of its associated risks.
Therefore, the Commission finds it
appropriate to extend the review period
of the Advance Notice for an additional
60 days under Section 806(e)(1)(H) of
the Clearing Supervision Act.150
Accordingly, the Commission,
pursuant to Section 806(e)(1)(H) of the
Clearing Supervision Act,151 extends the
review period for an additional 60 days
so that the Commission shall have until
December 12, 2024 to issue an objection
or non-objection to advance notice SR–
NSCC–2024–801.
All submissions should refer to File
Number SR–NSCC–2024–801 and
should be submitted on or before
September 25, 2024.
For the Commission, by the Division of
Trading and Markets, pursuant to delegated
authority.152
Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2024–19761 Filed 9–3–24; 8:45 am]
BILLING CODE 8011–01–P
SECURITIES AND EXCHANGE
COMMISSION
[Release No. 34–100866; File No. SR–
GEMX–2024–29]
Self-Regulatory Organizations; Nasdaq
GEMX, LLC.; Notice of Filing and
Immediate Effectiveness of Proposed
Rule Change To Establish Fees
Related to Certain Prospective Costs
of the National Market System Plan
Governing the Consolidated Audit Trail
August 28, 2024.
Pursuant to Section 19(b)(1) under the
Securities Exchange Act of 1934 (the
‘‘Act’’) 1 and Rule 19b–4 thereunder,2
notice is hereby given that on August
15, 2024, Nasdaq GEMX, LLC (‘‘GEMX’’
or ‘‘Exchange’’) filed with the Securities
and Exchange Commission (‘‘SEC’’ or
‘‘Commission’’) the proposed rule
change as described in Items I and II
below, which Items have been prepared
by the self-regulatory organization. The
150 Id.
151 Id.
152 17
CFR 200.30–3(a)(91).
U.S.C. 78s(b)(1).
2 17 CFR 240.19b–4.
148 12
U.S.C. 5465(e)(1)(G).
149 12 U.S.C. 5465(e)(1)(H).
VerDate Sep<11>2014
21:26 Sep 03, 2024
1 15
Jkt 262001
PO 00000
Frm 00132
Fmt 4703
Sfmt 4703
72009
Commission is publishing this notice to
solicit comments on the proposed rule
change from interested persons.
I. Self-Regulatory Organization’s
Statement of the Terms of Substance of
the Proposed Rule Change
The Exchange proposes to establish
fees for Industry Members 3 related to
reasonably budgeted CAT costs of the
National Market System Plan Governing
the Consolidated Audit Trail (the ‘‘CAT
NMS Plan’’ or ‘‘Plan’’) for the period
from July 16, 2024 through December
31, 2024, as described further below.
The text of the proposed rule change
is available on the Exchange’s website at
https://listingcenter.nasdaq.com/
rulebook/nasdaq/rules, at the principal
office of the Exchange, and at the
Commission’s Public Reference Room.
II. Self-Regulatory Organization’s
Statement of the Purpose of, and
Statutory Basis for, the Proposed Rule
Change
In its filing with the Commission, the
self-regulatory organization included
statements concerning the purpose of,
and basis for, the proposed rule change
and discussed any comments it received
on the proposed rule change. The text
of those statements may be examined at
the places specified in Item IV below.
The Exchange has prepared summaries,
set forth in sections A, B, and C below,
of the most significant parts of such
statements.
A. Self-Regulatory Organization’s
Statement of the Purpose of, and
Statutory Basis for, the Proposed Rule
Change
1. Purpose
On July 11, 2012, the Commission
adopted Rule 613 of Regulation NMS,
which required the self-regulatory
organizations (‘‘SROs’’) to submit a
national market system (‘‘NMS’’) plan to
create, implement and maintain a
consolidated audit trail that would
capture customer and order event
information for orders in NMS securities
across all markets, from the time of
order inception through routing,
cancellation, modification or
3 An ‘‘Industry Member’’ is defined as ‘‘a member
of a national securities exchange or a member of a
national securities association.’’ See Nasdaq Rule
General 7(u) (GEMX General 7 incorporates The
Nasdaq Stock Market LLC Rule General 7 by
reference); see also Section 1.1 of the CAT NMS
Plan. Unless otherwise specified, capitalized terms
used in this rule filing are defined as set forth in
the CAT NMS Plan and/or the CAT Compliance
Rule. Nasdaq Rule General 7 (Consolidated Audit
Trail Compliance).
E:\FR\FM\04SEN1.SGM
04SEN1
Agencies
[Federal Register Volume 89, Number 171 (Wednesday, September 4, 2024)]
[Notices]
[Pages 71991-72009]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-19761]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-100851; File No. SR-NSCC-2024-801]
Self-Regulatory Organizations; National Securities Clearing
Corporation; Notice of Filing and Extension of Review Period of Advance
Notice To Host Certain Core Clearance and Settlement Systems in a
Public Cloud
August 28, 2024.
Pursuant to Section 806(e)(1) of Title VIII of the Dodd-Frank Wall
Street Reform and Consumer Protection Act, entitled Payment, Clearing
and Settlement Supervision Act of 2010 (``Clearing Supervision Act'')
\1\ and Rule 19b-4(n)(1)(i) \2\ under the Securities Exchange Act of
1934 (``Act''),\3\ notice is hereby given that on August 14, 2024,
National Securities Clearing Corporation (``NSCC'') filed with the
Securities and Exchange Commission (``Commission'') an advance notice
as described in Items I, II and III below, which Items have been
prepared primarily by the clearing agency. The Commission is publishing
this notice to solicit comments on the advance notice from interested
persons and to extend the review period of the advance notice.
---------------------------------------------------------------------------
\1\ 12 U.S.C. 5465(e)(1).
\2\ 17 CFR 240.19b-4(n)(1)(i).
\3\ 15 U.S.C. 78a et seq.
---------------------------------------------------------------------------
I. Clearing Agency's Statement of the Terms of Substance of the Advance
Notice
NSCC files this advance notice seeking no objection to host a
specified set of core clearance, settlement, and risk applications,
including any Regulation Systems Compliance and Integrity (``Reg.
SCI'') systems and Critical SCI systems,\4\ (``Core C&S Systems'') on
an on-demand network of configurable information technology resources
running on a public cloud infrastructure (``Cloud'' or ``Cloud
Infrastructure'') hosted by a single, third-party service provider
(``Cloud Service Provider'' or ``CSP'') (altogether, the ``Cloud
Proposal''), as described in greater detail below.
---------------------------------------------------------------------------
\4\ 17 CFR 242.1000 et seq.
---------------------------------------------------------------------------
II. Clearing Agency's Statement of the Purpose of, and Statutory Basis
for, the Advance Notice
In its filing with the Commission, the clearing agency included
statements concerning the purpose of and basis for the advance notice
and discussed any comments it received on the advance notice. The text
of these statements may
[[Page 71992]]
be examined at the places specified in Item IV below. The clearing
agency has prepared summaries, set forth in sections A and B below, of
the most significant aspects of such statements.
(A) Clearing Agency's Statement on Comments on the Advance Notice
Received From Members, Participants or Others
NSCC has not received or solicited any written comments relating to
this proposal. If any written comments are received, NSCC will amend
this filing to publicly file such comments as an Exhibit 2 to this
filing, as required by Form 19b-4 and the General Instructions thereto.
Persons submitting written comments are cautioned that, according
to Section IV (Solicitation of Comments) of the Exhibit 1A in the
General Instructions to Form 19b-4, the Securities and Exchange
Commission (``Commission'') does not edit personal identifying
information from comment submissions. Commenters should submit only
information that they wish to make available publicly, including their
name, email address, and any other identifying information.
All prospective commenters should follow the Commission's
instructions on How to Submit Comments, available at www.sec.gov/regulatory-actions/how-to-submitcomments. General questions regarding
the rule filing process or logistical questions regarding this filing
should be directed to the Main Office of the Commission's Division of
Trading and Markets at [email protected] or 202-551-5777.
NSCC reserves the right to not respond to any comments received.
(B) Advance Notices Filed Pursuant to Section 806(e) of the Clearing,
and Settlement Supervision Act
I. Description of the Proposal
Pursuant to the Clearing Supervision Act and Rule 19b-4(n)(1)(i)
under the Exchange Act,\5\ NSCC files this advance notice seeking no
objection to the Cloud Proposal, as described herein.
---------------------------------------------------------------------------
\5\ 17 CFR 240.19b-4(n)(1)(i).
---------------------------------------------------------------------------
The specified set of Core C&S Systems that the Clearing Agencies
intend to host in the Cloud, and the transition schedule for such
hosting, are listed in Exhibit 3 to this advance notice filing.\6\
However, the Clearing Agencies recognize that it may become necessary
to deviate from the proposed transition schedule as risks change over
time and the proposed implementation would occur over several years.
The Clearing Agencies' process for monitoring, assessing, and
escalating such risks, which may result in a deviation, is described in
Section I.D, below. If the Clearing Agencies would need to deviate from
that schedule, they would provide Commission staff notice of such
deviation, the reason for the deviation, and how the implementation
schedule would be updated to account for the deviation. Further, the
Clearing Agencies recognize that deviating from the proposed transition
schedule would necessitate a separate analysis to determine whether
such deviation could materially affect the nature or level of risk
posed by each of the Clearing Agencies.
---------------------------------------------------------------------------
\6\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the proposed
transition schedule (i.e., the Core C&S Systems to Move to Cloud).
The Clearing Agencies have provided this schedule in confidential
Exhibit 3 to this advance notice filing.
---------------------------------------------------------------------------
NSCC's two affiliate clearing agencies, Fixed Income Clearing
Corporation (``FICC'') and The Depository Trust Company (``DTC'' and
together with NSCC and FICC, the ``Clearing Agencies'') \7\ have each
filed with the Commission advance notices to adopt the same Cloud
Proposal. Accordingly, each respective advance notice filing is written
from the perspective of the Clearing Agencies, collectively, instead of
NSCC, FICC, and DTC individually.\8\
---------------------------------------------------------------------------
\7\ The Clearing Agencies are each a subsidiary of The
Depository Trust & Clearing Corporation (``DTCC''). DTCC operates on
a shared service model with respect to the Clearing Agencies. Most
corporate functions are established and managed on an enterprise-
wide basis pursuant to intercompany agreements under which it is
generally DTCC that provides relevant services to the Clearing
Agencies.
\8\ Capitalized terms not otherwise defined herein have the
meaning as set forth in respective rules of the Clearing Agencies,
available at https://www.dtcc.com/legal/rules-and-procedures.
---------------------------------------------------------------------------
A. The Current System and Summary of Proposed Change
Today, the Clearing Agencies' Core C&S Systems are hosted using
Compute,\9\ Storage and Networking, as defined below, running in
private data centers (i.e., on-premises). The current data-center
footprint consists of a single data center in each of two regions. Each
regional data center has a corresponding data bunker used for
synchronous data protection and restoration.\10\
---------------------------------------------------------------------------
\9\ The existing Compute platform consists of both on-premises
mainframe and private cloud platforms.
\10\ Note: The data bunkers cannot run applications, as they are
only for data protection and restoration.
---------------------------------------------------------------------------
The Clearing Agencies view the proposed transition to using a Cloud
Infrastructure to host the specified set of Core C&S Systems as a
natural progression of the Clearing Agencies' information technology
strategy that aligns with their overall corporate strategy--to deliver
on modernization and maximize the value of their platforms for
stakeholders and continue to invest in risk management excellence.
For over 11 years, the Clearing Agencies have honed their expertise
in operating non-Core C&S Systems within the Cloud.\11\ Throughout that
time, the Clearing Agencies have continually refined their capabilities
across technical, risk, legal, and compliance dimensions, in tandem
with the Cloud's own evolution and the industry's increasing adoption
of it. Given this extensive maturity and development over the past
decade, the Clearing Agencies believe that hosting Core C&S Systems in
the Cloud, via a single CSP, is now appropriate and essential. By
consolidating resources under a single CSP, the Clearing Agencies can
optimize efficiency, reduce costs, mitigate risks, and maintain a
cohesive environment for seamless collaboration and operation.
---------------------------------------------------------------------------
\11\ Some of the non-Core C&S Systems already operating in Cloud
include systems that support risk analysis, various reporting
engines, and shared infrastructure capabilities. More specifically,
for risk analysis, there are applications for certain risk testing
and calculations used to assess industry risk postures for various
Clearing Agency clients, as well as warehousing large sets of risk
data for quantitative analytics. For the various report engines,
there are applications that provide publicly disseminatable data
sets and documentation, certificate imaging, as well as certain
archival storage capabilities. For shared infrastructure
capabilities, there are applications that support the Clearing
Agencies' engineering and development departments for dev-op
capabilities such as code scanning, code repositories, and
infrastructure-as-code deployment pipelines.
---------------------------------------------------------------------------
As described in greater detail in this advance notice, the Clearing
Agencies propose to provision, within a single CSP, logically
segregated sections of the Cloud Infrastructure that would provide the
Clearing Agencies with the virtual equivalent of physical data center
resources, including scalable resources that can (i) handle various
computationally intensive applications with load-balancing and resource
management (``Compute''); (ii) provide configurable storage
(``Storage''); and (iii) provide network resources and services
(``Network''). These resources would be logically segregated from other
customers of the CSP. The Clearing Agencies would leverage the CSP's
IaaS (i.e., infrastructure as a service) and PaaS (i.e., platform as a
service) services for building and running Core C&S Systems.
The Clearing Agencies do not propose to transition all Core C&S
Systems entirely out of their regional data centers at this time, but
rather, to host a specified set of Core C&S Systems in
[[Page 71993]]
a Cloud Infrastructure while maintaining the remaining applications in
the Clearing Agencies' regional data centers for the near term. The
proposed transition would be achieved incrementally over a course of
several years and would result in the Clearing Agencies hosting some
Core C&S Systems on-premises and others in a Cloud Infrastructure.\12\
---------------------------------------------------------------------------
\12\ A result of the Cloud Proposal would be that the Clearing
Agencies would operate Reg. SCI and Critical SCI systems both on-
premises and on a Cloud Infrastructure.
---------------------------------------------------------------------------
This phased approach to transitioning to Cloud is to reduce risk.
The Clearing Agencies believe that a ``big-bang'' approach of moving
all applications at once introduces significant execution risk,
primarily driven by the sheer scale and scope of such an effort.
Moreover, many clearance and settlement applications on the Clearing
Agencies' mainframe are still tightly coupled together. Even after such
applications are modernized, many could experience latency dependencies
with other applications that have not yet been modernized, hence the
need to keep some applications in the Clearing Agencies' existing data
centers for the near term. However, applications with little to no
coupling, particularly those applications that have already been
modernized, are ripe for Cloud transition and the subject of this Cloud
Proposal. As for the remaining clearance and settlement applications
that are not part of this proposal and would continue to be hosted on-
premises, the Clearing Agencies have not thoroughly assessed when those
applications would transition to Cloud, which may take several years,
or whether such transition would be the subject of a later, separate
advance notice proposal.
Integration between on-premises and Cloud-based Core C&S Systems
would, as it is for non-Core C&S Systems that are already hosted in
private and public cloud, leverage existing patterns and processes. The
primary methods of application integration are application program
interfaces (a/k/a APIs), messaging queues (a/k/a MQ messaging), and
file transfer. All three are used to integrate internal and client
applications, and all three methods provide interoperability between
applications running on mainframe, private cloud, and public cloud.
