2022-15004. Self-Regulatory Organizations; Fixed Income Clearing Corporation; Order Approving a Proposed Rule Change To Require Applicants and Members To Maintain or Upgrade Their Network or Communications Technology
July 8, 2022.
I. Introduction
On May 20, 2022, Fixed Income Clearing Corporation (“FICC”) filed with the Securities and Exchange Commission (“Commission”) proposed rule change SR-FICC-2022-003 (“Proposed Rule Change”) pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 (“Act”) [1] and Rule 19b-4 thereunder.[2] The Proposed Rule Change was published for comment in the Federal Register on May 31, 2022.[3] The Commission did not receive any comment letters on the proposed rule change. For the reasons discussed below, the Commission is approving the Proposed Rule Change.
II. Description of the Proposed Rule Change
A. Background
FICC proposes to modify its Government Securities Division Rulebook (“GSD Rules”), Mortgage-Backed Securities Division Clearing Rules (“MBSD Rules”), and Electronic Pool Notification Rules of MBSD (“EPN Rules,” and, together with the GSD Rules and the MBSD Rules, the “Rules”) [4] to require its Members and applicants for membership (collectively, “members”) to upgrade and maintain their network technology, and communications technology or protocols, to meet standards that FICC would identify and publish via Important Notice on its website, as described more fully below.
FICC is made up of two divisions, the Government Securities Division (FICC/GSD) and the Mortgage-Backed Securities Division (FICC/MBSD), each providing clearing services in a different portion of the fixed income market.[5] FICC/GSD provides clearing, settlement, risk management, central counterparty services, and a guarantee of trade completion for U.S. government and agency securities.[6] FICC/MBSD provides clearing, netting, settlement, risk management, and pool notification services to major market participants trading in pass-through MBS issued by Ginnie Mae, Freddie Mac, and Fannie Mae.[7] In light of its critical role in the marketplace, FICC was designated a Systemically Important Financial Market Utility (“SIFMU”) under Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010.[8] Due to FICC's unique position in the marketplace, a failure or a disruption at FICC could, among other things, increase the risk of significant liquidity problems spreading among financial institutions or markets, and thereby threaten the stability of the financial system in the United States.[9]
FICC's Rules currently do not require, either as part of an application for membership or as an ongoing membership requirement, any level or version of network technology, such as a web browser or other technology, or any level or version of communications technology or protocols, such as email encryption, secure messaging, or file transfers, that members may use to connect to or communicate with FICC.[10] Therefore, FICC currently maintains multiple network and communications methods and protocols to interact with its members.[11] This includes some outdated communication technologies, retained in order to support members that continue to use such older technologies.[12] FICC believes that continuing to use such outdated technologies could render communications between FICC and some of its members vulnerable to cyber risks.[13] Additionally, members' use of outdated technology delays FICC's implementation of its own internal system upgrades, which in turn risks losing connectivity between FICC and a number of its members.[14] Finally, FICC states that it currently expends additional resources, both in personnel and equipment, to maintain outdated communications channels.[15]
To mitigate the foregoing security concerns and resource inefficiencies, FICC proposes to require its members to upgrade and maintain network technology, communication technology, and protocol standards, in accordance with applicable technology standards that FICC would identify and publish via Important Notice on its website from time to time.[16] FICC would base these requirements on standards set forth by widely accepted organizations such as the National Institute of Standards and Technology (“NIST”) and the Internet Engineering Task Force (“IETF”).[17]
To implement the proposed changes, FICC would revise its Rules to require members to maintain or upgrade their network technology, communications technology, or protocols on the systems that connect to FICC, to the version FICC requires, within the time period FICC requires.[18] Consistent with the guidance from NIST and other standards organizations, FICC would require the use of TLS 1.2, Secure FTP (“SFTP”), and other modern technology and communication standards and protocols, by its members for communication with FICC.[19] FICC would publish such requirements via Important Notice on its website.[20] FICC also proposes to amend its Rules to provide that failure to perform a necessary technology upgrade within the required timeframe would subject members to a monetary fine.[21]
III. Discussion and Commission Findings
Section 19(b)(2)(C) of the Act [22] directs the Commission to approve a proposed rule change of a self-regulatory organization if it finds that such proposed rule change is consistent with the requirements of the Act and the rules and regulations thereunder applicable to such organization. After careful consideration, the Commission finds that the Proposed Rule Change is consistent with the requirements of the Act and the rules and regulations applicable to FICC. In particular, the Commission finds that the Proposed Rule Change is consistent with Sections 17A(b)(3)(F) [23] and (b)(3)(G) [24] of the Act and Rules 17Ad-22(e)(17) [25] and (e)(21) [26] thereunder.
A. Consistency With Section 17A(b)(3)(F) of the Act
Section 17A(b)(3)(F) of the Act requires that the rules of a clearing agency be designed to, among other things, promote the prompt and accurate clearance and settlement of securities transactions and assure the safeguarding of securities and funds which are in the custody or control of the clearing agency or for which it is responsible.[27]
As described above, FICC proposes to require its members to upgrade and maintain network technology, and communication technology and protocol standards, that meet the standards identified by FICC and published via Important Notice on FICC's website from time to time. FICC would use standards set forth by widely accepted organizations such as NIST and the IETF as the requirements. The proposed requirements would enable FICC to avoid communicating with its members using outdated technologies that present security vulnerabilities to FICC. Specifically, as an initial matter, the proposed requirements would enable FICC to discontinue using communication technologies such as TLS 1.0, TLS 1.1, SSL 2.0, SSL 3.0, and FTP, which have been deemed not secure by organizations such as NIST and/or the IETF. Removing support for such outdated technologies would reduce FICC's potential exposure to cyberattacks and other cyber vulnerabilities.
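The protocol floor the order describes (TLS 1.2 required, TLS 1.3 permitted, SSL 2.0/3.0 and TLS 1.0/1.1 disabled, SFTP instead of plain FTP) is the kind of setting a member's connectivity team would verify on its own systems. The following is an added example, not FICC's or the Commission's code: it builds a Python `ssl.SSLContext` pinned to that floor and audits a context and a set of transfer URLs against it. The allowed-scheme set (which treats HTTPS as acceptable alongside SFTP), the `audit_*` function names, and the sample endpoint list are assumptions constructed for the example.

```python
"""Audit a member's connection settings against the protocol floor the order
cites: TLS 1.2 required (TLS 1.3 permitted), SSL 2.0/3.0 and TLS 1.0/1.1
disabled, and SFTP rather than plain FTP for file transfer.

Added example, not FICC's or the Commission's code. The allowed-scheme set,
the sample endpoint list and the report wording are constructed here."""
import ssl
from typing import Dict, List
from urllib.parse import urlparse

# Lowest protocol version NIST SP 800-52r2 permits (cited in the order).
REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2

# Versions the order lists as deprecated. SSL 2.0 has no ssl.TLSVersion member;
# current OpenSSL builds cannot negotiate it at all.
DEPRECATED: Dict[ssl.TLSVersion, str] = {
    ssl.TLSVersion.SSLv3: "SSL 3.0",
    ssl.TLSVersion.TLSv1: "TLS 1.0",
    ssl.TLSVersion.TLSv1_1: "TLS 1.1",
}

# File-transfer schemes this checker accepts (assumption: HTTPS is treated as
# acceptable alongside SFTP; the order itself names only SFTP).
ALLOWED_TRANSFER_SCHEMES = {"sftp", "https"}


def build_hardened_context(purpose: ssl.Purpose = ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Return an SSLContext that refuses anything below TLS 1.2.

    create_default_context() already turns on certificate verification and
    hostname checking; pinning minimum_version makes the floor explicit
    instead of relying on the interpreter's build-time default."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = REQUIRED_MIN_VERSION
    # maximum_version stays at MAXIMUM_SUPPORTED, so TLS 1.3 is negotiated
    # whenever both sides support it.
    return ctx


def audit_min_version(minimum_version: ssl.TLSVersion) -> List[str]:
    """Findings for a configured protocol floor; an empty list means compliant."""
    if minimum_version == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return ["protocol floor not pinned; the build default may still permit TLS 1.0/1.1"]
    if minimum_version in DEPRECATED:
        return [f"minimum version {DEPRECATED[minimum_version]} is deprecated; raise it to TLS 1.2"]
    return []


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Findings for a live SSLContext: protocol floor plus certificate checking."""
    findings = audit_min_version(ctx.minimum_version)
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate verification is not required")
    return findings


def audit_transfer_url(url: str) -> List[str]:
    """Flag transfer endpoints that use plain FTP or an unapproved scheme."""
    scheme = urlparse(url).scheme.lower()
    if scheme == "ftp":
        return [f"{url}: plain FTP sends the username, password and file data unencrypted; move to SFTP"]
    if scheme not in ALLOWED_TRANSFER_SCHEMES:
        return [f"{url}: scheme '{scheme}' is not an approved transfer protocol"]
    return []


if __name__ == "__main__":
    # Constructed sample: two member endpoints, one still on plain FTP.
    sample_urls = [
        "ftp://member-a.example.invalid/outbound",
        "sftp://member-b.example.invalid/outbound",
    ]
    for url in sample_urls:
        print(url, "->", audit_transfer_url(url) or ["compliant"])
    print("hardened context ->", audit_context(build_hardened_context()) or ["compliant"])
```

`audit_min_version` takes the raw `ssl.TLSVersion` value so a configuration can be checked without first constructing a weak context; `audit_context` reads the same value off a live context, which is what you would run against the context an application actually uses to reach a clearing agency's endpoints.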
If not adequately addressed, the risk of cyberattacks and other cyber vulnerabilities could affect FICC's network and, in turn, FICC's ability to clear and settle securities transactions, or to safeguard the securities and funds which are in FICC's custody or control, or for which it is responsible. FICC designed the proposed requirements for members to upgrade their communications technology to address those risks, as described above. Accordingly, the Commission finds the proposed technology requirements on FICC's members would promote the prompt and accurate clearance and settlement of securities transactions and assure the safeguarding of securities and funds which are in the custody or control of FICC or for which it is responsible, consistent with the requirements of Section 17A(b)(3)(F) of the Act.[28]
B. Consistency With Section 17A(b)(3)(G) of the Act
Section 17A(b)(3)(G) of the Act requires the rules of a clearing agency to provide that its participants shall be appropriately disciplined for violation of any provision of the rules of the clearing agency by fine or other fitting sanction.[29] As noted above, FICC proposes to require its members to upgrade and maintain network technology, communication technology, and protocol standards, in accordance with applicable technology standards that FICC would identify and publish via Important Notice on its website. The proposed requirements would enable FICC to avoid communicating with its members using outdated technologies that present security vulnerabilities to FICC. If not adequately addressed, such vulnerabilities could affect FICC's network and its ability to operate. FICC also proposes to amend its Rules to provide that failure to perform a necessary technology upgrade within the required timeframe would subject members to a monetary fine. Because the proposed monetary fine should incentivize FICC's members to upgrade and maintain secure communications technology, thereby reducing FICC's operational risks, the Commission finds the proposed rule change is consistent with the requirements of Section 17A(b)(3)(G) of the Act.[30]
C. Consistency With Rule 17Ad-22(e)(17) Under the Act
Rule 17Ad-22(e)(17)(i) under the Act requires that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency's operational risks by identifying the plausible sources of operational risk, both internal and external, and mitigating their impact through the use of appropriate systems, policies, procedures, and controls.[31] FICC's operational risks include cyber risks to its electronic systems.
As described above, FICC and its members connect electronically to communicate with one another. However, FICC's Rules currently do not require any level or version for network technology, such as a web browser or other technology, or any level or version of communications technology or protocols, such as email encryption, secure messaging, or file transfers, that members may use to connect to or communicate with FICC. As a result, FICC maintains some outdated communication technologies in order to support members that continue to use such older technologies. Continuing to use such outdated technologies could render communications between FICC and some of its members vulnerable to cyber risks.
To mitigate the foregoing cyber risks, FICC proposes to require its members to upgrade and maintain network technology, and communication technology and protocol standards that meet the standards identified by FICC from time to time. The proposed technology requirements should reduce FICC's cyber risk by requiring members to upgrade and maintain communications technology based on standards set forth by widely accepted organizations such as NIST and the IETF, thereby decreasing the operational risks presented to FICC. Because the proposed technology requirements would help FICC mitigate plausible sources of external operational risk, the Commission finds the proposed changes are consistent with the requirements of Rule 17Ad-22(e)(17)(i) under the Act.[32]
Rule 17Ad-22(e)(17)(ii) under the Act requires that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to manage the covered clearing agency's operational risks by ensuring, in part, that systems have a high degree of security, resiliency, and operational reliability.[33] As noted above, FICC's operational risks include cyber risks.
As described above, FICC's Rules currently do not require any level or version for network technology, such as a web browser or other technology, or any level or version of communications technology or protocols, such as email encryption, secure messaging, or file transfers, that members may use to connect to or communicate with FICC. FICC designed the proposed technology requirements to reduce cyber risks by requiring its members to upgrade and maintain communications technology based on standards set forth by widely accepted organizations such as NIST and the IETF. Requiring FICC's members to use only secure communications technology would reduce FICC's cyber risks and thereby strengthen the security, resiliency, and operational reliability of FICC's network and other systems. Because the proposed technology requirements would enhance FICC's ability to ensure that its systems have a high degree of security, resiliency, and operational reliability, the Commission finds the Proposed Rule Change is consistent with the requirements of Rule 17Ad-22(e)(17)(ii) under the Act.[34]
D. Consistency With Rule 17Ad-22(e)(21) Under the Act
Rule 17Ad-22(e)(21)(iv) under the Act requires that each covered clearing agency establish, implement, maintain and enforce written policies and procedures reasonably designed to have the covered clearing agency's management regularly review the efficiency and effectiveness of its use of technology and communication procedures.[35]
As mentioned above, FICC maintains multiple network and communication methods to interact with its members, including certain outdated communication technologies necessary to support members that continue to use such older technologies. FICC believes that continuing to use such outdated technologies could render communications between FICC and some of its members vulnerable to cyber risks. Additionally, members' use of outdated technology delays FICC's implementation of its own internal system upgrades, which in turn risks losing connectivity between FICC and a number of its members. Finally, FICC states that it currently expends unnecessary resources to maintain outdated communications channels. In other words, FICC has subjected its network communication methods to review for efficiency and effectiveness. As a result, to enhance the efficiency and effectiveness of its technology and communication procedures, FICC proposes to require its members to upgrade and maintain network technology, communication technology, and protocol standards, in accordance with applicable technology standards that FICC would identify and publish via Important Notice on its website. Because the Proposed Rule Change is an outgrowth of FICC's review of the efficiency and effectiveness of its technology and communication procedures, the Commission finds the Proposed Rule Change is consistent with the requirements of Rule 17Ad-22(e)(21)(iv) under the Act.[36]
IV. Conclusion
On the basis of the foregoing, the Commission finds that the Proposed Rule Change is consistent with the requirements of the Act and in particular with the requirements of Section 17A of the Act [37] and the rules and regulations promulgated thereunder.
It is therefore ordered, pursuant to Section 19(b)(2) of the Act [38] that Proposed Rule Change SR-FICC-2022-003, be, and hereby is, approved.[39]
For the Commission, by the Division of Trading and Markets, pursuant to delegated authority.[40]
J. Matthew DeLesDernier,
Assistant Secretary.
Footnotes
3. Securities Exchange Act Release No. 94972 (May 24, 2022), 87 FR 32489 (May 31, 2022) (SR-FICC-2022-003) (“Notice of Filing”).
4. FICC's Rules are available at https://www.dtcc.com/~/media/Files/Downloads/legal/rules/ficc_gov_rules.pdf; https://www.dtcc.com/~/media/Files/Downloads/legal/rules/ficc_mbsd_rules.pdf; https://www.dtcc.com/~/media/Files/Downloads/legal/rules/ficc_mbsd_epnrules.pdf.
5. See Financial Stability Oversight Council 2012 Annual Report, Appendix A (“FSOC 2012 Report”), available at http://www.treasury.gov/initiatives/fsoc/Documents/2012-20Annual-20Report.pdf.
6. Id.
7. Id.
8. 12 U.S.C. 5465(e)(1). See FSOC 2012 Report, supra note 5.
9. See FSOC 2012 Report, Appendix A, supra note 5.
10. Notice of Filing, supra note 3, at 32490.
11. Id.
12. Id.
13. Id.
14. Id.
15. Id.
16. Id., at 32490-91.
17. Id. NIST is part of the U.S. Department of Commerce. The IETF is an open standards organization that develops and promotes voluntary internet standards, in particular, the technical standards that comprise the internet protocol suite (TCP/IP). For example, NIST Special Publication 800-52 revision 2 specifies that servers that support government-only applications shall be configured to use Transport Layer Security (“TLS”) 1.2 and should be configured to use TLS 1.3 as well. See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf. (TLS, the successor of the now-deprecated Secure Sockets Layer (“SSL”), is a cryptographic protocol designed to provide communications security over a computer network.) These servers should not be configured to use TLS 1.1 and shall not use TLS 1.0, SSL 3.0, or SSL 2.0. Additionally, the IETF formally deprecated TLS versions 1.0 and 1.1 in March of 2021, stating that “[t]hese versions lack support for current and recommended cryptographic algorithms and mechanisms, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions. . . . Removing support for older versions from implementations reduces the attack surface, reduces opportunity for misconfiguration, and streamlines library and product maintenance.” See https://datatracker.ietf.org/doc/rfc8996/. FICC would also require members to discontinue using File Transfer Protocol (“FTP”), which FICC believes to be an insecure protocol because it transfers user authentication data (username and password) and file data as plain text (not encrypted) over the network. Notice of Filing, supra note 3, at 32490-91.
18. Notice of Filing, supra note 3, at 32490-91.
19. Id.
20. Id.
21. Notice of Filing, supra note 3, at 32490-91.
28. Id.
30. Id. Additionally, by including the monetary fine provision in its Rules, FICC would enable its members to better identify and evaluate the material costs they might incur by participating in FICC, consistent with Rule 17Ad-22(e)(23)(ii) under the Act, which requires a covered clearing agency to establish, implement, maintain, and enforce written policies and procedures reasonably designed to provide sufficient information to enable participants to identify and evaluate the risks, fees, and other material costs they incur by participating in the covered clearing agency. See 17 CFR 240.17Ad-22(e)(23)(ii).
32. Id.
34. Id.
36. Id.
39. In approving the Proposed Rule Change, the Commission considered the proposal's impact on efficiency, competition, and capital formation. 15 U.S.C. 78c(f).
[FR Doc. 2022-15004 Filed 7-13-22; 8:45 am]
BILLING CODE 8011-01-P
Document Information
- Published:
- 07/14/2022
- Department:
- Securities and Exchange Commission
- Entry Type:
- Notice
- Document Number:
- 2022-15004
- Pages:
- 42218-42221 (4 pages)
- Docket Numbers:
- Release No. 34-95233, File No. SR-FICC-2022-003
- PDF File:
- 2022-15004.pdf