Title 17

SECTION 39.18

39.18 System safeguards.

§ 39.18 System safeguards.

(a) Definitions. For purposes of this section and § 39.34:

Controls mean the safeguards or countermeasures employed by the derivatives clearing organization in order to protect the reliability, security, or capacity of its automated systems or the confidentiality, integrity, or availability of its data and information, and in order to enable the derivatives clearing organization to fulfill its statutory and regulatory responsibilities.

Controls testing means assessment of the derivatives clearing organization's controls to determine whether such controls are implemented correctly, are operating as intended, and are enabling the derivatives clearing organization to meet the requirements established by this section.

Enterprise technology risk assessment means a written assessment that includes, but is not limited to, an analysis of threats and vulnerabilities in the context of mitigating controls. An enterprise technology risk assessment identifies, estimates, and prioritizes risks to a derivatives clearing organization's operations or assets, or to market participants, individuals, or other entities, resulting from impairment of the confidentiality, integrity, or availability of data and information or the reliability, security, or capacity of automated systems.

External penetration testing means attempts to penetrate a derivatives clearing organization's automated systems from outside the systems' boundaries to identify and exploit vulnerabilities. Methods of conducting external penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.

Internal penetration testing means attempts to penetrate a derivatives clearing organization's automated systems from inside the systems' boundaries to identify and exploit vulnerabilities. Methods of conducting internal penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.

Key controls means those controls that an appropriate risk analysis determines are either critically important for effective system safeguards or intended to address risks that evolve or change more frequently and therefore require more frequent review to ensure their continuing effectiveness in addressing such risks.

Recovery time objective means the time period within which a derivatives clearing organization should be able to achieve recovery and resumption of processing, clearing, and settlement of transactions, after those capabilities become temporarily inoperable for any reason up to or including a wide-scale disruption.

Relevant area means the metropolitan or other geographic area within which a derivatives clearing organization has physical infrastructure or personnel necessary for it to conduct activities necessary to the processing, clearing, and settlement of transactions. The term “relevant area” also includes communities economically integrated with, adjacent to, or within normal commuting distance of that metropolitan or other geographic area.

Security incident means a cybersecurity or physical security event that actually jeopardizes or has a significant likelihood of jeopardizing automated system operation, reliability, security, or capacity, or the availability, confidentiality or integrity of data.

Security incident response plan means a written plan documenting the derivatives clearing organization's policies, controls, procedures, and resources for identifying, responding to, mitigating, and recovering from security incidents, and the roles and responsibilities of its management, staff, and independent contractors in responding to security incidents. A security incident response plan may be a separate document or a business continuity-disaster recovery plan section or appendix dedicated to security incident response.

Security incident response plan testing means testing of a derivatives clearing organization's security incident response plan to determine the plan's effectiveness, identify its potential weaknesses or deficiencies, enable regular plan updating and improvement, and maintain organizational preparedness and resiliency with respect to security incidents. Methods of conducting security incident response plan testing may include, but are not limited to, checklist completion, walk-through or table-top exercises, simulations, and comprehensive exercises.

Vulnerability testing means testing of a derivatives clearing organization's automated systems to determine what information may be discoverable through a reconnaissance analysis of those systems and what vulnerabilities may be present on those systems.

Wide-scale disruption means an event that causes a severe disruption or destruction of transportation, telecommunications, power, water, or other critical infrastructure components in a relevant area, or an event that results in an evacuation or unavailability of the population in a relevant area.

(b) Program of risk analysis and oversight - (1) General. A derivatives clearing organization shall establish and maintain a program of risk analysis and oversight with respect to its operations and automated systems to identify and minimize sources of operational risk through:

(i) The development of appropriate controls and procedures; and

(ii) The development of automated systems that are reliable, secure, and have adequate scalable capacity.