For these reasons, the Clearing Agencies strongly believe that the
phased approach enables the Clearing Agencies to best approach the
transition to Cloud, safely and confidently.
B. Why Use Cloud
The Clearing Agencies believe there are very strong and compelling
reasons to use Cloud as part of their diverse, platform strategy,
including, as discussed below, the waning of the on-premises industry,
improved resilience, expanded security capabilities, and increased
scalability.
1. Waning On-Premises Industry
Although on-premises mainframes have been a stalwart for hosting
critical applications for many years, it is the Clearing Agencies'
experience that industry investment and development in on-premises
platforms is waning, and the ability to source skilled and experienced
staff to operate such platforms is increasingly challenging. Meanwhile,
vendor consolidations are beginning to negatively affect investment and
innovation in the private cloud space.\13\ As investment dollars are
increasingly allocated to Cloud, vendor choice, innovation, and support
will continue to diminish for on-premises platforms. This poses a
growing risk to the Clearing Agencies, who today continue to rely
primarily upon on-premises mainframes and private cloud solutions from
a resiliency perspective.\14\ The Clearing Agencies believe the best
way to manage against this risk at this time is to leverage a diverse
platform strategy that will increase the use of and reliance upon
Cloud. The use of Cloud, as part of a broader platform strategy, serves
as an important tool in enabling the Clearing Agencies to anticipate
and manage these and other risks more effectively.
---------------------------------------------------------------------------
\13\ For example, the VBlock platform, which has been the core,
private cloud distributed hosting platform of the Clearing Agencies
for over a decade, is no longer available for purchase. Another
example is the continued consolidation in the private cloud software
space, which has concentrated the industry and reduce aggregate
investment in innovation.
\14\ In this context, ``resiliency'' is the ``ability to
anticipate, withstand, recover from, and adapt to adverse
conditions, stresses, attacks, or compromises on systems that
include cyber resources.'' Systems Security Engineering: Cyber
Resiliency Considerations for Engineering of Trustworthy Secure
Systems, Spec. Publ. NIST SP No. 800-160, vol. 2 (2018).
---------------------------------------------------------------------------
2. Improved Resilience
The Clearing Agencies must ensure that any Core C&S Systems in the
Cloud have resiliency and recovery capabilities commensurate with the
Clearing Agencies' importance to the functioning of the U.S. financial
markets. As explained in detail below, the Clearing Agencies believe
that Cloud will enhance the resiliency of their Core C&S Systems by
virtue of the Clearing Agencies' architectural design decisions, and
the Cloud's redundancy, availability, and the Clearing Agencies'
disciplined approach to deployment of Core C&S Systems to Cloud. In
particular, the Clearing Agencies believe that Cloud will enhance their
ability to withstand and recover from adverse conditions by
provisioning redundant Compute, Storage, and Network resources in three
availability zones, in each of two autonomous and geographically
diverse regions, for a total of six availability zones that are
comprised of many data centers.
The primary/hot region would be operational and accepting traffic,
while the secondary/warm region would receive replicated data from the
hot region with applications on stand-by. This solution significantly
reduces operational complexity, mitigates the risk of human error by
providing tools for automating routine tasks and orchestrating complex
workflows, thereby reducing the need for manual intervention,\15\ and
provides resiliency and assured capacity (although, the Clearing
Agencies would continue to periodically review the CSP's capacity
planning process through quarterly reviews).\16\
---------------------------------------------------------------------------
\15\ The CSP's built-in security features in its Cloud
Infrastructure also can reduce the risk of security breaches caused
by human error, such as misconfigurations or improper access
controls.
\16\ The Clearing Agencies would continue to perform periodic
business continuity and disaster recovery tests to verify business
continuity plans and disaster recovery infrastructure will support a
two-hour recovery time objective for critical systems.
---------------------------------------------------------------------------
The Clearing Agencies are assured of adequate capacity with the
proposed hot/warm architecture because the Compute resources of the
warm, ``recovery'' region would be already running with needed
capacity. Additionally, the Clearing Agencies have reviewed the effect
of a large, regional outage with the CSP, which indicated that a vast
majority of the CSP's customers are not configured to use the secondary
region as a failover region; thus, they would not be using capacity in
that region. Moreover, a review of data from two large outages in the
primary region did not show a change in capacity availability in the
secondary region.
The Clearing Agencies also believe that Cloud reduces capacity-
management risks when compared with on-premises platforms in three
important ways: (1) capacity in Cloud can be added almost instantly;
(2) such capacity can be added at magnitudes greater than what is
possible with traditional, on-premises platforms; and
[[Page 71994]]
(3) the risk of a supply chain effect on capacity realization (i.e.,
the risks associated with receiving and deploying servers necessary to
create more capacity) is greatly reduced.
The proposed hot/warm configuration also enables application
rotation between regions. The Clearing Agencies would have the ability
to operationally rotate either a single application, groups of
applications, or all applications to the warm region for both planned
and unplanned events. Collectively, the proposed design of the Cloud
Infrastructure helps ensure that the Clearing Agencies can meet any
applicable two-hour recovery time objective.
Each availability zone, in each of the two regions, would be
comprised of multiple physical data centers. Each data center would
have its own distinct physical infrastructure with separate staff and
dedicated connections to utility power, standalone backup power
sources, independent mechanical services, and independent network
connectivity.
Although not dependent on each other, availability zones of a
region are connected to each other with private, fiber-optic
networking, enabling Core C&S Systems to automatically failover between
a region's availability zones without interruption. Since each
availability zone can operate independently, but failover capability is
nearly instantaneous, a loss of one availability zone would not affect
operation in another; therefore, no Core C&S System would be reliant on
the functioning of a single availability zone.\17\
---------------------------------------------------------------------------
\17\ To further ensure the resiliency of the Compute, Storage,
and Network capabilities, the CSP's services are divided into ``data
plane'' and ``control plane'' services. The Clearing Agencies'
applications would run using data plane services, while control
plane services are used to configure the environment. Resources and
requests are further partitioned into cells, or multiple
instantiations of a service that are segregated from each other and
invisible to the CSP's customers, on each plane, again minimizing
the effect of a potential incident to the smallest footprint
possible.
---------------------------------------------------------------------------
Altogether, the proposed Cloud Infrastructure would afford the
Clearing Agencies six levels of redundancy (i.e., three availability
zones, made up of many data centers, in each of the two regions), with
primary/secondary regions running in a hot/warm configuration,
respectively, in geographically separate and segregated locations, and
with each region containing multiple copies of the data. Thus, even if
an availability zone is lost in the primary region, the Cloud can
continue to seamlessly operate Core C&S Systems in the primary region,
thereby significantly reducing availability risk and any attendant
consequences for the Clearing Agencies' participants and customers. As
a result, the Cloud Infrastructure offers the Clearing Agencies
multiple redundancies within which to run Core C&S Systems, limits the
effect of an incident at the CSP to the smallest footprint possible,
and mitigates the possibility of the Clearing Agencies suffering an
intra-, inter-, or multi-region outage.
By comparison, the Clearing Agencies' current on-premises hosting
capabilities, both mainframe and private cloud, are operating on one
primary data center in one region, with a second, recovery data center
in a second region (excluding data bunkers, which do not have Compute
capabilities). In other words, it is many times less likely that an
unplanned, out of region failover would be needed for Core C&S Systems
hosted in Cloud than currently hosted on-premises. (Even in the
unlikely event that the Clearing Agencies needed to fail over to the
secondary Cloud region, the decision and process of doing so would
continue to be in the sole discretion of the Clearing Agencies.) This
increased redundancy represents a material improvement in resiliency
for the Clearing Agencies and a material reduction in risk for the
industry.
Additionally, transitioning to Cloud offers the Clearing Agencies a
more effective strategy for avoiding technical debt and system
degradation because the CSP, in its role as such, would be performing
regular system upgrades and maintenance, helping to ensure the Cloud's
resiliency. Unlike on-premises solutions that may struggle to keep pace
with evolving technology, due in part to the waning demand for on-
premises infrastructure, CSPs take on the responsibility of regularly
updating and maintaining their cloud infrastructure, which they do in a
competitive environment. This approach helps ensure that the CSP's
cloud infrastructure remains up to date, secure, and performs at its
best, minimizing the likelihood of accumulating technical debt and
preventing the decline of system capabilities and resiliency over time.
This is not to say that on-premises infrastructures are not updated or
maintained today but, instead, that the CSP does it better and faster.
CSPs excel in ensuring that systems remain up to date, secure, and
perform at their best by leveraging automation, scalability, built-in
security measures, service level agreements (``SLAs''), economies of
scale, and continuous monitoring and improvement processes. These
advantages collectively enable CSPs to provide more reliable,
resilient, and high-performance services compared to traditional on-
premises environments.
3. Expanded Security Capabilities
Hosting Core C&S Systems in Cloud would not change the physical and
cybersecurity standards to which the Clearing Agencies currently
align--the National Institute of Standards and Technology (``NIST'')
\18\ and Center for internet Security (``CIS'').\19\ Application of
NIST is considered a best practice for financial services use of
cloud.\20\ Moreover, as discussed further below, the Clearing Agencies
would continue to apply existing security processes and standards to
include network and identity and access management (``IAM'') controls,
security governance and controls for sensitive data, security
configuration, provisioning, logging and monitoring, and security
testing and validations.
---------------------------------------------------------------------------
\18\ National Institute of Standards and Technology (2023) The
NIST Cybersecurity Framework 2.0. (National Institute of Standards
and Technology, Gaithersburg, MD), NIST Cybersecurity White Paper
(NIST CSWP) 29 ipd, Released August 8, 2023. https://doi.org/10.6028/NIST.CSWP.29.ipd.
\19\ Center for internet Security Benchmarks, cisecurity.org/cis-benchmarks.
\20\ U.S. Department of the Treasury, The Financial Services
Sector's Adoption of Cloud Services (February 8, 2024), available at
https://home.treasury.gov/system/files/136/Treasury-Cloud-Report.pdf.
---------------------------------------------------------------------------
By hosting in Cloud through the CSP that the Clearing Agencies have
engaged, the Clearing Agencies would be able to add cloud-specific
security capabilities and measures provided by the CSP, as well as
third-party tools. For example, such capabilities and measures would
include automation, monitoring, and security incident response
capabilities, as well as default separation between Reg. SCI and non-
Reg. SCI operating domains, and ubiquitous encryption, all of which are
not available in the current on-premises data centers. Similarly,
micro-segmentation of applications and infrastructure provided by the
CSP, which also is not available in the Clearing Agencies data centers,
limits the effect of a security incident and reduces the time to
detection and recovery.\21\
---------------------------------------------------------------------------
\21\ For example, the CSP provides infrastructure capable of
withstanding Distributed Denial of Service (``DDoS'') attacks at far
greater magnitudes than the Clearing Agencies' current capabilities,
as the CSP has exponentially more internet bandwidth, given their
business function, than the Clearing Agencies. (DDoS is a
cyberattack in which the attacker floods a server with illegitimate
traffic/requests to prevent legitimate users from accessing online
services, websites, or computers connected to the attacked server.)
---------------------------------------------------------------------------
[[Page 71995]]
4. Increased Scalability
Cloud implementation would allow for greater scalability of
Compute, Storage, and Network resources that support Core C&S
Systems.\22\ With a Cloud Infrastructure, the Clearing Agencies could
quickly provision or de-provision Compute, Storage, or Network
resources to meet demands, including elevated trade volumes, and
provide more flexibility to create development and test environments,
as well as other system development needs.\23\ For example, the CSP
could support elastic workloads and scale dynamically without the need
for the Clearing Agencies to procure, test, and install additional
servers, storage, or other hardware.
---------------------------------------------------------------------------
\22\ The Clearing Agencies would continue to follow existing
policies and procedures regarding capacity planning and change
management. The Clearing Agencies have separately submitted a
request for confidential treatment to the Commission regarding the
Change Management Policy and the Technology Capacity and Demand
Assessment Policy. The Clearing Agencies have provided these
documents in confidential Exhibit 3 to this advance notice filing.
\23\ The Clearing Agencies periodically perform capacity and
availability planning analyses that result in capacity baselines and
forecasts, as an input to technology delivery and strategic planning
to ensure cost-justifiable support of operational business needs.
These analyses are based on the collection of performance data,
trending, scenarios, and periodic high-volume capacity stress tests
and include storage capacity for log and record retention. Results
are reported to senior technology management as inputs to
performance management and investment planning. In addition, each
quarter, the Clearing Agencies review the CSP's capacity planning
accuracy for the prior quarter and review the upcoming quarter's
forecast, along with providing input to the CSP for anticipated
major changes in the Clearing Agencies' proposed use of resources.
The Clearing Agencies' IT Governance Committee is the designated
escalation point for handling capacity management issues.
---------------------------------------------------------------------------
The Clearing Agencies would pre-provision Compute and Storage
resources proactively, in addition to scaling resources on-demand. This
means that the Clearing Agencies would be able to increase Compute
capacity in one or both regions via manual or automated processes for
Core C&S Systems. The rapid deployment of Compute capacity would allow
the Clearing Agencies to obtain access to resources far more quickly
than with on-premises data centers. The Clearing Agencies would combine
the pre-provisioning of primary capacity with regular capacity stress
testing to verify that the underlying Compute can sustain required
business volumes. The stress testing data would be used to determine
the base levels of pre-provisioned capacity.
The ability to quickly scale workloads materially improves the
Clearing Agencies ability to respond to unexpected market events and
external scenarios, such as a global pandemic.\24\ This capability also
enables the Clearing Agencies to run risk calculations more frequently,
at greater speeds, and with more compute-intensive models than is
economically feasible compared to the Clearing Agencies' on-premises
infrastructure.
---------------------------------------------------------------------------
\24\ Supply chain challenges during the Covid-19 pandemic
highlighted a lack of resiliency and scalability in traditional IT
vendors' abilities to deliver resources when needed. Lead times of
up to 18 months were experienced and delayed many efforts to expand
capacity. This was not the case with CSPs, which did not experience
capacity constraints or an ability to meet demand. This further
demonstrates how the option to host Core C&S Systems in Cloud is a
critical risk mitigation tool for managing against the long-term
risk of a waning on-premises industry.
---------------------------------------------------------------------------
In sum, transitioning to Cloud not only enhances scalability but
also significantly improves agility beyond the Clearing Agencies' on-
premises capabilities. The on-demand resources provided by the CSP
enable dynamic scalability, helping to ensure optimal performance
during peak times, efficient resource allocation during periods of
lower demand, and the ability to innovate faster to meet evolving
business requirements.
C. Why a Single CSP is Appropriate
The Clearing Agencies strongly believe that hosting Core C&S
Systems with a single CSP is appropriate. The Clearing Agencies have
assessed the capabilities of the CSP in adherence with the Clearing
Agency Risk Management Framework,\25\ which requires the respective
Board of Directors of the Clearing Agencies to approve policies
governing relationships with service providers, such as the CSP, thus
helping to ensure alignment with the Clearing Agencies' risk management
principles.
---------------------------------------------------------------------------
\25\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the Clearing
Agency Risk Management Framework. The Clearing Agencies have
provided this document in confidential Exhibit 3 to this advance
notice filing.
