Notice 2022-15003
Self-Regulatory Organizations; The Depository Trust Company; Order Approving a Proposed Rule Change To Require Applicants, Participants, and Pledgees To Maintain or Upgrade Their Network or Communications Technology
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
July 14, 2022
Issuing agencies
Securities and Exchange Commission
Full Text
<html>
<head>
<title>Federal Register, Volume 87 Issue 134 (Thursday, July 14, 2022)</title>
</head>
<body><pre>
[Federal Register Volume 87, Number 134 (Thursday, July 14, 2022)]
[Notices]
[Pages 42239-42242]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-15003]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-95232; File No. SR-DTC-2022-004]
Self-Regulatory Organizations; The Depository Trust Company;
Order Approving a Proposed Rule Change To Require Applicants,
Participants, and Pledgees To Maintain or Upgrade Their Network or
Communications Technology
July 8, 2022.
I. Introduction
On May 11, 2022, The Depository Trust Company (``DTC'') filed with
the Securities and Exchange Commission (``Commission'') proposed rule
change SR-DTC-2022-004 (``Proposed Rule Change'') pursuant to Section
19(b)(1) of the Securities Exchange Act of 1934 (``Act'') \1\ and Rule
19b-4 thereunder.\2\ The Proposed Rule Change was published for comment
in the Federal Register on May 31, 2022.\3\ The Commission did not
receive any comment letters on the proposed rule change. For the
reasons discussed
[[Page 42240]]
below, the Commission is approving the Proposed Rule Change.
---------------------------------------------------------------------------
\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b-4.
\3\ Securities Exchange Act Release No. 94975 (May 24, 2022), 87
FR 32482 (May 31, 2022) (SR-DTC-2022-004) (``Notice of Filing'').
---------------------------------------------------------------------------
II. Description of the Proposed Rule Change
A. Background
DTC proposes to modify its Rules (``Rules'') \4\ to require its
Participants, Pledgees, and applicants for membership (collectively,
``participants'') to upgrade and maintain their network technology, and
communications technology or protocols, to meet standards that DTC
would identify and publish via Important Notice on its website, as
described more fully below.
---------------------------------------------------------------------------
\4\ DTC's Rules are available at https://dtcc.com/~/media/Files/Downloads/legal/rules/dtc_rules.pdf.
---------------------------------------------------------------------------
DTC provides depository services and asset servicing for a wide
range of security types such as money market instruments, equities,
warrants, rights, corporate debt and notes, municipal bonds, government
securities, asset-backed securities, and collateralized mortgage
obligations.\5\ In light of its critical role in the marketplace, DTC
was designated a Systemically Important Financial Market Utility
(``SIFMU'') under Title VIII of the Dodd-Frank Wall Street Reform and
Consumer Protection Act of 2010.\6\ Due to DTC's unique position in the
marketplace, a failure or a disruption at DTC could, among other
things, increase the risk of significant liquidity problems spreading
among financial institutions or markets, and thereby threaten the
stability of the financial system in the United States.\7\
---------------------------------------------------------------------------
\5\ See Financial Stability Oversight Council 2012 Annual
Report, Appendix A (``FSOC 2012 Report''), available at <a href="http://www.treasury.gov/initiatives/fsoc/Documents/2012-20Annual-20Report.pdf">http://www.treasury.gov/initiatives/fsoc/Documents/2012-20Annual-20Report.pdf</a>.
\6\ 12 U.S.C. 5465(e)(1). See FSOC 2012 Report, supra note 5.
\7\ See FSOC 2012 Report, Appendix A, supra note 5.
---------------------------------------------------------------------------
DTC's Rules currently do not require, either as part of an
application for membership or as an ongoing membership requirement, any
level or version for network technology, such as a web browser or other
technology, or any level or version of communications technology or
protocols, such as email encryption, secure messaging, or file
transfers, that participants may use to connect to or communicate with
DTC.\8\ Therefore, DTC currently maintains multiple network and
communications methods and protocols to interact with its
participants.\9\ This includes some outdated communication technologies
in order to support participants that continue to use such older
technologies.\10\ DTC believes that continuing to use such outdated
technologies could render communications between DTC and some of its
participants vulnerable to cyber risks.\11\ Additionally, participants'
use of outdated technology delays DTC's implementation of its own
internal system upgrades, which, if carried out, would risk losing
connectivity between DTC and a number of its participants.\12\ Finally,
DTC states
that it currently expends additional resources, both in personnel and
equipment, to maintain outdated communications channels.\13\
---------------------------------------------------------------------------
\8\ Notice of Filing, supra note 3, at 32482.
\9\ Id.
\10\ Id.
\11\ Id.
\12\ Id.
