Notice 2023-14441

Self-Regulatory Organizations; Options Clearing Corporation; Order Instituting Proceedings To Determine Whether To Approve or Disapprove a Proposed Rule Change, as Modified by Partial Amendment No. 1, Concerning Clearing Member Cybersecurity Obligations

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
July 10, 2023

Issuing agencies

Securities and Exchange Commission

Full Text

<html>
<head>
<title>Federal Register, Volume 88 Issue 130 (Monday, July 10, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 130 (Monday, July 10, 2023)]
[Notices]
[Pages 43640-43641]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-14441]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-97832; File No. SR-OCC-2023-003]


Self-Regulatory Organizations; Options Clearing Corporation; 
Order Instituting Proceedings To Determine Whether To Approve or 
Disapprove a Proposed Rule Change, as Modified by Partial Amendment No. 
1, Concerning Clearing Member Cybersecurity Obligations

July 3, 2023.

I. Introduction

    On March 21, 2023, the Options Clearing Corporation (``OCC'') filed 
with the Securities and Exchange Commission (``Commission'') the 
proposed rule change SR-OCC-2023-003 pursuant to Section 19(b) of the 
Securities Exchange Act of 1934 (``Exchange Act'') \1\ and Rule 19b-4 
\2\ thereunder to amend certain provisions in OCC's Rules relating to 
each Clearing Member's obligation to address a ``Security Incident'' 
(i.e., the occurrence of a cyber-related disruption or intrusion) of 
that Clearing Member.\3\ The proposed rule change was published for 
public comment in the Federal Register on April 5, 2023.\4\ The 
Commission has received comments regarding the proposed rule change.\5\
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ See Notice of Filing infra note 4, at 88 FR at 20195.
    \4\ Securities Exchange Act Release No. 97225 (Mar. 30, 2023), 
88 FR 20195 (Apr. 5, 2023) (File No. SR-OCC-2023-003) (``Notice of 
Filing'').
    \5\ Comments on the proposed rule change are available at 
<a href="https://www.sec.gov/comments/sr-occ-2023-003/srocc2023003.htm">https://www.sec.gov/comments/sr-occ-2023-003/srocc2023003.htm</a>.
---------------------------------------------------------------------------

    On May 18, 2023, pursuant to Section 19(b)(2) of the Exchange 
Act,\6\ the Commission designated a longer period within which to 
approve, disapprove, or institute proceedings to determine whether to 
approve or disapprove the proposed rule change.\7\ On May 24, 2023, OCC 
filed Partial Amendment No. 1 to the proposed rule change.\8\ This 
order institutes proceedings, pursuant to Section 19(b)(2)(B) of the 
Exchange Act,\9\ to determine whether to approve or disapprove the 
proposed rule change, as modified by Partial Amendment No. 1 
(hereinafter defined as ``Proposed Rule Change'').
---------------------------------------------------------------------------

    \6\ 15 U.S.C. 78s(b)(2).
    \7\ Securities Exchange Act Release No. 97525 (May 18, 2023), 88 
FR 33655 (May 24, 2023) (File No. SR-OCC-2023-003).
    \8\ Securities Exchange Act Release No. 97602 (May 26, 2023), 88 
FR 36351 (Jun. 2, 2023) (File No. SR-OCC-2023-003) (``Partial 
Amendment No. 1'').
    \9\ 15 U.S.C. 78s(b)(2)(B).
---------------------------------------------------------------------------

