2023-11714. Self-Regulatory Organizations; The Options Clearing Corporation; Notice of Partial Amendment No. 1 to Proposed Rule Change by The Options Clearing Corporation Concerning Clearing Member Cybersecurity Obligations  

May 26, 2023.

    On March 21, 2023, the Options Clearing Corporation (“OCC”) filed with the Securities and Exchange Commission (“Commission”) the proposed rule change SR–OCC–2023–003 pursuant to Section 19(b) of the Securities Exchange Act of 1934 (“Exchange Act”) [1] and Rule 19b–4 [2] thereunder to amend certain provisions in OCC's Rules relating to Clearing Member cybersecurity obligations to address the occurrence of a cyber-related disruption or intrusion of a Clearing Member (“Security Incident”). The proposed rule change was published for public comment in the Federal Register on April 5, 2023.[3] The Commission has received comments regarding the proposal described in the proposed rule change.[4] On May 24, 2023, OCC filed Partial Amendment No. 1 to the proposed rule change. Pursuant to Section 19(b)(1) of the Act [5] and Rule 19b–4 thereunder,[6] the Commission is publishing notice of this Partial Amendment No. 1 to the proposed rule change as described in Item I below, which has been prepared primarily by OCC. The Commission is publishing this notice to solicit comment on Partial Amendment No. 1 from interested persons.

    I. Clearing Agency's Statement of the Terms of Substance of the Proposed Rule Change Partial Amendment No. 1

    The Options Clearing Corporation (“OCC”) hereby submits this partial amendment, constituting Amendment No. 1 [sic], to its proposed rule change SR–OCC–2023–003 (the “Initial Filing”), in which OCC proposed new sections (d) and (e) to existing Rule 219, which Rule subsequently was renumbered to Rule 213. The Proposal requires Clearing Members to notify OCC about the occurrence of a “Security Incident”, and in the event of a disconnection from OCC, obligates the Clearing Member to provide an attestation to OCC before reconnecting. OCC intends to amend Proposed Rules 213(d) and 213(e) to clarify the definition of the term “Security Incident”, the threshold conditions for disconnection of a Clearing Member, and the process for a Clearing Member's reconnection.

    As originally proposed in the Initial Filing, Proposed Rules 213(d) and 213(e) are as follows:

    (d) Occurrence of a Security Incident. A Clearing Member must notify the Corporation immediately, and shall promptly confirm such notice in writing, if there has been an incident, or an incident is occurring, involving a cyber-related disruption or intrusion of the Clearing Member, including, but not limited to, any disruption or degradation of the normal operation of the Clearing Member's systems or any unauthorized entry into the Clearing Member's systems (“Security Incident”). Upon such notice, or if the Corporation has a reasonable basis to believe that a Security Incident has occurred, or is occurring, the Corporation may take actions reasonably necessary to mitigate any effects to its operations, including the right to disconnect access, or to modify the scope and specifications of access, of the Clearing Member to the Corporation's information and data systems.

    (e) Procedures for Connecting Following a Security Incident. After a Clearing Member reports a Security Incident, upon the request of the Corporation, the Clearing Member must complete and submit a form that describes the Security Incident and includes required representations as determined by the Corporation (“Reconnection Attestation”) and an associated checklist that describes remediation efforts and provides required information as determined by the Corporation (“Reconnection Checklist”), both as provided by the Corporation from time to time.

    OCC is submitting this partial amendment in response to comments received on the scope of the proposed definition of “Security Incident” and potential conflicts with other existing and proposed Securities and Exchange Commission (“SEC”) rules. Accordingly, OCC has determined to clarify what constitutes a Security Incident for purposes of new Rule 213(d). Such clarification would specify that only occurrences that have an impact on OCC's system(s) and/or operations are considered a Security Incident. In addition, OCC proposes to clarify that a Clearing Member must notify OCC if the Clearing Member becomes aware or should be aware that such incident has occurred or is occurring.

    OCC also is submitting this partial amendment in response to comments about (i) the requirement that Clearing Members provide immediate notice of a Security Incident to OCC, (ii) the standards OCC would apply when determining whether to disconnect a Clearing Member from OCC, and (iii) the process for reconnection following a Security Incident that results in disconnection.

    As a systemically important financial market utility, and the sole clearing agency providing clearing services for listed options in the U.S., it is vital that OCC's clearing systems remain functional and unaffected by Security Incidents. Any risk or threat to OCC's system(s) or operations could have a severe impact on the listed options markets. Therefore, time is of the essence with respect to any notification by a Clearing Member of the occurrence of a Security Incident. OCC intends to provide a dedicated OCC email address directly to Clearing Members for use in notifying OCC of a Security Incident, but without specifying the form of the notice. Accordingly, a Clearing Member can share information they believe is relevant, and OCC can follow up directly with the affected Clearing Member as needed.

