2022-15003. Self-Regulatory Organizations; The Depository Trust Company; Order Approving a Proposed Rule Change To Require Applicants, Participants, and Pledgees To Maintain or Upgrade Their Network or Communications Technology

Start Preamble July 8, 2022.
I. Introduction

On May 11, 2022, The Depository Trust Company (“DTC”) filed with the Securities and Exchange Commission (“Commission”) proposed rule change SR-DTC-2022-004 (“Proposed Rule Change”) pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”) ^[1] and Rule 19b-4 thereunder.^[2] The Proposed Rule Change was published for comment in the Federal Register on May 31, 2022.^[3] The Commission did not receive any comment letters on the proposed rule change. For the reasons discussed Start Printed Page 42240 below, the Commission is approving the Proposed Rule Change.

II. Description of the Proposed Rule Change

A. Background

DTC proposes to modify its Rules (“Rules”) ^[4] to require its Participants, Pledgees, and applicants for membership (collectively, “participants”) to upgrade and maintain their network technology, and communications technology or protocols, to meet standards that DTC would identify and publish via Important Notice on its website, as described more fully below.

DTC provides depository services and asset servicing for a wide range of security types such as money market instruments, equities, warrants, rights, corporate debt and notes, municipal bonds, government securities, asset-backed securities, and collateralized mortgage obligations.^[5] In light of its critical role in the marketplace, DTC was designated a Systemically Important Financial Market Utility (“SIFMU”) under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.^[6] Due to DTC's unique position in the marketplace, a failure or a disruption at DTC could, among other things, increase the risk of significant liquidity problems spreading among financial institutions or markets, and thereby threaten the stability of the financial system in the United States.^[7]

DTC's Rules currently do not require, either as part of an application for membership or as an ongoing membership requirement, any level or version for network technology, such as a web browser or other technology, or any level or version of communications technology or protocols, such as email encryption, secure messaging, or file transfers, that participants may use to connect to or communicate with DTC.^[8] Therefore, DTC currently maintains multiple network and communications methods and protocols to interact with its participants.^[9] This includes some outdated communication technologies in order to support participants that continue to use such older technologies.^[10] DTC believes that continuing to use such outdated technologies could render communications between DTC and some of its participants vulnerable to cyber risks.^[11] Additionally, participants' use of outdated technology delays DTC's implementation of its own internal system upgrades, which by doing so, risks losing connectivity between DTC and a number of its participants.^[12] Finally, DTC states that it currently expends additional resources, both in personnel and equipment, to maintain outdated communications channels.^[13]

To mitigate the foregoing security concerns and resource inefficiencies, DTC proposes to require its participants to upgrade and maintain network technology, communication technology, and protocol standards, in accordance with applicable technology standards that DTC would identify and publish via Important Notice on its website from time to time.^[14] DTC would base these requirements on standards set forth by widely accepted organizations such as the National Institute of Standards and Technology (“NIST”) and the internet Engineer Task Force (“IETF”).^[15]

To implement the proposed changes, DTC would revise its Rules to require participants to maintain or upgrade their network technology, communications technology, or protocols on the systems that connect to DTC, to the version DTC requires, within the time period DTC requires.^[16] Consistent with the guidance from NIST and other standards organizations, DTC would require the use of TLS 1.2, Secure FTP (“SFTP”), and other modern technology and communication standards and protocols, by its participants for communication with DTC.^[17] DTC would publish such requirements via Important Notice on its website.^[18] DTC also proposes to amend its Rules to provide that failure to perform a necessary technology upgrade within the required timeframe would subject participants to a disciplinary sanctions.^[19]

III. Discussion and Commission Findings

Section 19(b)(2)(C) of the Act ^[20] directs the Commission to approve a proposed rule change of a self-regulatory organization if it finds that such proposed rule change is consistent with the requirements of the Act and the rules and regulations thereunder applicable to such organization. After careful consideration, the Commission finds that the Proposed Rule Change is consistent with the requirements of the Act and the rules and regulations applicable to DTC. In particular, the Commission finds that the Proposed Rule Change is consistent with Sections 17A(b)(3)(F) ^[21] and (b)(3)(G) ^[22] of the Act and Rules 17Ad-22(e)(17) ^[23] and (e)(21) ^[24] thereunder.

