Notice2021-23816
Self-Regulatory Organizations; The Options Clearing Corporation; Notice of Filing and Extension of Review Period of Advance Notice Relating to OCC's Adoption of Cloud Infrastructure for New Clearing, Risk Management, and Data Management Applications
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
November 2, 2021
Issuing agencies
Securities and Exchange Commission
Full Text
<html>
<head>
<title>Federal Register, Volume 86 Issue 209 (Tuesday, November 2, 2021)</title>
</head>
<body><pre>
[Federal Register Volume 86, Number 209 (Tuesday, November 2, 2021)]
[Notices]
[Pages 60503-60516]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2021-23816]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-93433; File No. SR-OCC-2021-802]
Self-Regulatory Organizations; The Options Clearing Corporation;
Notice of Filing and Extension of Review Period of Advance Notice
Relating to OCC's Adoption of Cloud Infrastructure for New Clearing,
Risk Management, and Data Management Applications
October 27, 2021.
Pursuant to Section 806(e)(1) of Title VIII of the Dodd-Frank Wall
Street Reform and Consumer Protection Act, entitled Payment, Clearing
and
[[Page 60504]]
Settlement Supervision Act of 2010 (``Clearing Supervision Act'') \1\
and Rule 19b-4(n)(1)(i) \2\ under the Securities Exchange Act of 1934
(``Exchange Act'' or ``Act''),\3\ notice is hereby given that on
October 8, 2021, the Options Clearing Corporation (``OCC'') filed with
the Securities and Exchange Commission (``SEC'' or ``Commission'') an
advance notice as described in Items I, II and III below, which Items
have been prepared primarily by OCC. The Commission is publishing this
notice to solicit comments on the advance notice from interested
persons and to extend the review period of the advance notice.
---------------------------------------------------------------------------
\1\ 12 U.S.C. 5465(e)(1).
\2\ 17 CFR 240.19b-4(n)(1)(i).
\3\ 15 U.S.C. 78a et seq.
---------------------------------------------------------------------------
I. Clearing Agency's Statement of the Terms of Substance of the Advance
Notice
This advance notice is submitted in connection with a proposed
adoption of Cloud infrastructure for OCC's new clearing, risk
management, and data management applications with an on-demand network
of configurable information technology resources running on virtual
infrastructure hosted by a third party. The proposed changes are
described in detail in Item II below. All terms with initial
capitalization not defined herein have the same meaning as set forth in
OCC's By-Laws and Rules.\4\
---------------------------------------------------------------------------
\4\ OCC's By-Laws and Rules can be found on OCC's public
website: <a href="https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules">https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules</a>.
---------------------------------------------------------------------------
II. Clearing Agency's Statement of the Purpose of, and Statutory Basis
for, the Advance Notice
In its filing with the Commission, OCC included statements
concerning the purpose of and basis for the advance notice and
discussed any comments it received on the advance notice. The text of
these statements may be examined at the places specified in Item IV
below. OCC has prepared summaries, set forth in sections A and B below,
of the most significant aspects of these statements.
(A) Clearing Agency's Statement on Comments on the Advance Notice
Received From Members, Participants or Others
Written comments were not and are not intended to be solicited with
respect to the advance notice and none have been received. OCC will
notify the Commission of any written comments received by OCC.
(B) Advance Notices Filed Pursuant to Section 806(e) of the Payment,
Clearing, and Settlement Supervision Act
Description of the Proposed Change
OCC is proposing to adopt an on-demand network of configurable
information technology resources running on infrastructure (``Cloud''
or ``Cloud Infrastructure'') hosted by a third party (``Cloud Service
Provider'' or ``CSP'') to support OCC's new core clearing, risk
management, and data management applications. OCC will provision
logically isolated sections of the Cloud Infrastructure that will
provide it with the virtual equivalent of physical data center
resources (``Virtual Private Cloud''),\5\ including scalable resources
that: (i) Handle various computationally intensive applications with
load-balancing and resource management (``Compute''); (ii) provide
configurable storage (``Storage''); and (iii) host network resources
and services (``Network''). Additionally, OCC will maintain an on-
premises data center to enable OCC to support core clearing, risk
management, and data management applications in the event of a multi-
region outage of Compute, Storage, and Network services impacting OCC
operations at the CSP.
---------------------------------------------------------------------------
\5\ The Virtual Private Cloud is the virtual equivalent of a
traditional data center, albeit with the scalability benefits of the
CSP's infrastructure. The Virtual Private Cloud will provide OCC
with a dedicated and secure space within the Cloud for OCC to
operate.
---------------------------------------------------------------------------
Background
ENCORE, consisting of OCC's core clearing, risk management, and
data management applications running in traditional data centers, was
launched in 2000 and has operated as OCC's real-time processing engine
receiving trade and post-trade data from a variety of sources on a
transaction-by-transaction basis, maintaining clearing member
positions, calculating margin and clearing fund requirements, and
providing reporting to OCC staff, regulators, and clearing members. Two
geographically diverse on-premises data centers located in Illinois and
Texas house the Compute, Storage, and Network resources required to run
all of these applications.\6\
---------------------------------------------------------------------------
\6\ OCC is not proposing changes to these services in connection
with this Advance Notice. As appropriate, OCC will file proposals
related to processing enhancements contemplated by the new core
clearing, risk management, and data management applications
separately. See, e.g., Securities Exchange Act Release No. 88654
(Apr. 15, 2020), 85 FR 22197, 98 n.7 (Apr. 21, 2020) (File No. SR-
OCC-2020-004) (stating that a proposed rule change was designed to
help facilitate the ability to run OCC's current clearing system,
known as ENCORE, in parallel with a new clearing system on which OCC
is working).
---------------------------------------------------------------------------
As the platform running OCC's core applications for approximately
twenty years, ENCORE has accommodated growth in average daily
transaction volumes \7\ and OCC has managed periods of extreme market
volatility and stress, including during the 2007-2008 financial crisis
and the COVID-19 global pandemic of 2020-21, without incident.
Nevertheless, as ENCORE was designed to operate in traditional on-
premises data centers that require the acquisition and installation of
additional hardware and systems software to accommodate scaled
resources or new applications, the resiliency and scalability of the
current infrastructure is less flexible than that offered by Cloud
Infrastructure. OCC's objective is the retirement of ENCORE and its
replacement with a resilient solution that meets market participants'
needs and the regulatory expectations of a systemically important
financial market utility (``SIFMU''). Given advances in Cloud
technology and information security since 2000, OCC's proposed adoption
of Cloud Infrastructure will offer more resiliency, security, and
scalability.
---------------------------------------------------------------------------
\7\ As of September 30, 2021, approximately 38,846,212 contracts
per day were processed through the clearing and risk applications on
ENCORE, an increase of over 34.6% of daily contract volume for the
same date of the prior year, which itself represented approximately
a 50% increase of daily contract volume from the prior year.
---------------------------------------------------------------------------
Proposed Changes
Proposed Cloud Infrastructure. Cloud implementation will enable OCC
to leverage the Compute, Storage, and Network capabilities of a CSP,
supplemented with compatible third-party vendor solutions, to maintain
a modular architecture with delineated domains that will result in (i)
improved resiliency, (ii) enhanced security, and (iii) increased
scalability for OCC's new core clearing, risk management, and data
management applications.\8\ Additionally, OCC will maintain an on-
premises data center to support core clearing, risk management, and
data management services in the event of a multi-region outage at the
CSP that impacts OCC operations.
---------------------------------------------------------------------------
\8\ OCC has separately submitted a request for confidential
treatment to the Commission regarding a diagram that depicts the
future state architecture following conclusion of the proposed Cloud
Implementation, which OCC has provided in confidential Exhibit 3a to
File No. SR-OCC-2021-802.
---------------------------------------------------------------------------
i. Improved Resiliency
As a SIFMU, OCC must ensure core applications on the Cloud
Infrastructure have resiliency and recovery capabilities commensurate
with OCC's
[[Page 60505]]
importance to the functioning of the US financial markets.\9\ As
explained in more detail below, OCC believes the Cloud Implementation
will enhance the resiliency of OCC's core clearing, risk management,
and data management applications by virtue of OCC's architectural
design decisions and the Cloud's built-in redundancy, guarantee of
persistent availability, and disciplined approach to deployment of
Cloud Infrastructure. In particular, the Cloud Implementation will
enhance OCC's ability to withstand and recover from adverse conditions
by provisioning redundant Compute, Storage, and Network resources in
three zones in each of two autonomous and geographically diverse
regions. This will afford OCC six levels of redundancy in the Cloud
with a primary and secondary Virtual Private Cloud running in a hot/
warm configuration. The hot Virtual Private Cloud will be operational
and accepting traffic, while the warm Virtual Private Cloud will
simultaneously receive the same incoming data and receive replicated
data from the hot Virtual Private Cloud with applications on stand-by.
This solution significantly reduces operational complexity, mitigates
the risk of human error, and provides resiliency and assured capacity.
Finally, the on-premises data center will operate as a separate,
logically isolated backup to the six levels of redundancy provided for
in the Cloud--a backup to backups. The on-premises data center will
also simultaneously receive incoming data and the replicated data from
the CSP hosted Virtual Private Clouds. The on-premises data center is
intended to be used only in the unlikely and extraordinary event that
OCC completely loses access to the CSP.
---------------------------------------------------------------------------
\9\ In this context, ``resiliency'' is the ``ability to
anticipate, withstand, recover from, and adapt to adverse
conditions, stresses, attacks, or compromises on systems that
include cyber resources.'' Systems Security Engineering: Cyber
Resiliency Considerations for Engineering of Trustworthy Secure
Systems, Spec. Publ. NIST SP No. 800-160, vol. 2 (2018).
---------------------------------------------------------------------------
ii. Enhanced Security
The physical and cyber security standards that OCC has designed to
align with the National Institute of Standards and Technology
(``NIST''), Cyber Security Framework (``CSF''), and Center for Internet
Security (``CIS'') benchmarks will not change in the Cloud
Infrastructure. OCC will add meaningful security capabilities and
measures provided by the CSP and selected third-party tools to enhance
the security of OCC's core clearing, risk management, and data
management applications.\10\ Given the scope of their service, CSPs
leverage economies of scale and offer infrastructure and services with
specialized configuration, monitoring, prevention, detection, and
response tools.\11\ Furthermore, unique Cloud-specific capabilities,
such as services for provisioning credentials and end-to-end
configuration change management and scanning, will provide OCC enhanced
levels of protection not available in traditional on-premises
solutions. Finally, the on-premises data center will be physically
isolated from other on-premises networks, such as the development
network, with consistent controls and equivalent security tools to that
of the Virtual Private Clouds. Specific security-based risks are
examined in more detail below.
