2023-24179. Self-Regulatory Organizations; National Securities Clearing Corporation; Notice of Filing and Immediate Effectiveness of Proposed Rule Change To Modify the Clearing Agency Operational Risk Management Framework
October 27, 2023.
Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”) [1] and Rule 19b–4 thereunder,[2] notice is hereby given that on October 20, 2023, National Securities Clearing Corporation (“NSCC”) filed with the Securities and Exchange Commission (“Commission”) the proposed rule change as described in Items I, II and III below, which Items have been prepared by the clearing agency. NSCC filed the proposed rule change pursuant to Section 19(b)(3)(A) of the Act [3] and Rule 19b–4(f)(4) thereunder.[4] The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons.
I. Clearing Agency's Statement of the Terms of Substance of the Proposed Rule Change
The proposed rule change consists of modifications to the Clearing Agency Operational Risk Management Framework (“ORM Framework” or “Framework”) of the National Securities Clearing Corporation (“NSCC”) and its affiliates The Depository Trust Company (“DTC”) and Fixed Income Clearing Corporation (“FICC,” and together with NSCC and DTC, the “Clearing Agencies”) in order to (i) revise nomenclature and process changes to Risk Profiles, (ii) update the ORM Framework to align programs, policies, procedures, and controls within Technology Risk Management (“TRM”) to the Cyber Risk Institute (“CRI”) Profile instead of the National Institute of Standards and Technology (“NIST”) standards, (iii) update recovery times for Tier 5 non-essential functions, (iv) update business continuity testing across industry organizations, and (v) update the ORM Framework to reflect recent changes to group names and make other nonmaterial edits, as described in greater detail below.
II. Clearing Agency's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change
In its filing with the Commission, the clearing agency included statements concerning the purpose of and basis for the proposed rule change and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. The clearing agency has prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements.
(A) Clearing Agency's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change
1. Purpose
The Clearing Agencies adopted the ORM Framework [5] to provide an outline for how each of the Clearing Agencies manages its operational risks. In this way, the Framework supports the Clearing Agencies' compliance with Rules 17Ad–22(e)(17) of the Standards for Covered Clearing Agencies (“Standards”) under the Securities Exchange Act of 1934 (“Act”),[6] as described in the Initial Filing. In addition to setting forth the way each of the Clearing Agencies addresses these requirements, the ORM Framework also contains a section titled “Framework Ownership and Change Management” that, among other matters, describes the Framework ownership and the required governance process for review and approval of changes to the Framework.
In connection with the annual review and approval of the Framework by the Boards of Directors of each of the Clearing Agencies (each a “Board” and collectively, the “Boards”), the Clearing Agencies are proposing to make certain revisions to the Framework.
Such proposed changes would include (i) revising nomenclature and process changes to Risk Profiles, (ii) updating the ORM Framework to align programs, policies, procedures, and controls within Technology Risk Management (“TRM”) to the Cyber Risk Institute (“CRI”) Profile instead of the National Institute of Standards and Technology (“NIST”) standards, (iii) updating the recovery times for Tier 5, which equates to non-essential functions, (iv) updating business continuity testing across industry organizations, and (v) updating the ORM Framework to reflect recent changes to group names and making other nonmaterial edits. The proposed changes are described in greater detail below.
i. Proposed Amendments To Revise Nomenclature and Process Changes to Risk Profiles
Section 4.2 of the ORM Framework describes the risk profiles, which are tools used by the Clearing Agencies to monitor and document inherent risks and residual risks to support an overall assessment of the applicable Clearing Agency Business or Clearing Agency Support Area. The proposed changes would update the Framework to reflect recent changes to the names of the tools used by the Clearing Agencies. The proposed changes would also reflect updates to Clearing Agency processes and other matters described in the Framework. These proposed changes do not substantively impact how the Clearing Agencies manage operational risk in compliance with the requirements of Rule 17Ad–22(e)(17) under the Act.[7]
The proposed changes would update the Framework by removing references to risk profiles and replacing them with Risk Assessments and Quarterly Business Monitoring. These proposed changes reflect the Clearing Agencies' bifurcation of the prior Risk Profile process into an assessment component and a metrics review component, each with a differing cadence for publication. Specifically, Risk Assessments are prepared at least annually, and Quarterly Business Monitoring is generally prepared quarterly and not less than semi-annually.