---------------------------------------------------------------------------
Beyond simply being a well-known, reputable, industry-leading, and
capable CSP, the Clearing Agencies and the CSP have spent several years
discussing the Clearing Agencies' needs, including operational, legal,
and regulatory obligations; what-if scenarios; and commercial
implications. That extensive effort led to a number of benefits,
including the CSP introducing new products \26\ and the establishment
of an exhaustive contractual agreement between the Clearing Agencies
and the CSP that addresses the Clearing Agencies' needs for hosting
Core C&S Systems in Cloud (``Cloud Agreement'').27 28
---------------------------------------------------------------------------
\26\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding two examples
of CSP Whitepapers. The Clearing Agencies have provided these
documents in confidential Exhibit 3 to this advance notice filing.
\27\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the Cloud
Agreement. The Clearing Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
\28\ Among other things, the Cloud Agreement sets forth the
CSP's responsibility to maintain the hardware, software, networking,
and facilities that run Cloud services. See also the separately
submitted Table of Reg. SCI Provisions provided in confidential
Exhibit 3 to this advance notice filing that provides a summary of
the terms and conditions of the Cloud Agreement that the Clearing
Agencies believe help enable their compliance with Reg. SCI.
---------------------------------------------------------------------------
Meanwhile, it is generally understood that in the present
environment adding a secondary CSP or an on-premises backup introduces
significant complexity, costs, and risks that outweigh expected
benefits.\29\ An on-premises or secondary CSP backup would require the
Clearing Agencies to engineer their primary Cloud Infrastructure to the
lowest common denominator, so that the systems operating on the primary
infrastructure also could run on a completely separate and distinct
secondary, backup infrastructure. This approach would severely reduce
the value that Cloud provides, introduce significant cost with little
benefit, and greatly increase operational complexity, all of which
would result in negative consequences for the efficiency and resiliency
of the Clearing Agencies, their participants, and the industry.
---------------------------------------------------------------------------
\29\ As noted in the U.S. Department of Treasury's report, The
Financial Services Sector's Adoption of Cloud Services, ``No
financial institution reported the capability to [run applications
across multiple CSPs] for more complex use cases, such as running
core operations on multiple public clouds. Running an application
across multiple CSPs at the same time may also be less desirable,
given the costs, staffing, and complexity involved in doing so,
particularly given the complexity associated with identifying and
managing risk across multiple cloud environments.'' Available at
https://home.treasury.gov/system/files/136/Treasury-Cloud-Report.pdf
at 6.
---------------------------------------------------------------------------
Notwithstanding the extensive benefits from moving to Cloud, the
Clearing Agencies fully appreciate and are committed to managing the
risks presented in relying on a single CSP, as identified and discussed
in Section II.A, further below.
D. Transition Timeframe
The Clearing Agencies believe that transitioning certain Core C&S
Systems to the Cloud is critical to managing the risks that are
inherent in technology and vendor selection. However, as stated above
in Section I.A, the intent of the
[[Page 71996]]
Cloud Proposal is not to move all Core C&S Systems to Cloud at one
time. The Clearing Agencies believe that a ``big-bang'' transition
would introduce unnecessary execution risk, primarily driven by the
sheer scale and scope of such an effort. Moreover, many applications on
the mainframe are still tightly coupled together and not ready to be
moved to public cloud. Rather, at this time, the Clearing Agencies are
proposing to move only a subset of the Core C&S Systems to the Cloud
and to do so on an incremental basis, in consideration of the specifics
of each application and the needs of the Clearing Agencies.\30\ This
approach helps enable the hosting of Core C&S Systems on the most
appropriate platform, at the most appropriate time, in an efficient and
secure manner.
---------------------------------------------------------------------------
\30\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the DTCC
Global Business Continuity and Resilience Policy and Standards,
which defines the governance structure, high-level roles and
responsibilities, and the framework for business continuity and
resilience processes at the Clearing Agencies. The Clearing Agencies
have provided this document in confidential Exhibit 3 to this
advance notice filing.
---------------------------------------------------------------------------
The subset of Core C&S Systems selected for this proposal have been
initially identified based on several preliminary criteria, including,
but not limited to, whether:
the application would benefit from the presence of data
sets already present in Cloud;
the application would benefit from elasticity enabled by
Cloud (e.g., user interfaces); and
the application already meets certain architectural
patterns for Cloud (e.g., the application has already been modernized
and currently hosted in private cloud and/or is a siloed application--
little to no coupling with other applications).
Assuming the Clearing Agencies would receive no regulatory
objection to this advance notice, each application of the proposed
subset of Core C&S Systems then would undergo an in-depth,
architectural review that would follow the Clearing Agencies'
governance process, governed by the System Delivery Process.\31\ The
governance process includes, where applicable, a detailed review and
approval by the Information Technology Architecture Review Board
(``ARB''),\32\ the New Initiatives process,\33\ to include the Business
Case Council and the Risk Assessment Council that vet the financials
and risks of the proposed move, and the Investment Management
Committee.\34\ Further escalations would be made to the Executive
Committee and applicable Board of Directors of the Clearing Agencies,
as needed. Re-platforming efforts also would be communicated to
regulators in accordance with the change reporting requirements of
Section 1003(a)(1) of Reg. SCI, as applicable.\35\
---------------------------------------------------------------------------
\31\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the DTCC
System Delivery Policy. The System Delivery Policy defines
requirements that support adherence to the System Delivery Process
for application development projects. The Clearing Agencies have
provided this document in confidential Exhibit 3 to this advance
notice filing.
\32\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the IT
Architecture Policy (``ITA Policy''). The ITA Policy provides a set
of controls that must be followed to adequately address applicable
risks. The Clearing Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
\33\ The Clearing Agencies also have separately submitted a
request for confidential treatment to the Commission regarding the
New Initiatives Policy. The New Initiatives Policy provides the
governance and oversight structure for the Clearing Agencies to
bring initiatives to market timely and efficiently while minimizing
risk. The Clearing Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
\34\ Such reviews and decisions are based on high-level
architectural principles that may be applicable to more than one
application.
\35\ 17 CFR 242.1003, et seq.
---------------------------------------------------------------------------
The above-described governance process does not include a specific
set of criteria or thresholds for the ultimate determination on whether
an application should or should not be moved to Cloud--it is not a
formulaic decision. Rather, the Clearing Agencies employ a more
qualitative evaluation process that involves various reviews and
considers high-level architectural principles that may be applicable to
more than one application. However, at this time, none of the Core C&S
Systems that have been initially identified as part of the Cloud
Proposal, based on the preliminary criteria listed above, have
completed that more detailed governance review process. Given the
extensiveness of the process, it would not begin until after the
Clearing Agencies would receive no regulatory objection to this advance
notice.
Although the Clearing Agencies do not anticipate needing to deviate
from the proposed transition schedule for the selected Core C&S
Systems, the Clearing Agencies recognize that deviation may be
necessary, given that the more in-depth governance review process has
not completed and because risks could change over the proposed,
multiyear implementation period. For example, a deviation may be
necessary to address a business need or a change in industry or
regulatory requirements or standards. Regardless, any deviation would
follow the same detailed governance process, and the Clearing Agencies
would provide notice of such deviation to Commission staff, the reason
for the deviation, and how the proposed implementation schedule would
be updated to account for the deviation. Further, the Clearing Agencies
recognize that deviating from the proposed transition schedule would
necessitate a separate analysis to determine whether such deviation
could materially affect the nature or level of risk posed by each of
the Clearing Agencies.
Even though certain on-premises infrastructure components would be
decommissioned after applications are moved to Cloud, the Clearing
Agencies' private cloud, mainframe services, and data-center facilities
would remain available for no less than five more years to help
facilitate exit plans from Cloud that rely on an on-premises option.
However, to be clear, the on-premises option would not be available to
address short-term disruptions, where the Cloud is temporarily
unavailable. Management of such disruptions is discussed in Section
II.B, further below.
II. Expected Effects on Risks to the Clearing Agencies, Their
Participants, or the Market
Although the Clearing Agencies are not proposing to transition all
Core C&S Systems to Cloud for the reasons described in Sections I.A and
D, above, transitioning the proposed subset of Core C&S Systems from an
on-premises infrastructure supported by a consolidating industry, as
described in Section I.B.1, above, to a new Cloud Infrastructure
maintained by an industry-leading CSP provides numerous advantages, as
described in Sections I.B.2-4 and C, above. However, such transition is
not without risk, as discussed below.
A. Risks Presented by the Cloud Proposal
1. Concentration Risk
The Clearing Agencies appreciate that reliance on a single CSP for
hosting the subset of Core C&S Systems that are the subject of this
proposal creates concentration risk, particularly in the event of the
CSP choosing to terminate its services (i.e., commercial risk) or is
unexpectedly unavailable (i.e., operational risk). The Clearing
Agencies also appreciate that they would have some reliance on the CSP
to help meet certain regulatory obligations of the Clearing Agencies
(i.e., regulatory risk), thus introducing the familiar concept of
concentration risk in a relatively new
[[Page 71997]]
context. However, concentration risk exists today as the Clearing
Agencies are dependent on a single mainframe provider, a single
database provider for the mainframe, and a single virtualization
provider for private cloud. Moreover, the Clearing Agencies believe
that they have adequately addressed these risks, as discussed
throughout Sections II.B.1-4., below.
2. Cloud Management Risk
Managing the applicable subset of Core C&S Systems hosted on a
Cloud Infrastructure presents different risks and challenges than
managing such systems hosted on-premises because many activities and
services previously provided by the Clearing Agencies would now be
provided by the CSP. For example, the Clearing Agencies would be
dependent upon the CSP for fulfilling all of its contractual
obligations, including security of the Cloud, proper capacity planning,
and protection of Cloud services from prolonged operational outages. As
such, overseeing the CSP becomes a critical activity to ensure the CSP
is delivering services that meet or exceed the Clearing Agencies'
requirements for operating those select Core C&S Systems. As discussed
in Sections II.B.1-4, below, the Clearing Agencies believe that they
have adequately addressed this risk.
B. Management and Mitigation of Identified Risks
1. Cloud Agreement
The Clearing Agencies believe that the Cloud Agreement, including
all its amendments and addendums, is a strong tool in helping to
effectively mitigate the commercial and regulatory risks borne from the
concentration risk, as described in Section II.A.1, above, as well as
risks in managing the CSP that would host the subset of selected Core
C&S Systems in the Cloud, as described in Section II.A.2, above.
Following is a summary of some of the key terms and conditions covered
in the agreement and how they help mitigate these risks.
i. Adequate Notice
Under the Cloud Agreement, the CSP may not unilaterally terminate
the relationship with the Clearing Agencies absent good cause or
without sufficient notice to allow the Clearing Agencies to transition
their applications elsewhere. Specifically, the CSP must provide an
extensive notice if it wishes to terminate the Cloud Agreement for
convenience or if it wishes to terminate an individual CSP service
offering or lower an existing SLA on which the Clearing Agencies
rely.\36\
---------------------------------------------------------------------------
\36\ The Cloud Agreement permits an exception to this sufficient
notice provision in the event the CSP must terminate the individual
service offering if necessary to comply with the law or requests of
a government entity or to respond to claims, litigation, or loss of
license rights related to third-party intellectual property rights.
In this event, the CSP must provide reasonable notice to the
Clearing Agencies of the termination of the individual service
offering. See Reg. SCI Addendum, Section 10 Termination. The
Clearing Agencies have provided this document in confidential
Exhibit 3 to this advance notice filing.
---------------------------------------------------------------------------
The CSP is permitted to terminate the Cloud Agreement with shorter
notice periods in the event of a critical breach \37\ or an uncured
material breach 38 39 of the Cloud Agreement. In the highly
unlikely event that a critical breach or uncured material breach
occurs, the Clearing Agencies would have sufficient notice to shift
their operations away from the CSP. Contract provisions that allow a
party to terminate for uncured material breaches are designed to limit
the types of actions that could lead to contract termination and to
establish a period of time to resolve an aggrieved party's claim (often
30 days) followed by an additional extended period in which to
remediate the claim. This gives the parties time and incentive to
address the problem without having to resort to termination. In other
words, even if the CSP notifies the Clearing Agencies of an alleged
breach (material or critical), termination of services is not
immediate. Additionally, regardless of the need to shift operations
elsewhere--convenience or breach--the Cloud Agreement provides for the
parties to work together and for the CSP to provide professional
services to assist with such a shift.\40\
---------------------------------------------------------------------------
\37\ Critical breaches are material breaches (i) for which the
Clearing Agencies knew their behavior would cause a material breach
(such as a willful violation of Cloud Agreement terms); (ii) that
cause ongoing material harm to the CSP, its services, or its
customers (e.g., criminal misuse of the services); or (iii) for
undisputed non-payment under the Cloud Agreement. See Reg. SCI
Addendum, Section 10 Termination. The Clearing Agencies have
provided this document in confidential Exhibit 3 to this advance
notice filing.
\38\ Typically, a breach is considered material only if it goes
to the root of the agreement between the parties or is so
substantial that it defeats the object of the parties in making the
contract. See Reg. SCI Addendum, Section 10 Termination. The
Clearing Agencies have provided this document in confidential
Exhibit 3 to this advance notice filing.
\39\ See Reg. SCI Addendum, Section 10 Termination. The Clearing
Agencies have provided this document in confidential Exhibit 3 to
this advance notice filing.
\40\ See Reg. SCI Addendum, Section 11 Post-Termination
Services. The Clearing Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
---------------------------------------------------------------------------
The Clearing Agencies believe the risk of termination under the
above-discussed shorter notice period is minimal. In all cases of an
alleged breach, the CSP must notify the Clearing Agencies in writing
and provide time for them to cure the alleged breach (``Notice
Period'').\41\ With respect to an alleged material breach, which
requires the CSP to extend the Notice Period if the Clearing Agencies
demonstrate a good faith effort to cure the alleged material breach,
the Clearing Agencies would use the Notice Period to attempt to cure
the alleged material breach while also preparing to transition
elsewhere. As a result, it is highly unlikely that a critical breach or
a material breach would remain uncured beyond the Notice Period. If one
does remain uncured, however, the CSP can only terminate the rights or
accounts associated with the breach, not the entire Cloud Agreement;
\42\ meanwhile, and the Clearing Agencies would have ample notice to
shift operations to avoid a disruption to Core C&S Systems, if needed.
---------------------------------------------------------------------------
\41\ See Reg. SCI Addendum, Section 10 Termination. The Clearing
Agencies have provided this document in confidential Exhibit 3 to
this advance notice filing.
\42\ See Amendment 1 Section 8 Temporary Suspension, of the
Cloud Agreement. The Clearing Agencies have provided this document
in confidential Exhibit 3 to this advance notice filing.
---------------------------------------------------------------------------
As explained above, adequate notice under the Cloud Agreement plays
an important role in managing concentration risk by providing the
Clearing Agencies with advance warning of potential disruptions or
changes in the agreement or services thereunder, which would allow the
Clearing Agencies to take proactive measures in mitigating the
potential impact of commercial and regulatory risk, thereby reducing
concentration risk.
ii. Regulatory Compliance and CSP Oversight
The Clearing Agencies' transition to Cloud does not alter their
responsibility to maintain compliance with applicable regulations.