---------------------------------------------------------------------------
\10\ Examples of enhanced cloud security capabilities include
automated infrastructure deployment that is monitored for change,
creating a standardized baseline; default separation between SCI and
non-SCI operating domains; and automated and ubiquitous encryption.
OCC has separately submitted a request for confidential
treatment to the Commission regarding the Future State: CSP and On-
Premises Security Architecture, which OCC has provided in
confidential Exhibit 3b to File No. SR-OCC-2021-802.
\11\ For example, CSPs generally build infrastructure capable of
withstanding Distributed Denial of Service (``DDoS'') attacks to far
greater magnitudes than any one company can. In February 2020, one
CSP stated that its infrastructure was targeted by and withstood a
sustained DDoS attack of up to 2.3 terabytes per second.
---------------------------------------------------------------------------
iii. Increased Scalability
The Cloud Implementation will allow for more scalability of
Compute, Network, and Storage resources that support OCC's core
clearing, risk management, and data management applications.\12\ With a
Cloud Infrastructure, OCC can quickly provision or de-provision
Compute, Storage, or Network resources to meet demands, including
elevated trade volumes, and provide more flexibility to model and
create development and test environments for back testing and stress
testing, as well as other systems development needs. For example, the
CSP can support elastic workloads and scale dynamically without the
need for OCC to procure, test, and install additional servers or other
hardware. This means that OCC may increase Compute capacity in one or
both regions where it operates via manual or automated processes for
core clearing, risk management, and data management applications. The
rapid deployment of Compute capacity will allow OCC to obtain access to
resources far more quickly than with existing physical data centers.
The efficiency gains from the increased scalability of the Cloud
Infrastructure will allow OCC to run certain back testing processes at
a fraction of the time currently required. These and additional
efficiency gains are discussed in more detail below.
---------------------------------------------------------------------------
\12\ OCC will continue to follow existing policies and
procedures regarding capacity planning and change management. OCC
periodically performs capacity and availability planning analyses
that result in capacity baselines and forecasts, as an input to
technology delivery and strategic planning to ensure cost-
justifiable support of operational business needs. These analyses
are based on the collection of performance data, trending,
scenarios, and periodic high-volume capacity stress tests and
include storage capacity for log and record retention. Results are
reported to technology and security leadership as input to
performance management and investment planning.
---------------------------------------------------------------------------
Implementation Timeframe
OCC expects to launch the new core clearing, risk management, and
data management applications into production no earlier than April 1,
2024. The proposed timeline to launch includes several milestones, such
as connectivity testing in the first quarter of 2023, external testing
in the second quarter of 2023, and certification of readiness from
clearing members and exchanges in the first quarter of 2024. OCC will
communicate frequently with stakeholders during this timeframe and will
confirm the production implementation date of the proposed launch by
Information Memorandum posted to its public website at least eight
weeks prior to implementation.\13\
---------------------------------------------------------------------------
\13\ See, ``Timeline to Launch,'' available at: <a href="https://www.theocc.com/Participant-Resources">https://www.theocc.com/Participant-Resources</a>.
---------------------------------------------------------------------------
Anticipated Effect on and Management of Risk
Federal Financial Institutions Examination Council Cloud Computing
Guidance
On April 30, 2020, the Federal Financial Institutions Examination
Council (``FFIEC'') \14\ issued a joint statement to address the use of
Cloud computing services and security risk management principles in the
financial services sector (``FFIEC Guidance'').\15\ While the FFIEC
Guidance does not contain regulatory obligations, it highlights risk
management practices that financial institutions should adopt for the
safe and sound use of Cloud computing services in five broad areas
[[Page 60506]]
(``FFIEC Risk Management Categories''). As discussed in the next
section, the OCC is implementing practices for its proposed Cloud
deployment consistent with this guidance.
---------------------------------------------------------------------------
\14\ The Council is a formal interagency body empowered to
prescribe uniform principles, standards, and report forms for the
federal examination of financial institutions by the Board of
Governors of the Federal Reserve System, the Federal Deposit
Insurance Corporation, the National Credit Union Administration, the
Office of the Comptroller of the Currency, and the Consumer
Financial Protection Bureau, and to make recommendations to promote
uniformity in the supervision of financial institutions.
\15\ Available at: <a href="https://www.ffiec.gov/press/pr043020.htm">https://www.ffiec.gov/press/pr043020.htm</a>.
---------------------------------------------------------------------------
<bullet> Governance: Strategies for using Cloud computing services
as part of the financial institution's information technology strategic
plan and architecture.
<bullet> Cloud Security Management: (i) Appropriate due diligence
and ongoing oversight and monitoring of CSP's security; (ii)
contractual responsibilities, capabilities, and restrictions for the
financial institution and CSP; (iii) inventory process for systems and
information assets residing in the Cloud; (iv) security configuration,
provisioning, logging, and monitoring; (v) identity and access
management (``IAM'') and network controls; (vi) security controls for
sensitive data; and (vii) information security awareness and training
programs.
<bullet> Change Management: (i) Change management and software
development lifecycle processes and (ii) security and reliability of
microservice \16\ architecture.
---------------------------------------------------------------------------
\16\ OCC's use of microservices include specialized third-party
applications and a set of containers that work together to compose
an application. A container 'holds' both an application and all the
elements the application needs to run properly, including system
libraries, system settings, and other dependencies. See Application
Container Security Guide, NIST SP 800-190.
---------------------------------------------------------------------------
<bullet> Resiliency and Recovery: (i) Business resiliency and
recovery capabilities and (ii) incident response capabilities.
<bullet> Audit and Controls Assessment: (i) Regular testing of
financial institution controls for critical systems; (ii) oversight and
monitoring of CSP-managed controls; and (iii) oversight and monitoring
of controls unique to Cloud computing services, including those related
to (a) management of the virtual infrastructure; (b) use of containers
in the Cloud Infrastructure; (c) use of managed security services for
the Cloud Infrastructure; (d) consideration of interoperability and
portability of data and services; and (e) data destruction or
sanitization.
Governance
OCC's ongoing Cloud Implementation is a natural progression of its
information technology strategy and aligns seamlessly with its overall
corporate strategy. OCC's information technology strategy fully
supports OCC's corporate strategy to: (i) Reinforce OCC's foundational
capabilities and deliver effective and efficient services; (ii) deliver
product and service enhancements that enable growth in OCC's core
capabilities and provide capital efficiencies to market participants;
and (iii) demonstrate thought leadership in the delivery of innovative
solutions that provide long-term value and efficiencies for OCC and its
stakeholders. The corporate strategy is fortified by six guiding
principles: (i) Operating solutions that deliver reliability,
predictability, and integrity; (ii) designing efficiency into OCC
processes through automation and near-frictionless capabilities; (iii)
providing outcome-focused solutions; (iv) prioritizing collaboration
and accountability within the information technology team; (v) ensuring
protection for OCC, its clearing members, and the broader financial
market; and (vi) incorporating a ``continuous learning'' mindset.
As a SIFMU and the only provider of clearance and settlement
services for listed options in the US, it is vital that OCC's critical
services remain continuously available with sufficient security
measures in place to detect and defend against possible security
threats. The Cloud Implementation will present OCC with an agile
operating environment that can scale throughput to match workloads
nearly instantaneously and that will enable OCC to build a ``secure by
design'' pervasive security methodology that incorporates the NIST
Cybersecurity Framework's functions, categories, and subcategories as a
roadmap for Cloud security. Movement to an agile, Cloud-based operating
environment further reinforces OCC's commitment to building in a
comprehensive and adaptable risk-based security methodology instead of
a traditional perimeter-centric model.
OCC's Cloud Implementation does not alter OCC's responsibility to
maintain compliance with applicable regulations. Consistent with FFIEC
Guidance, OCC's plan for Cloud Implementation supports OCC's ability to
comply with the SEC's Regulation Systems, Compliance, and Integrity
(``Reg SCI'') \17\ and the CFTC's Systems Safeguards.\18\ Reg SCI
imposes certain information security and incident reporting standards
on OCC and requires OCC to adopt an information technology governance
framework reasonably designed to ensure that ``SCI systems,'' and for
purpose of security, ``indirect SCI systems,'' have adequate levels of
capacity, integrity, resiliency, availability, and security.\19\ As the
``SCI Entity,'' OCC remains solely responsible for meeting all
Regulation SCI obligations.\20\ Similarly, Systems Safeguards requires
OCC to have cybersecurity programs with risk analysis and oversight
that ensure automated systems are secure, reasonably reliable, and have
adequate scalable capacity. Within its agreement with the CSP (``Cloud
Agreement''), OCC has established obligations on the CSP to provide
support for OCC's compliance with all applicable regulations.\21\
---------------------------------------------------------------------------
\17\ 17 CFR 242.1000 et seq.
\18\ 17 CFR 39.18 et seq.
\19\ See 17 CFR 242.1001(a). SCI Systems are ``all computer,
network, electronic, technical, automated, or similar systems of, or
operated by or on behalf of, an SCI entity that, with respect to
securities, directly support trading, clearance and settlement,
order routing, market data, market regulation, or market
surveillance.'' Indirect SCI Systems are ``systems of, or operated
by or on behalf of, an SCI entity that, if breached, would be
reasonably likely to pose a security threat to SCI systems.''
\20\ References herein to ``Shared Responsibility'' conveys the
responsibility of OCC and the CSP vis-[agrave]-vis each other from a
business operations perspective and it not intended to suggest the
CSP has taken on, or that OCC has relinquished, any of OCC's Reg SCI
compliance requirements.
\21\ OCC has separately submitted a request for confidential
treatment to the Commission regarding the Cloud Agreement. OCC has
provided these documents in confidential Exhibit 3c to File No. SR-
OCC-2021-802, confidential Exhibit 3d to File No. SR-OCC-2021-802,
confidential Exhibit 3e to File No. SR-OCC-2021-802, and
confidential Exhibit 3f to File No. SR-OCC-2021-802. Among other
things, the Cloud Agreement sets forth the CSP's responsibility to
maintain the hardware, software, networking, and facilities that run
the Cloud services. See also the separately submitted Table of Reg
SCI Provisions, confidential Exhibit 3g to File No. SR-OCC-2021-802
that provides a summary of the terms and conditions of the Cloud
Agreement that OCC believes enables OCC to comply with Reg SCI.
