Notice2025-20384
Self-Regulatory Organizations; The Depository Trust Company; Fixed Income Clearing Corporation; and National Securities Clearing Corporation; Order Approving Proposed Rule Changes, as Modified by Amendments No. 1, Relating to a Participant System Disruption
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Published
November 20, 2025
Issuing agencies
Securities and Exchange Commission
Full Text
<html>
<head>
<title>Federal Register, Volume 90 Issue 222 (Thursday, November 20, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 222 (Thursday, November 20, 2025)]
[Notices]
[Pages 52453-52460]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-20384]
[[Page 52453]]
=======================================================================
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-104183; File Nos. SR-DTC-2025-003; SR-FICC-2025-006;
SR-NSCC-2025-003]
Self-Regulatory Organizations; The Depository Trust Company;
Fixed Income Clearing Corporation; and National Securities Clearing
Corporation; Order Approving Proposed Rule Changes, as Modified by
Amendments No. 1, Relating to a Participant System Disruption
November 17, 2025.
On March 14, 2025, The Depository Trust Company (``DTC''), Fixed
Income Clearing Corporation (``FICC'') and National Securities Clearing
Corporation (``NSCC,'' and together with DTC and FICC, the ``Clearing
Agencies,'' or ``Clearing Agency'' when referring to one of the three
Clearing Agencies) filed with the Securities and Exchange Commission
(``Commission'') the proposed rule changes SR-DTC-2025-003, SR-FICC-
2025-006, and SR-NSCC-2025-003 pursuant to Section 19(b) of the
Securities Exchange Act of 1934 (``Exchange Act'') \1\ and Rule 19b-4
\2\ thereunder. The proposed rule changes were published for public
comment in the Federal Register on March 27, 2025.\3\ The Commission
has received comments regarding the substance of the changes proposed
in the proposed rule changes.\4\
---------------------------------------------------------------------------
\1\ 15 U.S.C. 78s(b)(1).
\2\ 17 CFR 240.19b-4.
\3\ Securities Exchange Act Release Nos. 102712 (Mar. 21, 2025),
90 FR 13919 (Mar. 27, 2025) (File No. SR-DTC-2025-003) (``DTC Notice
of Filing''); 102713 (Mar. 21, 2025), 90 FR 13942 (Mar. 27, 2025)
(File No. SR-FICC-2025-006) (``FICC Notice of Filing''); and 102711
(Mar. 21, 2025), 90 FR 13926 (Mar. 27, 2025) (File No. SR-NSCC-2025-
003) (``NSCC Notice of Filing'').
\4\ Comments on the proposed rule changes are available at
<a href="https://www.sec.gov/comments/sr-dtc-2025-003/srdtc2025003.htm">https://www.sec.gov/comments/sr-dtc-2025-003/srdtc2025003.htm</a>.
---------------------------------------------------------------------------
On May 2, 2025, pursuant to Section 19(b)(2) of the Exchange
Act,\5\ the Commission designated a longer period within which to
approve, disapprove, or institute proceedings to determine whether to
approve or disapprove the proposed rule changes.\6\
---------------------------------------------------------------------------
\5\ 15 U.S.C. 78s(b)(2).
\6\ Securities Exchange Act Release Nos. 102981 (May 5, 2025),
90 FR 19590 (May 8, 2025) (File Nos. SR-DTC-2025-003; SR-FICC-2025-
006; SR-NSCC-2025-003).
---------------------------------------------------------------------------
On June 20, 2025, the Clearing Agencies filed an amendment to each
of the proposed rule changes (collectively defined as ``Amendment No.
1''). On June 24, 2025, the Commission instituted proceedings to
determine whether to approve or disapprove the proposed rule changes,
as modified by Amendment No. 1 (hereinafter defined as ``Proposed Rule
Changes'').\7\ On September 22, 2025, the Commission designated a
longer period for Commission action on the Proposed Rule Changes.\8\
For the reasons discussed below, the Commission is approving the
Proposed Rule Changes.
---------------------------------------------------------------------------
\7\ Securities Exchange Act Release Nos. 103310 (June 24, 2025),
90 FR 27698 (June 27, 2025) (File No. SR-DTC-2025-003) (``DTC
Amendment''); 103311 (June 24, 2025), 90 FR 27712 (June 27, 2025)
(File No. SR-FICC-2025-006) (``FICC Amendment''); and 103309 (June
24, 2025), 90 FR 27717 (June 27, 2025) (File No. SR-NSCC-2025-003)
(``NSCC Amendment'').
\8\ Securities Exchange Act Release No. 104008 (Sept. 22, 2025),
90 FR 46281 (Sept. 25, 2025) (File Nos. SR-DTC-2025-003, SR-FICC-
2025-006, and SR-NSCC-2025-003).