ii. Proposed Amendments To Align to the Cyber Risk Institute Profile
Section 5 of the Framework describes the role of TRM in establishing appropriate programs, policies, procedures, and controls with respect to the Clearing Agencies' information technology risks to help management ensure that systems have a high degree of security, resiliency, operational reliability, and adequate, scalable capacity, as required by Rule 17Ad–22(e)(17)(ii) under the Act.[8] The Clearing Agencies previously aligned their technology risk management practices to the NIST standards, which are recognized information technology standards that have been used by TRM in support of executing such responsibilities. TRM shifted from reliance only on NIST standards to instead align its risk management practices with the standards of CRI, which is a global standard for cyber risk assessment based on the NIST Cyber Security Framework (“NIST CSF”). NIST CSF has five core functions, while the CRI standards have those same five core functions plus two additional core functions. This shift would allow the Clearing Agencies to continue maintaining compliance with Rule 17Ad–22(e)(17) under the Act.[9]
Therefore, the Clearing Agencies are proposing to amend Section 5 of the Framework to remove reference to NIST standards and replace them with the CRI Profile to reflect its existing practice.
iii. Proposed Amendments To Update Recovery Time of Tier 5 Operations
Section 6 of the Framework describes how the Clearing Agencies have established and maintain business continuity plans to address events that may pose a significant risk of disrupting their operations. The Framework describes how the business continuity process for each Clearing Agency Business and Clearing Agency Support Area [10] is ranked within a range of tiers, from 0 to 5. The range of tiers is based on criticality to each applicable Clearing Agency's operations (each a “Tier”), where Tier 0 equates to critical operations or support of such operations for which virtually no downtime is permitted, and Tier 5 equates to non-essential operations or support of such operations for which recovery times of greater than five days are permitted. The Clearing Agencies are proposing a change to the Tier 5 recovery time from greater than five days to greater than fifteen days. A recovery time of greater than fifteen days better represents the actual recovery time for the underlying product and service functions.
To reflect this change in the Framework, the Clearing Agencies are proposing to amend Section 6 of the Framework to replace the number five with fifteen as it relates to recovery times for Tier 5, aligning the Framework with current Clearing Agency practice.
iv. Proposed Amendments To Update the Description of Business Continuity Testing
As mentioned above, Section 6 of the Framework describes how the Clearing Agencies manage business continuity risks. The Clearing Agencies are proposing changes to the Framework to describe their management of these risks more accurately. Specifically, the Clearing Agencies are proposing changes to better reflect their administration of industry testing, which is one of the preventive measures the Clearing Agencies may take with respect to business continuity risk management. The proposed changes would reflect the breadth of industry participants used for such industry exercises conducted by the Clearing Agencies instead of only the Securities Industry and Financial Markets Association (SIFMA) and the Financial Services Authority. The proposed rule change is not intended to reflect a material change to the industry testing done by the Clearing Agencies, but rather, would more accurately reflect the possible scope of any such testing.
Therefore, the Clearing Agencies are proposing to amend the last bullet of Section 6 of the Framework to remove reference to SIFMA and the Financial Services Authority and include a more comprehensive description of industry testing currently conducted to manage its business continuity risks.
v. Proposed Amendments To Update Organizational Name Changes and Make Other Nonmaterial Edits
Finally, the Framework is owned and managed by an officer within the Operational Risk Management Group within the Group Chief Risk Office of DTCC. While the role and responsibilities of the Operational Risk Management Group have not changed, the proposed changes would update the Framework to reflect a change in the name of the group. The Operational Risk Management Group is now referred to as Operational Risk. This proposed change would reflect a recent organizational name change.
The proposed rule change would make additional immaterial edits to the Framework that do not alter how the Clearing Agencies comply with the applicable requirements of Rule 17Ad–22(e)(17) under the Act.[11]
2. Statutory Basis
The Clearing Agencies believe that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act [12] and Rule 17Ad–22(e)(17)(ii) and (iii) promulgated under the Act,[13] for the reasons described below.