---------------------------------------------------------------------------
OCC believes the combination of the following provides OCC
reasonable assurance that the proposed Cloud Implementation would
enable OCC to continue to fully satisfy its Regulation SCI obligations:
(i) The Cloud Agreement; (ii) CSP's compliance programs as described in
its Whitepapers \22\ and publicly available policies (e.g., its
Penetration Testing Policy), user guides, and other documents; (iii)
CSP's Service Level Agreements; (iv) CSP's Systems Organization
Controls reports (e.g., SOC 1, SOC 2, SOC 3) and ISO certifications
(e.g., ISO 27001); (v) CSP's size, scale, and ability to deploy
extensive resources to protect and secure its
[[Page 60507]]
facilities and services; \23\ and (vi) CSP's commercial incentive to
perform.
---------------------------------------------------------------------------
\22\ OCC has separately submitted requests for confidential
treatment to the Commission regarding two examples of CSP
Whitepapers, which OCC has provided in confidential Exhibit 3h to
File No. SR-OCC-2021-802 and confidential Exhibit 3i to File No. SR-
OCC-2021-802.
\23\ The OCC has contracted to work with a top-tier CSP that
provides Cloud hosting services to Fortune 500 companies and the
U.S. Government, amongst many others.
---------------------------------------------------------------------------
OCC and the CSP rely on the shared responsibility model, which
differentiates between the security ``of'' the Cloud and security
``in'' the Cloud.\24\ The CSP maintains sole responsibility and control
over the security ``of'' the Cloud, and their customers are responsible
for the security ``in'' the Cloud; i.e., security of hosted
applications and data. Thus, OCC remains responsible for managing and
maintaining the operating system and all applications, including
security and patching, running in the Cloud. There is no primary/
secondary relationship as each partner has a specific set of
responsibilities which, when combined, address the entire risk space.
---------------------------------------------------------------------------
\24\ References herein to ``Shared Responsibility'' conveys the
responsibility of OCC and the CSP vis-[agrave]-vis each other from a
business operations perspective and it not intended to suggest the
CSP has taken on, or that OCC has relinquished, any of OCC's Reg SCI
compliance requirements. See supra, footnote 20.
OCC has separately submitted a request for confidential
treatment to the Commission regarding a diagram that provides a
summary of the ``shared responsibility'' model between OCC and the
CSP, which OCC has provided in confidential Exhibit 3j to File No.
SR-OCC-2021-802.
---------------------------------------------------------------------------
The CSP performs its own risk and vulnerability assessments of the
CSP infrastructure on which OCC will run its core clearing, risk
management, and data management applications. In published
documentation and in meetings conducted with members of CSP's staff,
the CSP asserts that it maintains an industry-leading automated test
system, with strong executive oversight, and conducts full-scope
assessments of its hardware, infrastructure, internal threats, and
application software. The CSP asserts that it has an aggressive program
for conducting internal adversarial assessments (Red Team) designed not
only to evaluate system security but also the processes used to monitor
and defend its infrastructure. The CSP also uses external, third-party
assessments as a cross-check against its own results and to ensure that
testing is conducted in an independent fashion. Per the CSP's
documentation, results of these processes are reviewed weekly by the
CSP CISO and the CEO with senior CSP leaders to discuss security and
action plans.\25\
---------------------------------------------------------------------------
\25\ The CSP does not provide assessment results to its
customers, as doing so would constitute a breach of generally
accepted security best practices. Instead, the CSP provides its
customers with industry-standard reports--such as SOC2 Type II--
prepared by an independent third-party auditor to provide relevant
contextual information to its customers. The CSP also conducts
periodic audit meetings specifically designed to discuss security
concerns with its customers discussed later during the ``CSP Audit
Symposium.''
---------------------------------------------------------------------------
OCC has the responsibility to perform risk assessments and
technical security testing, including control validation, penetration
testing, and adversarial testing, of OCC applications running on the
CSP. This includes testing of the application interface layer of some
CSP provided services such as storage and key management. OCC's
security testing model will remain as it is for the on-premises
operations: The Security Engineering team will define security control
requirements and validate their correct implementation on OCC systems
and deployed core clearing, risk management, and data management
applications; automated tools will be used to scan OCC application code
and open source for security defects during the development process;
and automated vulnerability management tools will conduct periodic
scans of deployed software and devices to ensure that security patches
and fixes are correctly implemented within required timelines.
As mentioned, OCC's testing includes assessing the configuration of
CSP provided services: Security Services will work with Information
Technology staff to ensure that CSP tools are configured to
appropriately manage and mitigate potential sources of risk and will
assess the effectiveness of those configurations. The OCC Red Team will
operate freely ``in the Cloud,'' attempting to subvert or circumvent
controls; their testing will include probing of CSP provided services
to look for weaknesses in OCC's deployment of those tools.
Security Services will routinely report test results to Enterprise
Risk Management, appropriate functional Operations and Information
Technology management, senior management, and the Board of Directors.
Automated vulnerability scanning reports, source code analysis, and
results of specific assessments will be risk-rated and assigned a
priority for remediation in accordance with OCC policy.
Management and oversight of the Cloud Implementation follows
standard governing principles for large information technology
projects. OCC's Board of Directors has established a Technology
Committee to assist the Board of Directors in overseeing OCC's
information technology strategy and other company-wide operational
capabilities. The Risk and Technology Committees are responsible for
different aspects of the oversight of the Cloud Implementation.
Information Technology and Security Services, in collaboration with
Enterprise Risk Management, are responsible for the identification,
management, monitoring, and reporting on the risks associated with the
Cloud Implementation. To that end, management presents the Technology
Committee (with copies to the Risk Committee and the Board of
Directors) with reports on the status and progress of the Cloud
Implementation on at least a quarterly basis. This report includes an
overall risk and issue summary and an analysis of key risk indicators
for the Cloud Implementation.\26\ Finally, OCC's Internal Audit
Department is responsible for auditing security controls and
configurations, including those related to the Cloud, prior to OCC's
planned Cloud Implementation. Starting in 2021 and going forward, the
Internal Audit Annual Plan is designed to assess important elements of
the new core clearing, risk management, and data management application
roll-out. For example, the 2021 Audit Plan includes an audit on the
Cloud Implementation. These audits will help assess OCC's readiness for
the Cloud Implementation as discussed below, in ``Audit and Controls
Assessment.''
---------------------------------------------------------------------------
\26\ OCC has separately submitted a request for confidential
treatment to the Commission regarding an example of this Cloud
Implementation risk report, which OCC has provided in confidential
Exhibit 3k to File No. SR-OCC-2021-802.
OCC has also submitted a request for confidential treatment to
the Commission regarding Risk Appetite Statements and Risk
Tolerances for Cloud Services, which OCC has provided in
confidential Exhibit 3l to File No. SR-OCC-2021-802.
---------------------------------------------------------------------------
Cloud Security Management
OCC has established a robust Cloud security program to both: (i)
Manage the security of the core clearing, risk management, and data
management applications that will be running on the Cloud
Infrastructure hosted by the CSP, and (ii) assess and monitor the CSP
management of security of the Cloud Infrastructure that it operates.
The security program is designed to encompass all OCC assets existing
in OCC offices, data centers, and within the CSP's Cloud
Infrastructure. The security program is built upon enterprise security
standards that establish requirements that apply to any technology
system as well as any tool that provides technology services. The
following paragraphs in this section describe elements of OCC's Cloud
security management in the areas of: (i) Network and IAM controls
(e.g., determining who is accessing the systems, granting access to the
[[Page 60508]]
applications, and then controlling what information they can access);
(ii) security governance and controls for sensitive data; (iii)
security configuration, provisioning, logging, and monitoring; and (iv)
security testing.
i. Network and IAM Controls
OCC recognizes that robust network security configuration and IAM
will provide reasonable assurance that users--including OCC employees,
market participants, and service accounts for systems \27\--are granted
least-privileged access \28\ to the network, applications, and data.
OCC will use third-party tools to automate appropriate role-based
access to the core clearing, risk management, and data management
applications running in the Cloud. By enforcing strict separation of
duties and least-privileged access for infrastructure, applications,
and data, OCC will protect the confidentiality, availability, and
integrity of the data.
---------------------------------------------------------------------------
\27\ Service accounts are non-interactive accounts that permit
application access to support activities such as monitoring,
logging, or backup.
\28\ Least-privileged access means users will have only the
permissioning needed to perform their work, and no more.
---------------------------------------------------------------------------
The maintenance of an on-premises backup data center necessitates
additional network controls. The on-premises data center will be
physically separate from networks supporting routine business
functions, which will make the overall protection of the environment
easier simply by eliminating connectivity other than for critical
operations. OCC will explicitly provision all connectivity and will
manage and mitigate risks through use of jump hosts that are heavily
monitored (e.g., data feeds in and out, provisioned mechanisms for the
delivery of the software, and a minimum management interface that
requires multi-factor authentication for access). This connection
model, coupled with limited access via dedicated private circuits,
eliminates the most common threat exposures such as internet
connectivity and email. The default physical separation defined in the
on-premises backup architecture will be overlaid with industry standard
monitoring and blocking tools to ensure that lateral movement between
SCI and non-SCI environments is controlled in accordance with the risk.
OCC has established IAM requirements that build upon the least-
privileged model. As part of the IAM program, all users must be
assigned an appropriate enterprise identification. Users will be
granted access to systems via a standardized and auditable approval
process. The user identifications and granted access will be managed
through their full lifecycle from a centralized IAM system maintained
and administered by OCC. Role-, attribute-, and context-based access
controls will be used as defined by internal standards consistent with
industry recommended practices to promote the principles of least-
privileged access and separation of duties.
OCC will use and manage third party tools not otherwise provided by
nor managed by the CSP for single sign-on and least-privileged access.
