2019-23632. Self-Regulatory Organizations; National Securities Clearing Corporation; Notice of Filing of Proposed Rule Change To Require Confirmation of Cybersecurity Program  

  • Start Preamble October 24, 2019.

    Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”) [1] and Rule 19b-4 thereunder,[2] notice is hereby given that on October 15, 2019, National Securities Clearing Corporation (“NSCC”) filed with the Securities and Exchange Commission (“Commission”) the proposed rule change as described in Items I, II and III below, which Items have been prepared by the clearing agency. The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons.

    I. Clearing Agency's Statement of the Terms of Substance of the Proposed Rule Change

    The proposed rule change consists of modifications to NSCC's Rules and Procedures (“Rules”) [3] in order to (1) define “Cybersecurity Confirmation” as a signed, written representation that addresses the submitting firm's cybersecurity program; (2) enhance the NSCC application requirements and ongoing requirements for Members to (a) require that a Cybersecurity Confirmation be provided as part of the application materials for all Members, and (b) require that all Members deliver to NSCC a complete, updated Cybersecurity Confirmation at least every two years; and (3) provide that NSCC may require a Cybersecurity Confirmation from organizations that report trade data to NSCC for comparison and trade recording, as described in greater detail below.

    II. Clearing Agency's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

    In its filing with the Commission, the clearing agency included statements concerning the purpose of and basis for the proposed rule change and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. The clearing agency has prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements.

    (A) Clearing Agency's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change

    1. Purpose

    (i) Overview

    NSCC is proposing to modify the Rules in order to (1) define “Cybersecurity Confirmation” as a signed, written representation that addresses the submitting firm's cybersecurity program; (2) enhance the NSCC application requirements and ongoing requirements for Members to (a) require that a Cybersecurity Confirmation be provided as part of the application materials for all Members, and (b) require that all Members deliver to NSCC a complete, updated Cybersecurity Confirmation at least every two years; and (3) provide that NSCC may require a Cybersecurity Confirmation from organizations that report trade data to NSCC for comparison and trade recording.

    The proposed change would require all Members and applicants to deliver to NSCC a signed, written Cybersecurity Confirmation, which includes representations regarding the submitting firm's cybersecurity program and framework. The Cybersecurity Confirmation would be required to be (1) delivered with the application materials for every applicant for membership, and (2) updated and re-delivered at least every two years by all Members. NSCC is also proposing to modify the Rules to provide that it may require any organization from which it may accept trade data for comparison and trade recording to deliver a Cybersecurity Confirmation.

    As described in more detail below, the Cybersecurity Confirmation would help NSCC to assess the cybersecurity risks that may be introduced to it by Members and other entities that connect to NSCC either through the Securely Managed and Reliable Technology (“SMART”) network [4] or through other connections. The proposed Cybersecurity Confirmation would allow NSCC to better understand its Members' cybersecurity programs and frameworks and identify possible cybersecurity risk exposures. Based on this information, NSCC would be able to establish appropriate controls to mitigate these risks and their possible impacts to NSCC's operations.

    (ii) Background of Proposal

    NSCC believes it is prudent to better understand the cybersecurity risks that it may face through its interconnections to Members. As a designated systemically important financial market utility, or “SIFMU,” NSCC occupies a unique position in the marketplace such that a failure or a disruption to NSCC could increase the risk of significant liquidity problems spreading among Start Printed Page 58184financial institutions or markets and thereby threaten the stability of the financial system in the United States.[5] Given its designation as a SIFMU, NSCC believes it is prudent to develop an enhanced endpoint security framework designed so that its SMART network or other connectivity is adequately protected against cyberattacks.

    Currently, NSCC does not obtain any information regarding the security of a firm's systems or cybersecurity program prior to permitting that firm to connect either directly to the SMART network or to NSCC through another means, such as through a third party service provider, service bureau, network, or the internet. Given NSCC's critical role in the marketplace, NSCC is proposing to address the risks that could be posed by these connections.