The Clearing Agencies believe that the proposed changes are consistent with Section 17A(b)(3)(F) of the Act, which requires, in part, that the rules of a registered clearing agency be designed to promote the prompt and accurate clearance and settlement of securities transactions, and to assure the safeguarding of securities and funds which are in the custody or control of the clearing agency or for which it is responsible, for the reasons described below.[14] The proposed changes to (i) revise nomenclature and process changes to Risk Profiles, (ii) update the ORM Framework to align programs, policies, procedures, and controls within Technology Risk Management (“TRM”) to the Cyber Risk Institute (“CRI”) Profile instead of the National Institute of Standards and Technology (“NIST”) standards, (iii) update the recovery times for Tier 5 equating to non-essential functions, (iv) update business continuity testing across industry organizations, and (v) update the ORM Framework to reflect recent changes to group names and making other nonmaterial edits would update and clarify the Framework and would make it more comprehensive in how it describes the methods and tools currently used by the Clearing Agencies to manage operational risks and therefore comply with Section 17A(b)(3)(F) of the Act.[15] By creating clearer, updated and more comprehensive descriptions, the Clearing Agencies believe the proposed changes would make the ORM Framework more effective in providing an overview of the important risk management activities described therein.
The risk management functions described in the ORM Framework allow the Clearing Agencies to continue the prompt and accurate clearance and settlement of securities and to continue to assure the safeguarding of securities and funds which are in their custody or control or for which they are responsible, notwithstanding the default of a member of an affiliated family. The proposed changes to (1) revise nomenclature and process changes to risk profiles, (2) shift to the CRI standards, and (3) broaden the description of industry testing to capture the breadth of industry participants available to engage in such testing within the ORM Framework reflect the tools used by the Clearing Agencies to assess inherent and residual risks, the Clearing Agencies' reliance on reliable global sources for their information technology standards, and their use of diverse sources for industry testing. Identifying and mitigating plausible sources of operational risks, both internal and external, in information technology and business continuity, as outlined in the above-referenced proposed changes, facilitates the Clearing Agencies' ability to continue the prompt and accurate clearance and settlement of securities transactions and to assure the safeguarding of securities and funds which are in their custody or control or for which they are responsible. Therefore, the Clearing Agencies believe the proposed changes are consistent with the requirements of Section 17A(b)(3)(F) of the Act.[16]
Rule 17Ad–22(e)(17) under the Act requires, in part, that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency's operational risks by (ii) ensuring that systems have a high degree of security, resiliency, operational reliability, and adequate, scalable capacity; and (iii) establishing and maintaining business continuity plans in order to address events that may pose a significant risk of disrupting their operations.
The Framework would be amended to update the description of the Clearing Agencies' information technology and business continuity procedures. The proposed changes to revise nomenclature and process changes to Risk Profiles, including the bifurcation of the Risk Profiles process and identification of applicable governance processes, assist the Clearing Agencies in effectively managing their operational risks by identifying the plausible sources of operational risk, both internal and external, and mitigating the impact of those risks. The proposed change to shift to CRI standards, which encompass the NIST standards plus additional metrics, is part of the programs, policies, procedures, and controls used by the Clearing Agencies to continue the building, implementation, and maintenance of systems that have a high degree of security, resiliency, operational reliability, and adequate, scalable capacity. Lastly, accurately describing the Clearing Agencies' industry testing procedure in the ORM Framework conforms with the Clearing Agencies' compliance obligations, since business continuity testing is one of the preventive measures the Clearing Agencies may take with respect to business continuity risk management. As described above, these procedures address how the Clearing Agencies detect, identify, investigate, and resolve incidents that affect the Clearing Agencies' systems. These procedures are designed to help address the Clearing Agencies' compliance with the requirements of Rule 17Ad–22(e)(17)(ii) and (iii) under the Act.[17] Therefore, the Clearing Agencies believe that the proposed rule changes to update the description of these procedures in the Risk Management Framework are consistent with Rule 17Ad–22(e)(17)(ii) and (iii).[18]
(B) Clearing Agency's Statement on Burden on Competition
The Clearing Agencies do not believe that the proposed changes to the ORM Framework described above would have any impact, or impose any burden, on competition. The proposed changes would enhance the Framework by providing additional clarity and accuracy concerning the Clearing Agencies' operational risk management processes. The proposed rule changes to the Framework would not advantage or disadvantage any participant or user of the Clearing Agencies' services or unfairly inhibit access to the Clearing Agencies' services. As such, the Clearing Agencies do not believe that the proposed rule changes would have any impact on competition.