---------------------------------------------------------------------------
I. Background
The Proposed Rule Changes seek to amend the Clearing Agencies'
Disruption Rules.\9\ The Disruption Rules allow the Clearing Agencies
to take certain actions to mitigate risk when there is a reasonable
basis to conclude that there is a Major Event, which is currently
defined as ``one or more System Disruption(s) that is reasonably likely
to have a significant impact on [a Clearing Agency]'s operations,
including the DTCC Systems, that affect the business, operations,
safeguarding of securities or funds, or physical functions of [each
Clearing Agency, its respective members or participants as defined in
the respective rules of the applicable Clearing Agency (hereinafter,
``Respective Participants'')] and/or other market participants.'' \10\
---------------------------------------------------------------------------
\9\ The Clearing Agencies are each a subsidiary of The
Depository Trust & Clearing Corporation (``DTCC''). DTCC operates on
a shared service model with respect to the Clearing Agencies. Most
corporate functions are established and managed on an enterprise-
wide basis pursuant to intercompany agreements under which it is
generally DTCC that provides relevant services to the Clearing
Agencies. Here, the Clearing Agencies are seeking to modify Rule
38(A) (Systems Disconnect: Threat of Significant Impact to the
Corporation's Systems) of the Rules, By-Laws and Organization
Certificate of DTC; Rule 50A of the FICC Government Securities
Division (``FICC-GSD'') Rulebook; Rule 40A of the FICC Mortgage-
Backed Securities Division (``FICC-MBSD'') Clearing Rules; and Rule
60A of the NSCC Rules & Procedures (collectively with DTC Rule
38(A), FICC-GSD Rule 50A, and FICC-MBSD Rule 40A, the ``Disruption
Rules''). The Disruption Rules are publicly available in the
respective rules of the applicable Clearing Agency at <a href="https://www.dtcc.com/legal/rules-and-procedures">https://www.dtcc.com/legal/rules-and-procedures</a>. Any capitalized terms not
otherwise defined herein have the meaning as set forth in the
Clearing Agencies' respective rules.
\10\ Disruption Rules, supra note 9, Section 1. Under the
current Disruption Rules, Respective Participants for NSCC are
Members and Limited Members; for DTC, Participants; for FICC-GSD and
FICC-MBSD, Members. Under the proposed changes to the Disruption
Rules, as referenced herein, Respective Participants for NSCC will
be Members, Limited Members, and Sponsored Members; for DTC,
Participants, Limited Participants, and Pledgees; for FICC-GSD,
Netting Members, CCIT Members, Comparison Only Members, and Funds-
Only Settling Bank Members; and for FICC-MBSD, Members, Clearing
Members, and Cash Settling Bank Members.
---------------------------------------------------------------------------
During a Major Event,\11\ the Disruption Rules authorize the
Clearing Agencies to (i) disconnect the subject DTCC Systems
Participant from DTCC Systems; \12\ (ii) suspend the receipt and/or
transmission of files or communications to/from the DTCC Systems
Participant and DTCC Systems; or (iii) take, or refrain from taking, or
require a DTCC Systems Participant to take, or refrain from taking, any
actions the Clearing Agencies consider appropriate to prevent, address,
correct, alleviate, or mitigate the event and facilitate the
continuation of the Clearing Agencies' services as may be
practicable.\13\
---------------------------------------------------------------------------
\11\ Under the current rules, the decision to declare a ``Major
Event'' is determined by designated officials listed in the rules
and then ratified, modified, or rescinded within five Business Days
by the Clearing Agencies' management committees and the Clearing
Agencies' Boards of Directors (``Board''). Disruption Rules, supra
note 9, Section 2.
\12\ ``DTCC Systems Participant'' is currently defined in the
Disruption Rules as, ``a [Respective Participant], or third party
service provider, or service bureau that is connecting with the DTCC
Systems.'' ``DTCC Systems'' is currently defined in the Disruption
Rules as, ``the systems, equipment and technology networks of DTCC,
the Corporation and/or their Affiliates, whether owned, leased, or
licensed, software, devices, IP addresses, or other addresses or
accounts used in connection with providing the services set forth in
the Rules, or used to transact business or to manage the connection
with the Corporation.'' Disruption Rules, supra note 9, Section 1.
\13\ Id. at Section 3.
---------------------------------------------------------------------------
The Disruption Rules also require the DTCC Systems Participant to
immediately notify the Clearing Agencies when they become aware of a
Major Event, cooperate with the Clearing Agencies in addressing the
Major Event, and require the Clearing Agencies to notify a DTCC Systems
Participant of any action that the Clearing Agencies take, or intend to
take, against it under the rule.\14\
---------------------------------------------------------------------------
\14\ Id. at Section 4.
---------------------------------------------------------------------------
Finally, the Disruption Rules provide certain indemnities, clarify
powers available to the Clearing Agencies under the Disruption Rules,
impose confidentiality requirements, and include a conflicts provision
noting that the provisions of Disruption Rules will prevail if there is
a conflict between them and any other Rules or Procedures.\15\
---------------------------------------------------------------------------
\15\ Id. at Section 5.
---------------------------------------------------------------------------
The Proposed Rule Changes would (i) update and add definitions used
throughout the Disruption Rules; (ii) update the provisions and
governance for declaring a Major Event (which would be redefined as a
Major System
[[Page 52454]]
Event); (iii) clarify and enhance the requirements of the DTCC Systems
Participant to notify the Clearing Agencies of a Systems Disruption
(which would be redefined as a Participant System Disruption); (iv) add
provisions incorporating the reporting, testing, and approval
requirements, process, legal obligations, and governance necessary for
``reconnection'' (as defined by the Proposed Rule Changes) \16\ of a
DTCC Systems Participant that was ``disconnected'' from DTCC Systems
pursuant to a Disruption Rule; and (v) make technical, ministerial, and
other conforming and clarifying changes, including updating the name of
the Disruption Rules. The Clearing Agencies state that the Proposed
Rule Changes will make the rules more efficient, effective, and clear
in their governance, authorities, application, and requirements, so
that the Clearing Agencies are better situated to address the events
that require action under the rules to protect the Clearing Agencies,
and their Respective Participants, Affiliates, and the industry more
broadly.\17\ In addition, the Clearing Agencies state that the Proposed
Rule Changes would enable a DTCC Systems Participant to better
understand and prepare for their obligations to the Clearing Agencies
in the event of a Participant System Disruption.\18\
---------------------------------------------------------------------------
\16\ Under the Proposed Rule Changes, ``Reconnection'' would be
defined as the reestablishment of connectivity between DTCC Systems
and the DTCC Systems Participant that was the subject of action
taken pursuant to a Disruption Rule.