A. Consistency With Section 17A(b)(3)(F) of the Act

Section 17A(b)(3)(F) of the Act requires that the rules of a clearing agency be designed to, among other things, promote the prompt and accurate clearance and settlement of securities transactions and assure the safeguarding of securities and funds which are in the custody or control of the clearing agency or for which it is responsible.^[25]

As described above, DTC proposes to require its participants to upgrade and maintain network technology, and communication technology and protocol standards, that meet the standards identified by DTC and published via Start Printed Page 42241 Important Notice to DTC's website from time to time. DTC would use standards set forth by widely accepted organizations such as NIST and the IETF as the requirements. The proposed requirements would enable DTC to avoid communicating with its participants using outdated technologies that present security vulnerabilities to DTC. Specifically, as an initial matter, the proposed requirements would enable DTC to discontinue using communication technologies such as TLS 1.0, TLS 1.1, SSL 2.0, SSL 3.0, and FTP, which have been deemed not secure by organizations such as NIST and/or the IETF. Removing support for such outdated technologies would reduce DTC's potential exposure to cyberattacks and other cyber vulnerabilities.

If not adequately addressed, the risk of cyberattacks and other cyber vulnerabilities could affect DTC's network and, in turn, DTC's ability to clear and settle securities transactions, or to safeguard the securities and funds which are in DTC's custody or control, or for which it is responsible. DTC designed the proposed requirements for participants to upgrade their communications technology to address those risks, as described above. Accordingly, the Commission finds the proposed technology requirements on DTC's participants would promote the prompt and accurate clearance and settlement of securities transactions and assure the safeguarding of securities and funds which are in the custody or control of DTC or for which it is responsible, consistent with the requirements of Section 17A(b)(3)(F) of the Act.^[26]

B. Consistency With Section 17A(b)(3)(G) of the Act

Section 17A(b)(3)(G) of the Act requires the rules of a clearing agency to provide that its participants shall be appropriately disciplined for violation of any provision of the rules of the clearing agency by fine or other fitting sanction.^[27] As noted above, DTC proposes to require its participants to upgrade and maintain network technology, communication technology, and protocol standards, in accordance with applicable technology standards that DTC would identify and publish via Important Notice on its website. The proposed requirements would enable DTC to avoid communicating with its participants using outdated technologies that present security vulnerabilities to DTC. If not adequately addressed, such vulnerabilities could affect DTC's network and its ability to operate. DTC also proposes to amend its Rules to provide that failure to perform a necessary technology upgrade within the required timeframe would subject participants to disciplinary sanctions. Because the proposed disciplinary sanctions should incentivize DTC's participants to upgrade and maintain secure communications technology, thereby reducing DTC's operational risks, the Commission finds the proposed rule change is consistent with the requirements of Section 17A(b)(3)(G) of the Act.^[28]

C. Consistency With Rule 17Ad-22(e)(17) Under the Act

Rule 17Ad-22(e)(17)(i) under the Act requires that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency's operational risks by identifying the plausible sources of operational risk, both internal and external, and mitigating their impact through the use of appropriate systems, policies, procedures, and controls.^[29] DTC's operational risks include cyber risks to its electronic systems.

As described above, DTC and its participants connect electronically to communicate with one another. However, DTC's Rules currently do not require any level or version for network technology, such as a web browser or other technology, or any level or version of communications technology or protocols, such as email encryption, secure messaging, or file transfers, that participants may use to connect to or communicate with DTC. As a result, DTC maintains some outdated communication technologies in order to support participants that continue to use such older technologies. Continuing to use such outdated technologies could render communications between DTC and some of its participants vulnerable to cyber risks.

To mitigate the foregoing cyber risks, DTC proposes to require its participants to upgrade and maintain network technology, and communication technology and protocol standards that meet the standards identified by DTC from time to time. The proposed technology requirements should reduce DTC's cyber risk by requiring participants to upgrade and maintain communications technology based on standards set forth by widely accepted organizations such as NIST and the IETF, thereby decreasing the operational risks presented to DTC. Because the proposed technology requirements would help DTC mitigate plausible sources of external operational risk, the Commission finds the proposed changes are consistent with the requirements of Rule 17Ad-22(e)(17)(i) under the Act.^[30]

Rule 17Ad-22(e)(17)(ii) under the Act requires that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency's operational risks by ensuring, in part, that systems have a high degree of security, resiliency, and operational reliability.^[31] As noted above, DTC's operational risks include cyber risks.