(2) Elements of program. A derivatives clearing organization's program of risk analysis and oversight with respect to its operations and automated systems, as described in paragraph (b)(1) of this section, shall address each of the following elements:

(i) Information security, including, but not limited to, controls relating to: Access to systems and data (including, least privilege, separation of duties, account monitoring and control); user and device identification and authentication; security awareness training; audit log maintenance, monitoring, and analysis; media protection; personnel security and screening; automated system and communications protection (including, network port control, boundary defenses, encryption); system and information integrity (including, malware defenses, software integrity monitoring); vulnerability management; penetration testing; security incident response and management; and any other elements of information security included in generally accepted best practices;

(ii) Business continuity and disaster recovery planning and resources, including, but not limited to the controls and capabilities described in paragraph (c) of this section; and any other elements of business continuity and disaster recovery planning and resources included in generally accepted best practices;

(iii) Capacity and performance planning, including, but not limited to, controls for monitoring the derivatives clearing organization's systems to ensure adequate scalable capacity (including, testing, monitoring, and analysis of current and projected future capacity and performance, and of possible capacity degradation due to planned automated system changes); and any other elements of capacity and performance planning included in generally accepted best practices;

(iv) Systems operations, including, but not limited to, system maintenance; configuration management (including, baseline configuration, configuration change and patch management, least functionality, inventory of authorized and unauthorized devices and software); event and problem response and management; and any other elements of system operations included in generally accepted best practices;

(v) Systems development and quality assurance, including, but not limited to, requirements development; pre-production and regression testing; change management procedures and approvals; outsourcing and vendor management; training in secure coding practices; and any other elements of systems development and quality assurance included in generally accepted best practices; and

(vi) Physical security and environmental controls, including, but not limited to, physical access and monitoring; power, telecommunication, and environmental controls; fire protection; and any other elements of physical security and environmental controls included in generally accepted best practices.

(3) Standards for program. In addressing the elements listed under paragraph (b)(2) of this section, a derivatives clearing organization shall follow generally accepted standards and industry best practices with respect to the development, operation, reliability, security, and capacity of automated systems.

(4) Resources. A derivatives clearing organization shall establish and maintain resources that allow for the fulfillment of each obligation and responsibility of the derivatives clearing organization, including the daily processing, clearing, and settlement of transactions, in light of any risk to its operations and automated systems. The derivatives clearing organization shall periodically verify the adequacy of such resources.

(c) Business continuity and disaster recovery - (1) General. A derivatives clearing organization shall establish and maintain a business continuity and disaster recovery plan, emergency procedures, and physical, technological, and personnel resources sufficient to enable the timely recovery and resumption of operations and the fulfillment of each obligation and responsibility of the derivatives clearing organization, including, but not limited to, the daily processing, clearing, and settlement of transactions, following any disruption of its operations.

(2) Recovery time objective. A derivatives clearing organization's business continuity and disaster recovery plan, as described in paragraph (c)(1) of this section, shall have, and the derivatives clearing organization shall maintain physical, technological, and personnel resources sufficient to meet, a recovery time objective of no later than the next business day following a disruption.

(3) Coordination of plans. A derivatives clearing organization shall, to the extent practicable:

(i) Coordinate its business continuity and disaster recovery plan with those of its clearing members, in a manner adequate to enable effective resumption of daily processing, clearing, and settlement of transactions following a disruption;

(ii) Initiate and coordinate periodic, synchronized testing of its business continuity and disaster recovery plan with those of its clearing members; and

(iii) Ensure that its business continuity and disaster recovery plan takes into account the plans of its providers of essential services, including telecommunications, power, and water.

(d) Outsourcing. (1) A derivatives clearing organization shall maintain the resources required under paragraphs (b)(4) and (c)(1) of this section either:

(i) Using its own employees as personnel, and property that it owns, licenses, or leases; or

(ii) Through written contractual arrangements with another derivatives clearing organization or other service provider.

(2) Retention of responsibility. A derivatives clearing organization that enters into a contractual outsourcing arrangement shall retain complete responsibility for any failure to meet the requirements specified in paragraphs (b) and (c) of this section. The derivatives clearing organization must employ personnel with the expertise necessary to enable it to supervise the service provider's delivery of the services.