    Members may currently be subject to regulations that are designed, in part, to enhance the safeguards used by these entities to protect themselves against cyberattacks.[6] In order to comply with such regulations, Members and applicants would be required to follow standards established by national or international organizations focused on information security management, and would have already established protocols to allow their senior management to verify that they have sufficient cybersecurity programs in place to fulfill existing regulatory obligations. Other Members have established and follow substantially similar protocols because of evolving expectations by regulators or by institutional customers as to the sufficiency of their cyber safeguards. NSCC believes that it should require confirmation of the cybersecurity standards utilized by its Members and applicants that connect to its network.

    The proposed Cybersecurity Confirmation would require Members and applicants to represent that they have established adequate controls and security to help limit (1) cybersecurity risks to NSCC and to the other Members' networks and (2) access by unauthorized third parties while the firm is connected to NSCC either directly through the SMART network or through other connectivity such as a service provider, service bureau, network, or the internet.

    (iii) Proposed Rule Changes

    NSCC is proposing to modify its Rules to (1) define “Cybersecurity Confirmation;” (2) require that firms deliver a completed Cybersecurity Confirmation (a) as part of their initial application with NSCC, and (b) on an ongoing basis, at least every two years; and (3) provide that NSCC may require a Cybersecurity Confirmation from organizations that report trade data to NSCC. Each of these proposed rule changes is described in greater detail below.

    (1) Proposed Cybersecurity Confirmation

    NSCC is proposing to adopt a definition of “Cybersecurity Confirmation.” Each Cybersecurity Confirmation would be required to be in writing on a form provided by NSCC and signed by a designated senior executive of the submitting firm who is authorized to attest to these matters. Based on the form provided by NSCC, each Cybersecurity Confirmation would contain representations regarding the submitting firm's cybersecurity program and framework. Such representations by the submitting firm would cover the two years prior to the date of the most recently provided Cybersecurity Confirmation.

    NSCC is proposing to require that the following representations be included in the form of Cybersecurity Confirmation:

    First, the Cybersecurity Confirmation would include a representation that the submitting firm has defined and maintains a comprehensive cybersecurity program and framework that considers potential cyber threats that impact the organization and protects the confidentiality, integrity and availability requirements of its systems and information.

    Second, the Cybersecurity Confirmation would include a representation that the submitting firm has implemented and maintains a written enterprise cybersecurity policy or policies approved by the submitting firm's senior management or board of directors, and the organization's cybersecurity framework is in alignment with standard industry best practices and guidelines.[7]

    Third, the Cybersecurity Confirmation would include a representation that, if the submitting firm is using a third party service provider or service bureau(s) to connect or transact business or to manage the connection with NSCC, the submitting firm has an appropriate program to (a) evaluate the cyber risks and impact of these third parties, and (b) review the third party assurance reports.

    Fourth, the Cybersecurity Confirmation would include a representation that the submitting firm's cybersecurity program and framework protect the segment of their system that connects to and/or interacts with NSCC.

    Fifth, the Cybersecurity Confirmation would include a representation that the submitting firm has in place an established process to remediate cyber issues identified to fulfill the submitting firm's regulatory and/or statutory requirements.

    Sixth, the Cybersecurity Confirmation would include a representation that the submitting firm's cybersecurity program's and framework's risk processes are updated periodically based on a risk assessment or changes to technology, business, threat ecosystem, and/or regulatory environment.

    And, finally, the Cybersecurity Confirmation would include a representation that the review of the submitting firm's cybersecurity program and framework has been conducted by one of the following: (1) The submitting firm, if it has filed and maintains a current Certification of Compliance with the Superintendent of the New York State Department of Financial Services confirming compliance with its Cybersecurity Requirements for Financial Services Companies; [8] (2) a Start Printed Page 58185regulator who assesses the program against an industry cybersecurity framework or industry standard, including those that are listed on the form of Cybersecurity Confirmation and in an Important Notice that is issued by NSCC from time to time; [9] (3) an independent external entity with cybersecurity domain expertise in relevant industry standards and practices, including those that are listed on the form of Cybersecurity Confirmation and in an Important Notice that is issued by NSCC from time to time; [10] or (4) an independent internal audit function reporting directly to the submitting firm's board of directors or designated board of directors committee, such that the findings of that review are shared with these governance bodies.