The network will also include hardware and software to limit and
monitor ingress and egress traffic, encrypt data in transmission, and
isolate traffic between OCC and the Virtual Private Cloud. Since OCC
will continue to provide cryptographic services, including key
management, the CSP and other network service providers will not be
able to decrypt OCC data either at rest or while in transit.
ii. Security Governance and Controls for Sensitive Data
OCC's data governance framework that applies to the Cloud
Implementation is identified within the OCC Enterprise Security
Standards.\29\ The Enterprise Security Standards address data moving
between systems within the Cloud as well as data transiting and
traversing both trusted and untrusted networks. For example, the
Enterprise Security Standards require a system or Software as a
Solution to: (i) Store data and information, including all copies of
data and information in the system, in the United States throughout its
lifecycle; (ii) be able to retrieve and access the data and information
throughout its lifecycle; (iii) for data in the system hosted in the
Cloud, encrypt such data with key pairs kept and owned by OCC; (iv)
comply with United States federal and applicable state data regulations
regarding data location; and (v) enable secure disposition of non-
records in accordance with OCC's Information Governance Policy.\30\
---------------------------------------------------------------------------
\29\ OCC has separately submitted a request for confidential
treatment to the Commission regarding the Enterprise Security
Standards, which OCC has provided in confidential Exhibit 3m to File
No. SR-OCC-2021-802. OCC security controls and standards are
created, published, and managed in accordance with applicable OCC
policies.
\30\ OCC has separately submitted a request for confidential
treatment to the Commission regarding the Information Governance
Policy, which OCC has provided as confidential Exhibit 3n to File
No. SR-OCC-2021-802.
---------------------------------------------------------------------------
Furthermore, OCC policies establish the overall data governance
framework applied to the management, use, and governance of OCC
information to include digital instantiations, storage media, or
whether the information is located, processed, stored, or transmitted
on OCC's information systems and networks, public, private, or hybrid
Cloud infrastructures, third-party data centers and data repositories,
or Software-as-a-Service (SaaS) applications.\31\ The Information
Classification and Handling Policy classifies OCC's information into
three categories. System owners of technology that enable
classification and/or labeling of information are responsible for
ensuring the correct classification level is designated in the system
of record and the applicable controls are enforced. All information
requiring disposal is required to be disposed of securely in accordance
with all applicable procedures. Sensitive data must be handled in a
manner consistent with requirements in the Information Classification
and Handling Policy.
---------------------------------------------------------------------------
\31\ OCC has separately submitted a request for confidential
treatment to the Commission regarding the Information Classification
and Handling Policy, which OCC has provided in confidential Exhibit
3o to File No. SR-OCC-2021-802.
---------------------------------------------------------------------------
OCC will implement key components of a ``zero trust'' control
environment, namely ubiquitous authentication and encryption via use of
an automated public key infrastructure, coupled with responsive, highly
available authentication, authorization tools, and key management
strategies to ensure appropriate industry standard security controls
are in place for sensitive data both in transit and at rest. External
connectivity to OCC systems hosted by the CSP will be provided as it is
now, through dedicated private circuits or over encrypted tunnels
through the internet. These network links will also have additional
security controls, including encryption during transmission and
restrictions on network access to and from the Virtual Private Cloud.
Additionally, OCC will use dedicated redundant private network
connections between OCC data centers and the CSP infrastructure. OCC
currently maintains two data centers and will do so in the future to
provide redundant, geographically diverse connectivity for market
participants. All network communications between OCC and the Cloud
Infrastructure will rely on industry standard encryption for traffic
while in transit. Data at rest will be safeguarded through pervasive
encryption. OCC's Encryption Standards describe requirements for
implementation of the minimum required strengths, encryption at rest,
[[Page 60509]]
and cryptographic algorithms approved for use in cryptographic
technology deployments across OCC.\32\ All OCC identifying data is
encrypted in transit using industry standard methods. The Key
Management Service (``KMS'') Strategy dictates that all CSP endpoints
support HTTPS for encrypting data in transit.\33\ OCC also secures
connections to the endpoint service by using virtual private computer
endpoints and ensures client applications are properly configured to
ensure encapsulation between minimum and maximum Transport Layer
Security (TLS) versions per OCC encryption standard. OCC will have
exclusive control over the key management system; only OCC authorized
users will be able to access that data. CSP systems and staff will not
have access to the OCC certificate management and/or key management
system.\34\ OCC is responsible for the application architecture,
software, configuration and use of the CSP services, and for the
maintenance of the environment, including ongoing monitoring of the
application environment to achieve the appropriate security posture. To
do this, OCC follows: (i) Existing security design and controls; (ii)
Cloud-specific information security controls defined in ``Enterprise
Security Controls;'' and (iii) regulatory compliance requirements
detailed in sources or information technology practices that are widely
available and issued by an authoritative body that is a U.S.
governmental entity or agency including NIST-CSF, COBIT, and the FFIEC
Guidelines.
---------------------------------------------------------------------------
\32\ OCC has separately submitted a request for confidential
treatment to the Commission regarding the Encryption Standards,
which OCC has provided in confidential Exhibit 3p to File No. SR-
OCC-2021-802.
\33\ OCC has separately submitted a request for confidential
treatment to the Commission regarding OCC Key Management Service
(KMS) Strategy, which OCC has provided in confidential Exhibit 3q to
File No. SR-OCC-2021-802.
\34\ Certificate management is the process of creating,
monitoring, and handling digital keys (certificates) to encrypt
communications.
---------------------------------------------------------------------------
OCC uses third-party tools for CSP security compliance monitoring,
security scanning, and reporting. Alerts and all API-level actions are
gathered using both CSP provided and third-party monitoring tools. The
CSP provided monitoring tool is enabled by default at the organization
level to monitor all CSP services activity. Centralized logging
provides near real-time analysis of events and contains information
about all aspects of user and role management, detection of
unauthorized, security relevant configuration changes, and inbound and
outbound communication.
As previously discussed, OCC uses a KMS Strategy to encrypt data in
transit and at rest in the Cloud. KMS is designed so that no one,
including CSP employees, can retrieve customer plaintext keys and use
them. The Federal Information Processing Standards (``FIPS'') 140-2
validated Host Security Modules (HSMs) in KMS protect the
confidentiality and integrity of OCC customer keys.\35\ Customer
plaintext keys are never written to disk and only ever used in
protected, volatile memory of the HSMs for the time needed to perform
the customer's requested cryptographic operation. KMS keys are never
transmitted outside of the Cloud regions in which they were created.
Updates to the KMS HSM firmware are controlled by quorum-based access
control \36\ that is audited and reviewed by an independent group
within the CSP. This tightly controlled deployment process minimizes
the risk that the security properties of the service will be changed as
new software, firmware, or hardware is introduced. With these security
measures, only users granted access by OCC to the core clearing, risk
management, or data management applications will be able to interact
with the information contained therein.
---------------------------------------------------------------------------
\35\ The HSM is analogous to a safe that only OCC has knowledge
of the combination and the ability to access the keys to locks
stored within.
\36\ A quorum-based access mechanism requires multiple users to
provide credentials over a fixed period in order to obtain access.
---------------------------------------------------------------------------
iii. Security Configuration, Provisioning, Logging, and Monitoring
Automated delivery of business and security capability via the use
of ``Infrastructure as Code'' and continuous integration/continuous
deployment pipeline methods will permit security controls to be
consistently and transparently deployed on-demand. OCC will provision
Cloud Infrastructure using pre-established system configurations that
are deployed through infrastructure as code, then scanned for
compliance to secure baseline configuration standards. OCC also employs
continuous configuration monitoring and periodic vulnerability
scanning. OCC will continue to perform regular reviews and testing of
OCC systems running on the Cloud while relying upon information
provided by the CSP through the CSP's SOC2 and Audit Symposiums.
Finally, configuration, security incident, and event monitoring will
rely on a blend of CSP native and third-party solutions.
OCC also plans to use tools offered by the CSP and third-parties to
monitor the core clearing, risk management, and data management
applications run on the Cloud Infrastructure. OCC will track metrics,
monitor log files, set alarms, and have the ability to act on changes
to OCC core clearing, risk management, and data management applications
and the environment in which they operate.\37\ The CSP will provide a
dashboard to reflect- general health (e.g., up/down status of a region)
but will not give additional insights into performance of services and
applications which run on those services. The OCC operated centralized
logging system will provide for a single frame of reference for log
aggregation, access, and workflow management by ingesting the CSP's
logs coming from native detective tools and OCC instrumented controls
for logging, monitoring, and vulnerability management. This
instrumentation will give OCC a real-time view into the availability of
Cloud services as well as the ability to track historical data. By
using the enterprise monitoring tools OCC has in place, OCC will be
able to integrate the availability and capacity management of Cloud
into OCC's existing processes, whether hosted on the Cloud or running
in the local on-premises backup, and respond to issues in a timely
manner.
---------------------------------------------------------------------------
\37\ OCC has separately submitted a request for confidential
treatment to the Commission regarding the Draft Cloud Provider
Logging and Alerting Test Environment, which OCC has provided in
confidential Exhibit 3r to File No. SR-OCC-2021-802.
---------------------------------------------------------------------------
OCC will also use specialized third-party tools, as discussed
above, to programmatically configure Cloud services and deploy security
infrastructure. This automation of configuration and deployment will
ensure Cloud services are repeatably and consistently configured
securely and validated. Change detection tools providing event logs
into the incident management system are also vital for reacting to and
investigating unexpected changes to the environment.
Security has implemented tools for the core clearing, risk
management, and data management applications and back office
environments that will be hosted at the CSP; notably, the IAM system,
monitoring and Security Information and Event Management (``SIEM'')
systems, the workflow system of record for incident handling, KMS, and
enterprise Data Loss Prevention (``DLP''). Most of these services can
also be run on-premises in a fully Cloud-independent mode, and Security
Services has identified potential alternatives for those that will be
needed for isolated on-premises operations and cannot operate
[[Page 60510]]
independently. All required technical controls deployed via or reliant
on CSP services will be replaced or supplemented to ensure equivalent
independent operation of the on-premises backup.\38\
---------------------------------------------------------------------------
\38\ OCC has separately submitted a request for confidential
treatment to the Commission regarding the Key Technologies, which
OCC has provided in confidential Exhibit 3s to File No. SR-OCC-2021-
802.
---------------------------------------------------------------------------
Finally, the CSP prioritizes assurance programs and certifications,
underscoring its ability to comply with financial services regulations
and standards and to provide OCC with a secure Cloud
Infrastructure.\39\
---------------------------------------------------------------------------
\39\ The CSP has certifications for the following frameworks:
NIST, Cloud Security Alliance, Control Objectives for Information
and Related Technology (COBIT), International Organization for
Standardization (ISO), and the Federal Information Security
Management Act (FISMA).