(3) Testing of resources. The testing referred to in paragraph (e) of this section shall apply to all of the derivatives clearing organization's own and outsourced resources, and shall verify that all such resources will work together effectively. Where testing is required to be conducted by an independent contractor, the derivatives clearing organization shall engage a contractor that is independent from both the derivatives clearing organization and any outside service provider used to design, develop, or maintain the resources being tested.

(e) Testing - (1) General. A derivatives clearing organization shall conduct regular, periodic, and objective testing and review of:

(i) Its automated systems to ensure that they are reliable, secure, and have adequate scalable capacity; and

(ii) Its business continuity and disaster recovery capabilities, using testing protocols adequate to ensure that the derivatives clearing organization's backup resources are sufficient to meet the requirements of paragraph (c) of this section.

(2) Vulnerability testing. A derivatives clearing organization shall conduct vulnerability testing of a scope sufficient to satisfy the requirements set forth in paragraph (e)(8) of this section.

(i) A derivatives clearing organization shall conduct such vulnerability testing at a frequency determined by an appropriate risk analysis, but no less frequently than quarterly.

(ii) Such vulnerability testing shall include automated vulnerability scanning, which shall follow generally accepted best practices.

(iii) A derivatives clearing organization shall conduct vulnerability testing by engaging independent contractors or by using employees of the derivatives clearing organization who are not responsible for development or operation of the systems or capabilities being tested.

(3) External penetration testing. A derivatives clearing organization shall conduct external penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (e)(8) of this section.

(i) A derivatives clearing organization shall conduct such external penetration testing at a frequency determined by an appropriate risk analysis, but no less frequently than annually.

(ii) A derivatives clearing organization shall engage independent contractors to conduct the required annual external penetration test. A derivatives clearing organization may conduct other external penetration testing by using employees of the derivatives clearing organization who are not responsible for development or operation of the systems or capabilities being tested.

(4) Internal penetration testing. A derivatives clearing organization shall conduct internal penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (e)(8) of this section.

(i) A derivatives clearing organization shall conduct such internal penetration testing at a frequency determined by an appropriate risk analysis, but no less frequently than annually.

(ii) A derivatives clearing organization shall conduct internal penetration testing by engaging independent contractors, or by using employees of the derivatives clearing organization who are not responsible for development or operation of the systems or capabilities being tested.

(5) Controls testing. A derivatives clearing organization shall conduct controls testing of a scope sufficient to satisfy the requirements set forth in paragraph (e)(8) of this section.

(i) A derivatives clearing organization shall conduct controls testing, which includes testing of each control included in its program of risk analysis and oversight, at a frequency determined by an appropriate risk analysis, but shall test and assess key controls no less frequently than every three years. A derivatives clearing organization may conduct such testing on a rolling basis over the course of the required period.

(ii) A derivatives clearing organization shall engage independent contractors to test and assess the key controls included in the derivatives clearing organization's program of risk analysis and oversight no less frequently than every three years. A derivatives clearing organization may conduct any other controls testing required by this section by using independent contractors or employees of the derivatives clearing organization who are not responsible for development or operation of the systems or capabilities being tested.

(6) Security incident response plan testing. A derivatives clearing organization shall conduct security incident response plan testing sufficient to satisfy the requirements set forth in paragraph (e)(8) of this section.

(i) The derivatives clearing organization shall conduct such security incident response plan testing at a frequency determined by an appropriate risk analysis, but no less frequently than annually.

(ii) The derivatives clearing organization's security incident response plan shall include, without limitation, the derivatives clearing organization's definition and classification of security incidents, its policies and procedures for reporting security incidents and for internal and external communication and information sharing regarding security incidents, and the hand-off and escalation points in its security incident response process.

(iii) The derivatives clearing organization may coordinate its security incident response plan testing with other testing required by this section or with testing of its other business continuity-disaster recovery and crisis management plans.

(iv) The derivatives clearing organization may conduct security incident response plan testing by engaging independent contractors or by using employees of the derivatives clearing organization.

(7) Enterprise technology risk assessment. A derivatives clearing organization shall conduct enterprise technology risk assessments of a scope sufficient to satisfy the requirements set forth in paragraph (e)(8) of this section.

