[Federal Register Volume 84, Number 240 (Friday, December 13, 2019)]
[Notices]
[Pages 68269-68272]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-26845]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-87698; File No. SR-DTC-2019-008]
Self-Regulatory Organizations; The Depository Trust Company;
Order Approving a Proposed Rule Change To Require Confirmation of
Cybersecurity Program
December 9, 2019.
I. Introduction
On October 15, 2019, The Depository Trust Company (``DTC'') filed
with the Securities and Exchange Commission (``Commission''), pursuant
to Section 19(b)(1) of the Securities Exchange Act of 1934 (``Act'')
\1\ and Rule 19b-4 thereunder,\2\ proposed rule change SR-DTC-2019-008.
The proposed rule change was published for comment in the Federal
Register on October 30, 2019.\3\ The Commission did not receive any
comment letters on the proposed rule change. For the reasons discussed
[[Page 68270]]
below, the Commission is approving the proposed rule change.
---------------------------------------------------------------------------
\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b-4.
\3\ Securities Exchange Act Release No. 87393 (October 24,
2019), 84 FR 58189 (October 30, 2019) (SR-DTC-2019-008)
(``Notice'').
---------------------------------------------------------------------------
II. Description of the Proposed Rule Change
DTC proposes to modify the Rules, By-Laws and Organization
Certificate of DTC (``Rules'') \4\ in order to (1) define the term
``Cybersecurity Confirmation'' as a written representation that
addresses a submitting entity's cybersecurity program (described more
fully below); and (2) require DTC's Participants, Pledgees, and
applicants for membership as a Participant or Pledgee (``Applicants'')
to submit to DTC a Cybersecurity Confirmation (both as part of an
initial application for membership and on an ongoing basis for
Participants and Pledgees, at least every two years).
---------------------------------------------------------------------------
\4\ Capitalized terms not defined herein are defined in the
Rules, available at http://www.dtcc.com/legal/rules-and-procedures.
---------------------------------------------------------------------------
A. Background
DTC serves as the central securities depository for substantially
all corporate and municipal debt and equity securities available for
trading in the United States.\5\ DTC provides depository services and
asset servicing for a wide range of security types such as money market
instruments, equities, warrants, rights, corporate debt and notes,
municipal bonds, government securities, asset-backed securities, and
collateralized mortgage obligations.\6\ DTC's custodial services
include the safekeeping, record keeping, book entry transfer, and
pledge of securities among its Participants and Pledgees.\7\ DTC also
provides services to securities issuers, such as maintaining current
ownership records and distributing payments to shareholders.\8\ In
light of DTC's critical role in the marketplace, DTC was designated a
Systemically Important Financial Market Utility (``SIFMU'') under Title
VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act
of 2010.\9\ Due to DTC's unique position in the marketplace, a failure
or a disruption to DTC could, among other things, increase the risk of
significant liquidity problems spreading among financial institutions
or markets, and thereby threaten the stability of the financial system
in the United States.\10\
---------------------------------------------------------------------------
\5\ See Financial Stability Oversight Counsel 2012 Annual
Report, Appendix A (``FSOC 2012 Report''), available at http://www.treasury.gov/initiatives/fsoc/Documents/2012%20Annual%20Report.pdf.
\6\ Id.
\7\ Id.
\8\ Id.
\9\ 12 U.S.C. 5465(e)(1). See FSOC 2012 Report, supra note 5.
\10\ See FSOC 2012 Report, supra note 5.
---------------------------------------------------------------------------
DTC's Participants and Pledgees connect to DTC, either through the
Securely Managed and Reliable Technology (``SMART'') network or through
other electronic means, such as a third party service provider, service
bureau, network, or the internet. The SMART network is a technology
managed by DTC's parent company, The Depository Trust & Clearing
Corporation (``DTCC''), that connects a nationwide complex of networks,
processing centers, and control facilities. Currently, DTC does not
require its Participants, Pledgees, or Applicants to represent that
they maintain a cybersecurity program as a condition for connecting to
DTC via the SMART network or other means.