\17\ See DTC Notice of Filing, supra note 3, at 13920; FICC
Notice of Filing, supra note 3, at 13944; NSCC Notice of Filing,
supra note 3, at 13928.
\18\ Id.
---------------------------------------------------------------------------
II. Description of the Proposed Rule Change
First, the Proposed Rule Changes would rename Section 1 of the
Disruption Rules from ``Major Event'' to ``Definitions,'' and update
and add definitions to the section. In addition to various technical,
ministerial, and other conforming and clarifying changes to existing
definitions, the Proposed Rule Changes would change the following
items: \19\
---------------------------------------------------------------------------
\19\ Each respective filing was written from the perspective of
the Clearing Agencies, collectively, instead of DTC, FICC, and NSCC
individually, but application of the proposed rule changes would
only apply to the DTCC Systems Participant (as defined below) of the
corresponding Clearing Agency or Clearing Agencies.
---------------------------------------------------------------------------
<bullet> Update the existing definition of ``DTCC Systems'' to
include systems, equipment and technology networks of all DTCC
Affiliates and expand the types of systems connectivity to include
hardware and applications such that, in the event of a Participant
System Disruption, all of DTCC's potentially impacted connections, and
any means of connectivity, are incorporated into such definition.\20\
---------------------------------------------------------------------------
\20\ Id.
---------------------------------------------------------------------------
<bullet> Add the definition ``Third-Party Provider'' to cover
Affiliates of Respective Participants, third-party service providers,
service bureaus, or other similar entities that connect to DTCC Systems
on behalf of or for the benefit of the Respective Participant. The
Clearing Agencies state that this definition would help clarify that
the Disruption Rules apply to a DTCC Systems Participant's third-party
connections to DTCC Systems.\21\
---------------------------------------------------------------------------
\21\ See DTC Amendment, supra note 7, at 27700; FICC Amendment,
supra note 7, at 27714; NSCC Amendment, supra note 7, at 27719.
---------------------------------------------------------------------------
<bullet> Change the existing definition of ``DTCC Systems
Participant'' to clarify that Respective Participants connected to DTCC
Systems either directly or through a Third-Party Provider would be
considered DTCC Systems Participants. The Clearing Agencies state that
this change better reflects the entities that the definition is
intended to cover.\22\
---------------------------------------------------------------------------
\22\ See DTC Amendment, supra note 7, at 27699; FICC Amendment,
supra note 7, at 27713-14; NSCC Amendment, supra note 7, at 27719.
---------------------------------------------------------------------------
<bullet> Add the definition ``Best Practices'' to mean, the
``policies, procedures, practices or similar standards and guidelines
that are reasonably designed and consistent with then current
financial-sector cybersecurity standards issued by an authoritative
body that is a U.S. governmental entity or agency, an association of a
U.S. governmental entity or agency, or a widely recognized industry
organization.'' The Clearing Agencies state that the purpose of adding
this definition is to clearly state the standards that the Clearing
Agencies would require a Third-Party Cybersecurity Firm (as defined
below) to employ when such firm is engaged, as would be required by the
Disruption Rules and discussed further below.\23\ The Clearing Agencies
state that much of the language of this proposed definition comes
directly from Section 1001(a)(4) of the Commission's Regulation Systems
Compliance and Integrity (``Reg SCI'').\24\
---------------------------------------------------------------------------
\23\ See DTC Notice of Filing, supra note 3, at 13921; FICC
Notice of Filing, supra note 3, at 13944; NSCC Notice of Filing,
supra note 3, at 13928.
\24\ Id.; see also 17 CFR 242.1001(a)(4).
---------------------------------------------------------------------------
<bullet> Delete the existing definition ``Major Event'' and replace
it with the definition ``Major System Event'' to mean, ``a Participant
System Disruption that has or is reasonably anticipated to, for
example, disrupt, degrade, cause a delay in, interrupt or otherwise
alter the normal operation of DTCC Systems; result in unauthorized
access to DTCC Systems; result in the loss of control of, disclosure
of, or loss of DTCC Confidential Information; or cause a strain on,
loss of, or overall threat to the Corporation's resources, functions,
security or operations.'' The Clearing Agencies state that, although
the new definition is similar to the prior definition, the new
definition would more appropriately tie the disruption at issue to the
effect on the normal operation of DTCC Systems and less so on any
subsequent effect to the Clearing Agencies' operations.\25\
---------------------------------------------------------------------------
\25\ See DTC Notice of Filing, supra note 3, at 13921; FICC
Notice of Filing, supra note 3, at 13944; NSCC Notice of Filing,
supra note 3, at 13928.
---------------------------------------------------------------------------
<bullet> Add the definition ``Third-Party Cybersecurity Firm'' to
mean ``a firm that, in [the Clearing Agencies'] reasonable judgement,
(A) (i) is well-known and reputable; (ii) is not the subject DTCC
Systems Participant, or an Affiliate or a Third-Party Provider of the
subject DTCC Systems Participant; (iii) is experienced in financial-
sector cybersecurity; and (iv) employs Best Practices; or (B) is
otherwise determined to be a Third-Party Cybersecurity Firm by the [the
Clearing Agencies].'' The Clearing Agencies state that the purpose of
adding this definition is to clearly describe the type of firm that the
Clearing Agencies would require the subject DTCC Systems Participant to
engage under the Disruption Rules, as discussed further below.\26\
---------------------------------------------------------------------------
\26\ Id.