\13\ Id.
---------------------------------------------------------------------------
To mitigate the foregoing security concerns and resource
inefficiencies, DTC proposes to require its participants to upgrade and
maintain network technology, communication technology, and protocol
standards, in accordance with applicable technology standards that DTC
would identify and publish via Important Notice on its website from
time to time.\14\ DTC would base these requirements on standards set
forth by widely accepted organizations such as the National Institute
of Standards and Technology (``NIST'') and the Internet Engineering Task
Force (``IETF'').\15\
---------------------------------------------------------------------------
\14\ Id., at 32482-83.
\15\ Id. NIST is part of the U.S. Department of Commerce. The
IETF is an open standards organization that develops and promotes
voluntary internet standards, in particular, the technical standards
that comprise the internet protocol suite (TCP/IP). For example,
NIST Special Publication 800-52 revision 2 specifies that servers that
support government-only applications shall be configured to use
Transport Layer Security (``TLS'') 1.2 and should be configured to
use TLS 1.3 as well. See <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf</a>. (TLS, the successor of the
now-deprecated Secure Sockets Layer (``SSL''), is a cryptographic
protocol designed to provide communications security over a computer
network.) These servers should not be configured to use TLS 1.1 and
shall not use TLS 1.0, SSL 3.0, or SSL 2.0. Additionally, the IETF
formally deprecated TLS versions 1.0 and 1.1 in March of 2021,
stating that ``[t]hese versions lack support for current and
recommended cryptographic algorithms and mechanisms, and various
government and industry profiles of applications using TLS now
mandate avoiding these old TLS versions. . . . Removing support for
older versions from implementations reduces the attack surface,
reduces opportunity for misconfiguration, and streamlines library
and product maintenance.'' See <a href="https://datatracker.ietf.org/doc/rfc8996/">https://datatracker.ietf.org/doc/rfc8996/</a>. DTC would also require participants to discontinue using
File Transfer Protocol (``FTP''), which DTC believes to be an
insecure protocol because it transfers user authentication data
(username and password) and file data as plain-text (not encrypted)
over the network. Notice of Filing, supra note 3, at 32482-83.
---------------------------------------------------------------------------
To implement the proposed changes, DTC would revise its Rules to
require participants to maintain or upgrade their network technology,
communications technology, or protocols on the systems that connect to
DTC, to the version DTC requires, within the time period DTC
requires.\16\ Consistent with the guidance from NIST and other
standards organizations, DTC would require the use of TLS 1.2, Secure
FTP (``SFTP''), and other modern technology and communication standards
and protocols, by its participants for communication with DTC.\17\ DTC
would publish such requirements via Important Notice on its
website.\18\ DTC also proposes to amend its Rules to provide that
failure to perform a necessary technology upgrade within the required
timeframe would subject participants to disciplinary sanctions.\19\
---------------------------------------------------------------------------
\16\ Notice of Filing, supra note 3, at 32483.
\17\ Id., at 32482-83.
\18\ Id.
\19\ Notice of Filing, supra note 3, at 32483.
---------------------------------------------------------------------------
III. Discussion and Commission Findings
Section 19(b)(2)(C) of the Act \20\ directs the Commission to
approve a proposed rule change of a self-regulatory organization if it
finds that such proposed rule change is consistent with the
requirements of the Act and the rules and regulations thereunder
applicable to such organization. After careful consideration, the
Commission finds that the Proposed Rule Change is consistent with the
requirements of the Act and the rules and regulations applicable to
DTC. In particular, the Commission finds that the Proposed Rule Change
is consistent with Sections 17A(b)(3)(F) \21\ and (b)(3)(G) \22\ of the
Act and Rules 17Ad-22(e)(17) \23\ and (e)(21) \24\ thereunder.
---------------------------------------------------------------------------
\20\ 15 U.S.C. 78s(b)(2)(C).
\21\ 15 U.S.C. 78q-1(b)(3)(F).
\22\ 15 U.S.C. 78q-1(b)(3)(G).
\23\ 17 CFR 240.17Ad-22(e)(17)(i) and (ii).
\24\ 17 CFR 240.17Ad-22(e)(21)(iv).
---------------------------------------------------------------------------
A. Consistency With Section 17A(b)(3)(F) of the Act
Section 17A(b)(3)(F) of the Act requires that the rules of a
clearing agency be designed to, among other things, promote the prompt
and accurate clearance and settlement of securities transactions and
assure the safeguarding of securities and funds which are in the
custody or control of the clearing agency or for which it is
responsible.\25\
---------------------------------------------------------------------------
\25\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
As described above, DTC proposes to require its participants to
upgrade and maintain network technology, and communication technology
and protocol standards, that meet the standards identified by DTC and
published via
[[Page 42241]]
Important Notice to DTC's website from time to time. DTC would use
standards set forth by widely accepted organizations such as NIST and
the IETF as the requirements. The proposed requirements would enable
DTC to avoid communicating with its participants using outdated
technologies that present security vulnerabilities to DTC.