---------------------------------------------------------------------------
iv. Security Testing and Verification by the 2nd and 3rd Line
Security testing is integrated into business-as-usual processes as
outlined in relevant policy and procedures. These documents define how
testing is initiated, executed, and tracked.
For new assets and application (or code) releases, Security
determines whether and what type of security testing is required
through a risk-based analysis. If required, testing is conducted prior
to implementation and the different testing techniques are outlined
below:
<bullet> Automated Security Testing: Using industry standard
security testing tools and/or other security engineering techniques
specifically configured for each test, Security will test to identify
vulnerabilities and deliver payloads with the intent to break, change,
or gain access to unauthorized areas within an application, data, or
system.
<bullet> Manual Penetration Testing: Using information gathered
from automated testing and/or other information sources, Security will
manually test to identify vulnerabilities and deliver payloads with the
intent to break, change, or gain access to the unauthorized area within
an application or system.
<bullet> Blue Team Testing: The Blue Team identifies security
threats and risks in the operating environment and analyzes the
network, system, and SaaS environments and their current state of
security readiness. Blue Team assessment results guide risk mitigation
and remediation, validate the effectiveness of controls, and provide
evidence to support authorization or approval decisions. Blue Team
testing ensures that OCCs networks, systems, and SaaS solutions are as
secure as possible before deploying to a production environment.
The results of Security controls testing are risk-rated and managed
to remediation via the Security Observation Risk Tracking process.
Change Management
Consistent with FFIEC Guidance, OCC's use of the Cloud will have
sufficient change management controls in place to effectively
transition systems and information assets to the Cloud and will help
ensure the security and reliability of microservices in the Cloud.
OCC's enterprise software development lifecycle processes help ensure
the same control environment for all OCC resources, irrespective of
whether they reside in an on-premises environment or in the Cloud. OCC
has established baselines for design inputs and control requirements
and enforces workload isolation and segregation through a Virtual
Private Cloud using existing Cloud native technical controls and added
new tools. OCC also plans to use other specialized platform monitoring
tools for logging, scanning of configuration, and systems process
scanning. OCC also has oversight as a code owner for the OCC
infrastructure security containers and will have final review and
approval for related changes and code merges before deployment of
secure containers into production. Finally, OCC will periodically
conduct static code scanning and perform vulnerability scanning for
external dependencies prior to deployment in production, along with
manual penetration testing of the provided application code. In
addition, OCC will perform routine scans of Compute resources with the
existing enterprise scanning tools. Any identified vulnerabilities will
be reviewed for severity, prioritized, and logged for remediation
tracking in upcoming development releases.
OCC will create a ``user acceptance plan'' prior to promoting code
to production. This user acceptance plan will include tests of all
major functions, processes, and interfacing systems, as well as
security tests. Through acceptance tests, OCC users will be able to
simulate complete application functionality of the live environment.
The change will move to the next stage of the OCC delivery model only
after satisfying the criteria for this phase.\40\
---------------------------------------------------------------------------
\40\ The ``user acceptance plan'' represents only one aspect of
the overall change management program at the OCC.
---------------------------------------------------------------------------
OCC plans to use microservices in its use of the Cloud. OCC has
internal projects that will address change management of the various
microservices. In particular, OCC runs a suite of supporting services
that enable building, running, scaling, and monitoring of OCC's
business applications in the Cloud in an automated, resilient, and
secure manner. The application platform relies on various CSP and
third-party tools for different components, including Infrastructure as
a Service, Infrastructure as Code, CI/CD, Container as a Service,
Continuous Delivery, and Platform Monitoring. For example, OCC will use
a third-party tool for managing containers and a different third-party
tool for distributing containers and workloads to assist with platform
automation. Security measures for planned production microservices are
already incorporated within the overall security architecture and
Enterprise Security Standards.\41\
---------------------------------------------------------------------------
\41\ The minimal security control architecture reflects
awareness of the need to consider data storage and management
outside of containers, configuration management to prevent
unintended container interactions, and routine monitoring and
replacement of containers when appropriate.
---------------------------------------------------------------------------
With respect to software development in the Cloud, OCC has
established a closed Virtual Private Cloud non-production environment
that allows OCC to develop, test, and integrate new capabilities,
including those related to security enhancements, while preventing
direct external access to the development environment and tightly
controlling on-premises access from OCC to the non-production
environment. This OCC Virtual Private Cloud non-production environment
(hosted in the Cloud) focuses on the foundational security, operations,
and infrastructure requirements with the intent to take lessons learned
to implement into future production. OCC developed and maintains a
Cloud Reference Architecture that defines necessary capabilities and
controls required to securely host core clearing, risk management, and
data management applications on the CSP. The minimum foundational
security requirements are based on the NIST CSF and CIS benchmarks and
include the design and implementation requirements of a secure Cloud
account structure within a multi-region Cloud environment. OCC
maintains enterprise security requirements that provide structure for
current and future development. As the Virtual Private Cloud
environment is further developed and expanded, there is a comprehensive
process to identify any incremental risks and develop and
[[Page 60511]]
implement controls to manage and mitigate those risks.\42\
---------------------------------------------------------------------------
\42\ OCC has separately submitted a request for confidential
treatment to the Commission discussing the status of security
projects which OCC has provided in confidential Exhibit 3t to File
No. SR-OCC-2021-802.
---------------------------------------------------------------------------
Resiliency and Recovery
As noted earlier, given OCC's role as a SIFMU, it is vital that OCC
work to ensure operations moved to Cloud Infrastructure have
appropriately robust resilience and recovery capabilities. Below is a
discussion of how OCC has evaluated resiliency including: (i) The steps
taken by OCC and the CSP to help ensure the persistent availability of
Compute, Storage, and Network capabilities in the Cloud; (ii) the
resiliency of the CSP's method for deploying updates to help ensure
that consequences of incidents are limited to the fullest extent
possible; (iii) the on-premises backup; and (iv) the use of ``store and
forward'' \43\ messaging technology.
---------------------------------------------------------------------------
\43\ ``Store and forward'' messaging refers to messaging
technology that retains copies of messages until confirmation of
receipt, thus limiting the likelihood of loss during transmission.
---------------------------------------------------------------------------
i. Resiliency of the Cloud Infrastructure
OCC believes the Cloud Implementation will enhance the resiliency
of OCC's core clearing, risk management, and data management
applications by virtue of its built-in six levels of redundancy that
will provide OCC with easy access to multiple zones within multiple and
geographically diverse regions. The redundancy provided to OCC in the
Cloud Infrastructure helps ensure that Compute, Storage, and Network
resources will be available to OCC on a persistent basis.
OCC will provision Compute, Storage, and Network resources in two
autonomous and geographically diverse regions, in a hot/warm
configuration to increase resources on demand, maintained by the CSP.
Each region will maintain independent and identical copies of all
applications that are deployed by OCC, allowing OCC to transition its
core clearing, risk management, and data management applications from
one region to another seamlessly. Production workloads would be run
across and shifted between regions regularly to protect OCC against
disruptions from regionalized incidents. In the unlikely event that a
region is temporarily disabled as a result of an extreme event, OCC
would failover to run core clearing, risk management, and data
management applications in the other region. This will necessarily
require that both regions be maintained with full and expansion
capacity. At any point, OCC will have active primary and standby
instances of the core clearing, risk management, and data management
applications that can be moved to any of the six instances (i.e. three
zones in each of the two regions). This is analogous to having six
physical data centers with primary and backup running out of any two
instances at a given point in time.
Each region consists of three zones, each of which has a physical
infrastructure with separate and dedicated connections to utility
power, standalone backup power sources, independent mechanical
services, and independent network connectivity. While not dependent on
one another, zones are connected to one another with private fiber-
optic networking, enabling the architecture of core clearing, risk
management, and data management applications to automatically failover
between zones without interruption. Since each zone can operate
independently of one another but failover capability is near
instantaneous, a loss of one zone will not affect operation in another
zone; however, no core clearing, risk management, or data management
application will be reliant on the functioning of a single zone. This
structural framework offers OCC a wide expanse within which to run its
core clearing, risk management, and data management applications while
simultaneously restricting the effect of an incident at the CSP to the
smallest footprint possible.\44\
---------------------------------------------------------------------------
\44\ To further ensure the resiliency of the Compute, Storage,
and Network capabilities, the CSP's services are divided into ``data
plane'' and ``control plane'' services. OCC's applications will run
using data plane services; control plane services are used by the
CSP to configure the environment. Resources and requests are further
partitioned into cells, or multiple instantiations of a service that
are isolated from each other and invisible to the CSP's customers,
on each plane, again minimizing the effect of a potential incident
to the smallest footprint possible.
---------------------------------------------------------------------------
As core clearing, risk management, and data management applications
will be deployed in a primary (hot)/secondary (warm) mode, each
environment will be active, run the same software, and receive the same
data, enabling a failover or switch from one region to another within
two hours. Software and Infrastructure will be deployed via automated
processes to ensure both are identical in each region.
Additional capacity will always be available to support the
resiliency of OCC's core clearing, risk management, and data management
applications by way of the six-way redundancy. OCC will continue to
periodically test the CSP's capacity scaling features and failover
capabilities to ensure adequate capacity is always available to
OCC.\45\
---------------------------------------------------------------------------
\45\ OCC will continue to perform periodic business continuity
and disaster recovery tests to verify business continuity plans and
disaster recovery infrastructure will support a two-hour recovery
time objective for critical systems.
---------------------------------------------------------------------------
The CSP may not unilaterally terminate the relationship with OCC
absent good cause or without sufficient notice to allow OCC to
transition to an alternate CSP or to the on-premises solution for its
Compute, Storage, and Network needs. The notice provision in the Cloud
Agreement for terminations that are not for cause would give OCC
sufficient time to consider and transition \46\ its core clearing, risk
management, and data management applications to another CSP or to its
backup on-premises data center. Specifically, the CSP must provide
notice OCC believes is sufficient to transition if it wishes to
terminate the Cloud Agreement for convenience or if it wishes to
terminate an individual CSP service offering on which OCC relies for
all of its Cloud customers.\47\
---------------------------------------------------------------------------
\46\ The possible transition of core clearing, risk management,
and data management applications either from the CSP back to an on-
premises solution or to another CSP is discussed below.
