I. Introduction

On March 21, 2023, the Options Clearing Corporation (“OCC”) filed with the Securities and Exchange Commission (“Commission”) the proposed rule change SR–OCC–2023–003 pursuant to Section 19(b) of the Securities Exchange Act of 1934 (“Exchange Act”) ^[1] and Rule 19b–4 ^[2] thereunder to amend certain provisions in OCC's Rules relating to each Clearing Member's obligation to address a ”Security Incident” ( i.e., the occurrence of a cyber-related disruption or intrusion) of that Clearing Member.^[3] The proposed rule change was published for public comment in the Federal Register on April 5, 2023.^[4] The Commission has received comments regarding the proposed rule change.^[5]

On May 18, 2023, pursuant to Section 19(b)(2) of the Exchange Act,^[6] the Commission designated a longer period within which to approve, disapprove, or institute proceedings to determine whether to approve or disapprove the proposed rule change.^[7] On May 24, 2023, OCC filed Partial Amendment No. 1 to the proposed rule change.^[8] This order institutes proceedings, pursuant to Section 19(b)(2)(B) of the Exchange Act,^[9] to determine whether to approve or disapprove the proposed rule change, as modified by Partial Amendment No. 1 (hereinafter defined as “Proposed Rule Change”).

II. Summary of the Proposed Rule Change

Currently, the only OCC Rule governing a Clearing Member's cybersecurity obligations to OCC is Rule 219, titled “Cybersecurity Confirmation.” It requires Clearing Members and applicants for clearing membership to submit to OCC a form called the “Cybersecurity Confirmation” at least every two years or as part of its application materials, respectively. Through the form, Clearing Members and applicants confirm that they maintain a comprehensive cybersecurity program that meets certain criteria ( e.g., it is approved by senior management, reviewed and updated periodically, protects the segment of the Clearing Member's or applicant's system that interacts with OCC, establishes a process for the Clearing Member to remediate cyber issues, etc.). However, current Rule 219 does not require Clearing Members to notify OCC if they experience a cybersecurity incident that could impact OCC or otherwise address OCC's processes, or the Clearing Member's obligations with respect to OCC, in the event a Clearing Member experiences a cybersecurity incident.

The substantive changes in the proposed rule change would be the addition of two new subsections—(d) and (e)—titled “Occurrence of a Security Incident” and “Procedures for Connecting Following a Security Incident,” respectively. New subsection (d) would require a Clearing Member that experiences a Security Incident (as defined in the Rule) to immediately notify OCC of the Security Incident. It would also specify that OCC may take actions it deems reasonably necessary to mitigate any effects on its operations following a Security Incident. New subsection (e) would require a Clearing Member wishing to reconnect its systems to OCC's systems to provide OCC with a new form, titled “Reconnection Attestation,” that describes the Security Incident and attests to certain security requirements, as well as an associated checklist, titled “Reconnection Checklist,” that describes the affected Clearing Member's remediation efforts and other key information.

OCC submitted Partial Amendment No. 1 in response to comments received on the scope of the proposed definition of Security Incident and potential conflicts with other existing and proposed Commission rules.^[10] OCC also submitted Partial Amendment No. 1 in response to comments about (i) the requirement that Clearing Members provide immediate notice of a Security Incident to OCC, (ii) the standards OCC would apply when determining whether to disconnect a Clearing Member from OCC, and (iii) the process for reconnection following a Security Incident that results in disconnection.^[11]

III. Proceedings To Determine Whether To Approve or Disapprove the Proposed Rule Change and Grounds for Disapproval Under Consideration

The Commission is instituting proceedings pursuant to Section 19(b)(2)(B) of the Exchange Act ^[12] to determine whether the Proposed Rule Change should be approved or disapproved. Institution of proceedings is appropriate at this time in view of the legal and policy issues raised by the Proposed Rule Change. Institution of proceedings does not indicate that the Commission has reached any conclusions with respect to any of the issues involved. Rather, the Commission seeks and encourages interested persons to comment on the Proposed Rule Change, providing the Commission with arguments to support the Commission's analysis as to whether to approve or disapprove the Proposed Rule Change.

Pursuant to Section 19(b)(2)(B) of the Exchange Act,^[13] the Commission is providing notice of the grounds for disapproval under consideration. The Commission is instituting proceedings to allow for additional analysis of, and input from commenters with respect to, the Proposed Rule Change's consistency with Section 17A of the Exchange Act,^[14] and the rules thereunder, including the following provisions:

• Section 17A(b)(3)(F) of the Exchange Act,^[15] which requires, among other things, that the rules of a clearing agency are designed to promote the prompt and accurate clearance and settlement of securities transactions and derivative agreements, contracts, and transactions; and to assure the safeguarding of securities and funds which are in the custody or control of the clearing agency or for which it is responsible; and

• Rule 17Ad–22(e)(17)(i) of the Exchange Act,^[16] which requires that a covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency's operational risks by identifying the plausible sources of operational risk, both internal and external, and mitigating their impact through the use of appropriate systems, policies, procedures, and controls.

IV. Procedure: Request for Written Comments

The Commission requests that interested persons provide written submissions of their views, data, and arguments with respect to the issues identified above, as well as any other concerns they may have with the Proposed Rule Change. In particular, the Commission invites the written views of interested persons concerning whether the Proposed Rule Change is consistent with Section 17A(b)(3)(F) ^[17] and Rule 17Ad–22(e)(17)(i) ^[18] of the Exchange Act, or any other provision of the Exchange Act, or the rules and regulations thereunder. Although there do not appear to be any issues relevant to approval or disapproval that would be facilitated by an oral presentation of views, data, and arguments, the Commission will consider, pursuant to Rule 19b–4(g) under the Exchange Act,^[19] any request for an opportunity to make an oral presentation.^[20]

Interested persons are invited to submit written data, views, and arguments regarding whether the Proposed Rule Change should be approved or disapproved by July 25, 2023. Any person who wishes to file a rebuttal to any other person's submission must file that rebuttal by August 8, 2023.

The Commission asks that commenters address the sufficiency of OCC's statements in support of the Proposed Rule Change, which are set forth in the Notice of Filing ^[21] and the Partial Amendment No. 1,^[22] in addition to any other comments they may wish to submit about the Proposed Rule Change.

Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission's internet comment form

( http://www.sec.gov/​rules/​sro.shtml); or

• Send an email to rule-comments@sec.gov. Please include file number SR–OCC–2023–003 on the subject line.

Paper Comments

• Send paper comments in triplicate to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549–1090.

All submissions should refer to file number SR–OCC–2023–003. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's internet website ( https://www.sec.gov/​rules/​sro.shtml). Copies of the submission, all subsequent amendments, all written statements with respect to the Proposed Rule Change that are filed with the Commission, and all written communications relating to the Proposed Rule Change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549 on official business days between the hours of 10 a.m. and 3 p.m. Copies of such filing also will be available for inspection and copying at the principal office of OCC and on OCC's website at https://www.theocc.com/​Company-Information/​Documents-and-Archives/​By-Laws-and-Rules.

Do not include personal identifiable information in submissions; you should submit only information that you wish to make available publicly. We may redact in part or withhold entirely from publication submitted material that is obscene or subject to copyright protection.

All submissions should refer to File Number SR–OCC–2023–003 and should be submitted on or before July 25, 2023. Rebuttal comments should be submitted by August 8, 2023.

Footnotes