---------------------------------------------------------------------------
<bullet> Delete the existing definition ``Systems Disruption'' and
replace it with the definition ``Participant System Disruption'' to
mean, ``an incident resulting from the unintended or unauthorized
access to, or the malfunction or corruption (whether partial or total)
of one or more systems, of a DTCC Systems Participant or its Third-
Party Provider, connected to DTCC Systems.'' The Clearing Agencies
state that the new definition is intended to capture only disruptions
to systems connected to DTCC Systems, whether via a direct connection
from the Respective Participant or through the Respective Participant's
third-party service provider, and that it is not intended to capture
every disruption to every system of the Respective Participant or its
provider.\27\
---------------------------------------------------------------------------
\27\ See DTC Amendment, supra note 7, at 27700; FICC Amendment,
supra note 7, at 27714; NSCC Amendment, supra note 7, at 27719.
---------------------------------------------------------------------------
[[Page 52455]]
Second, the Proposed Rule Changes would move current Section 4 of
the Disruption Rules to create a new Section 2, which would be renamed
``Notifications of a Participant System Disruption.'' The Clearing
Agencies state that this move would better align the structure of the
Disruption Rules with the expected sequence of events of a Participant
System Disruption.\28\
---------------------------------------------------------------------------
\28\ See DTC Notice of Filing, supra note 4, at 13921; FICC
Notice of Filing, supra note 4, at 13944; NSCC Notice of Filing,
supra note 4, at 13928.
---------------------------------------------------------------------------
The new Section 2 would delete the notification language of current
Section 4 and replace it with more granular notification requirements
applicable to any DTCC Systems Participant, not only the Respective
Participants of the Clearing Agencies. Specifically, the DTCC Systems
Participant would provide the Clearing Agencies with immediate written
notice, to include certain DTCC Systems Participant and Participant
System Disruption information, if known, but in any event within two
hours of experiencing the disruption.\29\ The information required in
the notice, if known, would include (i) the legal entity names of the
subject DTCC Systems Participant and any of its Third-Party Providers
experiencing or otherwise affected or potentially affected by the
Participant System Disruption; (ii) contact information of persons who
are authorized to act on behalf of the DTCC Systems Participant; and
(iii) key details about the Participant System Disruption, such as
event type, event effect, start date, end date (if applicable),
discovery date, scope, and any other notices or information that was
made public.
---------------------------------------------------------------------------
\29\ The Disruption Rules require immediate notification. The
Proposed Rule Changes would retain this requirement and further
specify that the written notice must be provided within two hours of
experiencing the disruption.
---------------------------------------------------------------------------
The Clearing Agencies state that the purpose of the proposed
changes in the new Section 2 is to (i) enable a DTCC Systems
Participant to better understand and prepare for their obligations to
the Clearing Agencies in the event that they experience a Participant
System Disruption; and (ii) facilitate the Clearing Agencies' timely
receipt of key information that could enable a more efficient and
effective review and response by the Clearing Agencies to a Participant
System Disruption, all in an effort to help mitigate the risk presented
by a Participant System Disruption.\30\
---------------------------------------------------------------------------
\30\ See DTC Notice of Filing, supra note 3, at 13921; FICC
Notice of Filing, supra note 3, at 13944; NSCC Notice of Filing,
supra note 3, at 13929.
---------------------------------------------------------------------------
Third, the Proposed Rule Changes would redesignate current Section
2 of the Disruption Rules as Section 3 and rename the section from
``Powers of [the Clearing Agencies]'' to ``Declaration of a Major
System Event,'' which the Clearing Agencies state would more accurately
describe the purpose of the section.\31\ In addition to various
technical, ministerial, and other conforming and clarifying changes to
the new Section 3, the Clearing Agencies would no longer (i) provide a
list of specific persons that may determine that the Clearing Agencies
have a reasonable basis to conclude that there is a Major System Event;
nor (ii) require, within five Business Days, that such determination be
reviewed by a management committee on which all of such listed people
serve, and the Board. Instead, the Clearing Agencies propose that such
determination be made by two or more members of the Clearing Agencies'
``senior most management committee,'' \32\ in their reasonable
judgement, and then, after such determination is made, the Board, any
remaining members of that senior management committee, and the
Commission be promptly notified \33\ of such determination.
---------------------------------------------------------------------------
\31\ See DTC Notice of Filing, supra note 3, at 13920; FICC
Notice of Filing, supra note 3, at 13945; NSCC Notice of Filing,
supra note 3, at 13929.
\32\ The current ``senior most management committee'' of the
Clearing Agencies is the Executive Committee, which includes each of
the six persons listed in the existing Disruption Rules that can
determine the existence of a Major Event (i.e., the Chief Executive
Officer, the Chief Financial Officer, the Group Chief Risk Officer,
the Chief Information Officer, the Head of Clearing Agency Services,
and the General Counsel), plus the Chief Client Officer, Global Head
of DTCC Digital Assets, Head of Enterprise Services, and the Chief
Human Resources Officer. Disruption Rules, supra note 9, Section 2.
\33\ ``Prompt notification'' means the notification is to be
made without undue or unreasonable delay, as is consistent with the
use of ``prompt'' in Reg SCI. See DTC Notice of Filing, supra note
3, at 13921 n.21; FICC Notice of Filing, supra note 3, at 13945
n.21; NSCC Notice of Filing, supra note 3, at 13929 n.21; see also
17 CFR 242.1001.
---------------------------------------------------------------------------
In addition, the Clearing Agencies would provide the Board an
update on the status of the Major System Event and any action taken
pursuant to the Disruption Rules on the earlier of 45 calendar days
from the date of declaration of the Major System Event or the next
scheduled Board meeting, or more frequently following material changes
to the status of a Major System Event.