\47\ The CSP permits an exception to this sufficient notice
provision in the event the CSP must terminate the individual service
offering if necessary to comply with the law or requests of a
government entity or to respond to claims, litigation, or los [sic]
of license rights related to third-party intellectual property
rights. In this event, the CSP must provide reasonable notice to OCC
of the termination of the individual service offering.
---------------------------------------------------------------------------
The CSP is permitted to terminate the Cloud Agreement with shorter
notice periods in the event of a critical breach or an uncured material
breach of the Cloud Agreement. In the highly unlikely event that a
critical breach or uncured material breach occurs, OCC would have
sufficient notice to shift operations to the on-premises data center.
Contract provisions that allow a party to terminate for uncured
material breaches are designed to limit the types of actions that could
lead to contract termination (typically, a breach is considered
material only if it goes to the root of the agreement between the
parties or is so substantial that it defeats the object of the parties
in making the contract) and to establish a short period of time to
resolve an aggrieved party's claim (often 30 days). This gives the
parties time and incentive to address the problem without having to
resort to termination. Critical breaches are material breaches: (i) For
which OCC knew its behavior would cause a material breach (such as a
willful violation of Cloud Agreement
[[Page 60512]]
terms); (ii) that cause ongoing material harm to the CSP, its services,
or its customers (e.g., criminal misuse of the services); or (iii) for
undisputed non-payment under the Cloud Agreement. Even if the CSP
notifies OCC of an alleged breach (material or critical), termination
of services is not immediate.
OCC believes the risk of termination with a shorter notice period
is mitigated by the following factors. In all cases of an alleged
breach, the CSP must notify OCC in writing and provide time for OCC to
cure the alleged breach (``Notice Period''). With respect to an alleged
critical breach, OCC would use the Notice Period to attempt to cure the
alleged critical breach while also preparing for a seamless transition
to the on-premises data center. With respect to an alleged material
breach, which requires the CSP to extend the Notice Period if OCC
demonstrates a good faith effort to cure the alleged material breach,
OCC would use the Notice Period to attempt to cure the alleged material
breach while also preparing for a seamless transition to the on-
premises data center. As a result, it is highly unlikely that a
critical breach or a material breach would remain uncured beyond the
Notice Period; if one does, however, OCC would have ample notice to
shift operations to the on-premises data center to avoid a disruption
to core clearing, risk management, and data management applications.
ii. Resiliency of the Deployment of Cloud Infrastructure Updates
The CSP will update the Cloud Infrastructure from time to time \48\
using a conservative approach for update deployment that helps to
ensure that any potential effects of possible incidents are contained
to the greatest extent possible. The CSP achieves this by: (i) Fully
automating the build and deployment process; and (ii) deploying
services to production in a phased manner.
---------------------------------------------------------------------------
\48\ OCC will continue to retain responsibility for patching,
configuration, and monitoring of the operating systems and
applications in the Cloud.
---------------------------------------------------------------------------
CSP Services are first deployed to cells, which minimizes the
chance that a disruption caused by a service update such as a patch in
one cell would disrupt other cells. Following a successful cell-based
deployment, service updates are next deployed to a specific zone, which
limits the potential disruption caused by a service update to that
particular zone. Following a successful zone deployment, service
updates are then deployed in a staged manner to other zones starting
with the same region and later within other regions until the process
is complete.
OCC will continue to meet regularly with staff of the CSP, in
addition to formal quarterly Briefing Meetings with the CSP as
described in the Reg SCI Addendum.\49\ The informal discussions and
quarterly Briefing Meetings will permit OCC to gather information in
advance of the quarterly Systems Change report. Most reportable systems
changes will continue to occur based on changes to Compute, Storage,
Network, or applications controlled by OCC.
---------------------------------------------------------------------------
\49\ See confidential Exhibit 3f.
---------------------------------------------------------------------------
iii. Resiliency Through the Build Out of an On-Premises Data Center
OCC will maintain an on-premises data center to provide the ability
to support core clearing, risk management, and data management
applications in the unlikely and extraordinary event of either the
termination of the Cloud Agreement for uncured breach or a multi-region
outage at the CSP that simultaneously impacts OCC operations within all
three zones in both regions.\50\
---------------------------------------------------------------------------
\50\ OCC, with the assistance of an external consultant,
conducted an analysis of the benefits and risks of a multi-CSP
infrastructure. The key findings indicated that a multi-CSP
infrastructure would not significant improver resiliency and could
create additional risks, including: (i) Increased functionality and
delivery risks; (ii) increased operational and cybersecurity risks;
(iii) human capital risks; (iv) third-party and legal risks; and (v)
general business risks.
---------------------------------------------------------------------------
OCC has designed the on-premises data center to operate 30 or more
days to permit a smooth transition back to the Cloud (once the Cloud
disruption is remediated) on a low volume day. From an architectural
perspective, the on-premises data center is similar to adding a third
CSP region with a single zone. While most technologies will remain the
same with a failover to on-premises, there are several technologies
that are only available at the CSP and for which alternative solutions
must be devised. All equivalent on-premises core platform technologies
that enable Compute, Network, and Storage will be operated by OCC with
synchronous data replication between the Cloud and on-premises while
member connectivity would remain unchanged.\51\ OCC will ensure
adequate capacity in the on-premises data center for up to two and a
half times observed peak volume. If the circumstances that required OCC
to rely on the on-premises data center persist beyond seven days, OCC
would take steps necessary to enhance its Storage to enable seamless
operation of the on-premises data center for longer than 30 days.
---------------------------------------------------------------------------
\51\ OCC has separately submitted a request for confidential
treatment to the Commission for a diagram that the presents draft
Failover Architecture which OCC has provided in confidential Exhibit
3u to File No. SR-OCC-2021-802.
---------------------------------------------------------------------------
iv. Resiliency Through the Use of ``Store and Forward'' Messaging
Technology
OCC has designed the architecture to ensure it is able to support
zero message loss and a quick recovery time. To meet these requirements
the architecture places a premium on data integrity and throughput over
the latency of any one transaction. The established techniques for this
are ``store and forward'' messaging technology where messages are
preserved until delivered to servers that consume the messages and
synchronous writes to multiple servers. Unlike OCC's current system,
the core clearing, risk management, and data management applications do
not rely on block storage replication across CSP regions. The solution
is entirely message based and message replication achieves the data
redundancy required to deliver high availability services.
OCC will continue to rely on the existing ``store and forward''
messaging technology as the primary technology for exchanging messages
with both exchanges & clearing members for the intake of clearing and
settlement related information. The ``store and forward'' messaging
technology manager is hosted on-premises and is replicated across all
OCC on-premises data centers. The ``store and forward'' messaging
technology will then forward messages to the hot/warm instances at the
CSP and the redundant on-premises data center applications.
Core clearing, risk management, and data management applications
rely on a platform for managing containerized workloads and messaging
services. This platform enables multi-region message replication with
synchronous acknowledgement. The platform will treat the on-premises
data center as another region, with messages being replicated to all
three regions (the two Cloud regions and on-premises).
The core clearing, risk management, and data management application
architecture deployed across the two CSP regions and on-premises will
maximize data integrity and throughput during routine operations and
enhance failover should it be necessary.
Audit and Controls Assessment
OCC has a plan in place to continually test the Cloud security
controls and OCC's readiness for the Cloud Implementation, and also has
processes in place to regularly audit and test security controls and
[[Page 60513]]
configurations,\52\ including by monitoring the CSP's technical,
administrative, and physical security controls that support OCC's
systems in the Cloud Infrastructure.
---------------------------------------------------------------------------
\52\ Internal Audit will assess plans during the 2021 Cloud
Transition Audit, and more in-depth in early 2022 when the processes
are modified to operate in the Cloud.
---------------------------------------------------------------------------
i. Internal Risk Assessments
In addition to existing OCC Third Party Vendor Risk Management
activities, OCCs Third Party Risk Management department (``TPRM'') will
assess the operational risks of the CSP as a critical vendor annually.
Additionally, OCC conducts a technology risk assessment, which is an
evaluation of risks to OCC's critical systems, monitoring of key risk
indicators (``KRI''), risk events, security events, and key controls,
and which will encompass all risks presented by the CSP, on an annual
basis.\53\
---------------------------------------------------------------------------
\53\ This annual risk assessment is provided to the Board of
Directors and the Technology Committee.
---------------------------------------------------------------------------
ii. External Risk Assessment
OCC engaged a third-party familiar with Cloud Infrastructure best
practices to conduct a design effectiveness review of the OCC's
proposed Cloud strategy, application architecture, and related security
and resiliency controls.\54\ The External Risk Assessment focused on:
(i) Cloud reference architecture, capabilities, and controls required
to host applications in the Cloud; (ii) existing and planned resiliency
capabilities to meet a two-hour recovery time objective of OCC's
critical services; and (iii) design of the existing and planned
security controls during and after the Cloud Implementation.\55\
---------------------------------------------------------------------------
\54\ OCC has separately submitted a request for confidential
treatment to the Commission regarding the External Risk Assessment,
which OCC has provided in confidential Exhibit 3v to File No. SR-
OCC-2021-802 and regarding OCC's response to the External Risk
Assessment recommendations, which OCC has provided in confidential
Exhibit 3w to File No. SR-OCC-2021-802.
\55\ The External Risk Assessment included five discovery
workshops, thirty design review sessions, discussions with over
forty-eight OCC stakeholders, and review of one hundred sixty
documents ranging from strategy materials to configuration builds.
---------------------------------------------------------------------------
The External Risk Assessment identified strengths in OCC's planned
Cloud Implementation, including that OCC incorporated several leading
security practices as well as support for elastic capacity and the
ability to scale effectively into its plan. The External Risk
Assessment also included recommendations to supplement OCC's execution
plan for the Cloud Implementation and were broadly categorized into six
technical areas: (i) Workload isolation and networking; (ii) automation
and pipelines; (iii) data fabric and data lifecycle management; (iv)
platform shared services and support model; (v) security shared
services and support model; and (vi) resiliency. Recommendations were
categorized across two dimensions: (i) Program priority (high, medium,
or low) and (ii) implementation action (start, accelerate, or
continue). A recommendation does not necessarily mean OCC would not
have implemented the recommended action absent the recommendation, as
several of the recommendations were for OCC to continue an activity it
had already begun. OCC has a plan in place to address the
recommendations provided in the External Risk Assessment and will track
the plan to completion.
iii. Internal Audit Department Plan Related to Cloud Implementation
As mentioned above, starting in 2021 and going forward, the
Internal Audit Annual Plan is designed to assess important elements of
the new core clearing, risk management, and data management
applications roll-out. For example, the 2021 Audit Plan includes an
audit on the Cloud Implementation. This audit included an analysis of
OCC's disposition of the findings in the External Risk Assessment,
determined if the risks associated with findings have been adequately
addressed, evaluated OCC's strategy in the event it needs to transition
from the CSP at any time, evaluated the adequacy of OCC's remediation
plans and timelines, and OCC's assessment of the third-party CSP
attestation report (SOC). The Internal Audit Department plans to
augment internal resources with co-source resources with specific
expertise in Cloud-based controls and has conducted a department-wide
training of Cloud auditing, with additional training to be conducted as
necessary.
iv. Audit Symposium and Access Rights
The CSP hosts an annual Audit Symposium, which will allow OCC to
review evidence supporting the CSP's control environment. The CSP also
hosts an annual Cloud security conference focused on Security,
Governance, Risk and Compliance.