II. Summary of the Proposed Rule Change

    Currently, the only OCC Rule governing a Clearing Member's 
cybersecurity obligations to OCC is Rule 219, titled ``Cybersecurity 
Confirmation.'' It requires Clearing Members and applicants for 
clearing membership to submit to OCC a form called the ``Cybersecurity 
Confirmation'' at least every two years or as part of its application 
materials, respectively. Through the form, Clearing Members and 
applicants confirm that they maintain a comprehensive cybersecurity 
program that meets certain criteria (e.g., it is approved by senior 
management, reviewed and updated periodically, protects the segment of 
the Clearing Member's or applicant's system that interacts with OCC, 
establishes a process for the Clearing Member to remediate cyber 
issues, etc.). However, current Rule 219 does not require Clearing 
Members to notify OCC if they experience a cybersecurity incident that 
could impact OCC or otherwise address OCC's processes, or the Clearing 
Member's obligations with respect to OCC, in the event a Clearing 
Member experiences a cybersecurity incident.
    The substantive changes in the proposed rule change would be the 
addition of two new subsections--(d) and (e)--titled ``Occurrence of a 
Security Incident'' and ``Procedures for Connecting Following a 
Security Incident,'' respectively. New subsection (d) would require a 
Clearing Member that experiences a Security Incident (as defined in the 
Rule) to immediately notify OCC of the Security Incident. It would also 
specify that OCC may take actions it deems reasonably necessary to 
mitigate any effects on its operations following a Security Incident. 
New subsection (e) would require a Clearing Member wishing to reconnect 
its systems to OCC's systems to provide OCC with a new form, titled 
``Reconnection Attestation,'' that describes the Security Incident and 
attests to certain security requirements, as well as an associated 
checklist, titled ``Reconnection Checklist,'' that describes the 
affected Clearing Member's remediation efforts and other key 
information.
    OCC submitted Partial Amendment No. 1 in response to comments 
received on the scope of the proposed definition of Security Incident 
and potential conflicts with other existing and proposed Commission 
rules.\10\ OCC also submitted Partial Amendment No. 1 in response to 
comments about (i) the requirement that Clearing Members provide 
immediate notice of a Security Incident to OCC, (ii) the standards OCC 
would apply when determining whether to disconnect a Clearing Member 
from OCC, and (iii) the process for reconnection following a Security 
Incident that results in disconnection.\11\
---------------------------------------------------------------------------

    \10\ See Partial Amendment No. 1, supra note 8.
    \11\ Id.
---------------------------------------------------------------------------

III. Proceedings To Determine Whether To Approve or Disapprove the 
Proposed Rule Change and Grounds for Disapproval Under Consideration

    The Commission is instituting proceedings pursuant to Section 
19(b)(2)(B) of the Exchange Act \12\ to determine whether the Proposed 
Rule Change should be approved or disapproved. Institution of 
proceedings is appropriate at this time in view of the legal and policy 
issues raised by the Proposed Rule Change. Institution of proceedings 
does not indicate that the Commission has reached any conclusions with 
respect to any of the issues involved. Rather, the Commission seeks and 
encourages interested persons to comment on the Proposed Rule Change, 
providing the Commission with arguments to support the Commission's 
analysis as to whether to approve or disapprove the Proposed Rule 
Change.
---------------------------------------------------------------------------

    \12\ 15 U.S.C. 78s(b)(2)(B).
---------------------------------------------------------------------------

    Pursuant to Section 19(b)(2)(B) of the Exchange Act,\13\ the 
Commission is providing notice of the grounds for disapproval under 
consideration. The Commission is instituting proceedings to allow for 
additional analysis of, and input from commenters with respect to, the 
Proposed Rule Change's consistency with Section 17A of the Exchange 
Act,\14\ and the rules thereunder, including the following provisions:
---------------------------------------------------------------------------

    \13\ Id.
    \14\ 15 U.S.C. 78q-1.
---------------------------------------------------------------------------

    * Section 17A(b)(3)(F) of the Exchange Act,\15\ which 
requires, among other things, that the rules of a clearing agency are 
designed to promote the prompt and accurate clearance and settlement of 
securities transactions and derivative agreements, contracts, and 
transactions; and to assure the safeguarding of securities and funds 
which are in the custody or control of the clearing agency or for which 
it is responsible; and
---------------------------------------------------------------------------

    \15\ 15 U.S.C. 78q-1(b)(3)(F).

---------------------------------------------------------------------------

    * Rule 17Ad-22(e)(17)(i) of the Exchange Act,\16\ which 
requires that a covered clearing agency establish, implement, maintain 
and enforce written policies and procedures reasonably designed to 
manage the covered clearing agency's operational risks by identifying 
the plausible sources of operational risk, both internal and external, 
and mitigating their impact through the use of appropriate systems, 
policies, procedures, and controls.
---------------------------------------------------------------------------

    \16\ 17 CFR 240.17Ad-22(e)(17)(i).
---------------------------------------------------------------------------