DTC states that many of its Participants, Pledgees, and Applicants
may currently be subject to regulations that are designed, in part, to
protect against cyberattacks.\11\
---------------------------------------------------------------------------
\11\ For example, depending on the type of entity, DTC states
that its members may be subject to one or more of the following
regulations: (1) Regulation S-ID, which requires ``financial
institutions'' or ``creditors'' under the rule to adopt programs to
identify and address the risk of identity theft of individuals (17
CFR 248.201-202); (2) Regulation S-P, which requires broker-dealers,
investment companies, and investment advisers to adopt written
policies and procedures that address administrative, technical, and
physical safeguards for the protection of customer records and
information (17 CFR 248.1-30); and (3) Rule 15c3-5 under the Act,
known as the ``Market Access Rule,'' which requires broker-dealers
to establish, document, and maintain a system for regularly
reviewing the effectiveness of its management controls and
supervisory procedures (17 CFR 240.15c3-5). Notice, supra note 3, at
58190.
---------------------------------------------------------------------------
Accordingly, such entities would currently be required to follow
standards established by national or international organizations
focused on information security management, and they would currently
maintain protocols for their senior management to verify the existence
of cybersecurity programs sufficient to meet regulatory obligations.
DTC further believes that some of its Participants, Pledgees, and
Applicants might also currently follow protocols substantially similar
to the regulations referred to earlier in this paragraph in order to
meet the evolving cybersecurity expectations of regulators and/or their
own institutional customers.\12\
---------------------------------------------------------------------------
\12\ Id.
---------------------------------------------------------------------------
Although DTC believes that its Participants, Pledgees, and
Applicants may currently maintain robust cybersecurity programs, DTC
seeks to better ensure the protection of its network by requiring its
Participants, Pledgees, and Applicants to confirm that they are meeting
certain cybersecurity standards in order to connect to DTC via the
SMART network or other means. Therefore, DTC proposes to require all
Participants, Pledgees, and Applicants to submit a written
Cybersecurity Confirmation that includes specific representations
regarding the submitting entity's cybersecurity program and framework.
DTC states that the information contained in the Cybersecurity
Confirmation would help DTC to better understand the cybersecurity
programs and frameworks of entities seeking to connect to DTC, and
thereby identify possible cyber risk exposures.\13\ As a result, DTC
would be better able to establish appropriate controls to mitigate such
risks and their possible impacts on DTC's operations.
---------------------------------------------------------------------------
\13\ Id.
---------------------------------------------------------------------------
B. Proposed Changes
DTC proposes to modify its Rules to: (1) Provide a detailed
definition of the Cybersecurity Confirmation; and (2) require DTC's
Participants, Pledgees, and Applicants to submit to DTC a Cybersecurity
Confirmation (both as part of an initial application for membership,
and on an ongoing basis for members, at least every two years). Each of
these proposed rule changes is described in greater detail below.
1. Cybersecurity Confirmation
DTC proposes to define the term ``Cybersecurity Confirmation'' to
mean a written form, in a format provided by DTC and signed by the
submitting entity's designated senior executive with the authority to
attest to the cybersecurity matters contained in the form.\14\ The form
would contain specific representations regarding the submitting
entity's cybersecurity program and framework. Such representations
would cover the two years prior to the date of the most recently
provided Cybersecurity Confirmation. The Cybersecurity Confirmation
would include the following representations:
---------------------------------------------------------------------------
\14\ Notice, supra note 3, at 58191. See also DTC Cybersecurity
Confirmation Form, submitted as Exhibit 3 to SR-DTC-2019-008,
available at https://www.sec.gov/rules/sro/dtc/2019/34-87393-ex3.pdf.
---------------------------------------------------------------------------
The submitting entity has defined and maintains a
comprehensive cybersecurity program and framework that considers
potential cyber threats that impact the submitting entity's
organization, and protects the confidentiality, integrity, and
availability requirements of its systems and information.