OCC Information Technology staff currently meets with CSP
representatives weekly to focus on technical issues related to OCC's
proposed Cloud environment. In addition, OCC will be holding compliance
briefings with the CSP quarterly, wherein the CSP will provide OCC with
documentation (e.g., SOC 2 Report) and assist OCC's preparation for the
Audit Symposium. OCC management, including Security, Information
Technology, and the Internal Audit Department, will coordinate to
ensure appropriate representation during the planned briefings. TPRM
will help initiate and orchestrate the annual reviews.
v. Key Risk and Key Performance Indicators
OCC has also established several key risk indicators (``KRI'') and
key performance indicators (``KPI'') to evaluate OCC's management of
risk and the CSP's performance during the Cloud implementation and
ongoing operation.\56\ The KRIs are approved by and regularly reported
to OCC's Management Committee, Board of Directors, and the Risk
Committee of the Board of Directors.
---------------------------------------------------------------------------
\56\ These KRIs and KPIs are contained in the Cloud
Implementation risk report. OCC has separately submitted a request
for confidential treatment to the Commission regarding the Cloud
Implementation risk report, which OCC has provided in confidential
Exhibit 3k to File No. SR-OCC-2021-802. See supra note 26.
---------------------------------------------------------------------------
OCC has developed Cloud KPIs and socialized these KPIs internally.
The KRIs already exist for core clearing, risk management, and data
management applications and are aligned to overall systems
availability, capacity, data integrity, and security. The CSP KPIs feed
into existing KRIs and will continue to be used to evaluate the CSP's
performance after the Cloud Implementation.\57\ KPIs will be added to
monitor the performance and risks of the CSP services for which OCC has
contracted. These post-Cloud Implementation KRIs and KPIs will allow
OCC to assess its ongoing use of the CSP against its operational and
security requirements and will demonstrate the effectiveness of risk
controls and the CSP's performance against commitments in the Service
Level Agreements, and will be reported on a regular basis to OCC's
Management Committee, Board of Directors, and Technology and Risk
Committees of the Board of Directors.\58\
---------------------------------------------------------------------------
\57\ OCC has established metrics for monitoring CSP systems
capacity and availability in each zone in Risk Appetite Statements
and Risk Tolerance for Cloud Services which OCC has provided in
confidential Exhibit 3l to File No. SR-OCC-2021-802. Data integrity
and systems incidents are monitored through OCC's Quality Standards
Program and Systems Incident Program, respectively.
\58\ OCC has separately submitted a request for confidential
treatment to the Commission regarding metrics and reporting that OCC
will use to monitor the security and performance of the CSP after
adoption, which OCC has provided in confidential Exhibit 3x to File
No. SR-OCC-2021-802.
---------------------------------------------------------------------------
[[Page 60514]]
vi. Auditing the CSP Post Cloud-Implementation
OCC's Cloud Agreement gives OCC the right to attend the CSP Audit
Symposium annually so that OCC may inspect and verify evidence of the
design and effectiveness of the CSP's control environment and physical
security controls in place at the CSP's data centers. Through
preparation for and attendance at this symposium, OCC may also provide
feedback and make requests of the CSP for future modifications of the
control environment. The CSP is also required to maintain an
information security program, including controls and certifications,
that is as protective as the program evidenced by the CSP's SOC-2
report. The CSP must make available on demand to OCC its SOC-2 report
as well as the CSP's other certifications from accreditation bodies and
information on its alignment with various frameworks, including NIST,
CSF, and ISO.\59\ TPRM will coordinate an annual risk assessment of
OCC's relationship with the CPS. TPRM, Security, and Business
Continuity will determine the adequacy and reasonableness of the
documentation received to complete the Third-Party Risk Assessment.
Finally, the Cloud Agreement provides that OCC's regulators may visit
the facilities of the CSP under specified conditions.
---------------------------------------------------------------------------
\59\ The FFIEC Guidance provides that OCC may obtain SOC
reports, other independent audits, or ISO certification reports to
gain assurance that the CSP's controls are operating effectively.
See FFIEC, Security in a Cloud Computing Environment, page 7. OCC
reviews the CSP's SOC-2 on an annual basis.
---------------------------------------------------------------------------
OCC plans to use the CSP's services combined with additional third-
party tools to monitor systems deployed by ingesting logs into a
security incident and event monitoring tool to provide a single pane of
glass view into the Cloud Infrastructure (and the on-premises data
center to the extent it is used). When incidents are detected, OCC will
follow its existing incident response governance to identify, detect,
contain, eradicate, and recover from incidents.
Consistency With the Payment, Clearing and Settlement Supervision Act
The stated purpose of the Clearing Supervision Act is to mitigate
systemic risk in the financial system and promote financial stability
by, among other things, promoting uniform risk management standards for
systemically important financial market utilities and strengthening the
liquidity of systemically important financial market utilities.\60\
Section 805(a)(2) of the Clearing Supervision Act \61\ also authorizes
the Commission to prescribe risk management standards for the payment,
clearing and settlement activities of designated clearing entities,
like OCC, for which the Commission is the supervisory agency. Section
805(b) of the Clearing Supervision Act \62\ states that the objectives
and principles for risk management standards prescribed under Section
805(a) shall be to:
---------------------------------------------------------------------------
\60\ 12 U.S.C. 5461(b).
\61\ 12 U.S.C. 5464(a)(2).
\62\ 12 U.S.C. 5464(b).
---------------------------------------------------------------------------
<bullet> Promote robust risk management;
<bullet> promote safety and soundness;
<bullet> reduce systemic risks; and
<bullet> support the stability of the broader financial system.
The Commission has adopted risk management standards under Section
805(a)(2) of the Clearing Supervision Act and the Exchange Act in
furtherance of these objectives and principles.\63\ Rule 17Ad-22
requires registered clearing agencies, like OCC, to establish,
implement, maintain, and enforce written policies and procedures that
are reasonably designed to meet certain minimum requirements for their
operations and risk management practices on an ongoing basis.\64\
Therefore, the Commission has stated \65\ that it believes it is
appropriate to review changes proposed in advance notices against Rule
17Ad-22 and the objectives and principles of these risk management
standards as described in Section 805(b) of the Clearing Supervision
Act.\66\
---------------------------------------------------------------------------
\63\ 17 CFR 240.17Ad-22. See Exchange Act Release Nos. 68080
(October 22, 2012), 77 FR 66220 (November 2, 2012) (S7-08-11)
(``Clearing Agency Standards''); 78961 (September 28, 2016), 81 FR
70786 (October 13, 2016) (S7-03-14) (``Standards for Covered
Clearing Agencies'').
\64\ 17 CFR 240.17Ad-22.
\65\ See e.g., Exchange Act Release No. 86182 (June 24, 2019),
84 FR 31128, 31129 (June 28, 2019) (SR-OCC-2019-803).
\66\ 12 U.S.C. 5464(b). Reg SCI was not adopted under the
Payment, Clearing and Settlement Supervision Act and thus is not
analyzed in this section. However, an analysis of the compliance
requirements of Reg SCI and the provisions of the Cloud Agreement
that enable OCC to meet them are provided in confidential Exhibit 3d
to File No. SR-OCC-2021-802, for which OCC has separately submitted
a request for confidential treatment from the Commission.
---------------------------------------------------------------------------
OCC believes that the proposed changes are consistent with Section
805(b)(1) of the Clearing Supervision Act \67\ and the requirements of
Rules 17Ad-22(e)(17) and (e)(21) under the Act because the Cloud
Implementation would provide OCC with resilient, secure, and scalable
core clearing, risk management, and data management systems that far
exceeds what is currently possible in an on-premises infrastructure.
---------------------------------------------------------------------------
\67\ 12 U.S.C. 5464(b)(1).
---------------------------------------------------------------------------
Rule 17Ad-22(e)(17)(ii) requires OCC to establish, implement,
maintain, and enforce written policies and procedures reasonably
designed to manage OCC's operational risk by ``ensuring that systems
have a high degree of security, resiliency, operational reliability,
and adequate, scalable capacity.'' \68\ OCC maintains several policies
specifically designed to manage the risks associated with maintaining
adequate levels of system functionality, confidentiality, integrity,
availability, capacity and resiliency for systems that support core
clearing, risk management, and data management services.\69\ As stated
above, resiliency of the Cloud Infrastructure is built into the system
with functionality for OCC's core clearing, risk management, and data
management applications to run in multiple zones within multiple
regions. Regions are isolated from one another and are designed in part
to minimize the possibility of a multi-region outage. OCC has designed
the infrastructure to have primary (hot)/secondary (warm) zones at all
times ensuring Compute, Storage, and Network resources would be
available in a new redundant region in the event of a primary region
failure. As a result, the Cloud Infrastructure offers OCC multiple
redundancies within which to run its core clearing, risk management,
and data management applications while simultaneously restricting the
effect of an incident at the CSP to the smallest footprint possible.
Furthermore, in the unlikely and extraordinary event OCC loses access
to each of the six levels of resiliency within the CSP environment, OCC
can failover to an on-premises backup that will permit continued
operations of core clearing, risk management, and data management
applications.
---------------------------------------------------------------------------
\68\ 17 CFR 240.17Ad-22(e)(17)(ii).