IV. Procedure: Request for Written Comments

    The Commission requests that interested persons provide written 
submissions of their views, data, and arguments with respect to the 
issues identified above, as well as any other concerns they may have 
with the Proposed Rule Change. In particular, the Commission invites 
the written views of interested persons concerning whether the Proposed 
Rule Change is consistent with Section 17A(b)(3)(F) \17\ and Rule 17Ad-
22(e)(17)(i) \18\ of the Exchange Act, or any other provision of the 
Exchange Act, or the rules and regulations thereunder. Although there 
do not appear to be any issues relevant to approval or disapproval that 
would be facilitated by an oral presentation of views, data, and 
arguments, the Commission will consider, pursuant to Rule 19b-4(g) 
under the Exchange Act,\19\ any request for an opportunity to make an 
oral presentation.\20\
---------------------------------------------------------------------------

    \17\ 15 U.S.C. 78q-1(b)(3)(F).
    \18\ 17 CFR 240.17Ad-22(e)(17)(i).
    \19\ 17 CFR 240.19b-4(g).
    \20\ Section 19(b)(2) of the Exchange Act grants to the 
Commission flexibility to determine what type of proceeding--either 
oral or notice and opportunity for written comments--is appropriate 
for consideration of a particular proposal by a self-regulatory 
organization. See Securities Act Amendments of 1975, Senate Comm. on 
Banking, Housing & Urban Affairs, S. Rep. No. 75, 94th Cong., 1st 
Sess. 30 (1975).
---------------------------------------------------------------------------

    Interested persons are invited to submit written data, views, and 
arguments regarding whether the Proposed Rule Change should be approved 
or disapproved by July 25, 2023. Any person who wishes to file a 
rebuttal to any other person's submission must file that rebuttal by 
August 8, 2023.
    The Commission asks that commenters address the sufficiency of 
OCC's statements in support of the Proposed Rule Change, which are set 
forth in the Notice of Filing \21\ and the Partial Amendment No. 1,\22\ 
in addition to any other comments they may wish to submit about the 
Proposed Rule Change.
---------------------------------------------------------------------------

    \21\ See Notice of Filing, supra note 4.
    \22\ See Partial Amendment No. 1, supra note 8.
---------------------------------------------------------------------------

    Comments may be submitted by any of the following methods:

Electronic Comments

    * Use the Commission's internet comment form
    (<a href="http://www.sec.gov/rules/sro.shtml">http://www.sec.gov/rules/sro.shtml</a>); or
    * Send an email to rule-comments@sec.gov. Please include 
file number SR-OCC-2023-003 on the subject line.

Paper Comments

    * Send paper comments in triplicate to Secretary, Securities 
and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090.

All submissions should refer to file number SR-OCC-2023-003. This file 
number should be included on the subject line if email is used. To help 
the Commission process and review your comments more efficiently, 
please use only one method. The Commission will post all comments on 
the Commission's internet website (<a href="https://www.sec.gov/rules/sro.shtml">https://www.sec.gov/rules/sro.shtml</a>). Copies of the submission, all subsequent amendments, all 
written statements with respect to the Proposed Rule Change that are 
filed with the Commission, and all written communications relating to 
the Proposed Rule Change between the Commission and any person, other 
than those that may be withheld from the public in accordance with the 
provisions of 5 U.S.C. 552, will be available for website viewing and 
printing in the Commission's Public Reference Room, 100 F Street NE, 
Washington, DC 20549 on official business days between the hours of 10 
a.m. and 3 p.m. Copies of such filing also will be available for 
inspection and copying at the principal office of OCC and on OCC's 
website at <a href="https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules">https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules</a>.
    Do not include personal identifiable information in submissions; 
you should submit only information that you wish to make available 
publicly. We may redact in part or withhold entirely from publication 
submitted material that is obscene or subject to copyright protection.
    All submissions should refer to File Number SR-OCC-2023-003 and 
should be submitted on or before July 25, 2023. Rebuttal comments 
should be submitted by August 8, 2023.

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\23\
---------------------------------------------------------------------------

    \23\ 17 CFR 200.30-3(a)(31).
---------------------------------------------------------------------------

Vanessa A. Countryman,
Secretary.
[FR Doc. 2023-14441 Filed 7-7-23; 8:45 am]
BILLING CODE 8011-01-P


</pre></body>
</html>
Indexed from Federal Register on July 10, 2023.