Specifically, as an initial matter, the proposed requirements would
enable DTC to discontinue using communication technologies such as TLS
1.0, TLS 1.1, SSL 2.0, SSL 3.0, and FTP, which have been deemed not
secure by organizations such as NIST and/or the IETF. Removing support
for such outdated technologies would reduce DTC's potential exposure to
cyberattacks and other cyber vulnerabilities.
If not adequately addressed, the risk of cyberattacks and other
cyber vulnerabilities could affect DTC's network and, in turn, DTC's
ability to clear and settle securities transactions, or to safeguard
the securities and funds which are in DTC's custody or control, or for
which it is responsible. DTC designed the proposed requirements for
participants to upgrade their communications technology to address
those risks, as described above. Accordingly, the Commission finds the
proposed technology requirements on DTC's participants would promote
the prompt and accurate clearance and settlement of securities
transactions and assure the safeguarding of securities and funds which
are in the custody or control of DTC or for which it is responsible,
consistent with the requirements of Section 17A(b)(3)(F) of the
Act.\26\
---------------------------------------------------------------------------
\26\ Id.
---------------------------------------------------------------------------
B. Consistency With Section 17A(b)(3)(G) of the Act
Section 17A(b)(3)(G) of the Act requires the rules of a clearing
agency to provide that its participants shall be appropriately
disciplined for violation of any provision of the rules of the clearing
agency by fine or other fitting sanction.\27\ As noted above, DTC
proposes to require its participants to upgrade and maintain network
technology, communication technology, and protocol standards, in
accordance with applicable technology standards that DTC would identify
and publish via Important Notice on its website. The proposed
requirements would enable DTC to avoid communicating with its
participants using outdated technologies that present security
vulnerabilities to DTC. If not adequately addressed, such
vulnerabilities could affect DTC's network and its ability to operate.
DTC also proposes to amend its Rules to provide that failure to perform
a necessary technology upgrade within the required timeframe would
subject participants to disciplinary sanctions. Because the proposed
disciplinary sanctions should incentivize DTC's participants to upgrade
and maintain secure communications technology, thereby reducing DTC's
operational risks, the Commission finds the proposed rule change is
consistent with the requirements of Section 17A(b)(3)(G) of the
Act.\28\
---------------------------------------------------------------------------
\27\ 15 U.S.C. 78q-1(b)(3)(G).
\28\ Id. Additionally, by including the monetary fine provision
in its Rules, DTC would enable its participants to better identify
and evaluate the material costs they might incur by participating in
DTC, consistent with Rule 17Ad-22(e)(23)(ii) under the Act, which
requires a covered clearing agency to establish, implement,
maintain, and enforce written policies and procedures reasonably
designed to provide sufficient information to enable participants to
identify and evaluate the risks, fees, and other material costs they
incur by participating in the covered clearing agency. See 17 CFR
240.17Ad-22(e)(23)(ii).
---------------------------------------------------------------------------
C. Consistency With Rule 17Ad-22(e)(17) Under the Act
Rule 17Ad-22(e)(17)(i) under the Act requires that each covered
clearing agency establish, implement, maintain and enforce written
policies and procedures reasonably designed to manage the covered
clearing agency's operational risks by identifying the plausible
sources of operational risk, both internal and external, and mitigating
their impact through the use of appropriate systems, policies,
procedures, and controls.\29\ DTC's operational risks include cyber
risks to its electronic systems.
---------------------------------------------------------------------------
\29\ 17 CFR 240.17Ad-22(e)(17)(i).
---------------------------------------------------------------------------
As described above, DTC and its participants connect electronically
to communicate with one another. However, DTC's Rules currently do not
require any level or version for network technology, such as a web
browser or other technology, or any level or version of communications
technology or protocols, such as email encryption, secure messaging, or
file transfers, that participants may use to connect to or communicate
with DTC. As a result, DTC maintains some outdated communication
technologies in order to support participants that continue to use such
older technologies. Continuing to use such outdated technologies could
render communications between DTC and some of its participants
vulnerable to cyber risks.