    Together, the required representations are designed to provide NSCC with evidence of each Member's or applicant's management of cybersecurity with respect to their connectivity to NSCC. By requiring these representations from Members and applicants, the proposed Cybersecurity Confirmation would provide NSCC with information that it could use to make decisions about risks or threats, perform additional monitoring, target potential vulnerabilities, and protect the NSCC network.

    NSCC is proposing to amend Rule 1 (Definitions and Descriptions) of the Rules to include a definition of “Cybersecurity Confirmation” as described above.

    (2) Initial and Ongoing Membership Requirement

    NSCC is proposing to require that a Cybersecurity Confirmation be submitted to NSCC by any applicant, as part of their application materials, and at least every two years by all Members. With respect to the requirement to deliver a Cybersecurity Confirmation at least every two years, NSCC would provide all Members with notice of the date on which such Cybersecurity Confirmations would be due no later than 180 calendar days prior to such due date.

    In order to implement these proposed changes, NSCC would amend Rule 2A (Initial Membership Requirements), Section 1.C of the Rules to require applicants to complete and deliver a Cybersecurity Confirmation as part of their application materials. Further, NSCC would amend Rule 2B (Ongoing Membership Requirements and Monitoring), Section 2.A of the Rules to require each Member to complete and deliver a Cybersecurity Confirmation at least every two years, on a date that is set by NSCC and following notice that is provided no later than 180 calendar days prior to such due date.

    (3) Organizations Reporting Trade Data to NSCC

    NSCC is also proposing to modify the Rules to provide that, when determining whether to accept trade data from an organization for comparison and trade recording, as provided for under Rule 7 (Comparison and Trade Recording Operation) of the Rules, NSCC may require such organization to provide a Cybersecurity Confirmation. These organizations are not Members of NSCC and, as such, NSCC's relationship with these organizations is governed by a contract that is separate from the Rules. Therefore, this change would provide transparency regarding the steps NSCC may take when determining whether to accept trade data from another organization.

    To implement this change, NSCC would amend Rule 7 (Comparison and Trade Recording Operation), Section 6 of the Rules to provide that NSCC may require organizations that deliver trade data to NSCC as described in that Rule to provide a Cybersecurity Confirmation before agreeing to accept such trade data.

    (iv) Implementation Timeframe

    Subject to approval by the Commission, the proposed rule change would become effective immediately. The proposed requirement that applicants deliver a Cybersecurity Confirmation with their application materials would be implemented immediately and would apply to applications that have been submitted at that time but have not yet been approved or rejected. Following the effective date of the proposed rule change, NSCC would provide Members with notice of the due date of their Cybersecurity Confirmations, no later than 180 days prior to such due date, and would provide such notice at least every two years going forward.

    2. Statutory Basis

    NSCC believes the proposed rule changes are consistent with the requirements of the Act and the rules and regulations thereunder applicable to a registered clearing agency. In particular, NSCC believes that the proposed rule changes are consistent with Section 17A(b)(3)(F) of the Act,[11] and Rules 17Ad-22(e)(17)(i) and (e)(17)(ii), each promulgated under the Act,[12] for the reasons described below.

    Section 17A(b)(3)(F) of the Act requires that the rules of NSCC be designed to, among other things, promote the prompt and accurate clearance and settlement of securities transactions and assure the safeguarding of securities and funds which are in the custody or control of the clearing agency or for which it is responsible.[13]

    As described above, the proposed requirement that Members and applicants provide a Cybersecurity Confirmation regarding their cybersecurity program that includes the representations described above would provide NSCC with evidence of each Member's or applicant's management of endpoint security with respect to the SMART network or other connectivity and would enhance the protection of NSCC against cyberattacks. The proposed Cybersecurity Confirmation would provide NSCC with information that it could use to make decisions about risks or threats, perform additional monitoring, target potential vulnerabilities, and protect the NSCC network. The proposed Cybersecurity Confirmation would give NSCC the ability to further identify its exposure and enable it to take steps to mitigate risks. These requirements would help reduce risk to NSCC's network with respect to its communications with Members and their submission of instructions and transactions to NSCC by requiring all entities connecting to NSCC to have appropriate cybersecurity programs in place.