Consistent with FFIEC Guidance (as defined and discussed further
below), the Clearing Agencies' will continue to fully comply with all
applicable regulatory obligations, particularly Reg. SCI.\43\
---------------------------------------------------------------------------
\43\ Reg. SCI imposes certain information security and incident
reporting standards on the Clearing Agencies and requires them to
adopt an information technology governance framework reasonably
designed to ensure that ``SCI systems,'' and for purpose of
security, ``indirect SCI systems,'' have adequate levels of
capacity, integrity, resiliency, availability, and security. 17 CFR
242.1000 et seq.
---------------------------------------------------------------------------
The Clearing Agencies believe the combination of the following
would provide them with reasonable assurance that the proposed
transition to Cloud
[[Page 71998]]
would enable them to continue to fully satisfy their regulatory
obligations, including Reg. SCI, thus helping to mitigate the
regulatory risk highlighted in Section II.A.1, above: (i) the Cloud
Agreement; (ii) the CSP's compliance programs as described in its
whitepapers \44\ and publicly available policies (e.g., its Penetration
Testing Policy),45 46 47 48 and user guides; (iii) the CSP's
SLAs; 49 50 51 (iv) the CSP's Systems Organization Controls
reports (e.g., SOC 1, SOC 2, SOC 3) \52\ and International Organization
for Standardization (``ISO'') certifications (e.g., ISO 27001); \53\
(v) the CSP's size, scale, and ability to deploy extensive resources to
protect and secure its facilities and services; and (vi) the CSP's
commercial incentive to perform.
---------------------------------------------------------------------------
\44\ Supra note 25.
\45\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the
Operational & Technology Risk Technology Risk Management (``OTR
CS&TRM'') Procedure--Application Penetration Test which describes
the application penetration test procedures for the Clearing
Agencies' web applications and supports compliance with the
Information Systems Acquisition Policy, Development and Maintenance
Policy Security Control Standards, and Ethical Application
Penetration Testing (``EAPT'') Control Standards. The Clearing
Agencies have provided this document in confidential Exhibit 3 to
this advance notice filing.
\46\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the EAPT
Control Standards. The Clearing Agencies have provided this document
in confidential Exhibit 3 to this advance notice filing.
\47\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the DTCC
Information Security--Systems Acquisition Development and
Maintenance Policy and Control Standards, which governs the security
aspects of information systems acquisition, development, and
maintenance for DTCC and its subsidiaries. The Clearing Agencies
have provided this document in confidential Exhibit 3 to this
advance notice filing.
\48\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the DTCC
Information Security--Communications and Operations Policy and
Control Standards, which helps ensure the correct and secure
operation of information processing facilities. The Clearing
Agencies have provided this document in confidential Exhibit 3 The
Clearing Agencies have provided this document in confidential
Exhibit 3to this advance notice filing.
\49\ The Clearing Agencies have provided the CSP's SLAs in
confidential Exhibit 3 to this advance notice filing.
\50\ Amendment 2, Section 2.2 To the Service Level Agreements of
the Cloud Agreement provides that the CSP may change its SLAs from
time to time but must provide prior notice to the Clearing Agencies
before material reducing the benefits offered under the SLAs. The
Clearing Agencies have provided Cloud Agreement in confidential
Exhibit 3 to this advance notice filing.
\51\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the DTCC
Legal Review of Third Party Vendor Contracts Policy, which (1)
defines the scope of Vendor Contracts, (2) clarifies what agreements
fall outside the scope and are excluded from the definition of
Vendor Contracts, (3) details the process the Clearing Agencies
follow when receiving requests to review Vendor Contracts and
related materials from CPS Contracts, and (4) establishes the
requirements around the creation, maintenance, update, review, and
use of contract templates and negotiation guidelines for third party
relationships. The Clearing Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
\52\ The FFIEC Guidance provides that the Clearing Agencies may
obtain SOC reports, other independent audits, or ISO certification
reports to gain assurance that the CSP's controls are operating
effectively. See FFIEC, Security in a Cloud Computing Environment at
7. The Clearing Agencies review the CSP's SOC-2 on an annual basis.
\53\ The CSP has certifications for the following frameworks:
NIST, Cloud Security Alliance, Control Objectives for Information
and Related Technology (``COBIT''), ISO, and the Federal Information
Security Management Act (``FISMA'').
---------------------------------------------------------------------------
Moreover, as noted in Section II.B.ii., above, oversight of the CSP
relationship and services has become a standing practice of the
Clearing Agencies to ensure that the CSP is meeting or exceeding its
contractual obligations, including helping the Clearing Agencies
demonstrate their regulatory compliance. Such oversight, which also
helps mitigate the cloud management risk raised in Section II.A.2,
above, would include a strong relationship between the CSP and the
Clearing Agencies, including between their senior management. Within
the Cloud Agreement itself, there are established obligations on the
CSP to provide the Clearing Agencies' information necessary for the
Clearing Agencies to satisfy certain compliance and regulatory
requirements, particularly Reg. SCI. For example, the Cloud Agreement
obligates the CSP to provide the Clearing Agencies with immediate
notification where a systems intrusion by an unauthorized party or a
systems disruption is suspected.\54\ The agreement also provides for
detailed quarterly briefing meetings between the Clearing Agencies and
the CSP, during which the Clearing Agencies would be provided
information on and could review service level performance, material
systems changes, capacity management, SLA updates, and important
security notices.\55\
---------------------------------------------------------------------------
\54\ See Reg. SCI Addendum, Sections 8.1 Systems Intrusion
Notification and 4 Briefing Meetings. The Clearing Agencies have
provided this document in confidential Exhibit 3 to this advance
notice filing.
\55\ Id.
---------------------------------------------------------------------------
The Cloud Agreement permits the Clearing Agencies to perform an
annual review of the CSP's documentation and services to gain comfort
that the CSP is meeting its contractual requirements and that the
notification procedures are in place to allow the Clearing Agencies to
meet their regulatory requirements, particularly Reg. SCI. The
agreement also allows a regulator of the Clearing Agencies to receive
information about the Clearing Agencies' usage of the CSP services, and
it allows the regulator to perform its own on-site review, if
requested.\56\
---------------------------------------------------------------------------
\56\ See Reg. SCI Addendum, Sections 3 Customer Right of Access
and Audit and 4 Briefing Meetings. The Clearing Agencies have
provided this document in confidential Exhibit 3 to this advance
notice filing.
---------------------------------------------------------------------------
2. Cloud Architecture
To mitigate operational risk associated with the concentration risk
from relying on a single CSP, the Clearing Agencies would architect the
Cloud Infrastructure hosting their Core C&S Systems to be highly
resilient, improving the availability of such systems and related
Clearing Agency services during any degradation in CSP services:
Use of multiple availability zones per region. The
Clearing Agencies would use at least three availability zones, in each
of the two CSP regions, with each availability zone made up of multiple
data centers.
Multi-regions. In the event of a primary region outage,
the Clearing Agencies would recover in the secondary region. Out-of-
region recovery would be tested annually by the Clearing Agencies, and
a primary/secondary (i.e., hot/warm) model would be used to ensure
continuous data replication and recovery is achieved.\57\ Recovery
exercises of non-Core C&S Systems currently hosted in cloud demonstrate
the ability to recover applications within required recovery time
objectives, including meeting a 2-hour recovery time objective for
relevant applications in the event of an out-of-region recovery.
---------------------------------------------------------------------------
\57\ See Reg. SCI Addendum, Section 5 Customer Testing of CSP
Systems. The Clearing Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
---------------------------------------------------------------------------
Multi-node, high availability clusters across availability
zones. Clusters (i.e., three or more servers or nodes) protect against
local hardware and service failures providing uninterrupted operations.
Each cluster would be distributed across three availability zones.
Clusters synchronously replicate data across all nodes to protect
against data loss and provide continuous availability.
Static stability and static capacity models. Static
capacity would be pre-provisioned for compute, storage, and memory for
applications based on capacity stress testing results and capacity
requirements. The Clearing Agencies would pre-provision capacity
[[Page 71999]]
needed for applications and services and would not rely on capacity on-
demand models, thus reducing the risk of running out of capacity.
Exit plans. The Clearing Agencies' existing policies
require that all applications hosted in Cloud have documented exit
plans, with each plan updated annually.\58\ The Clearing Agencies'
Cloud architecture also reduces ``vendor lock-in'' by using
capabilities such as ``containers'' \59\ that can exist in both the
public and private cloud, where appropriate and applicable. For the
foreseeable future, the Clearing Agencies plan to continue to own or
lease private data center space to host private cloud and mainframe
capabilities. The Clearing Agencies private, on-premises data centers
help enable a long-term exit plan from Cloud, if needed. However, such
data centers would not be a means to address a short-term incident at
the CSP. Additionally, for the second CSP that the Clearing Agencies
already have contracted and connected with for hosting non-Core C&S
Systems, they are now working on the contractual and operational
requirements that would be necessary to possibly host Core C&S Systems
in its Cloud to further enable exit plans from the primary CSP.
---------------------------------------------------------------------------
\58\ Supra note 29.
\59\ A container is a standard unit of software that packages up
code and all its dependencies, so the application runs reliably from
one computing environment to another (e.g., public and private
clouds).
---------------------------------------------------------------------------
Regional Isolation Architecture. A cross-regional outage
is highly unlikely at the CSP, as the CSP has designed and implemented
a series of controls to ensure that defects cannot be introduced to
more than a single region at a time.\60\ Services are regionally
isolated with a single exception--the IAM service. The IAM service is
not regionally isolated and depends on a single region. If the primary
region for the IAM service fails, the service will continue to operate
but as read-only. To mitigate this risk, the Clearing Agencies would
architect applications and infrastructure services in such a manner
that they would not require updates (i.e., writes) to the IAM service
in order to rotate out of region.
---------------------------------------------------------------------------
\60\ The CSP owns the control and has provided documentation of
the control to the Clearing Agencies.
---------------------------------------------------------------------------
In summary, cloud architecture helps mitigate operational risk
borne from concentration risk, as raised in Section II.A.1, above, by
providing resilient infrastructure, scalable resources, robust security
measures, and disaster recovery capabilities, all of which assist in
minimizing the impact of disruptions.
3. Standing Risk Management Practices
The Clearing Agencies' standing risk management practices also help
minimize operational risk by systemically identifying, assessing,
mitigating, monitoring, and responding to risk. For example, the
Clearing Agencies have considered the possibility of the CSP being
completely and unexpectedly unavailable, whether due to technical
issues or other reasons. The parallel risk exists today with respect to
the Clearing Agencies' existing infrastructure. Just like with the CSP,
it is possible that the Clearing Agencies' two existing data centers--
one primary and one backup--become completely and unexpectedly
unavailable. In fact, it is more likely that those two data centers
become unavailable than the CSP's data centers because the CSP has so
many more data centers for each availability zone, in both its primary
and secondary regions, with each data center, not just the associated
region or availability zone, having its own physical infrastructure,
staff, power, backup power, mechanical services, and network
connectivity, as discussed in Section I.B.2, above. Even for the CSP's
IAM service that runs cross regions, the applications in each region
operate off read-only versions of the IAM roles and responsibilities,
such that loss of the primary would not affect operation of those
applications. Nevertheless, to help manage a crisis event, such as the
Clearing Agencies' or the CSP's data centers becoming unavailable, the
Clearing Agencies have standing risk management plans and practices
already in place, as described below.\61\
---------------------------------------------------------------------------
\61\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the
Operational Response Capabilities Matrix. The Clearing Agencies have
provided these documents in confidential Exhibit 3 to this advance
notice filing.
---------------------------------------------------------------------------
In the very unlikely event of an unexpected single- or multi-region
outage in which the Clearing Agencies operate, or a complete and
unexpected CSP outage, the Clearing Agencies would initiate the
existing Major Incident Management (``MIM'') process, which is an
existing process that involves evaluating the technical impact of the
event, and if the event is deemed to have a material impact to the
business, the Business Incident Management System (``BIMS'') \62\ would
be activated. Depending on the severity of the event, the DTCC Global
Business Continuity and Resilience (``BCR'') Policy would provide a
predictable structure to be utilized during crises and could be
leveraged to address, respond to, and manage an outage.\63\ In addition
to internal risk management practices, the Clearing Agencies have plans
to help address various outage scenarios and the potential effects of
an outage.\64\
---------------------------------------------------------------------------
\62\ MIM is part of the IT organization that manages technology
specific incidents at the Clearing Agencies that are typically
resolved at the application or hardware level with support from the
appropriate subject matter experts (``SMEs''). Incidents that have a
business impact are escalated to BIMS and appropriate SMEs are added
to manage the impact, which includes Business Continuity and
Resilience. BIMS participants can request the Crisis Management Team
be activated if the incident requires discussion or has escalated to
a potential disaster that may require a declaration of disaster.
\63\ The Clearing Agencies are taking into consideration the
forthcoming requirements of adopted and effective Rule 17ad-25(i)
under the Exchange Act, 17 CFR 240.17ad-25(i), and anticipate that
the Clearing Agencies' approach in managing the risk presented by a
CSP outage for Core C&S Systems would be consistent with those
requirements.
\64\ For example, there is an existing plan to manage a Fedwire
protracted outage. A Fedwire protracted outage is an interruption or
outage of Federal Reserve Bank hardware or software that prevents
the bank from processing payment orders online and that is not
expected to be resolved before the bank's next Fedwire Funds Service
Funds Transfer Business Day. In the event of such an outage, the
Clearing Agencies will assess the situation and employ, as needed
and applicable, the steps outlined in the BCR Policy and Standards,
the Federal Reserve Banks Operating Circulars (see, e.g., Operating
Circular No. 6, available at https://www.frbservices.org/binaries/content/assets/crsocms/resources/rules-regulations/070123-operating-circular-6.pdf), and any other regulatory guidance.
---------------------------------------------------------------------------
The BCR Policy and Standards is structured to employ existing DTCC
and Clearing Agency teams and committees, which become the tactical
leadership to react, respond, and manage a crisis situation.\65\ The
teams are comprised of the following:
---------------------------------------------------------------------------
\65\ The Clearing Agencies have established a list of situations
that are covered under the BCR Policy and Standards, any of which
could escalate to a disaster and trigger use of the Standards. The
technology events include (i) infrastructure outage, (ii) external
hosting provider service outage, and (iii) loss of logical access to
a Clearing Agency facility. The Clearing Agencies have separately
submitted a request for confidential treatment to the Commission
regarding the BCR Policy and Standards which define the governance
structure, high-level roles and responsibilities, and the framework
for business continuity and resilience processes at the Clearing
Agencies. The Clearing Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
---------------------------------------------------------------------------
Crisis Management Team. Comprised of the Management
Committee, site General Managers, Head of the Board Risk Committee,\66\
and other SMEs, as needed.
---------------------------------------------------------------------------
\66\ The Board Risk Committee is a Board level committee
established by the Boards of the Clearing Agencies to assist their
respective Boards in fulfilling their responsibilities for oversight
of risk management activities at the Clearing Agencies. This
includes oversight of credit, market, liquidity, operational, and
systemic risks.
---------------------------------------------------------------------------
Crisis Response Teams.
[[Page 72000]]
[cir] Business Continuity Coordinators and Plan Approvers--These
are individuals who manage business continuity at a plan level.