(i) A derivatives clearing organization shall conduct an enterprise technology risk assessment at a frequency determined by an appropriate risk analysis, but no less frequently than annually. A derivatives clearing organization that has conducted an enterprise technology risk assessment that complies with this section may conduct subsequent assessments by updating the previous assessment.

(ii) A derivatives clearing organization may conduct enterprise technology risk assessments by using independent contractors or employees of the derivatives clearing organization who are not responsible for development or operation of the systems or capabilities being assessed.

(8) Scope of testing and assessment. The scope of testing and assessment required by this section shall be broad enough to include the testing of automated systems and controls that a derivatives clearing organization's required program of risk analysis and oversight and its current cybersecurity threat analysis indicate is necessary to identify risks and vulnerabilities that could enable an intruder or unauthorized user or insider to:

(i) Interfere with the derivatives clearing organization's operations or with fulfillment of its statutory and regulatory responsibilities;

(ii) Impair or degrade the reliability, security, or capacity of the derivatives clearing organization's automated systems;

(iii) Add to, delete, modify, exfiltrate, or compromise the integrity of any data related to the derivatives clearing organization's regulated activities; or

(iv) Undertake any other unauthorized action affecting the derivatives clearing organization's regulated activities or the hardware or software used in connection with those activities.

(9) Internal reporting and review. Both the senior management and the board of directors of the derivatives clearing organization shall receive and review reports setting forth the results of the testing and assessment required by this section. The derivatives clearing organization shall establish and follow appropriate procedures for the remediation of issues identified through such review, as provided in paragraph (e)(10) of this section, and for evaluation of the effectiveness of testing and assessment protocols.

(10) Remediation. A derivatives clearing organization shall identify and document the vulnerabilities and deficiencies in its systems revealed by the testing and assessment required by this section. The derivatives clearing organization shall conduct and document an appropriate analysis of the risks presented by each vulnerability or deficiency to determine and document whether to remediate the vulnerability or deficiency or accept the associated risk. When a derivatives clearing organization determines to remediate a vulnerability or deficiency, it must remediate in a timely manner given the nature and magnitude of the associated risk.

(f) Recordkeeping. A derivatives clearing organization shall maintain, and provide to staff of the Division of Clearing and Risk, or any successor division, promptly upon request, pursuant to § 1.31 of this chapter:

(1) Current copies of the derivatives clearing organization's business continuity and disaster recovery plan and other emergency procedures. Such plan and procedures shall be updated at a frequency determined by an appropriate risk analysis, but no less frequently than annually;

(2) All assessments of the derivatives clearing organization's operational risks or system safeguards-related controls;

(3) All reports concerning testing and assessment required by this section, whether conducted by independent contractors or by employees of the derivatives clearing organization; and

(4) All other documents requested by staff of the Division of Clearing and Risk, or any successor division, in connection with Commission oversight of system safeguards pursuant to the Act or Commission regulations, or in connection with Commission maintenance of a current profile of the derivatives clearing organization's automated systems.

(5) Nothing in paragraph (f) of this section shall be interpreted as reducing or limiting in any way a derivatives clearing organization's obligation to comply with § 1.31 of this chapter.

(g) Notice of exceptional events. A derivatives clearing organization shall notify staff of the Division of Clearing and Risk, or any successor division, promptly of:

(1) Any hardware or software malfunction, security incident, or targeted threat that materially impairs, or creates a significant likelihood of material impairment, of automated system operation, reliability, security, or capacity; or

(2) Any activation of the derivatives clearing organization's business continuity and disaster recovery plan.

(h) Notice of planned changes. A derivatives clearing organization shall provide staff of the Division of Clearing and Risk, or any successor division, timely advance notice of all material:

(1) Planned changes to the derivatives clearing organization's automated systems that may impact the reliability, security, or capacity of such systems; and

(2) Planned changes to the derivatives clearing organization's program of risk analysis and oversight.

[81 FR 64336, Sept. 19, 2016]