As described above, DTC's Rules currently do not require any level or version for network technology, such as a web browser or other technology, or any level or version of communications technology or protocols, such as email encryption, secure messaging, or file transfers, that participants may use to connect to or communicate with DTC. DTC designed the proposed technology requirements to reduce cyber risks by requiring its participants to upgrade and maintain communications technology based on standards set forth by widely accepted organizations such as NIST and the IETF. Requiring DTC's participants to use only secure communications technology would reduce DTC's cyber risks and thereby strengthen the security, resiliency, and operational reliability of DTC's network and other systems. Because the proposed technology requirements would enhance DTC's ability to ensure that its systems have a high degree of security, resiliency, and operational reliability, the Commission finds the Proposed Rule Change is consistent with the requirements of Rule 17Ad-22(e)(17)(ii) under the Act.^[32]

D. Consistency With Rule 17Ad-22(e)(21) Under the Act

Rule 17Ad-22(e)(21)(iv) under the Act requires that each covered clearing agency establish, implement, maintain Start Printed Page 42242 and enforce written policies and procedures reasonably designed to have the covered clearing agency's management regularly review the efficiency and effectiveness of its use of technology and communication procedures.^[33]

As mentioned above, DTC maintains multiple network and communication methods to interact with its participants, including certain outdated communication technologies necessary to support participants that continue to use such older technologies. DTC believes that continuing to use such outdated technologies could render communications between DTC and some of its participants vulnerable to cyber risks. Additionally, participants' use of outdated technology delays DTC's implementation of its own internal system upgrades, which by doing so, risks losing connectivity between DTC and a number of its participants. Finally, DTC states that it currently expends unnecessary resources to maintain outdated communications channels. In other words, DTC has subjected its network communication methods to review for efficiency and effectiveness. As a result, to enhance the efficiency and effectiveness of its technology and communication procedures, DTC proposes to require its participants to upgrade and maintain network technology, communication technology, and protocol standards, in accordance with applicable technology standards that DTC would identify and publish via Important Notice on its website. Because the Proposed Rule Change is an outgrowth of DTC's review of the efficiency and effectiveness of its technology and communication procedures, the Commission finds the Proposed Rule Change is consistent with the requirements of Rule 17Ad-22(e)(21)(iv) under the Act.^[34]

IV. Conclusion

On the basis of the foregoing, the Commission finds that the Proposed Rule Change is consistent with the requirements of the Act and in particular with the requirements of Section 17A of the Act ^[35] and the rules and regulations promulgated thereunder.

It is therefore ordered, pursuant to Section 19(b)(2) of the Act ^[36] that Proposed Rule Change SR-DTC-2022-004, be, and hereby is, approved .^[37]
Start Signature

For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.³⁸

J. Matthew DeLesDernier,

Assistant Secretary.

End Signature End Preamble
Footnotes

1. 15 U.S.C. 78s(b)(1).
Back to Citation

2. 17 CFR 240.19b-4.
Back to Citation

3. Securities Exchange Act Release No. 94975 (May 24, 2022), 87 FR 32482 (May 31, 2022) (SR-DTC-2022-004) (“Notice of Filing”).
Back to Citation

4. DTC's Rules are available at https://dtcc.com/~/media/Files/Downloads/legal/rules/dtc_rules.pdf.
Back to Citation

5. See Financial Stability Oversight Counsel 2012 Annual Report, Appendix A (“FSOC 2012 Report”), available at http://www.treasury.gov/initiatives/fsoc/Documents/2012-20Annual-20Report.pdf.
Back to Citation