Fair and Orderly Markets Groups--These are crisis teams
comprised of internal stakeholders and top executives from external
firms deemed necessary to ensure a fair and orderly market. They would
be activated (based on impact to the legal entity) to gather
information during a large systemic event when operational coordination
is required with clients and the sector.
IT Management Team--Comprised of Information Technology
managing directors and SMEs.
Management Risk Committee--Comprised of senior members
across the enterprise.
Senior Site Management Team (``SSMT'')--Each DTCC office
with a facility level resilience plan (``FLRP'') has an SSMT, that is
comprised of senior leadership from the site.
Site Assessment Team (``SAT'')--Sites with an FLRP have a
SAT that responds to site-specific events. This team is comprised of a
primary/back-up site General Manager and representatives from BCR, IT,
Workplace Design and Service, Global Security Management, and Human
Resources. A Data Center Services representative also is added for
sites that have a data center.
MIM and BIMS Teams--Part of the IT organization that
manages technology specific and are typically resolved at the
application or hardware level with support from the appropriate SMEs.
Crisis Communication Team. The Crisis Communication Team
is comprised of officer-level members from Marketing and Communication,
Human Resources, General Counsel's Office, and Regulatory Relations, as
well as members of their staffs, as applicable.
The Clearing Agencies believe that these standing risk management
practices are key to managing the operational risk borne from
concentration risk outlined in Section II.A.1, above, by helping to
promote proactive risk management culture, enhancing operational
resilience, and enabling the Clearing Agencies to better navigate
uncertainties and maintain business continuity.
4. Industry Standards for Cloud Management
i. Cloud Management: Federal Financial Institutions Examination Council
Cloud Computing Guidance (``FFIEC'')
On April 30, 2020, FFIEC \67\ issued a joint statement to address
the use of Cloud computing services and security risk management
principles in the financial services sector (``FFIEC Guidance'').\68\
While the FFIEC Guidance does not contain regulatory obligations, it
highlights risk management practices that financial institutions should
adopt for the safe and sound use of Cloud computing services in five
broad areas (``FFIEC Risk Management Categories''): Governance, Cloud
Security Management, Change Management, Resilience and Recovery, and
Audit and Control Assessment. As discussed below, the Clearing Agencies
would implement practices consistent with the FFIEC Risk Management
Categories for Core C&S Systems operated in Cloud to help address cloud
management risk, as highlighted in Section II.A.2, above, by providing
frameworks, guidelines, and best practices, that enhance transparency,
reliability, and security.
---------------------------------------------------------------------------
\67\ FFIEC is a formal interagency body empowered to prescribe
uniform principles, standards, and report forms for the federal
examination of financial institutions by the Board of Governors of
the Federal Reserve System, the Federal Deposit Insurance
Corporation, the National Credit Union Administration, the Office of
the Comptroller of the Currency, and the Consumer Financial
Protection Bureau, and to make recommendations to promote uniformity
in the supervision of financial institutions.
\68\ Available at https://www.ffiec.gov/press/pr043020.htm.
---------------------------------------------------------------------------
(a) Governance
The Clearing Agencies and the CSP rely on a shared responsibility
model that differentiates between security ``of'' the Cloud and
security ``in'' the Cloud.\69\ This model is not specific to the
agreement between the Clearing Agencies and the CSP; rather, it is a
more universally followed model for public cloud services. Under the
model, the CSP maintains sole responsibility and control over the
security and resiliency ``of'' the Cloud, and their customers are
responsible for the security and resiliency ``in'' the Cloud (i.e.,
security and resiliency of hosted applications and data). This means
that the Clearing Agencies must manage their own application
architectures, data backups, change management controls, network
configurations within applications, and response to application
failures. In addition, the Clearing Agencies must manage their own data
usage and data-at-rest encryption configuration, IAM access policies
and roles, operating system upkeep, security group configurations, and
network traffic encryption in transit configurations. The Clearing
Agencies also manage how they place workloads onto the CSP's platform.
---------------------------------------------------------------------------
\69\ ``Shared responsibility'' conveys the responsibility of the
Clearing Agencies and the CSP vis-[agrave]-vis each other from a
business operations perspective. It does not mean that the CSP has
taken on or that the Clearing Agencies have relinquished any of
their Reg. SCI compliance requirements.
---------------------------------------------------------------------------
Meanwhile, the CSP must manage backend hardware services for
Compute, Storage, Networking, database, and global architectures such
as regions, availability zones, data centers, power, and HVAC, as well
as backend security services that protect core infrastructures. The CSP
manages the underlying infrastructure and upkeep, so that the Clearing
Agencies (and other customers) can place workloads on the CSP platform
with proper security and separation without having to manage these
traditional data center tasks. The Clearing Agencies review the CSP's
policies and procedures for these functions during the quarterly
reviews and during annual risk assessments.
When looking more closely at hardware management, the Clearing
Agencies believe there are benefits in how the CSP manages hardware for
Cloud compared to how the Clearing Agencies manage hardware for their
own data centers. For example, with on-premises data centers, the
Clearing Agencies must oversee a multifaceted supply chain, involving
many vendors to obtain and administer physical Compute, Storage, and
Network capacity. Delivery times may fluctuate, and scarcities can
affect project outcomes, as seen during the Covid-19 pandemic. In
contrast, with the proposed Cloud Infrastructure, the CSP controls the
hardware supply chain and even partakes in key areas of the
manufacturing process to circumvent typical problems such as chip
shortages. Moreover, the Clearing Agencies get to review the CSP's
equipment forecast for each upcoming quarter, affording the Clearing
Agencies the opportunity to address potential supply chain
difficulties, if any, without jeopardizing their access to adequate
capacity, by leveraging capabilities such as reserved capacity.
Altogether, the Clearing Agencies believe the CSP's management of Cloud
hardware will be a benefit to them.
The CSP would perform its own risk and vulnerability assessments of
the CSP infrastructure on which the Clearing Agencies would run their
Core C&S Systems. In published
[[Page 72001]]
documentation and in meetings conducted with the CSP, the CSP asserts
that it maintains an industry-leading automated test system, with
strong executive oversight, and conducts full-scope assessments of its
hardware, infrastructure, internal threats, and application software.
The CSP asserts that it has an aggressive program for conducting
internal adversarial assessments (``Red Team'') designed not only to
evaluate system security but also the processes used to monitor and
defend its infrastructure. The CSP also uses external, third-party
assessments as a cross-check against its own results and to ensure that
testing is conducted in an independent fashion. Pursuant to the CSP's
documentation, results of these processes are reviewed weekly by the
CSP's Chief Information Security Officer and the Chief Executive
Officer with senior CSP leaders to discuss security and action
plans.\70\
---------------------------------------------------------------------------
\70\ The CSP does not provide assessment results to its
customers, as doing so would constitute a breach of generally
accepted security best practices. Instead, the CSP provides its
customers with industry-standard reports--such as SOC2 Type II--
prepared by an independent third-party auditor to provide relevant
contextual information to its customers. The CSP also conducts
periodic audit meetings specifically designed to discuss security
concerns with its customers discussed later during the ``CSP Audit
Symposium.'' Additionally, the Clearing Agencies have certain audit
rights (pursuant to Section 3 Customer Rights of Access and Audit of
the Reg. SCI Addendum) to review information about the nature and
scope of the CSP's vulnerability management program.
---------------------------------------------------------------------------
The Clearing Agencies have the responsibility to perform risk
assessments and technical security testing, including control
validation, penetration testing, and adversarial testing of their
applications running on the Cloud Infrastructure. This includes testing
of the application interface layer of some CSP provided services such
as storage and key management.
As mentioned, the Clearing Agencies' testing includes assessing the
configuration of the CSP provided services. The Clearing Agencies'
Technology Risk Management staff would work with the Clearing Agencies'
Information Technology staff to ensure that the CSP tools are
configured to appropriately manage and mitigate potential sources of
risk and will assess the effectiveness of those configurations.\71\ The
Technology Risk Management staff has developed an application, Cloud
Governance Insights (``CGI''), to continuously monitor all Cloud
Infrastructure for alignment to security baselines and configurations
best practices.\72\ The CGI dashboard allows Information Technology and
Technology Risk Management staff to understand the environment risk
posture and reporting of key risk indicators (``KRIs''). The Clearing
Agencies' Red Team would operate freely ``in the Cloud,'' attempting to
subvert or circumvent controls.\73\ The testing would include probing
of the CSP provided services to look for weaknesses in the Clearing
Agencies' deployment of those tools.
---------------------------------------------------------------------------
\71\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the OTR TRM
Core Process Procedure--Security Configuration Violation Rules,
which is used to manage enterprise information security risk by
ensuring a consistent configuration violation scoring process that
provides timely identification of configuration violations and their
severity ratings. The Clearing Agencies have provided this document
in confidential Exhibit 3 to this advance notice filing.
\72\ CGI is the Clearing Agencies' internally developed solution
to perform Cloud Security Posture Management and assess Cloud
Infrastructure compliance against TRM Control Standards and Security
Baselines in near real-time.
\73\ Supra note 47.
---------------------------------------------------------------------------
Technology Risk Management staff would routinely report test
results to the Technology Risk Management Steering Committee and the
Management Risk Committee, appropriate functional Operations and
Information Technology management, senior management, and the Board of
Directors of the Clearing Agencies.74 75 Automated
vulnerability scanning reports, source code analysis, and results of
specific assessments would be risk-rated and assigned a priority for
remediation in accordance with Clearing Agency Information Security
Program requirements.76 77
---------------------------------------------------------------------------
\74\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the DTCC
Information Security--Information Security Management Policy and
Control Standards, which defines the roles, responsibilities, and
accountabilities for DTCC's security practices and organization
structure suited to protect DTCC's critical systems and business
assets. Information Security Management evaluates DTCC's information
security program's overall effectiveness, and establishes,
maintains, communicates, and periodically reassesses information
security policies and a comprehensive information security program
that are approved by management. The Clearing Agencies have provided
this document in confidential Exhibit 3 to this advance notice
filing.\75\ The Clearing Agencies have separately submitted a
request for confidential treatment to the Commission regarding the
DTCC Information Security--Risk Management Policy and Control
Standards, which provides (i) requirements for establishing,
implementing, maintaining, and continually improving the information
risk management program, (ii) a governance structure utilized for
the escalation of information risks to an appropriate management
level, and (iii) organizational roles and responsibilities for the
delivery of comprehensive information security and technology risk
management program. The Clearing Agencies have provided this
document in confidential Exhibit 3 to this advance notice filing.
\76\ Supra note 46.
\77\ Supra note 47.
---------------------------------------------------------------------------
Management and oversight of the Cloud implementation follows the
Clearing Agencies' standard governing principles for large information
technology projects.\78\ To maintain accountability over the CSP's
performance, regular reporting to the Boards of the Clearing Agencies
by senior management is essential and required, pursuant to the DTCC
Third Party Risk Procedures.\79\ Such reporting helps ensure that
senior management takes appropriate actions to address significant
performance deterioration, changing risks, or material issues
identified through ongoing monitoring, thereby helping to ensure
proactive risk management and continuous improvement.\80\ The Clearing
Agencies' Board of Directors has established a Technology and Cyber
Committee to assist the Board of Directors in overseeing information
technology and cybersecurity strategy and capabilities.
---------------------------------------------------------------------------
\78\ Supra note 32.
\79\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the DTCC
Third Party Risk Procedures, which establish the standards and
practices to be used by certain business line departments and/or
functional units to manage the potential risks associated with
engaging with an external service provider. The Clearing Agencies
have provided these documents in confidential Exhibit 3 to this
advance notice filing.
\80\ Supra note 62.
---------------------------------------------------------------------------
Information Technology and the Enterprise Program Management Office
(``EPMO'') are responsible for the identification, management,
monitoring, and reporting on the risks associated with the
modernization and migration of applications to Cloud. To that end,
reports on the status and progress of these efforts are reported to
applicable Clearing Agency committees based on escalation criteria in
the EPMO Procedure.\81\ These reports include overall risk and issue
summaries and analysis of key risk indicators for the migration of
applications to the public cloud.
---------------------------------------------------------------------------
\81\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the
Enterprise Program Management Office Procedure, which outlines the
minimum standards and practices the Clearing Agencies use to manage,
measure, and monitor the performance of key processes aligned to the
Enterprise Program Management Office Policy. The Clearing Agencies
have provided these documents in confidential Exhibit 3 to this
advance notice filing.
---------------------------------------------------------------------------
Finally, the Clearing Agencies' Internal Audit Department
(``IAD''), as the independent third line of defense, is responsible for
assessing and challenging the firm's control environment and risk
management and control frameworks, which include those related to the
Cloud, including, but not limited to, security controls and
configurations, and report the results of
[[Page 72002]]
those assessments to management and the Audit Committee of the
Board.\82\
---------------------------------------------------------------------------
\82\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the Internal
Audit Department Policies and Procedures, which contains the
policies and guidance that direct the activities of the Clearing
Agencies' IAD. The Clearing Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
---------------------------------------------------------------------------
Ultimately, there is no primary/secondary relationship, as the
Clearing Agencies and the CSP each have their own set of
responsibilities which, when combined, address the entire risk space.
(b) Cloud Security Management
The Clearing Agencies have established a robust Cloud security
program to (i) manage the security of the Core C&S Systems that would
be running on the Cloud Infrastructure hosted by the CSP, and (ii)
assess and monitor the CSP management of security of the Cloud
Infrastructure that it operates. The security program is built upon
Clearing Agency Information Security Policies and Control Standards
that establish requirements that apply to any technology system as well
as any tool that provides technology services.83 84 85 86
Below describes elements of the Clearing Agencies' Cloud security
management in the areas of (i) IAM controls (i.e., determining who is
accessing the systems, granting access to the applications, and then
controlling what information they can access); (ii) security governance
and controls for sensitive data; (iii) security configuration,
provisioning, logging, and monitoring; and (iv) security testing.
---------------------------------------------------------------------------
\83\ Supra notes 46-47, 73-74.
\84\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the DTCC
Information Security--Asset Security Policy and Control Standards,
which governs management of security for the information assets of
the Clearing Agencies. The Clearing Agencies have provided this
document in confidential Exhibit 3 to this advance notice filing.
\85\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the DTCC
Information Security--Monitoring and Incident Management Policy and
Control Standards, which governs DTCC's information security
monitoring and incident management and specifies requirements for
(i) detecting unauthorized information processing activities, (ii)
ensuring information security events and weaknesses associated with
information systems are communicated in a manner allowing timely
corrective action to be taken, and (iii) ensuring a consistent and
effective approach is applied to the management of information
security incidents. The Clearing Agencies have provided this
document in confidential Exhibit 3 to this advance notice filing.
\86\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the DTCC
Information Security--Asset Access Control Policy and Standards,
which governs management of security for the information assets of
the DTCC and its subsidiaries. The Clearing Agencies have provided
this document in confidential Exhibit 3 to this advance notice
filing.
---------------------------------------------------------------------------
(1) Network and IAM Controls
The Clearing Agencies recognize that robust network security
configuration and IAM would provide reasonable assurance that users--
including Clearing Agency employees, market participants, and service
accounts for systems \87\--are granted least-privileged access \88\ to
the network, applications, and data in the Cloud. The Clearing Agencies
would use third-party tools to automate appropriate role-based access
to the Core C&S Systems running in the Cloud. By enforcing strict
separation of duties and least-privileged access for infrastructure,
applications, and data, the Clearing Agencies would protect the
confidentiality, availability, and integrity of the data in the Cloud.