Accordingly, the Clearing Agencies state that the proposed changes
shift the authority to make such a determination from only one of the
Clearing Agencies' most senior officers to two of the Clearing
Agencies' most senior officers.\34\ Further, the proposed changes
eliminate two subsequent reviews, after the determination is already
made. The Clearing Agencies state that these reviews are
administratively burdensome and may complicate managing the event in
terms of ratifying, modifying, or rescinding the disconnection of a
DTCC Systems Participant that has already happened.\35\ Instead, the
Clearing Agencies state that the proposed changes would set clear
communication standards and provide more timely transparency to the
remaining senior most management committee members, the Board, and the
Commission, which could still act in response to the notice without the
need for formal meetings pursuant to the Disruption Rules.\36\
---------------------------------------------------------------------------
\34\ See DTC Notice of Filing, supra note 3, at 13920; FICC
Notice of Filing, supra note 3, at 13945; NSCC Notice of Filing,
supra note 3, at 13929.
\35\ Id.
\36\ Id.
---------------------------------------------------------------------------
Fourth, the Clearing Agencies would redesignate current Section 3
of the Disruption Rules as Section 4, ``Authority to Take Action and
Required Cooperation,'' and make various technical, ministerial,
conforming, and clarifying changes to the section. Additionally, the
Clearing Agencies propose to clarify and broaden, in what would be
Subsections 4(a)(i) and (ii), the connections of the subject DTCC
Systems Participant that can be disconnected and the transmissions,
communications, or access that can be suspended. The Clearing Agencies
state that the purpose of these changes is to help ensure that the
Clearing Agencies can adequately address all potential connectivity and
communication types for each DTCC Systems Participant in an effort to
help mitigate the risk presented by the Participant System Disruption
and associated Major System Event.\37\
---------------------------------------------------------------------------
\37\ See DTC Notice of Filing, supra note 3, at 13922; FICC
Notice of Filing, supra note 3, at 13945; NSCC Notice of Filing,
supra note 3, at 13929.
---------------------------------------------------------------------------
New Subsection 4(a)(iii) would continue to provide from current
Subsection 3(c) of the Disruption Rules \38\ the authority for the
Clearing Agencies to (A) act or not act, or require the subject DTCC
Systems Participant to act or not act, as the Clearing Agencies
consider appropriate to help mitigate the risk of the Major System
Event, as well as (B) facilitate the continuation of services of the
subject DTCC Systems Participant, as appropriate and practical, which
may require issuing instructions to the DTCC Systems Participant and,
as proposed, requiring
[[Page 52456]]
such instructions to be followed. The Clearing Agencies state that
adding the requirement that their instructions be followed is important
not only to help facilitate the continuation of services for the
subject DTCC Systems Participant but also for any downstream effects
that may have or could have resulted from the disruption.\39\
---------------------------------------------------------------------------
\38\ Disruption Rules, supra note 9, Section 3.
\39\ See DTC Notice of Filing, supra note 3, at 13922; FICC
Notice of Filing, supra note 3, at 13945; NSCC Notice of Filing,
supra note 3, at 13929.
---------------------------------------------------------------------------
New Subsection 4(b) would reinstate similar language from current
Subsection 4(b) that would require the Clearing Agencies to promptly
notify the subject DTCC Systems Participant of any disconnection,
suspension, or other material action taken. Additionally, the Clearing
Agencies would add new language to clarify that, notwithstanding any
action the Clearing Agencies take pursuant to new Section 4, the
subject DTCC Systems Participant must continue to meet its obligations
to the Clearing Agencies and comply with their rules, as applicable.
New Subsection 4(c) would expand the cooperation requirement in
current Section 4(a) to require the DTCC Systems Participant to
cooperate ``fully and completely'' with the Clearing Agencies, to the
Clearing Agencies' reasonable satisfaction, regarding the Major System
Event in whole, instead of limiting such cooperation to the root cause
and resolution. Such cooperation would include, for example, (i)
conducting timely investigations and inquiries relating to the
Participant System Disruption; (ii) promptly notifying the Clearing
Agencies of any material changes, updates, or new information learned
regarding the Participant System Disruption; and (iii) promptly
providing any documentation or information requested by the Clearing
Agencies, unless not legally permitted to do so, regarding the
Participant System Disruption.
Fifth, the Clearing Agencies would insert a new Section 5 to the
Disruption Rules titled ``Reconnection Requirements.'' New Section 5
would set forth the information that the subject DTCC Systems
Participant would be required to provide to the Clearing Agencies, in
form and substance that is reasonably satisfactory to the Clearing
Agencies,\40\ prior to the Clearing Agencies ``reconnecting'' a
disconnected DTCC Systems Participant. The Clearing Agencies would
require three things: (i) a detailed, comprehensive, and auditable
report, from a Third-Party Cybersecurity Firm, or a summary of such
report; (ii) an attestation from a Participant Officer of the DTCC
Systems Participant; \41\ and (iii) an executed indemnity from the DTCC
Systems Participant to the reasonable satisfaction and judgement of the
Clearing Agencies in consideration of the facts and circumstances.
---------------------------------------------------------------------------
\40\ Whether the information provided is ``reasonably
satisfactory'' would be a determination by the applicable Clearing
Agency in consideration of the facts and circumstances, such as the
severity of the disruption, thoroughness of and confidence in the
information provided, any outstanding questions or concerns, etc.,
all within the context of reasonableness. See DTC Notice of Filing,
supra note 3, at 13922 n.23; FICC Notice of Filing, supra note 3, at
13946 n.23; NSCC Notice of Filing, supra note 3, at 13930 n.23.
\41\ Pursuant to this proposed rule change, ``Participant
Officer'' would be defined as a member of the board of directors, a
senior executive officer, or other member of senior management of
the subject DTCC Systems Participant.