\69\ OCC has separately submitted a request for confidential
treatment to the Commission regarding the IT Operational Risk
Management Policy, which OCC has provided as confidential Exhibit 3y
to File No. SR-OCC-2021-802, the Technology Operations Policy, which
OCC has provided as confidential Exhibit 3z to File No. SR-OCC-2021-
802, and the Business Continuity Procedure, which OCC has provided
as confidential Exhibit 3aa to File No. SR-OCC-2021-802.
---------------------------------------------------------------------------
OCC has established a robust Cloud security program to manage the
security of the core clearing, risk management, and data management
applications that will be running in the Cloud and to monitor the CSP's
management of security of the Cloud Infrastructure that it operates.
Processes are formally defined, automated to the fullest extent,
repeatable with minimal variation,
[[Page 60515]]
accessible, adhered to, and timely.\70\ The enterprise security program
encompasses all OCC assets existing in OCC offices, data centers, and
within the Cloud Provider's Cloud Infrastructure, and IAM controls
ensure least-privileged user access to applications on the Cloud. OCC
has appropriate controls in place to ensure the security of
confidential information in-transit between OCC data centers and the
Cloud Infrastructure, between systems within the Cloud Infrastructure,
and at-rest. All network communications between OCC and the Cloud will
rely on industry standard encryption for traffic while in transit, and
data at rest will be safeguarded through pervasive encryption. Finally,
automated delivery of business and security capability via the use of
the ``Infrastructure as Code,'' Cloud agnostic tools, and continuous
integration/continuous deployment pipeline methods ensure security
controls are consistently and transparently deployed.
---------------------------------------------------------------------------
\70\ For example, vulnerability scanning, automated secrets
management including certificate encryption, and incident triage
management and handling process.
---------------------------------------------------------------------------
Since additional computing power can be launched on demand, the
scalability in a Cloud computing environment is considerable and
instantaneous. OCC could provision or de-provision Compute, Storage,
and Network resources to meet demand at any given point in time. In the
current on-premises environment, immediate scalability is limited by
the capacity of the on-premises hardware: OCC would need to obtain
additional physical servers and network equipment to scale beyond the
limits of the on-premises hardware, potentially affecting the ability
to quickly adapt to evolving market conditions, including spikes in
trading volume.
Rule 17Ad-22(e)(21) requires OCC to establish, implement, maintain,
and enforce written policies and procedures reasonably designed to ``be
efficient and effective in meeting the requirements of its participants
and the markets it serves,'' and to have OCC's management regularly
review the ``efficiency and effectiveness of, [inter alia,] its (i)
clearing and settlement arrangements and (ii) operating structure,
including risk management policies, procedures, and systems.'' \71\ OCC
maintains policies designed to enable the regular review of the
efficiency and effectiveness of the arrangements and operating
structures supporting OCC's identified goals and objectives.\72\ There
are several significant efficiency benefits to the Cloud
Implementation, including:
---------------------------------------------------------------------------
\71\ 17 CFR 240.17Ad-22(e)(21).
\72\ OCC has separately submitted a request for confidential
treatment to the Commission regarding the Annual Planning Policy,
which OCC has provided as confidential Exhibit 3bb to File No. SR-
OCC-2021-802, the Balanced Scorecard Procedure, which OCC has
provided as confidential Exhibit 3cc to File No. SR-OCC-2021-802,
the Enterprise Portfolio Management Procedure, which OCC has
provided as confidential Exhibit 3dd to File No. SR-OCC-2021-802,
the New Business and New Exchange Procedure, which OCC has provided
as confidential Exhibit 3ee to File No. SR-OCC-2021-802, and the New
Product Procedure, which OCC has provided as confidential Exhibit
3ff to File No. SR-OCC-2021-802.
---------------------------------------------------------------------------
<bullet> Ad-hoc reporting capability with new filtering
functionality and application programming interfaces to make it easier
to procure and submit data to and from the system.
<bullet> The capability to quickly add or remove Compute, Storage,
or Network resources to meet changing application needs and market
volatility.
<bullet> The capability to (i) run certain back testing processes
that used to take days to months in a few hours; (ii) manage multiple
back testing processes the same time; and (iii) eliminate any undue
delay in the evaluation of potential risk management enhancements for
the industry.
<bullet> The scalability to more efficiently meet historical data
storage needs, provide data access through standard data services, and
the ability to respond quickly to regulatory requests.
<bullet> Easy and secure access to high-quality, high-fidelity
data, including a centralized, enterprise-wide repository to store and
provide timely access to system of record data.
Accordingly, the proposed changes: (i) Are designed to promote
robust risk management; (ii) are consistent with promoting safety and
soundness; and (iii) are consistent with reducing systemic risks and
promoting the stability of the broader financial system. The proposed
changes also ensure that OCC systems have a high degree of security,
resiliency, operational reliability, and adequate, scalable capacity,
and enable OCC to be efficient and effective in meeting the
requirements of its participants and the markets it serves. For the
foregoing reasons, OCC believes that the proposed changes are
consistent with Section 805(b)(1) of the Clearing Supervision Act \73\
and Rules 17Ad-22(e)(17) \74\ and (e)(21) \75\ under the Exchange Act.
---------------------------------------------------------------------------
\73\ 12 U.S.C. 5464(b).
\74\ 17 CFR 240.17Ad-22(e)(17).
\75\ 17 CFR 240.17Ad-22(e)(21).
---------------------------------------------------------------------------
III. Date of Effectiveness of the Advance Notice
The proposed change may be implemented if the Commission does not
object to the proposed change within 60 days of the later of (i) the
date the proposed change was filed with the Commission or (ii) the date
any additional information requested by the Commission is received.\76\
OCC shall not implement the proposed change if the Commission has any
objection to the proposed change.\77\
---------------------------------------------------------------------------
\76\ 12 U.S.C. 5465(e)(1)(G).
\77\ 12 U.S.C. 5465(e)(1)(F).
---------------------------------------------------------------------------
OCC shall post notice on its website of proposed changes that are
implemented. The proposal shall not take effect until all regulatory
actions required with respect to the proposal are completed.
IV. Solicitation of Comments
Interested persons are invited to submit written data, views, and
arguments concerning the foregoing, including whether the advance
notice is consistent with the Clearing Supervision Act. Comments may be
submitted by any of the following methods:
Electronic Comments
<bullet> Use the Commission's internet comment form (<a href="http://www.sec.gov/rules/sro.shtml">http://www.sec.gov/rules/sro.shtml</a>); or
<bullet> Send an email to <a href="/cdn-cgi/l/email-protection#a5d7d0c9c088c6cac8c8c0cbd1d6e5d6c0c68bc2cad3"><span class="__cf_email__" data-cfemail="f280879e97df919d9f9f979c8681b2819791dc959d84">[email protected]</span></a>. Please include
File Number SR-OCC-2021-802 on the subject line.
Paper Comments
<bullet> Send paper comments in triplicate to Secretary, Securities
and Exchange Commission, 100 F Street NE, Washington, DC 20549.
All submissions should refer to File Number SR-OCC-2021-802. This file
number should be included on the subject line if email is used. To help
the Commission process and review your comments more efficiently,
please use only one method. The Commission will post all comments on
the Commission's internet website (<a href="http://www.sec.gov/rules/sro.shtml">http://www.sec.gov/rules/sro.shtml</a>).
Copies of the submission, all subsequent amendments, all written
statements with respect to the advance notice that are filed with the
Commission, and all written communications relating to the advance
notice between the Commission and any person, other than those that may
be withheld from the public in accordance with the provisions of 5
U.S.C. 552, will be available for website viewing and printing in the
Commission's Public Reference Room, 100 F Street NE,
[[Page 60516]]
Washington, DC 20549 on official business days between the hours of
10:00 a.m. and 3:00 p.m. Copies of the filing also will be available
for inspection and copying at the principal office of the self-
regulatory organization.
All comments received will be posted without change. Persons
submitting comments are cautioned that we do not redact or edit
personal identifying information from comment submissions. You should
submit only information that you wish to make available publicly.
V. Date of Timing for Commission Action
Section 806(e)(1)(G) of the Clearing Supervision Act provides that
OCC may implement the changes if it has not received an objection to
the proposed changes within 60 days of the later of (i) the date that
the Commission receives the Advance Notice or (ii) the date that any
additional information requested by the Commission is received,\78\
unless extended as described below.
---------------------------------------------------------------------------
\78\ 12 U.S.C. 5465(e)(1)(G).
---------------------------------------------------------------------------
Pursuant to Section 806(e)(1)(H) of the Clearing Supervision Act,
the Commission may extend the review period of an advance notice for an
additional 60 days, if the changes proposed in the advance notice raise
novel or complex issues, subject to the Commission providing the
clearing agency with prompt written notice of the extension.\79\
---------------------------------------------------------------------------
\79\ 12 U.S.C. 5465(e)(1)(H).
---------------------------------------------------------------------------
Here, as the Commission has not requested any additional
information, the date that is 60 days after OCC filed the Advance
Notice with the Commission is December 7, 2021. However, the Commission
finds the issues raised by the Advance Notice complex because OCC
proposes to migrate its clearing, risk management, and data management
applications to a cloud infrastructure with an on-demand network of
configurable information technology resources running on virtual
infrastructure hosted by a third party. The Commission also finds the
issues raised by the Advance Notice novel because the proposed
migration of a covered clearing agency's clearing, risk management, and
data management applications to a third-party-hosted cloud
infrastructure represents a novel circumstance in the U.S. markets that
would require careful scrutiny and consideration of its associated
risks. Therefore, the Commission finds it appropriate to extend the
review period of the Advance Notice for an additional 60 days under
Section 806(e)(1)(H) of the Clearing Supervision Act.\80\
---------------------------------------------------------------------------
\80\ Id.
---------------------------------------------------------------------------
Accordingly, the Commission, pursuant to Section 806(e)(1)(H) of
the Clearing Supervision Act,\81\ extends the review period for an
additional 60 days so that the Commission shall have until February 5,
2022 to issue an objection or non-objection to advance notice SR-OCC-
2021-802.
---------------------------------------------------------------------------
\81\ Id.
---------------------------------------------------------------------------
All submissions should refer to File Number SR-OCC-2021-802 and
should be submitted on or before November 23, 2021.
---------------------------------------------------------------------------
\82\ 17 CFR 200.30-3(a)(91).
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\82\
J. Matthew DeLesDernier,
Assistant Secretary.
[FR Doc. 2021-23816 Filed 11-1-21; 8:45 am]
BILLING CODE 8011-01-P
</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>Indexed from Federal Register on November 2, 2021.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.