---------------------------------------------------------------------------
\87\ Service accounts are non-interactive accounts that permit
application access to support activities such as monitoring,
logging, or backup. Service accounts are also used for machine-to-
machine communications.
\88\ Least-privileged access means users only have the
permission needed to perform their work, and no more.
---------------------------------------------------------------------------
The Clearing Agencies have established IAM requirements that build
upon the least-privileged model.\89\ As part of the IAM program, all
users must be assigned an appropriate enterprise identification.
Additionally, the Clearing Agencies have established Highly Privileged
Access Management capabilities and policies to further restrict highly
privileged access to be used only in pre-determined scenarios that must
be tied to a change, incident, request, or release records.\90\
---------------------------------------------------------------------------
\89\ Supra note 85.
\90\ Id.
---------------------------------------------------------------------------
Cloud users would be granted access to systems via a standardized
and auditable approval process. The user identifications and granted
access would be managed through their full lifecycle from a centralized
IAM system maintained and administered by the Clearing Agencies. Role-,
attribute-, and context-based access controls would be used as defined
by internal standards \91\ consistent with industry recommended
practices to promote the principles of least-privileged access and
separation of duties.\92\
---------------------------------------------------------------------------
\91\ Id.
\92\ (1) ISO/IEC 27002:2013--Information technology--Security
techniques--Code of practice for information security controls; (2)
NIST Cybersecurity Framework (CSF) Version 1.1; (3) NIST Special
Publication 800-53 Revision 4--Security and Privacy Controls for
Federal Information Systems and Organizations.
---------------------------------------------------------------------------
The Clearing Agencies would use and manage third-party tools not
otherwise provided by nor managed by the CSP for single sign-on and
least-privileged access.\93\ The network also would include hardware
and software to limit and monitor ingress and egress traffic, encrypt
data in transmission, and isolate traffic between the Clearing Agencies
and the Cloud.\94\ Since the Clearing Agencies would continue to
provide cryptographic services, including key management, the CSP and
other network service providers would not be able to decrypt Clearing
Agency data either at rest or while in transit.
---------------------------------------------------------------------------
\93\ For example, the Clearing Agencies currently use Bravura
Security Privileged Access Management (a/k/a PAM) for highly
privileged access management.
\94\ Supra notes 47, 84-85.
---------------------------------------------------------------------------
(2) Security Governance and Controls for Sensitive Data
The Clearing Agencies' data governance framework that would apply
to Cloud implementation is identified within the Clearing Agency
Information Security Policies and Control Standards.\95\ The Clearing
Agency Information Security Policies and Control Standards address data
moving between systems within the Cloud as well as data transiting and
traversing both trusted and untrusted networks. For example, the
Clearing Agencies' Information Security Policies and Control Standards
require a system or Software as a Service (i.e., SaaS) to (i) store
data and information, including all copies of data and information in
the system, in the U.S., throughout its lifecycle; (ii) be able to
retrieve and access the data and information throughout its lifecycle;
(iii) for data in the system hosted in the Cloud, encrypt such data
with key pairs kept and owned by the Clearing Agencies; (iv) comply
with U.S. federal and applicable state data regulations regarding data
location; and (v) enable secure disposition of non-records in
accordance with the Clearing Agencies' Information Governance
Policy.\96\
---------------------------------------------------------------------------
\95\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the DTCC Data
Risk Management Policy, which establishes requirements for the sound
management of data risk across the data lifecycle. The Clearing
Agencies have provided this document in confidential Exhibit 3 to
this advance notice filing.
\96\ Supra note 85.
---------------------------------------------------------------------------
Furthermore, the Clearing Agencies' policies establish the overall
data governance framework applied to the management, use, and
governance of Clearing Agency information to include digital
instantiations, storage media, or whether the information is located,
processed, stored, or transmitted on the Clearing Agencies' information
systems and networks; public, private, or hybrid
[[Page 72003]]
cloud infrastructures; third-party data centers and data repositories;
or SaaS applications.\97\ The Information Classification and Handling
Policy \98\ classifies the Clearing Agencies' information into
categories. System owners of technology that enable classification and/
or labeling of information are responsible for ensuring the correct
classification level is designated in the system of record and the
applicable controls are enforced. All information requiring disposal is
required to be disposed of securely in accordance with all applicable
procedures. Sensitive data must be handled in a manner consistent with
requirements in the Information Classification and Handling Policy.
---------------------------------------------------------------------------
\97\ Supra note 46.
\98\ Supra note 83.
---------------------------------------------------------------------------
The Clearing Agencies would implement key security components,
namely ubiquitous authentication, and encryption via use of an
automated public key infrastructure, coupled with responsive, highly
available authentication, authorization tools, and key management
strategies to ensure appropriate industry standard security controls
are in place for sensitive data both in transit to and at rest in
Cloud.\99\
---------------------------------------------------------------------------
\99\ Supra note 47.
---------------------------------------------------------------------------
External connectivity to the Clearing Agencies' systems hosted by
the CSP would be provided, as it is now, through dedicated private
circuits or over encrypted tunnels through the internet. These network
links also would have additional security controls, including
encryption during transmission and restrictions on network access to
and from the Cloud. Additionally, the Clearing Agencies would use
dedicated redundant private network connections between the Clearing
Agencies data centers and the CSP infrastructure. The Clearing Agencies
currently maintains two data centers and will do so in the near term to
provide redundant, geographically diverse connectivity for market
participants.
All network communications between the Clearing Agencies and the
Cloud Infrastructure would rely on industry standard encryption for
traffic while in transit. Data at rest would be safeguarded through
pervasive encryption. The Clearing Agencies' Encryption Standards \100\
describe requirements for implementation of the minimum required
strengths, encryption at rest, and cryptographic algorithms approved
for use in cryptographic technology deployments across the Clearing
Agencies. All Clearing Agency identifying data is encrypted in transit
using industry standard methods. The Key Management Service (``KMS'')
Strategy \101\ dictates that all CSP endpoints support HTTPS for
encrypting data in transit. The Clearing Agencies also secure
connections to the endpoint service by using virtual private computer
endpoints and ensures client applications are properly configured to
ensure encapsulation between minimum and maximum Transport Layer
Security versions pursuant to the Clearing Agencies' encryption
standard.
---------------------------------------------------------------------------
\100\ Supra note 91.
\101\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the DTCC
Information Security--Public Key Infrastructure Policy and Control
Standards, which governs the public key infrastructures implemented
and used within DTCC and its subsidiaries. The Clearing Agencies
have provided this document in confidential Exhibit 3 to this
advance notice filing.
---------------------------------------------------------------------------
The Clearing Agencies would have exclusive control over the
encryption keys; only Clearing Agency authorized users and approved
third parties would be able to access Clearing Agency data. The CSP
systems and staff would not have access to the Clearing Agencies'
certificates or keys.\102\ The Clearing Agencies would be responsible
for the application architecture, software, configuration, and use of
the CSP services, and for the maintenance of the environment, including
ongoing monitoring of the application environment to achieve the
appropriate security posture. To do this, the Clearing Agencies would
follow (i) existing security design and controls; (ii) Cloud-specific
information security controls defined in the Clearing Agencies'
Information Security Policies and Control Standards; \103\ and (iii)
regulatory compliance requirements detailed in sources or information
technology practices that are widely available and issued by an
authoritative body that is a U.S. governmental entity or agency
including NIST-CSF,\104\ COBIT,\105\ and the FFIEC Guidelines.\106\
---------------------------------------------------------------------------
\102\ Certificate management is the process of creating,
monitoring, and handling digital keys (certificates) to encrypt
communications.
\103\ Supra note 91.
\104\ NIST Cybersecurity Framework Version 1.1.
\105\ COBIT 2019 Framework: Governance and Management
Objectives.
\106\ FFIEC Information Technology Examination Handbook--
Information Security (September 2016).
---------------------------------------------------------------------------
The Clearing Agencies would use third-party and custom developed
tools for CSP security compliance monitoring, security scanning, and
reporting. Alerts and all API-level actions would be gathered using
both CSP provided, Clearing Agency developed, and third-party
monitoring tools. The CSP provided monitoring tool would be enabled by
default at the organization level to monitor all CSP services activity.
Centralized logging provides near real-time analysis of events and
contains information about all aspects of user and role management,
detection of unauthorized, security relevant configuration changes, and
inbound and outbound communication.
As discussed just above, the Clearing Agencies would use a KMS
Strategy to encrypt data in transit and at rest in the Cloud. KMS is
designed so that no one, including CSP employees, can retrieve customer
plaintext keys and use them. The Federal Information Processing
Standards 140-2 validated Host Security Modules (``HSMs'') in KMS
protect the confidentiality and integrity of Clearing Agency customer
keys.\107\ Customer plaintext keys are not written to disk and are only
used in protected, volatile memory of the HSMs for the time needed to
perform the customer's requested cryptographic operation. KMS keys are
not transmitted outside of Cloud regions in which they were created.
Updates to the KMS HSM firmware will be controlled by quorum-based
access control \108\ that is audited and reviewed by an independent
group within the CSP.
---------------------------------------------------------------------------
\107\ The HSM is analogous to a safe to which only the Clearing
Agencies have the combination and the ability to access the keys to
locks stored within.
\108\ A quorum-based access mechanism requires multiple users to
provide credentials over a fixed period in order to obtain access.
---------------------------------------------------------------------------
(3) Security Configuration, Provisioning, Logging, and Monitoring
Automated delivery of business and security capability via the use
of ``Infrastructure as Code'' and continuous integration/continuous
deployment pipeline methods would permit security controls to be
consistently and transparently deployed on-demand. The Clearing
Agencies would provision Cloud Infrastructure using pre-established
system configurations that are deployed through Infrastructure as Code,
then scanned for compliance to secure baseline configuration standards.
The Clearing Agencies also would employ continuous configuration
monitoring and periodic vulnerability scanning. The Clearing Agencies
would perform regular reviews and testing of Clearing Agency systems
running in Cloud while relying upon information provided by the CSP
through the CSP's SOC2 and Audit Symposiums. Finally, configuration,
security incident, and event monitoring would rely on a blend of CSP
native and third-party solutions.
The Clearing Agencies also plan to use tools offered by the CSP,
developed by the Clearing Agencies, and third parties to monitor the
Core C&S Systems
[[Page 72004]]
running in Cloud. The Clearing Agencies would track metrics, monitor
log files, set alarms, and have the ability to act on changes to Core
C&S Systems and the environment in which they operate. The CSP would
provide a dashboard to reflect-general health (e.g., up/down status of
a region and CSP provided services running in that region) but would
not give additional insights into performance of services and
applications which run on those services. The Clearing Agencies'
centralized logging system would provide for a single frame of
reference for log aggregation, access, and workflow management by
ingesting the CSP's logs coming from native detective tools and the
Clearing Agencies' instrumented controls for logging, monitoring, and
vulnerability management. This instrumentation would give the Clearing
Agencies a real-time view into the availability of Cloud services as
well as the ability to track historical data. By using the enterprise
monitoring tools that the Clearing Agencies have in place, the Clearing
Agencies would be able to integrate the availability and capacity
management of Cloud into the Clearing Agencies' existing processes,
hosted in Cloud, to respond to issues in a timely manner.
The Clearing Agencies also would use specialized third-party tools,
as discussed just above, to programmatically configure Cloud services
and securely deploy infrastructure. This automation of configuration
and deployment would help ensure that Cloud services are repeatably and
consistently configured securely and validated. Change detection tools
providing event logs into the incident management system also are vital
for reacting to and investigating unexpected changes to the
environment.
The Clearing Agencies would implement tools for the Core C&S
Systems and back-office environments that would be hosted on the Cloud
Infrastructure, notably, IAM, monitoring and Security Information and
Event Management systems, the workflow system of record for incident
handling, KMS, and enterprise Data Loss Prevention.
Finally, the CSP prioritizes assurance programs and certifications,
underscoring its ability to comply with financial services regulations
and standards and to provide the Clearing Agencies with a secure Cloud
Infrastructure.\109\
---------------------------------------------------------------------------
\109\ The CSP has certifications for the following frameworks:
NIST, Cloud Security Alliance, COBIT, ISO, and FISMA.
---------------------------------------------------------------------------
(4) Security Testing and Verification
Security testing is integrated into business-as-usual processes as
outlined in relevant policy and procedures.\110\ These documents define
how testing is initiated, executed, and tracked.
---------------------------------------------------------------------------
\110\ Supra note 46.
---------------------------------------------------------------------------
For new assets and application (or code) releases, Technology Risk
Management determines whether and what type of security testing is
required through a risk-based analysis.\111\ If required, testing would
be conducted prior to implementation. The different testing techniques
are outlined below:
---------------------------------------------------------------------------
\111\ Supra note 30.
---------------------------------------------------------------------------
Automated Security Testing. Using industry standard
security testing tools and/or other security engineering techniques
specifically configured for each test, the Clearing Agencies would test
to identify vulnerabilities and deliver payloads with the intent to
break, change, or gain access to unauthorized areas within an
application, data, or system.
Manual Penetration Testing. Using information gathered
from automated testing and/or other information sources, the Clearing
Agencies would manually test to identify vulnerabilities and deliver
payloads with the intent to break, change, or gain access to the
unauthorized area within an application or system.
Blue Team Testing. The Blue Team identifies security
threats and risks in the operating environment and analyzes the
network, system, and SaaS environments and their current state of
security readiness. Blue Team assessment results guide risk mitigation
and remediation, validate the effectiveness of controls, and provide
evidence to support authorization or approval decisions. Blue Team
testing ensures that the Clearing Agencies' networks, systems, and SaaS
solutions are as secure as possible before deploying to a production
environment.
The results of the Clearing Agencies' security controls testing are
risk-rated and managed to remediation via two separate control
standards.\112\
---------------------------------------------------------------------------
\112\ Supra notes 46-47.
---------------------------------------------------------------------------
(c) Change Management: Software Development and Release Process
Consistent with FFIEC Guidance, the Clearing Agencies' use of Cloud
would have sufficient change management controls in place to
effectively transition systems and information assets to Cloud and
would help ensure the security and reliability of applications in
Cloud.\113\ The Clearing Agencies' enterprise software development
lifecycle processes \114\ would help ensure the same control
environment for all Clearing Agency resources. The Clearing Agencies
would establish baselines for design inputs and control requirements
and enforce workload isolation and segregation through Cloud using
existing Cloud native technical controls and added new tools. The
Clearing Agencies also would plan to use other specialized platform
monitoring tools for logging, scanning of configuration, and systems
process scanning. The Clearing Agencies also would have oversight as
the code owner and would have final review and approval for related
changes and code merges before deployment into production. Finally, the
Clearing Agencies would periodically conduct static code scanning and
perform vulnerability scanning for external dependencies prior to
deployment in production, along with manual penetration testing of the
provided application code. In addition, the Clearing Agencies would
perform routine scans of Compute resources with the existing enterprise
scanning tools. Any identified vulnerabilities would be reviewed for
severity, prioritized, and logged for remediation tracking in upcoming
development releases.
---------------------------------------------------------------------------
\113\ Supra note 30.
\114\ Id.