---------------------------------------------------------------------------
Proposed Subsection 5(a)(i) would require the report by the Third-
Party Cybersecurity Firm, or a summary of such report, to include the
following information:
<bullet> a timeline of the Participant System Disruption, including
all material actions, events, and decisions taken for or relating to
the Participant System Disruption;
<bullet> a description of the Participant System Disruption and how
it was corrected and resolved;
<bullet> root cause analysis of the Participant System Disruption;
<bullet> confirmation that any severe, critical, or moderate items,
or comparable categorizations, identified by the Third-Party
Cybersecurity Firm have been resolved;
<bullet> confirmation of the normal or intended operation of the
subject systems, including, but not limited to, the return or
replacement of key systems and datastores to pre-Participant System
Disruption resilience, in a safe, secure, and proper manner for at
least 72 hours;
<bullet> a description of any short- and long-term preventive
monitoring and detection recommendations by the Third-Party
Cybersecurity Firm; and
<bullet> any other information reasonably requested to be included
by the Clearing Agencies.
Proposed Subsection 5(a)(ii) would require the Participant Officer
to attest to the following:
<bullet> the Third-Party Cybersecurity Firm's report is, to the
best of the Participant Officer's knowledge, accurate and complete;
<bullet> all short-term preventive monitoring and detection
controls recommended by the Third-Party Cybersecurity Firm have been
implemented;
<bullet> all medium- and long-term preventive monitoring and
detection controls recommended by the Third-Party Cybersecurity Firm
will be promptly implemented;
<bullet> the Participant Officer recommends Reconnection to DTCC
Systems; and
<bullet> the DTCC Systems Participant will continue to oversee
remediation efforts and monitor the subject systems, and immediately,
but in any event within two hours, notify the Clearing Agencies if
there is any indication of the continuation of a Participant System
Disruption or an existence of a new Participant System Disruption.
Finally, Subsection 5(b) would require the subject DTCC Systems
Participant to promptly provide, upon the applicable Clearing Agency's
request, any other documentation or information and/or take other
actions to the Clearing Agency's reasonable satisfaction, including
obtaining a second Third-Party Cybersecurity Firm onsite validation of
the subject DTCC Systems Participant, all of which would be decided by
the Clearing Agency in consideration of the facts and circumstances.
The Clearing Agencies state that the purpose of these proposed
changes is to (i) provide each DTCC Systems Participant with notice of
what information they would need to provide to the Clearing Agencies in
order to be Reconnected under the Disruption Rules; (ii) ensure that
the Clearing Agencies have all the necessary information regarding the
Participant System Disruption and its remediation from an independent,
reputable, and knowledgeable third party, so that the Clearing Agencies
can make an informed decision about whether Reconnection is
appropriate; (iii) confirm that an appropriate senior officer at the
subject DTCC Systems Participant is sufficiently informed and
responsible for the DTCC Systems Participant's systems and the
information being provided to the Clearing Agencies; and (iv) ensure
that the Clearing Agencies are properly indemnified for actions or
inactions, as needed, all to help mitigate the risk presented by a
Reconnection.
Sixth, the Proposed Rule Changes would insert a new Section 6
titled ``Reconnection Testing and Approval.'' New Subsection 6(a) would
require, prior to approval of the Reconnection, that the subject DTCC
Systems Participant demonstrate, as applicable, to the Clearing
Agencies' reasonable satisfaction, that it:
<bullet> can operate in a test environment, including, but not
limited to, sending and receiving messages and transactions;
[[Page 52457]]
<bullet> can replay or resubmit previously submitted messages or
transactions;
<bullet> can reverse or void previously submitted messages or
transactions;
<bullet> can confirm the integrity of messages and transactions;
<bullet> has alternative communication methods with the Clearing
Agency to facilitate the exchange of messages, transactions, and
reports; and
<bullet> can complete any other such requirements as are reasonably
requested by the Clearing Agencies.
Subsection 6(b) would authorize two or more members of the Clearing
Agencies' senior most management committee, in their reasonable
judgement, to approve the Reconnection of a DTCC Systems Participant
that was the subject of action taken pursuant to the Disruption Rules,
after the Clearing Agencies have received and reviewed to their
satisfaction all information believed necessary for a safe Reconnection
and certain testing has occurred, pursuant to Subsection 6(a).
Similar to the governance process for determining a Major System
Event, the Clearing Agencies state that it is appropriate that approval
of a Reconnection be made by at least two of the Clearing Agencies'
most senior officers to help ensure that information regarding the
Reconnection has been escalated to the highest management level. But,
it is essential that such approval not be made until the Clearing
Agencies have (i) received, to their satisfaction, all necessary
Participant System Disruption information and (ii) confirmed that the
subject DTCC Systems Participant can safely perform the capabilities
necessary for submitting, receiving, and correcting information
appropriately, confidently, and in a manner unaffected by the
Participant System Disruption, so as to help mitigate the risk
presented by the Reconnection.\42\
---------------------------------------------------------------------------
\42\ See DTC Notice of Filing, supra note 3, at 13923; FICC
Notice of Filing, supra note 3, at 13946; NSCC Notice of Filing,
supra note 3, at 13930.
---------------------------------------------------------------------------
Seventh, the Proposed Rule Changes would redesignate current
Section 5 of the Disruption Rules as Section 7, which would continue to
address ``Certain Miscellaneous Matters.'' In addition to various
technical, ministerial, and other conforming and clarifying changes to
newly designated Section 7, the Clearing Agencies propose to remove the
existing ``conflicts'' provision and replace it with a ``failure to
comply'' provision. The new ``failure to comply'' provision would
authorize the Clearing Agencies to (i) subject a DTCC Systems
Participant to any and all disciplinary action permitted under the
rules of the Clearing Agencies, if it fails to comply with the
Disruption Rules; and (ii) require a DTCC Systems Participant that has
authorized another party, such as a Third-Party Provider, to access and
use DTCC Systems to assume responsibility for such authorized party's
compliance or compliance failure. The Clearing Agencies state that the
purpose of these changes is to emphasize the importance in complying
with the Disruption Rules and highlight the actions that the Clearing
Agencies may take if there is a failure to comply, as applicable to the
subject party.\43\
---------------------------------------------------------------------------
\43\ See DTC Notice of Filing, supra note 3, at 13923; FICC
Notice of Filing, supra note 3, at 13947; NSCC Notice of Filing,
supra note 3, at 13931.