    Risks, threats and potential vulnerabilities could impact NSCC's ability to clear and settle securities transactions, or to safeguard the securities and funds which are in its custody or control, or for which it is responsible. Therefore, by implementing a tool that would help to mitigate these risks, NSCC believes the proposal would Start Printed Page 58186promote the prompt and accurate clearance and settlement of securities transactions and assure the safeguarding of securities and funds which are in the custody or control of the clearing agency or for which it is responsible, consistent with the requirements of Section 17A(b)(3)(F) of the Act.[14]

    Rule 17Ad-22(e)(17)(i) under the Act requires that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency's operational risks by identifying the plausible sources of operational risk, both internal and external, and mitigating their impact through the use of appropriate systems, policies, procedures, and controls.[15] The proposed Cybersecurity Confirmation would reduce cybersecurity risks to NSCC by requiring all Members and applicants to confirm they have defined and maintain cybersecurity programs that meet standard industry best practices and guidelines. The proposed representations in the Cybersecurity Confirmations would help NSCC to mitigate its exposure to cybersecurity risk and, thereby, decrease the operational risks to NSCC that are presented by connections to NSCC through the SMART network or otherwise. The proposed Cybersecurity Confirmations would identify to NSCC potential sources of external operational risks and enable it to mitigate these risks and their possible impacts to NSCC's operations. As a result, NSCC believes the proposal is consistent with the requirements of Rule 17Ad-22(e)(17)(i) under the Act.[16]

    Rule 17Ad-22(e)(17)(ii) under the Act requires that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency's operational risks by ensuring, in part, that systems have a high degree of security, resiliency, and operational reliability.[17] The proposed Cybersecurity Confirmation would enhance the security, resiliency, and operational reliability of the endpoint security with respect to the SMART network or other connectivity because, as noted above, by making the Cybersecurity Confirmation an application requirement and an ongoing membership requirement, NSCC would be able to prevent the connection by any applicant, and take action against any Member, that may pose an increased cyber risk to NSCC by not having a defined and ongoing cybersecurity program that meets appropriate standards. Members or applicants that are not in alignment with a recognized framework, guideline, or standard that NSCC believes is adequate to guide and assess such organization's cybersecurity program may present increased risk to NSCC. By enabling NSCC to identify these risks, the proposed changes would allow NSCC to more effectively secure its environment against potential vulnerabilities. NSCC's controls are strengthened when NSCC's Members, and other organizations that connect to NSCC, have similar technology risk management controls and programs within their computing environment. Control weaknesses within a Member's environment could allow for malicious or unauthorized usage of the link between NSCC and the Member. As a result, NSCC believes the proposal would improve NSCC's ability to ensure that its systems have a high degree of security, resiliency, and operational reliability, and, as such, is consistent with the requirements of Rule 17Ad-22(e)(17)(ii) under the Act.[18]

    (B) Clearing Agency's Statement on Burden on Competition

    NSCC believes the proposed rule change could have an impact on competition. Specifically, NSCC believes that the proposed rule change could burden competition because it would require Members and applicants that do not already have cybersecurity programs that meet the standards set out in the Cybersecurity Confirmation to incur additional costs including, but not limited to, establishing a cybersecurity program and framework, engaging an internal audit function or appropriate third party to review that program and framework, and remediating any findings from such review. In addition, those Members and applicants that do not connect directly to the SMART network, but connect through a third party service provider or service bureau would have the additional burden of evaluating the cyber risks and impact of these third parties and reviewing the third party's assurance reports.