---------------------------------------------------------------------------
The Clearing Agencies would create a ``user acceptance plan'' prior
to promoting code to Cloud production. This user acceptance plan would
include tests of all major functions, processes, and interfacing
systems, as well as security tests. Through acceptance tests, the
Clearing Agencies' users would be able to simulate complete application
functionality of the live environment. The change would move to the
next stage of the Clearing Agencies' delivery model only after
satisfying the criteria for this phase.\115\
---------------------------------------------------------------------------
\115\ The ``user acceptance plan'' represents only one aspect of
the overall change management program at the Clearing Agencies.
---------------------------------------------------------------------------
The Clearing Agencies would have internal projects that would
address change management of the various applications and services. In
particular, the Clearing Agencies would run a suite of supporting
services that enable building, running, scaling, and monitoring of the
Clearing Agencies' business applications in Cloud, in an automated,
resilient, and secure manner.\116\ The application platform relies on
various CSP and third-party tools for different components, including
IaaS, Infrastructure as Code, CI/CD, Container as a Service,
[[Page 72005]]
Continuous Delivery, and Platform Monitoring.
---------------------------------------------------------------------------
\116\ Supra note 30.
---------------------------------------------------------------------------
With respect to software development in Cloud, the Clearing
Agencies would establish a closed, non-production Cloud environment
that would enable the Clearing Agencies to develop, test, and integrate
new capabilities, including those related to security capabilities.
This non-production Cloud environment would focus on the foundational
security, operations, and infrastructure requirements with the intent
to take lessons learned to implement into future production. The
Clearing Agencies would maintain a Cloud Reference Architecture that
defines necessary capabilities and controls required to securely host
Core C&S Systems. The minimum foundational security requirements would
be based on the NIST-CSF and CIS benchmarks and include the design and
implementation requirements of a secure Cloud account structure within
a multi-region Cloud environment. The Clearing Agencies would maintain
enterprise security requirements that provide structure for current and
future development. As the Cloud environment is further developed and
expanded, there would be a comprehensive process to identify any
incremental risks and develop and implement controls to manage and
mitigate those risks.
(d) Resilience and Recovery
As noted earlier, given the Clearing Agencies' roles as
systemically important financial market utilities, it is vital that
operations moved to the Cloud have appropriately robust resilience and
recovery capabilities. As discussed in Section II.B.ii.2, above, the
Cloud Infrastructure would be architected to include (i) two autonomous
and geographically diverse regions; (ii) three availability zones per
region, with each availability zone comprised of multiple data centers;
(iii) multi-node, high availability clusters across each availability
zone; (iv) static stability and static capacity models; and (v)
regional isolation, all to help ensure the persistent availability of
Compute, Storage, and Network capabilities in Cloud.
Additionally, the CSP's practice in deploying service updates to
Cloud would help ensure that the consequences of any incidents would be
limited to the fullest extent possible.\117\ The CSP achieves this by
(i) fully automating the build and deployment process and (ii)
deploying services to production in a phased manner.
---------------------------------------------------------------------------
\117\ The Clearing Agencies would continue to retain
responsibility for patching, configuration, and monitoring of the
operating systems and applications in Cloud.
---------------------------------------------------------------------------
CSP service updates are first deployed to cells, which minimizes
the chance that a disruption from a service update in one cell would
disrupt other cells. Following a successful cell-based deployment,
service updates are next deployed to a specific availability zone,
which limits any potential disruption to that zone. Following a
successful availability zone deployment, service updates are then
deployed in a staged manner to other availability zones, starting with
the same region and later within other regions until the process is
complete.
The Clearing Agencies would meet regularly with the CSP, in
addition to formal quarterly briefing meetings with the CSP, as
described in the Reg. SCI Addendum.\118\ The informal discussions and
quarterly briefing meetings would permit the Clearing Agencies to
gather information in advance of the quarterly systems change report.
Most reportable systems changes would continue to occur based on
changes to Compute, Storage, Network, or applications controlled by the
Clearing Agencies.
---------------------------------------------------------------------------
\118\ See Reg. SCI Addendum, Section 4 Briefing Meetings. The
Clearing Agencies have provided this document in confidential
Exhibit 3 to this advance notice filing.
---------------------------------------------------------------------------
(e) Audit Controls and Assessment
The Clearing Agencies would regularly test security controls and
configurations, including by monitoring the CSP's technical,
administrative, and physical security controls that support the
Clearing Agencies' systems in the Cloud Infrastructure.
(1) Internal Risk Assessments
As part of their existing third-party vendor risk activities, the
Clearing Agencies' Third-Party Risk department (``TPR'') would assess
the operational risks of the CSP as a critical vendor
annually.119 120 121 Additionally, as a critical vendor, the
CSP is subject to heightened risk management requirements, as defined
in the DTCC Third Party Risk CriticalPlus Program Procedures,\122\
which include an executive sponsor that must be at the Managing
Director level or higher, documented annual meetings, quarterly
reporting, and monthly notifications. Issues rated moderate or above,
negative news, performance concerns or remediations are directly
escalated to the Management Risk Committee monthly.\123\
---------------------------------------------------------------------------
\119\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the DTCC
Third Party Risk Governance & Monitoring Procedures, which describes
the minimum requirements for practices and standards to be used by
business owners to monitor and manage third party relationships for
DTCC and its subsidiaries. The Clearing Agencies have provided this
document in confidential Exhibit 3 to this advance notice filing.
\120\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the DTCC
Third Party Risk Policy and the DTCC Third Party Risk Procedures,
which establish the standards and practices to be used by certain
business line departments and/or functional units to manage the
potential risks associated with engaging with an external service
provider. The Clearing Agencies have provided these documents in
confidential Exhibit 3 to this advance notice filing.
\121\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the Third
Party Risk--Technology and Resilience Procedure, which supplements
the ``DTCC Third Party Risk Policy'', ``DTCC Third Party Risk
Procedures'', and ``DTCC Third Party Risk Governance and Monitoring
Procedures'' and covers the following: standard technology risk
assessments (e.g., due diligence), fourth party reviews, NYDFS cyber
security assessments, and onsite assessments. The Clearing Agencies
have provided this document in confidential Exhibit 3 to this
advance notice filing.
\122\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the DTCC
Third Party Risk CriticalPlus Program Procedures. The Clearing
Agencies have provided this document in confidential Exhibit 3 to
this advance notice filing.
\123\ Supra note 62.
---------------------------------------------------------------------------
(2) Internal Audit Department
As mentioned in Section II.B.ii.4.(a), above, the Clearing
Agencies' IAD, as the third line of defense, is independent from the
Clearing Agencies' business lines, support areas, and controls
functions, and promotes resiliency and security through the assessment
of risk management and control frameworks to raise awareness of control
risks and changes for improving controls and governance processes.
IAD assesses the risks of the Clearing Agencies, at least annually,
as part of the development of the risk-based audit plan, which is
reviewed and refreshed, as needed, on a quarterly basis.\124\ The
development of the audit plan includes the consideration of IADs risk
assessment results, which informs cycle coverage requirements for
Cloud. Additional considerations include, but are not limited to,
regulatory requirements and expectations, initiatives, and
institutional and industry risk trends, including risks associated with
technology and cloud-based processes.
---------------------------------------------------------------------------
\124\ Supra note 81.
---------------------------------------------------------------------------
IAD's specific reviews of Cloud Infrastructure have not identified
any material deficiencies and the scope of the reviews have included,
but are not limited to, consideration of governance and oversight,
contagion risk and logical separation, access management, security
configuration and monitoring,
[[Page 72006]]
concentration risk, exit strategy, business continuity and disaster
recovery. IAD also has assessed the design of controls for a cloud
platform scheduled for use in 2024 and is proposing a Cloud Security
audit for 2024.\125\
---------------------------------------------------------------------------
\125\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the Clearing
Agencies' Cloud Platform Internal Audit Report. The Clearing
Agencies have provided this document in confidential Exhibit 3 to
this advance notice filing.
---------------------------------------------------------------------------
(3) Key Risk and Key Performance Indicators \126\
---------------------------------------------------------------------------
\126\ Supra note 62.
---------------------------------------------------------------------------
The Clearing Agencies have established processes to evaluate the
Clearing Agencies' management of CSPs. Cloud vendors are rated through
a quarterly TPR survey. If a survey results in a poor rating, then it
is reported to the Management Risk Committee (``MRC'').\127\ TPR is
responsible for the timely reporting and escalation of third-party
risks. On a regular basis, TPR will review all active assessments to
identify any high risks or potential issues that may require further
discussion or escalation to senior management, Corporate Procurement
Services (``CPS''), or internal stakeholders. The DTCC Third Party Risk
Procedures provide a list of events that must be presented to the
MRC.\128\
---------------------------------------------------------------------------
\127\ Supra note 119.
\128\ Supra note 78.
---------------------------------------------------------------------------
The Clearing Agencies have developed key performance indicators
(``KPIs'') for Cloud and socialized these KPIs internally. The KRIs
already exist for Core C&S Systems and are aligned to overall systems
availability, capacity, data integrity, and security.\129\ The CSP KPIs
would feed into existing KRIs and would be used to evaluate the CSP's
performance after Cloud implementation. KPIs would be added to monitor
the performance and risks of the CSP services for which the Clearing
Agencies have contracted. These post-Cloud implementation KRIs and KPIs
would allow the Clearing Agencies to assess their ongoing use of the
CSP against their operational and security requirements and would help
demonstrate the effectiveness of risk controls and the CSP's
performance against commitments in the SLAs, and will be reported on a
regular basis to the Clearing Agencies' Management Committee, Board of
Directors, and Technology and Risk Committees of the Board of
Directors.
---------------------------------------------------------------------------
\129\ The Clearing Agencies have separately submitted a request
for confidential treatment to the Commission regarding the IT-Q4
2023 Risk Tolerance. The Clearing Agencies have provided this
document in confidential Exhibit 3 to this advance notice filing.
---------------------------------------------------------------------------
(4) Auditing the CSP and Access Rights \130\
---------------------------------------------------------------------------
\130\ Supra note 62.
---------------------------------------------------------------------------
The CSP hosts an annual Audit Symposium. The Cloud Agreement gives
the Clearing Agencies the right to attend the symposium so that the
Clearing Agencies may inspect and verify evidence of the design and
effectiveness of the CSP's control environment.\131\ The CSP also hosts
an annual Cloud security conference focused on security, governance,
risk and compliance, which the Clearing Agencies would attend. Through
preparation for and attendance at these events, the Clearing Agencies
could provide feedback and make requests of the CSP for future
modifications of its control environment.
---------------------------------------------------------------------------
\131\ See Reg. SCI Addendum, Section 3 Customer Right of Access
and Audit. The Clearing Agencies have provided this document in
confidential Exhibit 3 to this advance notice filing.
---------------------------------------------------------------------------
The Clearing Agencies' Information Technology staff currently meets
with CSP representatives weekly to focus on technical issues related to
the Clearing Agencies' proposed Cloud environment. As required under
the Cloud Agreement, the Clearing Agencies hold quarterly compliance
briefings with the CSP, wherein the Clearing Agencies receive
information, including any necessary documentation, from the CSP to
help assure the Clearing Agencies that the CSP is meeting its
obligations.\132\ The information provided includes updates to services
and SLAs, CSP performance, and details that help the Clearing Agencies
meet their reporting obligations under Section 1003(a)(1) of Reg. SCI.
The Clearing Agencies' management, including Security, Information
Technology, TPR, and the Internal Audit Department, coordinate to
ensure appropriate representation during such briefings. The CSP is
required under Cloud Agreement to maintain records showing its
compliance with the agreements for a period of five years.\133\
---------------------------------------------------------------------------
\132\ Supra note 117.
\133\ See Reg. SCI Addendum, Section 7.3 CSP Records. The
Clearing Agencies have provided this document in confidential
Exhibit 3 to this advance notice filing.
---------------------------------------------------------------------------
The CSP would be required to maintain an information security
program, including controls and certifications, that is as protective
as the program evidenced by the CSP's SOC-2 report. The CSP must make
available on demand to the Clearing Agencies its SOC-2 report as well
as the CSP's other certifications from accreditation bodies and
information on its alignment with various frameworks, including NIST-
CSF, and ISO.\134\
---------------------------------------------------------------------------
\134\ The FFIEC Guidance provides that the Clearing Agencies may
obtain SOC reports, other independent audits, or ISO certification
reports to gain assurance that the CSP's controls are operating
effectively. See FFIEC, Security in a Cloud Computing Environment,
at 7. The Clearing Agencies review the CSP's SOC-2 on an annual
basis. See Reg. SCI Addendum, Section 2 CSP Information Security
Program. The SOC reports, along with other artifacts showing
compliance with these sections, are available to the Clearing
Agencies on demand. In addition, during each Briefing Meeting (See
Reg. SCI Addendum Section 4 Briefing Meetings), updates are provided
on any material changes to certification standards, policies,
procedures, controls or security standards at the CSP. The Clearing
Agencies have provided this document in confidential Exhibit 3 to
this advance notice filing.
---------------------------------------------------------------------------
As part of the annual risk assessment of the CSP, TPR collects risk
and control related assurance documents from the CSP and coordinates
review with the Clearing Agencies' respective subject matters
specialists. TPR, Security, and Business Continuity would determine the
adequacy and reasonableness of the documentation received to complete
the Third-Party Risk Assessment. Finally, the Cloud Agreement provides
that the Clearing Agencies' and their regulators may visit the
facilities of the CSP under specified conditions. TPR would help
coordinate bi-annual visits of the data centers.\135\
---------------------------------------------------------------------------
\135\ See Reg. SCI Addendum, Sections 3 Customer Right of Access
and Audit and 9 Regulatory Supervision. The Clearing Agencies have
provided this document in confidential Exhibit 3 to this advance
notice filing.
---------------------------------------------------------------------------
The Clearing Agencies plan to use the CSP's services combined with
additional third-party tools to monitor systems deployed by ingesting
logs into a security incident and event monitoring tool to provide a
``single pane of glass'' view into the Cloud Infrastructure. When
incidents are detected, the Clearing Agencies would follow their
existing incident response governance to identify, detect, contain,
eradicate, and recover from incidents.
III. Consistency With the Clearing Supervision Act
The stated purpose of the Clearing Supervision Act is to mitigate
systemic risk in the financial system and promote financial stability
by, among other things, promoting uniform risk management standards for
systemically important financial market utilities and strengthening the
liquidity of systemically important financial market utilities.\136\
Section 805(a)(2) of the Clearing Supervision Act \137\ also authorizes
the Commission to prescribe risk management standards for the
[[Page 72007]]
payment, clearing and settlement activities of designated clearing
entities, like the Clearing Agencies, for which the Commission is the
supervisory agency. Section 805(b) of the Clearing Supervision Act
\138\ states that the objectives and principles for risk management
standards prescribed under Section 805(a) shall be to:
---------------------------------------------------------------------------
\136\ 12 U.S.C. 5461(b).
\137\ 12 U.S.C. 5464(a)(2).
\138\ 12 U.S.C. 5464(b).
---------------------------------------------------------------------------
promote robust risk management;
promote safety and soundness;
reduce systemic risks; and
support the stability of the broader financial system.