The submitting entity has implemented and maintains a
written enterprise cybersecurity policy or policies approved by the
submitting entity's senior management or board of directors, and the
submitting entity's
[[Page 68271]]
cybersecurity framework is in alignment with standard industry best
practices and guidelines.\15\
---------------------------------------------------------------------------
\15\ Examples of recognized frameworks, guidelines and standards
that DTC believes are adequate include the Financial Services Sector
Coordinating Council Cybersecurity Profile, the National Institute
of Standards and Technology Cybersecurity Framework (``NIST CSF''),
International Organization for Standardization (``ISO'') standard
27001/27002 (``ISO 27001''), Federal Financial Institutions
Examination Council (``FFIEC'') Cybersecurity Assessment Tool,
Critical Security Controls Top 20, and Control Objectives for
Information and Related Technologies. DTC would identify recognized
frameworks, guidelines and standards in the form of Cybersecurity
Confirmation and in an Important Notice that DTC would issue from
time to time. DTC would also consider accepting other standards upon
request. Notice, supra note 3, at 58191.
---------------------------------------------------------------------------
If the submitting entity uses a third party service
provider or service bureau(s) to connect or transact business or to
manage the connection with DTC, the submitting entity has an
appropriate program to evaluate the cyber risks and impact of these
third parties and to review the third party assurance reports.
The submitting entity's cybersecurity program and
framework protects the segment of its system that connects to and/or
interacts with DTC.
The submitting entity has in place an established process
to remediate cyber issues identified to meet its regulatory and/or
statutory requirements.
The submitting entity periodically updates the risk
processes of its cybersecurity program and framework based on a risk
assessment or changes to technology, business, threat ecosystem, and/or
regulatory environment.
The submitting entity's cybersecurity program and
framework has been reviewed by one of the following: (1) The submitting
entity, if it has filed and maintains a current Certification of
Compliance with the Superintendent of the New York State Department of
Financial Services confirming compliance with its Cybersecurity
Requirements for Financial Services Companies; \16\ (2) a regulator who
assesses the submitting entity's cybersecurity program and framework
against an industry cybersecurity framework or industry standard,
including those that are listed on the Cybersecurity Confirmation form
and in an Important Notice that is issued by DTC from time to time;
\17\ (3) an independent external entity with cybersecurity domain
expertise in relevant industry standards and practices, including those
that are listed on the Cybersecurity Confirmation form and in an
Important Notice that is issued by DTC from time to time; \18\ or (4)
an independent internal audit function reporting directly to the
submitting entity's board of directors or designated board of directors
committee, such that the findings of that review are shared with these
governance bodies.
---------------------------------------------------------------------------
\16\ 23 N.Y. Comp. Codes R. & Regs. tit. 23, Sec. 500 et seq.
(2017). DTC states that this regulation requires entities to confirm
that they have comprehensive cybersecurity programs as described in
the regulation, and DTC believes this regime is sufficient to meet
the objectives of the proposed Cybersecurity Confirmation. Notice,
supra note 3, at 58191.
\17\ DTC states that current industry cybersecurity frameworks
and industry standards could include, for example, the Office of the
Comptroller of the Currency or the FFIEC Cybersecurity Assessment
Tool. DTC would identify acceptable industry cybersecurity
frameworks and standards in the Cybersecurity Confirmation form and
in an Important Notice that DTC would issue from time to time. DTC
would also consider accepting other industry cybersecurity
frameworks and standards upon request. Notice, supra note 3, at
58191.
\18\ DTC states that a third party with cybersecurity domain
expertise is one that follows and understands applicable industry
standards, practices, and regulations, such as ISO 27001
certification or NIST CSF assessment. DTC would identify acceptable
industry standards and practices in the Cybersecurity Confirmation
form and in an Important Notice that DTC would issue from time to
time. DTC would also consider accepting other industry standards and
practices upon request. Notice, supra note 3, at 58191.
---------------------------------------------------------------------------
DTC states that it designed the representations in the
Cybersecurity Confirmation to provide information on how each
submitting entity manages cybersecurity with respect to its
connectivity to DTC.\19\ DTC believes that by requiring these
representations from Participants, Pledgees, and Applicants, the
proposed Cybersecurity Confirmation would provide useful information
designed to enable DTC to make informed decisions about risks or
threats, perform additional monitoring, target potential
vulnerabilities, and otherwise protect the DTC network.\20\
---------------------------------------------------------------------------
\19\ Id.
\20\ Id.