    NSCC believes the above described burden on competition that could be created by the proposed changes would be both necessary and appropriate in furtherance of the purposes of the Act, as permitted by Section 17A(b)(3)(I) of the Act, for the reasons described below.[19]

    First, NSCC believes the proposed rule change would be necessary in furtherance of the Act, specifically Section 17A(b)(3)(F) of the Act, because the Rules must be designed to promote the prompt and accurate clearance and settlement of securities transactions and assure the safeguarding of securities and funds which are in the custody or control of the clearing agency or for which it is responsible.[20] By requiring Members and applicants to provide a Cybersecurity Confirmation, the proposed rule change would allow NSCC to better understand, assess, and, therefore, mitigate the cyber risks that NSCC could face through its connections to its Members. As described above, these risks could impact NSCC's ability to clear and settle securities transactions, or to safeguard the securities and funds which are in NSCC's custody or control, or for which it is responsible. Implementing a tool as described above would help to mitigate these risks, and therefore NSCC believes the proposal is necessary in furtherance of the requirements of Section 17A(b)(3)(F) of the Act.[21]

    The proposed changes are also necessary in furtherance of the purposes of Rules 17Ad-22(e)(17)(i) and (e)(17)(ii) under the Act.[22] The proposed Cybersecurity Confirmations would identify to NSCC potential sources of external operational risks and allow it to establish appropriate controls that would mitigate these risks and their possible impacts to NSCC's operations. The proposed changes would also improve NSCC's ability to ensure that its systems have a high degree of security, by enabling NSCC to identify the cybersecurity risks that may be presented to it by Members and other entities that connect to NSCC.

    Second, NSCC believes that the proposed rule change would be appropriate in furtherance of the purposes of the Act. The proposed rule change would apply equally to all Members and applicants. As described above, NSCC believes Members may already be subject to one or more regulatory requirements that include the implementation of a cybersecurity program, and these firms would already follow a widely recognized framework, guideline, or standard to guide and assess their organization's cybersecurity program to comply with these regulations. Therefore, NSCC believes any burden that may be imposed by the proposed rule change would be appropriate.Start Printed Page 58187

    Further, while the proposed Cybersecurity Confirmation would identify certain standards and guidelines that would be appropriate, NSCC would consider requests by applicants and Members to allow other standards in accepting a Cybersecurity Confirmation. Additionally, the proposed Cybersecurity Confirmation would provide differing options to conduct the review of the applicant's or Member's cybersecurity program. As such, NSCC has endeavored to design the Cybersecurity Confirmation in a way that is reasonable and does not require one approach for meeting its requirements.

    Finally, NSCC is proposing to provide Members with a minimum of 180 calendar days' notice before the deadline for providing a Cybersecurity Confirmation. This notice would allow Members to address any impact this change may have on their business. Applicants would be required to provide the Cybersecurity Confirmation as part of their application materials upon the effective date of this proposed rule change. This implementation schedule is designed to be fair and not disproportionately impact any Members more than others. The proposal is designed to provide all impacted Members with time to review their cybersecurity programs with respect to the required representations, and identify, if necessary, internal or third party cybersecurity reviewers.

    For the reasons described above, NSCC believes any burden on competition that may result from the proposed rule change would be both necessary and appropriate in furtherance of the purposes of the Act, as permitted by Section 17A(b)(3)(I) of the Act.[23]

    (C) Clearing Agency's Statement on Comments on the Proposed Rule Change Received From Members, Participants, or Others

    NSCC has not solicited or received any written comments relating to this proposal. NSCC will notify the Commission of any written comments received.

    III. Date of Effectiveness of the Proposed Rule Change, and Timing for Commission Action

    Within 45 days of the date of publication of this notice in the Federal Register or within such longer period up to 90 days (i) as the Commission may designate if it finds such longer period to be appropriate and publishes its reasons for so finding or (ii) as to which the self-regulatory organization consents, the Commission will:

    (A) By order approve or disapprove such proposed rule change, or

    (B) institute proceedings to determine whether the proposed rule change should be disapproved.

    IV. Solicitation of Comments

    Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Comments may be submitted by any of the following methods:

    Electronic Comments

    Paper Comments

    • Send paper comments in triplicate to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.

    All submissions should refer to File Number SR-NSCC-2019-003. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's internet website (http://www.sec.gov/​rules/​sro.shtml). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549 on official business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of the filing also will be available for inspection and copying at the principal office of NSCC and on DTCC's website (http://dtcc.com/​legal/​sec-rule-filings.aspx). All comments received will be posted without change. Persons submitting comments are cautioned that we do not redact or edit personal identifying information from comment submissions. You should submit only information that you wish to make available publicly. All submissions should refer to File Number SR-NSCC-2019-003 and should be submitted on or before November 20, 2019.