6. 12 U.S.C. 5465(e)(1). See FSOC 2012 Report, supra note 5.
Back to Citation

7. See FSOC 2012 Report, Appendix A, supra note 5.
Back to Citation

8. Notice of Filing, supra note 3, at 32482.
Back to Citation

9. Id.
Back to Citation

10. Id.
Back to Citation

11. Id.
Back to Citation

12. Id.
Back to Citation

13. Id.
Back to Citation

14. Id., at 32482-83.
Back to Citation

15. Id.. NIST is part of the U.S. Department of Commerce. The IETF is an open standards organization that develops and promotes voluntary internet standards, in particular, the technical standards that comprise the internet protocol suite (TCP/IP). For example, NIST Special Publication 800-52 revision 2, specifies servers that support government-only applications shall be configured to use Transport Layer Security (“TLS”) 1.2 and should be configured to use TLS 1.3 as well. See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf. (TLS, the successor of the now-deprecated Secure Sockets Layer (“SSL”), is a cryptographic protocol designed to provide communications security over a computer network.) These servers should not be configured to use TLS 1.1 and shall not use TLS 1.0, SSL 3.0, or SSL 2.0. Additionally, the IETF formally deprecated TLS versions 1.0 and 1.1 in March of 2021, stating that “[t]hese versions lack support for current and recommended cryptographic algorithms and mechanisms, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions. . . . Removing support for older versions from implementations reduces the attack surface, reduces opportunity for misconfiguration, and streamlines library and product maintenance.” See https://datatracker.ietf.org/doc/rfc8996/. DTC would also require participants to discontinue using File Transfer Protocol (“FTP”), which DTC believes to be an insecure protocol because it transfers user authentication data (username and password) and file data as plain-text (not encrypted) over the network. Notice of Filing, supra note 3, at 32482-83.
Back to Citation

16. Notice of Filing, supra note 3, at 32483.
Back to Citation

17. Id., at 32482-83.
Back to Citation

18. Id.
Back to Citation

19. Notice of Filing, supra note 3, at 32483.
Back to Citation

20. 15 U.S.C. 78s(b)(2)(C).
Back to Citation

21. 15 U.S.C. 78q-1(b)(3)(F).
Back to Citation

22. 15 U.S.C. 78q-1(b)(3)(G).
Back to Citation

23. 17 CFR 240.17Ad-22(e)(17)(i) and (ii).
Back to Citation

24. 17 CFR 240.17Ad-22(e)(21)(iv).
Back to Citation

25. 15 U.S.C. 78q-1(b)(3)(F).
Back to Citation

26. Id.
Back to Citation

27. 15 U.S.C. 78q-1(b)(3)(G).
Back to Citation

28. Id. Additionally, by including the monetary fine provision in its Rules, DTC would enable its participants to better identify and evaluate the material costs they might incur by participating in DTC, consistent with Rule 17Ad-22(e)(23)(ii). under the Act, which requires a covered clearing agency to establish, implement, maintain, and enforce written policies and procedures reasonably designed to provide sufficient information to enable participants to identify and evaluate the risks, fees, and other material costs they incur by participating in the covered clearing agency. See 17 CFR 240.17Ad-22(e)(23)(ii).
Back to Citation

29. 17 CFR 240.17Ad-22(e)(17)(i).
Back to Citation

30. Id.
Back to Citation

31. 17 CFR 240.17Ad-22(e)(17)(ii).
Back to Citation

32. Id.
Back to Citation

33. 17 CFR 240.17Ad-22(e)(21)(iv).
Back to Citation

34. Id.
Back to Citation

35. 15 U.S.C. 78q-1.
Back to Citation

36. 15 U.S.C. 78s(b)(2).
Back to Citation

37. In approving the Proposed Rule Change, the Commission considered the proposals' impact on efficiency, competition, and capital formation. 15 U.S.C. 78c(f).
Back to Citation

38. 17 CFR 200.30-3(a)(12).
Back to Citation

[FR Doc. 2022-15003 Filed 7-13-22; 8:45 am]

BILLING CODE 8011-01-P

Visit the Official Version

Document Information

Published:: 07/14/2022
Department:: Securities and Exchange Commission
Entry Type:: Notice
Document Number:: 2022-15003
Pages:: 42239-42242 (4 pages)
Docket Numbers:: Release No. 34-95232, File No. SR-DTC-2022-004
PDF File:: 2022-15003.pdf

2022-15003. Self-Regulatory Organizations; The Depository Trust Company; Order Approving a Proposed Rule Change To Require Applicants, Participants, and Pledgees To Maintain or Upgrade Their Network or Communications Technology

I. Introduction

II. Description of the Proposed Rule Change

A. Background

III. Discussion and Commission Findings

A. Consistency With Section 17A(b)(3)(F) of the Act

B. Consistency With Section 17A(b)(3)(G) of the Act

C. Consistency With Rule 17Ad-22(e)(17) Under the Act

D. Consistency With Rule 17Ad-22(e)(21) Under the Act

IV. Conclusion

Footnotes

Document Information