---------------------------------------------------------------------------
Finally, the Clearing Agencies propose to rename the Disruption
Rules from ``Systems Disconnect: Threat of Significant Impact to [the
Clearing Agencies'] Systems'' to ``Participant System Disruption,''
which the Clearing Agencies state is a more appropriate description of
the rule, particularly in consideration of the proposed changes.\44\
---------------------------------------------------------------------------
\44\ Id.
---------------------------------------------------------------------------
III. Discussion and Commission Findings
Section 19(b)(2)(C) of the Exchange Act directs the Commission to
approve a proposed rule change of a self-regulatory organization if it
finds that such proposed rule change is consistent with the
requirements of the Exchange Act and the rules and regulations
thereunder applicable to such organization.\45\ After carefully
considering the Proposed Rule Changes, the Commission finds that the
Proposed Rule Changes are consistent with the requirements of the
Exchange Act and the rules and regulations thereunder applicable to the
Clearing Agencies. More specifically, the Commission finds that the
Proposed Rule Changes are consistent with Section 17A(b)(3)(F) of the
Exchange Act \46\ and Rules 17ad-22(e)(2)(i), (2)(v), and (17)(i) \47\
thereunder as described in detail below.
---------------------------------------------------------------------------
\45\ 15 U.S.C. 78s(b)(2)(C).
\46\ 15 U.S.C. 78q-1(b)(3)(F).
\47\ 17 CFR 240.17ad-22(e)(17)(i).
---------------------------------------------------------------------------
A. Consistency With Section 17A(b)(3)(F) of the Exchange Act
Section 17A(b)(3)(F) of the Exchange Act requires, among other
things, that a clearing agency's rules are designed to promote the
prompt and accurate clearance and settlement of securities transactions
and assure the safeguarding of securities and funds which are in the
custody or control of the clearing agency or for which it is
responsible.\48\
---------------------------------------------------------------------------
\48\ 15 U.S.C. 78q-1(b)(3)(F).
---------------------------------------------------------------------------
As described above, the Proposed Rule Changes introduce and amend
several definitions in the Disruption Rules, streamline governance for
declaring a Major System Event, add more granular notification
requirements for DTCC Systems Participants, introduce a structured
reconnection process, which includes reporting, testing, and approval
following a disruption, replace the existing ``conflicts'' provision
with a ``failure to comply'' provision, and make technical,
ministerial, and other conforming and clarifying changes. The Proposed
Rule Changes are designed to enhance the Clearing Agencies' ability to
identify, manage, respond to, and recover from systems disruptions
experienced by a DTCC Systems Participant or its Third-Party Provider.
Collectively, the changes impose certain additional obligations on DTCC
Systems Participants and provide additional identification of the
actions the Clearing Agencies may take to mitigate the risks presented
by a Participant System Disruption and associated Major System Event.
The changes also strengthen the Clearing Agencies' ability to manage
its disruption-related risks by revising the governance procedure for
the Clearing Agencies to declare a Major System Event; providing
context and clarity regarding the existing ``immediate'' notification
requirement applicable to DTCC Systems Participants regarding
Participant System Disruptions; requiring specific enumerated details
for DTCC Systems Participants to provide to the Clearing Agencies about
a disruption; and imposing new reconnection requirements for DTCC
Systems Participants, including a detailed, comprehensive and auditable
report from a Third-Party Cybersecurity Firm, or a summary of such
report. The proposed changes should strengthen the Clearing Agencies'
risk management processes governing systems disruptions. By creating a
consistent set of obligations on DTCC Systems Participants for
identifying and reporting system disruptions, the Clearing Agencies
would enhance their ability to monitor, mitigate, and manage disruption
risks--such as unauthorized disclosure of sensitive information or a
loss of data or system integrity--in the event a DTCC Systems
Participants experiences a Participant System Disruption. Because the
Clearing Agencies' information, data, and systems support and enable
their ability to conduct essential clearance and
[[Page 52458]]
settlement functions, enhancing each Clearing Agency's ability to limit
the impact of a Participant System Disruption at a DTCC Systems
Participant promotes each Clearing Agency's ability to continue the
prompt and accurate clearance and settlement of securities
transactions.
One commenter, who ``agrees with the spirit of the disruption rule
updates,'' provided comments on several specific aspects of the
Proposed Rule Changes, as originally proposed and prior to the
Amendment No. 1. DTCC responded to the comments and made several
changes related to areas that the commenters addressed.\49\ First, the
commenter stated that the originally proposed definition of Participant
System Disruption, which required the reporting of all operational
incidents rather than only malicious cybersecurity events, was overly
broad.\50\ Further, the commenter stated that requiring the reporting
of ``reasonably anticipated'' incidents would be ``subjective, vague,
and impractical'' which would result in large volumes of reporting that
could ``dilute the [Clearing Agencies' abilities] to identify serious
incidents that threaten real harm.'' \51\ Specifically, the commenter
stated that the overly broad definition ``sets an unnecessarily low
threshold for incident notification'' that ``will likely cause
participants to overreport low-risk incidents,'' and that it risks
misapplying disconnection as a response when it would not be
appropriate.\52\ The commenter, therefore, stated that the Clearing
Agencies should limit the scope of the definition of Participant System
Disruption to actual or ongoing ``substantial incidents that impact
critical services'' caused by ``malicious cybersecurity breaches.''