    Start Signature

    For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.24

    Eduardo A. Aleman,

    Deputy Secretary.

    End Signature End Preamble

    Footnotes

    3.  Capitalized terms not defined herein are defined in the Rules, available at http://www.dtcc.com/​legal/​rules-and-procedures. References to “Members” in this filing include both Members and Limited Members, as such terms are defined in the Rules.

    Back to Citation

    4.  The SMART network is a technology managed by NSCC's parent company, The Depository Trust & Clearing Corporation (“DTCC”), that connects a nationwide complex of networks, processing centers and control facilities. This network extends between NSCC's and its Members' operating premises. DTCC operates on a shared services model with respect to NSCC and DTCC's other subsidiaries pursuant to intercompany agreements under which it is generally DTCC that provides a relevant service to its subsidiaries, including NSCC.

    Back to Citation

    5.  NSCC and its affiliates, The Depository Trust Company and Fixed Income Clearing Corporation, were designated SIFMUs under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. 12 U.S.C. 5465(e)(1).

    Back to Citation

    6.  For example, depending on the type of entity, Members may be subject to one or more of the following regulations: (1) Regulation S-ID, which requires “financial institutions” or “creditors” under the rule to adopt programs to identify and address the risk of identity theft of individuals (17 CFR 248.201-202); (2) Regulation S-P, which requires broker-dealers, investment companies, and investment advisers to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information (17 CFR 248.1-30); and (3) Rule 15c3-5 under the Act, known as the “Market Access Rule,” which requires broker-dealers to establish, document, and maintain a system for regularly reviewing the effectiveness of its management controls and supervisory procedures (17 CFR 240.15c3-5).

    Back to Citation

    7.  Examples of recognized frameworks, guidelines and standards that NSCC believes are adequate include the Financial Services Sector Coordinating Council Cybersecurity Profile, the National Institute of Standards and Technology Cybersecurity Framework (“NIST CSF”), International Organization for Standardization (“ISO”) standard 27001/27002 (“ISO 27001”), Federal Financial Institutions Examination Council (“FFIEC”) Cybersecurity Assessment Tool, Critical Security Controls Top 20, and Control Objectives for Information and Related Technologies. NSCC would identify recognized frameworks, guidelines and standards in the form of Cybersecurity Confirmation and in an Important Notice that NSCC would issue from time to time. NSCC would also consider accepting other standards upon request by a Member or applicant.

    Back to Citation

    8.  23 N.Y. Comp. Codes R. & Regs. tit. 23, § 500 (2017). This regulation requires firms to confirm that they have a comprehensive cybersecurity program, as described in the regulation, which NSCC believes is sufficient to meet the objectives of the proposed Cybersecurity Confirmation.

    Back to Citation

    9.  Industry cybersecurity frameworks and industry standards could include, for example, the Office of the Comptroller of the Currency or the FFIEC Cybersecurity Assessment Tool. NSCC would identify acceptable industry cybersecurity frameworks and standards in the form of Cybersecurity Confirmation and in an Important Notice that NSCC would issue from time to time. NSCC would also consider accepting other industry cybersecurity frameworks and standards upon request by a Member or applicant.

    Back to Citation

    10.  A third party with cybersecurity domain expertise is one that follows and understands industry standards, practices and regulations that are relevant to the financial sector. Examples of such standards and practices include ISO 27001 certification or NIST CSF assessment. NSCC would identify acceptable industry standards and practices in the form of Cybersecurity Confirmation and in an Important Notice that NSCC would issue from time to time. NSCC would also consider accepting other industry standards and practices upon request by a Member or applicant.

    Back to Citation

    [FR Doc. 2019-23632 Filed 10-29-19; 8:45 am]

    BILLING CODE 8011-01-P

Document Information

Published:
10/30/2019
Department:
Securities and Exchange Commission
Entry Type:
Notice
Document Number:
2019-23632
Pages:
58183-58187 (5 pages)
Docket Numbers:
Release No. 34-87392, File No. SR-NSCC-2019-003
PDF File:
2019-23632.pdf