The Commission adopted Rule 17ad-22 under Section 805(a)(2) of the
Clearing Supervision Act and the Exchange Act in furtherance of these
objectives and principles.\139\ Rule 17ad-22 under the Exchange
requires covered clearing agencies, like the Clearing Agencies, to
establish, implement, maintain, and enforce written policies and
procedures that are reasonably designed to meet certain minimum
requirements for their operations and risk management practices on an
ongoing basis.\140\
---------------------------------------------------------------------------
\139\ 17 CFR 240.17ad-22. Exchange Act Release Nos. 68080
(October 22, 2012), 77 FR 66220 (November 2, 2012) (S7-08-11)
(Clearing Agency Standards); 78961 (September 28, 2016), 81 FR 70786
(October 13, 2016) (S7-03-14) (Standards for Covered Clearing
Agencies).
\140\ 17 CFR 240.17ad-22.
---------------------------------------------------------------------------
The Clearing Agencies believe that the Cloud Proposal is consistent
with Section 805(b)(1) of the Clearing Supervision Act \141\ and the
requirements of Rules 17ad-22(e)(17)(ii) under the Exchange Act.\142\
---------------------------------------------------------------------------
\141\ 12 U.S.C. 5464(b)(1).
\142\ 17 CFR 240.17ad-22(e)(17)(ii).
---------------------------------------------------------------------------
A. Consistency With Section 805(b)(1) of the Clearing Supervision Act
Promote Robust Risk Management. As described above, the Clearing
Agencies believe that the Cloud Proposal promotes robust risk
management, specifically operational risk management, by providing
scalable and secure infrastructure for hosting Core C&S Systems. The
Cloud Proposal would add additional security capabilities, allow for
regular updates and maintenance of applications, and reduce the risk of
data breaches while also ensuring compliance with industry standards.
Additionally, transitioning to Cloud would offer flexibility in scaling
resources, which can enable the Clearing Agencies to adapt quickly to
changing security needs and allocate resources more efficiently.
Today, the Clearing Agencies' ability to risk manage extreme market
events is directly tied to their ability to scale their on-premises
resource during such events, which is directly tied to the Clearing
Agencies having previously expended enough capital to build enough
capacity based on earlier performance testing of their applications to
withstand such extreme market events. Although the Clearing Agencies
would continue to performance test their applications regardless of
where the applications are hosted, by hosting the applications in
Cloud, the number of scalable resources is already available, when
needed, without the Clearing Agencies having to pre-purchase it or
build it. This level of nearly unbounded, on-demand scalability
provides a much-welcomed risk-management feature for extreme events,
such as a global pandemic as noted above.
Overall, risk management is inherently strengthened by hosting in
Cloud through advanced security features, real-time monitoring, on-
demand scalability, and compliance standards implemented by the CSP. By
leveraging these capabilities, the Clearing Agencies can better
proactively identify and address risks, ensuring data integrity and
regulatory compliance.
Promote Safety and Soundness. The Clearing Agencies also believe
that the Cloud Proposal promotes safety and soundness. As discussed
above, transitioning to Cloud provides centralized management and
improved scalability. The CSP provides cloud-specific security
capabilities, including encryption, access controls, and regular
updates, reducing the risk of security breaches. Centralized monitoring
allows for better visibility into potential threats, enabling quick
response and mitigation. The agility afforded by Cloud would allow the
Clearing Agencies to respond to performance challenges more efficiently
and effectively. For instance, as noted above, in the face of
unexpected surges in demand, Cloud scalability would allow the Clearing
Agencies to seamlessly adjust resources, helping to prevent service
disruptions and loss of operations. Such agility not only enhances the
effectiveness of operations but also mitigates the risks associated
with unexpected fluctuations in workload performance. These benefits
improve the Clearing Agencies abilities to maintain operational
continuity and resilience, which help promote safety and soundness.
Reduce Systemic Risk. The Clearing Agencies also believe that the
Cloud Proposal would reduce systemic risk by improving overall
resilience and security. As described above, hosting Core C&S Systems
in Cloud would provide distributed infrastructure and data redundancy
(i.e., multiple availability zones, supported by many data centers,
across two regions), making the systems less susceptible to single
points of failure. Moreover, disaster recovery would be streamlined,
minimizing the effect of potential disruptions, while automatic backup
systems, geographic redundancy, and faster data recovery mechanisms
would all contribute to a more resilient infrastructure. In the event
of a localized issue, the distributed nature of Cloud would help
prevent widespread disruptions.
Production resiliency also is greatly improved in Cloud compared to
the Clearing Agencies' on-premises capabilities, where a single
location hosts an application, on a single copy of primary storage.
Instead, Cloud would host an application across three primary
availability zones, made of up of many data centers, each of which
contain actively running instances and synchronous copies of the data.
If the Clearing Agencies' primary, on-premises data center fails, an
out of region recovery will be necessary and will likely result in
approximately two hours of downtime. By comparison, in Cloud, even if
an entire availability zone fails (meaning the failure of multiple data
centers), Core C&S Systems would continue to operate within the region,
thus avoiding an out of region recovery and any downtime.
The Clearing Agencies would employ meaningful security capabilities
and measures provided by the CSP and third-party tools to further
enhance the security of the Clearing Agencies' Core C&S Systems. This
approach to security would help reduce systemic risks associated with
operational outages and significantly reduce the risk associated with
data loss or downtime. Additionally, the Cloud environment facilitates
regular updates and patch management, ensuring that security measures
stay current. This proactive maintenance helps mitigate vulnerabilities
that could otherwise contribute to systemic risk. Overall, the adoption
of Cloud enhances the stability and security of IT infrastructure,
contributing to a reduction in systemic risks.
Altogether, the Clearing Agencies believe that the benefits afford
from operating in a Cloud Infrastructure would help the Clearing
Agencies reduce systemic risk.
Support the Stability of the Broader Financial System. The Clearing
Agencies believe that the Cloud Proposal supports the stability of the
broader financial system by enhancing efficiency, resilience, and
security of the
[[Page 72008]]
Clearing Agencies' Core C&S Systems. Cloud services would provide the
Clearing Agencies with scalable and flexible infrastructure, allowing
for more efficient resource allocation and cost management, which
supports operational resiliency and stability. With the ability to
rapidly deploy new applications and services, the Clearing Agencies
would become more agile in adapting to market trends and participant
and customer needs.
In terms of resilience, the Cloud Infrastructure offers distributed
data storage and failover solutions, reducing the impact of localized
disruptions and improving recovery capabilities. This resilience is
crucial for the Clearing Agencies' Core C&S Systems to continue
functioning even in the face of unforeseen events. Moreover, the CSP's
strengthened security capabilities help protect sensitive data,
mitigating the risk of cyberattack or data breaches that could
undermine the stability of the financial system. Overall, the
transition to Cloud fosters improved operational efficiency,
resilience, and robust security practices, contributing to the
stability of the broader financial system.
Accordingly, the proposed changes provided in this Cloud Proposal
are consistent with (i) promoting robust risk management; (ii)
promoting safety and soundness; (iii) reducing systemic risks; and (iv)
promoting the stability of the broader financial system, all in support
of the objectives and principles of Section 805(b) of the Clearing
Supervision Act.\143\
---------------------------------------------------------------------------
\143\ 12 U.S.C. 5464(b).
---------------------------------------------------------------------------
B. Consistency With Rule 17ad-22(e)(17)(ii) Under the Exchange Act
Rule 17ad-22(e)(17)(ii) requires the Clearing Agencies to
establish, implement, maintain, and enforce written policies and
procedures reasonably designed to manage the Clearing Agencies'
operational risk by ``ensuring that systems have a high degree of
security, resiliency, operational reliability, and adequate, scalable
capacity.'' \144\
---------------------------------------------------------------------------
\144\ 17 CFR 240.17ad-22(e)(17)(ii). The Clearing Agencies
maintain several policies specifically designed to manage the risks
associated with maintaining adequate levels of system functionality,
confidentiality, integrity, availability, capacity, and resiliency
for systems that support core clearing, risk management, and data
management services.
---------------------------------------------------------------------------
Security. As described above and in policies and procedures
confidentially filed, the Clearing Agencies have established a robust
Cloud security program to manage the security of the Core C&S Systems
that would be running in Cloud and to monitor the CSP's management of
security of the Cloud Infrastructure that it operates. Processes are
formally defined, automated to the fullest extent, repeatable with
minimal variation, accessible, adhered to, and timely. The enterprise
security program encompasses all of the Clearing Agencies' assets
existing in the Clearing Agencies' offices, data centers, and within
the Cloud Infrastructure, and IAM controls ensure least-privileged user
access to applications in Cloud. The Clearing Agencies have appropriate
controls in place to help ensure the security of confidential
information in-transit between the Clearing Agencies' data centers and
the Cloud Infrastructure, between systems within the Cloud
Infrastructure, and at-rest. All network communications between the
Clearing Agencies and Cloud would rely on industry standard encryption
for traffic while in transit, and data at rest would be safeguarded
through pervasive encryption. Finally, automated delivery of business
and security capability via the use of the Infrastructure as Code,
Cloud agnostic tools, and continuous integration/continuous deployment
pipeline methods help ensure security controls are consistently and
transparently deployed.
Resiliency and Operational Reliability. As stated above, resiliency
and operational reliability of the Cloud Infrastructure is built into
the system with functionality for the Clearing Agencies' Core C&S
Systems to run in multiple availability zones within multiple regions.
Regions are segregated from one another and are designed to minimize
the possibility of a multi-region outage. The Clearing Agencies have
designed their Cloud Infrastructure to have primary (hot)/secondary
(warm) regions, at all times, ensuring Compute, Storage, and Network
resources would be available in a new redundant region in the event of
a primary region failure. As a result, the Cloud Infrastructure offers
the Clearing Agencies multiple redundancies within which to run Core
C&S Systems, while simultaneously restricting the effect of an incident
at the CSP to the smallest footprint possible.
Scalability. As described above, since additional computing power
can be launched on demand, the scalability in a Cloud computing
environment is considerable and instantaneous. The Clearing Agencies
could provision or de-provision Compute, Storage, and Network resources
to meet demand at any given point in time. In the current on-premises
environment, immediate scalability is limited by the capacity of the
on-premises hardware. Additional physical servers and network equipment
would be needed to scale beyond the limits of the on-premises hardware,
potentially affecting the ability to quickly adapt to evolving market
conditions, including spikes in trading volume.
For these reasons, the Clearing Agencies believe that the Cloud
Proposal would help ensure that the Clearing Agencies' systems have a
high degree of security, resiliency, operational reliability, and
adequate, scalable capacity, consistent with Rule 17ad-22(e)(17)(ii)
under the Exchange Act.\145\
---------------------------------------------------------------------------
\145\ 17 CFR 240.17ad-22(e)(17)(ii).
---------------------------------------------------------------------------
III. Date of Effectiveness of the Advance Notice
The proposed change may be implemented if the Commission does not
object to the proposed change within 60 days of the later of (i) the
date the proposed change was filed with the Commission or (ii) the date
any additional information requested by the Commission is
received.\146\ The clearing agency shall not implement the proposed
change if the Commission has any objection to the proposed change.\147\
---------------------------------------------------------------------------
\146\ 12 U.S.C. 5465(e)(1)(G).
\147\ 12 U.S.C. 5465(e)(1)(F).
---------------------------------------------------------------------------
The clearing agency shall post notice on its website of proposed
changes that are implemented. The proposal shall not take effect until
all regulatory actions required with respect to the proposal are
completed.
IV. Solicitation of Comments
Interested persons are invited to submit written data, views, and
arguments concerning the foregoing, including whether the advance
notice is consistent with the Clearing Supervision Act. Comments may be
submitted by any of the following methods:
Electronic Comments
Use the Commission's internet comment form (https://www.sec.gov/rules/sro.shtml); or
Send an email to [email protected]. Please include
file number NSCC-2024-801 on the subject line.
Paper Comments
Send paper comments in triplicate to Secretary, Securities
and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.
All submissions should refer to file number SR-NSCC-2024-801. This file
number should be included on the subject line if email is used. To help
the Commission process and review your comments more efficiently,
please use only one method. The Commission will
[[Page 72009]]
post all comments on the Commission's internet website (https://www.sec.gov/rules/sro.shtml). Copies of the submission, all subsequent
amendments, all written statements with respect to the advance notice
that are filed with the Commission, and all written communications
relating to the advance notice between the Commission and any person,
other than those that may be withheld from the public in accordance
with the provisions of 5 U.S.C. 552, will be available for website
viewing and printing in the Commission's Public Reference Room, 100 F
Street NE, Washington, DC 20549 on official business days between the
hours of 10 a.m. and 3 p.m. Copies of the filing also will be available
for inspection and copying at the principal office of NSCC and on
DTCC's website (dtcc.com/legal/sec-rule-filings). Do not include
personal identifiable information in submissions; you should submit
only information that you wish to make available publicly. We may
redact in part or withhold entirely from publication submitted material
that is obscene or subject to copyright protection. All submissions
should refer to File Number SR-NSCC-2024-801 and should be submitted on
or before September 25, 2024.
V. Date of Timing for Commission Action
Section 806(e)(1)(G) of the Clearing Supervision Act provides that
NSCC may implement the changes if it has not received an objection to
the proposed changes within 60 days of the later of (i) the date that
the Commission receives the Advance Notice or (ii) the date that any
additional information requested by the Commission is received,\148\
unless extended as described below.
---------------------------------------------------------------------------
\148\ 12 U.S.C. 5465(e)(1)(G).
---------------------------------------------------------------------------
Pursuant to Section 806(e)(1)(H) of the Clearing Supervision Act,
the Commission may extend the review period of an advance notice for an
additional 60 days, if the changes proposed in the advance notice raise
novel or complex issues, subject to the Commission providing the
clearing agency with prompt written notice of the extension.\149\
---------------------------------------------------------------------------
\149\ 12 U.S.C. 5465(e)(1)(H).
---------------------------------------------------------------------------
Here, as the Commission has not requested any additional
information, the date that is 60 days after NSCC filed the Advance
Notice with the Commission is October 13, 2024. However, the Commission
believes that the changes proposed in the Advance Notice raise novel
and complex issues. The Commission finds the issues novel because NSCC
proposes a gradual migration of a specified set of Core C&S Systems to
a public cloud infrastructure hosted by a single, third-party service
provider. The Commission also finds the issues raised by the Advance
Notice complex because the selection of the subset of applications
proposed for migration involves a detailed governance review process
that would require careful scrutiny and consideration of its associated
risks. Therefore, the Commission finds it appropriate to extend the
review period of the Advance Notice for an additional 60 days under
Section 806(e)(1)(H) of the Clearing Supervision Act.\150\
---------------------------------------------------------------------------
\150\ Id.
---------------------------------------------------------------------------
Accordingly, the Commission, pursuant to Section 806(e)(1)(H) of
the Clearing Supervision Act,\151\ extends the review period for an
additional 60 days so that the Commission shall have until December 12,
2024 to issue an objection or non-objection to advance notice SR-NSCC-
2024-801.
---------------------------------------------------------------------------
\151\ Id.
---------------------------------------------------------------------------
All submissions should refer to File Number SR-NSCC-2024-801 and
should be submitted on or before September 25, 2024.
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\152\
---------------------------------------------------------------------------
\152\ 17 CFR 200.30-3(a)(91).
---------------------------------------------------------------------------
Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2024-19761 Filed 9-3-24; 8:45 am]
BILLING CODE 8011-01-P