(C) Clearing Agency's Statement on Comments on the Proposed Rule Change Received From Members, Participants, or Others
NSCC has not received or solicited any written comments relating to this proposal. If any written comments are received, they will be publicly filed as an Exhibit 2 to this filing, as required by Form 19b–4 and the General Instructions thereto.
Persons submitting comments are cautioned that, according to Section IV (Solicitation of Comments) of the Exhibit 1A in the General Instructions to Form 19b–4, the Securities and Exchange Commission (“Commission”) does not edit personal identifying information from comment submissions. Commenters should submit only information that they wish to make available publicly, including their name, email address, and any other identifying information.
All prospective commenters should follow the Commission's instructions on how to submit comments, available at https://www.sec.gov/regulatory-actions/how-to-submit comments. General questions regarding the rule filing process or logistical questions regarding this filing should be directed to the Main Office of the Commission's Division of Trading and Markets at tradingandmarkets@sec.gov or 202–551–5777.
NSCC reserves the right not to respond to any comments received.
III. Date of Effectiveness of the Proposed Rule Change, and Timing for Commission Action
The foregoing rule change has become effective pursuant to Section 19(b)(3)(A) [19] of the Act and paragraph (f) [20] of Rule 19b–4 thereunder. At any time within 60 days of the filing of the proposed rule change, the Commission summarily may temporarily suspend such rule change if it appears to the Commission that such action is necessary or appropriate in the public interest, for the protection of investors, or otherwise in furtherance of the purposes of the Act.
IV. Solicitation of Comments
Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Comments may be submitted by any of the following methods:
Electronic Comments
• Use the Commission's internet comment form ( https://www.sec.gov/rules/sro.shtml); or
• Send an email to rule-comments@sec.gov. Please include file number SR–NSCC–2023–010 on the subject line.
Paper Comments
• Send paper comments in triplicate to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.
All submissions should refer to file number SR–NSCC–2023–010. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's internet website ( https://www.sec.gov/rules/sro.shtml). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549 on official business days between the hours of 10 a.m. and 3 p.m. Copies of the filing also will be available for inspection and copying at the principal office of NSCC and on DTCC's website ( https://dtcc.com/legal/sec-rule-filings.aspx). Do not include personal identifiable information in submissions; you should submit only information that you wish to make available publicly. We may redact in part or withhold entirely from publication submitted material that is obscene or subject to copyright protection. All submissions should refer to file number SR–NSCC–2023–010 and should be submitted on or before November 24, 2023.
For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.[21]
J. Matthew DeLesDernier,
Deputy Secretary.
Footnotes
5. See Securities Exchange Act Release No. 81745 (September 28, 2017), 82 FR 46332 (October 4, 2017) (SR–DTC–2017–014; SR–NSCC–2017–013; SR–FICC–2017–017) (“Initial Filing”).
7. Id.
10. The Clearing Agencies monitor key risks, including Operational Risks stemming from the day-to-day operation of the Clearing Agencies' businesses and support areas (each a “Clearing Agency Business” or “Clearing Agency Support Area”).
15. Id.
16. Id.
18. Id.
[FR Doc. 2023–24179 Filed 11–1–23; 8:45 am]
BILLING CODE 8011–01–P
Document Information
- Published: 11/02/2023
- Department: Securities and Exchange Commission
- Entry Type: Notice
- Document Number: 2023-24179
- Pages: 75344-75347 (4 pages)
- Docket Numbers: Release No. 34-98814, File No. SR-NSCC-2023-010
- PDF File: 2023-24179.pdf