To mitigate the foregoing cyber risks, DTC proposes to require its
participants to upgrade and maintain network technology, and
communication technology and protocol standards that meet the standards
identified by DTC from time to time. The proposed technology
requirements should reduce DTC's cyber risk by requiring participants
to upgrade and maintain communications technology based on standards
set forth by widely accepted organizations such as NIST and the IETF,
thereby decreasing the operational risks presented to DTC. Because the
proposed technology requirements would help DTC mitigate plausible
sources of external operational risk, the Commission finds the proposed
changes are consistent with the requirements of Rule 17Ad-22(e)(17)(i)
under the Act.\30\
---------------------------------------------------------------------------
\30\ Id.
---------------------------------------------------------------------------
Rule 17Ad-22(e)(17)(ii) under the Act requires that each covered
clearing agency establish, implement, maintain and enforce written
policies and procedures reasonably designed to manage the covered
clearing agency's operational risks by ensuring, in part, that systems
have a high degree of security, resiliency, and operational
reliability.\31\ As noted above, DTC's operational risks include cyber
risks.
---------------------------------------------------------------------------
\31\ 17 CFR 240.17Ad-22(e)(17)(ii).
---------------------------------------------------------------------------
As described above, DTC's Rules currently do not require any level
or version for network technology, such as a web browser or other
technology, or any level or version of communications technology or
protocols, such as email encryption, secure messaging, or file
transfers, that participants may use to connect to or communicate with
DTC. DTC designed the proposed technology requirements to reduce cyber
risks by requiring its participants to upgrade and maintain
communications technology based on standards set forth by widely
accepted organizations such as NIST and the IETF. Requiring DTC's
participants to use only secure communications technology would reduce
DTC's cyber risks and thereby strengthen the security, resiliency, and
operational reliability of DTC's network and other systems. Because the
proposed technology requirements would enhance DTC's ability to ensure
that its systems have a high degree of security, resiliency, and
operational reliability, the Commission finds the Proposed Rule Change
is consistent with the requirements of Rule 17Ad-22(e)(17)(ii) under
the Act.\32\
---------------------------------------------------------------------------
\32\ Id.
---------------------------------------------------------------------------
D. Consistency With Rule 17Ad-22(e)(21) Under the Act
Rule 17Ad-22(e)(21)(iv) under the Act requires that each covered
clearing agency establish, implement, maintain
[[Page 42242]]
and enforce written policies and procedures reasonably designed to have
the covered clearing agency's management regularly review the
efficiency and effectiveness of its use of technology and communication
procedures.\33\
---------------------------------------------------------------------------
\33\ 17 CFR 240.17Ad-22(e)(21)(iv).
---------------------------------------------------------------------------
As mentioned above, DTC maintains multiple network and
communication methods to interact with its participants, including
certain outdated communication technologies necessary to support
participants that continue to use such older technologies. DTC believes
that continuing to use such outdated technologies could render
communications between DTC and some of its participants vulnerable to
cyber risks. Additionally, participants' use of outdated technology
delays DTC's implementation of its own internal system upgrades, which,
if carried out, would risk losing connectivity between DTC and a number of its
participants. Finally, DTC states that it currently expends unnecessary
resources to maintain outdated communications channels. In other words,
DTC has subjected its network communication methods to review for
efficiency and effectiveness. As a result, to enhance the efficiency
and effectiveness of its technology and communication procedures, DTC
proposes to require its participants to upgrade and maintain network
technology, communication technology, and protocol standards, in
accordance with applicable technology standards that DTC would identify
and publish via Important Notice on its website. Because the Proposed
Rule Change is an outgrowth of DTC's review of the efficiency and
effectiveness of its technology and communication procedures, the
Commission finds the Proposed Rule Change is consistent with the
requirements of Rule 17Ad-22(e)(21)(iv) under the Act.\34\
---------------------------------------------------------------------------
\34\ Id.
---------------------------------------------------------------------------
IV. Conclusion
On the basis of the foregoing, the Commission finds that the
Proposed Rule Change is consistent with the requirements of the Act and
in particular with the requirements of Section 17A of the Act \35\ and
the rules and regulations promulgated thereunder.
---------------------------------------------------------------------------
\35\ 15 U.S.C. 78q-1.
---------------------------------------------------------------------------
It is therefore ordered, pursuant to Section 19(b)(2) of the Act
\36\ that Proposed Rule Change SR-DTC-2022-004, be, and hereby is,
approved.\37\
---------------------------------------------------------------------------
\36\ 15 U.S.C. 78s(b)(2).
\37\ In approving the Proposed Rule Change, the Commission
considered the proposals' impact on efficiency, competition, and
capital formation. 15 U.S.C. 78c(f).
\38\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\38\
J. Matthew DeLesDernier,
Assistant Secretary.
[FR Doc. 2022-15003 Filed 7-13-22; 8:45 am]
BILLING CODE 8011-01-P
</pre></body>
</html>
Indexed from Federal Register on July 14, 2022.