---------------------------------------------------------------------------
2. Initial and Ongoing Membership Requirement
DTC proposes to require new Applicants to submit a Cybersecurity
Confirmation as part of their application materials. DTC also proposes
to require all DTC Participants and Pledgees to submit a Cybersecurity
Confirmation at least every two years. With respect to the requirement
to submit a Cybersecurity Confirmation at least every two years, DTC
would provide all Participants and Pledgees with notice of the date on
which the Cybersecurity Confirmation would be due no later than 180
calendar days prior to the due date.
C. Implementation Timeframe
The proposed rule change would be effective upon Commission
approval. New Applicants would be required to submit a Cybersecurity
Confirmation as part of their application materials. The requirement to
submit a Cybersecurity Confirmation would also apply to Applicants
whose applications are pending with DTC at the time the Commission
approves the proposed rule change. For existing DTC Participants and
Pledgees, DTC would provide notice of the due date to submit a
Cybersecurity Confirmation, not later than 180 days prior to the due
date. Finally, DTC would provide such notice to its Participants and
Pledgees at least every two years going forward.
III. Discussion and Commission Findings
Section 19(b)(2)(C) of the Act \21\ directs the Commission to
approve a proposed rule change of a self-regulatory organization if it
finds that such proposed rule change is consistent with the
requirements of the Act and rules and regulations thereunder applicable
to such organization. After carefully considering the proposed rule
change, the Commission finds that the proposed rule change is
consistent with the requirements of the Act and the rules and
regulations thereunder applicable to DTC. In particular, the Commission
finds that the proposed rule change is consistent with Section
17A(b)(3)(F) of the Act,\22\ and Rules 17Ad-22(e)(17)(i) and
(e)(17)(ii) promulgated under the Act,\23\ for the reasons described
below.
---------------------------------------------------------------------------
\21\ 15 U.S.C. 78s(b)(2)(C).
\22\ 15 U.S.C. 78q-1(b)(3)(F).
\23\ 17 CFR 240.17Ad-22(e)(17)(i) and (e)(17)(ii).
---------------------------------------------------------------------------
A. Consistency With Section 17A(b)(3)(F) of the Act
Section 17A(b)(3)(F) of the Act requires that the rules of a
clearing agency be designed to, among other things, promote the prompt
and accurate clearance and settlement of securities transactions and
assure the safeguarding of securities and funds which are in the
custody or control of the clearing agency or for which it is
responsible.\24\
---------------------------------------------------------------------------
\24\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
As described above, DTC proposes to require its Participants,
Pledgees, and Applicants to submit a Cybersecurity Confirmation,
confirming the existence and nature of their cybersecurity programs.
The Cybersecurity Confirmations should provide DTC with useful
information regarding the cybersecurity programs of the
[[Page 68272]]
submitting entities. By conditioning an entity's connectivity to DTC
via the SMART network or other means on the submission of a
Cybersecurity Confirmation, DTC should be better enabled to reduce the
cyber risks of electronically connecting to entities that have not
confirmed the existence and nature of their cybersecurity programs.
Accordingly, the proposed Cybersecurity Confirmation requirement should
provide DTC with information to better identify its exposure to cyber
risks and to take steps to mitigate those risks.
If not adequately addressed, the risk of cyberattacks and other
cyber vulnerabilities could affect DTC's network and DTC's ability to
clear and settle securities transactions, or to safeguard the
securities and funds which are in DTC's custody or control, or for
which it is responsible. The proposed Cybersecurity Confirmation
requirement is a tool designed to address those risks as described
above. Therefore, the Commission finds the proposed Cybersecurity
Confirmation requirement would promote the prompt and accurate
clearance and settlement of securities transactions and assure the
safeguarding of securities and funds which are in the custody or
control of DTC or for which it is responsible, consistent with the
requirements of Section 17A(b)(3)(F) of the Act.\25\
---------------------------------------------------------------------------
\25\ Id.