    Because of the innumerable circumstances that could lead to a Security Incident, OCC's determination to disconnect a Clearing Member will be based on the facts and circumstances related to any specific Security Incident. Accordingly, OCC may consider any one or more of the following in determining whether or not to disconnect a member: the potential loss of control by a Clearing Member of its internal system(s), the potential loss of OCC's confidential data, the potential strain on or loss of OCC's resources due to OCC's inability to perform clearance and settlement functions, and the overall severity of the threat to OCC's security and operations. It is OCC's belief that not all Security Incident notifications will result in a Clearing Member disconnection. Finally, OCC also added clarification that in the event of a disconnection, a Clearing Member will remain responsible for its obligations to OCC, e.g., a Clearing Member remains responsible for the payment of margin to OCC.

    With respect to the process for reconnection following a Security Incident that results in disconnection, OCC proposes to clarify that only in the event OCC disconnects a Clearing Member will the Clearing Member be required to complete the Reconnection Attestation and Reconnection Checklist. OCC also made additional edits to clarify the process for reconnection.

    The text below reflects the proposed changes to the originally proposed Rules 213(d) and 213(e) in the Initial Filing. Italicized text indicates new text, and bracketed text indicates deleted text.

    (d) Occurrence of a Security Incident. A Clearing Member must notify the Corporation immediately, and shall promptly confirm such notice in writing, if the Clearing Member becomes aware or should be aware that there has been an incident, or an incident is occurring, involving a cyber-related disruption or intrusion of the Clearing Member's system(s) that is reasonably likely to pose an imminent risk or threat to the Corporation's operations. Such occurrence may include, but is not limited to [including, but not limited to], any disruption or degradation of the normal operation of the Clearing Member's system(s) or any unauthorized entry into the Clearing Member's system(s) that would result in loss of the Corporation's data or system integrity, unauthorized disclosure of sensitive information related to the Corporation, or the inability of the Corporation to conduct essential clearance and settlement functions (“Security Incident”). Upon such notice, or if the Corporation has a reasonable basis to believe that a Security Incident has occurred, or is occurring, the Corporation may take actions reasonably necessary to mitigate any effects to its operations, including the right to disconnect access, or to modify the scope and specifications of access, of the Clearing Member to the Corporation's information and data systems. In determining whether to disconnect a Clearing Member, the Corporation will evaluate the facts and circumstances related to the Security Incident. The Corporation may take into consideration a number of factors, including, but not limited to, the potential loss of control by a Clearing Member of its internal system(s), the potential loss of the Corporation's confidential data, the potential strain on or loss of the Corporation's resources due to the Corporation's inability to perform clearance and settlement functions, and the overall severity of the threat to the security and operations of the Corporation. If the Corporation determines that disconnection of a Clearing Member is necessary, the Clearing Member must continue to meet its obligations to the Corporation, notwithstanding disconnection from the Corporation's systems.

    (e) Procedures for Connecting Following a Security Incident that Results in Disconnection. [After a Clearing Member reports a Security Incident] In the event OCC disconnects a Clearing Member that has reported a Security Incident, upon the request of the Corporation, the Clearing Member must complete and submit a form as provided by the Corporation that describes the Security Incident and includes required representations [as determined by the Corporation] (“Reconnection Attestation”). The Clearing Member also will be required to complete [and] an associated checklist as provided by the Corporation that describes remediation efforts [and provides required information as determined by the Corporation] (“Reconnection Checklist”)[, both as provided by the Corporation from time to time].

    The partial amendment would not change the purpose of, or statutory basis for the proposed rule change. All other representations in the Initial Filing remain as stated therein and no other changes are being made.

    II. Solicitation of Comments

    Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Exchange Act. Comments may be submitted by any of the following methods:

    Electronic Comments

    • Use the Commission's internet comment form (http://www.sec.gov/rules/sro.shtml); or

    • Send an email to rule-comments@sec.gov. Please include File Number SR–OCC–2023–003 on the subject line.

    Paper Comments

    • Send paper comments in triplicate to Vanessa Countryman, Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–1090.

    All submissions should refer to File Number SR–OCC–2023–003. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's internet website (http://www.sec.gov/rules/sro.shtml). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549, on official business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of such filing also will be available for inspection and copying at the principal office of OCC and on OCC's website at https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules.

    Do not include personal identifiable information in submissions; you should submit only information that you wish to make available publicly. We may redact in part or withhold entirely from publication submitted material that is obscene or subject to copyright protection.

    All submissions should refer to File Number SR–OCC–2023–003 and should be submitted on or before June 23, 2023.


    For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.[7]

    J. Lynn Taylor,

    Assistant Secretary.


    Footnotes

    3.  Securities Exchange Act Release No. 97225 (Mar. 30, 2023), 88 FR 20195 (Apr. 5, 2023) (File No. SR–OCC–2023–003).


    4. Comments on the proposed rule change are available at https://www.sec.gov/comments/sr-occ-2023-003/srocc2023003.htm.


    [FR Doc. 2023–11714 Filed 6–1–23; 8:45 am]

    BILLING CODE 8011–01–P

Document Information

Published:
06/02/2023
Department:
Securities and Exchange Commission
Entry Type:
Notice
Document Number:
2023-11714
Pages:
36351-36353 (3 pages)
Docket Numbers:
Release No. 34-97602, File No. SR-OCC-2023-003
PDF File:
2023-11714.pdf