---------------------------------------------------------------------------
B. Consistency With Rule 17Ad-22(e)(17)(i) Under the Act
Rule 17Ad-22(e)(17)(i) under the Act requires that each covered
clearing agency establish, implement, maintain and enforce written
policies and procedures reasonably designed to manage the covered
clearing agency's operational risks by identifying the plausible
sources of operational risk, both internal and external, and mitigating
their impact through the use of appropriate systems, policies,
procedures, and controls.\26\ DTC's operational risks include
protecting its electronic systems from cyber risks.
---------------------------------------------------------------------------
\26\ 17 CFR 240.17Ad-22(e)(17)(i).
---------------------------------------------------------------------------
As described above, entities connect electronically to DTC via the
SMART network or other means. The proposed Cybersecurity Confirmation
requirement should reduce cyber risks to DTC by requiring Participants,
Pledgees, and Applicants to confirm that they have defined and maintain
cybersecurity programs and frameworks that meet standard industry best
practices and guidelines. The representations in each submitting
entity's Cybersecurity Confirmation would provide information that
should help DTC to mitigate its exposure to cyber risks, and thereby
decrease the operational risks presented to DTC by its connections to
such entities. Thus, the proposed Cybersecurity Confirmations should
enable DTC to better identify potential sources of external operational
risks and mitigate the possible impacts of those risks. Because the
proposed changes would help DTC identify and mitigate plausible sources
of external operational risk, the Commission finds the proposed changes
are consistent with the requirements of Rule 17Ad-22(e)(17)(i) under
the Act.\27\
---------------------------------------------------------------------------
\27\ Id.
---------------------------------------------------------------------------
C. Consistency With Rule 17Ad-22(e)(17)(ii) Under the Act
Rule 17Ad-22(e)(17)(ii) under the Act requires that each covered
clearing agency establish, implement, maintain and enforce written
policies and procedures reasonably designed to manage the covered
clearing agency's operational risks by ensuring, in part, that systems
have a high degree of security, resiliency, and operational
reliability.\28\ As noted above, DTC's operational risks include
protecting its electronic systems from cyber risks.
---------------------------------------------------------------------------
\28\ 17 CFR 240.17Ad-22(e)(17)(ii).
---------------------------------------------------------------------------
Although DTC believes that its Participants, Pledgees, and
Applicants may currently maintain robust cybersecurity programs, DTC
currently does not require those entities to represent that they
maintain a cybersecurity program as a condition for connecting to DTC
via the SMART network or other means. DTC designed the proposed
Cybersecurity Confirmation requirement to reduce cyber risks by
requiring its Participants, Pledgees, and Applicants to confirm that
they have defined and maintain cybersecurity programs and frameworks
that meet standard industry best practices and guidelines. The
representations in each submitting entity's Cybersecurity Confirmation
would provide more security for DTC's SMART network and other systems
by providing DTC with information designed to help manage its cyber-
related operational risks, which in turn, would enable DTC to take
steps necessary to strengthen the security of its network to mitigate
those risks. Since the proposal would enhance DTC's ability to ensure
that its systems have a high degree of security, resiliency, and
operational reliability, the Commission finds the proposed changes are
consistent with the requirements of Rule 17Ad-22(e)(17)(ii) under the
Act.\29\
---------------------------------------------------------------------------
\29\ Id.
---------------------------------------------------------------------------
IV. Conclusion
On the basis of the foregoing, the Commission finds that the
proposed rule change is consistent with the requirements of the Act
and, in particular, with the requirements of Section 17A of the Act
\30\ and the rules and regulations promulgated thereunder.
---------------------------------------------------------------------------
\30\ 15 U.S.C. 78q-1.
---------------------------------------------------------------------------
It is therefore ordered, pursuant to Section 19(b)(2) of the Act
\31\ that proposed rule change SR-DTC-2019-008, be, and hereby is,
approved.\32\
---------------------------------------------------------------------------
\31\ 15 U.S.C. 78s(b)(2).
\32\ In approving the proposed rule change, the Commission
considered the proposals' impact on efficiency, competition, and
capital formation. 15 U.S.C. 78c(f).
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\33\
---------------------------------------------------------------------------
\33\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------
Jill M. Peterson,
Assistant Secretary.
[FR Doc. 2019-26845 Filed 12-12-19; 8:45 am]
BILLING CODE 8011-01-P