\53\ The commenter also stated that the Clearing Agencies should more
clearly articulate the risks and threats for which they consider
disconnection to be an appropriate mitigant.\54\
---------------------------------------------------------------------------
\49\ See Letter from Stephen Byron, Managing Director, Head of
Operations, Technology, Cyber & BCP, Securities Industry and
Financial Markets Association (``SIFMA''), dated April 17, 2025
(``SIFMA Letter'').
\50\ Id. at 4.
\51\ Id. at 2-4.
\52\ Id. at 2.
\53\ Id. at 4.
\54\ Id. at 7.
---------------------------------------------------------------------------
In response, the Clearing Agencies stated that they believe that
the Proposed Rule Changes clearly articulate the risk and threats that
would be considered in both declaring a Major System Event and in the
actions that could be taken in response to such an event.\55\
Specifically, the Proposed Rule Changes provide that the Clearing
Agencies may consider the risks enumerated in the definition of a Major
System Event, which include a disruption, degradation, delay,
interruption, or alteration to the normal operation of DTCC Systems;
unauthorized access to DTCC Systems; loss of control, disclosure, or
loss of DTCC Confidential Information; or a strain, loss, or threat to
Clearing Agency resources, functions, security, or operations. The
Clearing Agencies state that while they cannot account for or enumerate
every risk or threat, they believe the Proposed Rule Changes provide
clear and sufficient notice on what the Clearing Agencies would
consider prior to acting.\56\
---------------------------------------------------------------------------
\55\ See Letter from W. Carson McLean, Managing Director and
Deputy General Counsel, DTCC, dated June 20, 2025 (``DTCC Letter''),
at 5.
\56\ Id.
---------------------------------------------------------------------------
The Clearing Agencies also amended the definition of Participant
System Disruption in response to the comments by limiting it to a
narrower list of incidents, removing the previously proposed
``reasonably anticipated'' requirement, and explicitly stating that
only systems ``connected to DTCC Systems'' fall within the definition.
These amendments to the Participant System Disruption definition are
responsive to the commenter's concerns about the scope of the rule by
narrowing the definition to a smaller list of ``incidents'' and
explicitly stating that the definition only applies to systems that are
``connected to DTCC Systems.'' The Clearing Agencies, however, stated
that the scope of incidents should not be limited to only ``substantial
incidents that limit critical services'' caused by ``malicious
cybersecurity breaches'' because concepts such as ``substantial,''
``critical,'' and ``malicious'' are subjective and could result in
different interpretations, non-malicious incidents can still present
significant risks to DTCC Systems and there is no direct correlation
between a ``substantial'' or ``critical'' incident at a Participant and
the subsequent effect at the Clearing Agencies.\57\ The Commission
agrees that a non-malicious or non-substantial incident could still
have a material effect at the Clearing Agencies. Accordingly, the
amended definition of Participant System Disruption reasonably balances
the commenter's concerns about capturing too many incidents, and each
Clearing Agency's need to ensure that it can identify, monitor, and
manage the impact of a Participant System Disruption on its systems and
operations.
---------------------------------------------------------------------------
\57\ Id. at 2.
---------------------------------------------------------------------------
Second, the commenter stated that demonstrating that a Third-Party
Cybersecurity Firm is ``specialized'' in financial-sector
cybersecurity, as originally proposed, would be ``complex and
subjective'' for participants and the requirement that the
cybersecurity firm cannot be affiliated with the participant was
unclear and potentially unworkable.\58\ Instead, the commenter
suggested that the Third-Party Cybersecurity Firm be ``experienced'' in
financial-sector cybersecurity, which would be ``more actionable and
objective.'' \59\ In response, the Clearing Agencies amended the
definition of Third-Party Cybersecurity Firm to require the firm to be
``experienced'' rather than ``specialized'' in financial-sector
cybersecurity, as suggested by the commenter. The Clearing Agencies
also agreed that the ``not affiliated with'' language in the definition
was unclear and modified it to remove the exclusion of firms affiliated
with DTCC or the Clearing Agencies and clarify that the firm cannot be
the subject DTCC Systems Participant or an Affiliate or a Third-Party
Provider of the subject DTCC Systems Participant.\60\ The Commission
agrees that these changes are reasonable and provide specificity
regarding the nature of a Third-Party Cybersecurity Firm.
---------------------------------------------------------------------------
\58\ See SIFMA Letter, supra note 49, at 4-5. SIFMA also stated
that it ``feel[s] strongly that DTCC should not preclude a firm
which DTCC itself has formerly or currently retains for
cybersecurity incident response. This would significantly detract
from system participants' ability to choose an appropriate firm.
Additionally, as a practical matter, the proposed language does not
state how system participants would have knowledge of what firms
have an affiliation with DTCC.'' Id. at 4.
\59\ Id.
\60\ See DTCC Letter, supra note 55, at 2-3.
---------------------------------------------------------------------------
Third, the commenter addressed the originally proposed notice and
reporting obligations for DTCC Systems Participants. For example, the
commenter objected to the two-hour reporting requirement for DTCC
Systems Participant because it stated that the requirement will
``divert resources and attention away from assessment and remediation''
concerning the incident.\61\ The commenter suggested aligning this
requirement with other federal and state reporting standards that range
from 36 to 72 hours.\62\ In response, the Clearing
[[Page 52459]]
Agencies clarified that the existing ``immediate'' reporting
requirement is not changing under the Proposed Rule Changes.\63\
Rather, the Clearing Agencies stated that the addition of ``no later
than two hours after experiencing the disruption'' is simply to provide
context on what the Clearing Agencies meant by ``immediate.'' \64\
Further, the Clearing Agencies stated that given the central and
interconnected role that the Clearing Agencies play in the U.S.
securities markets, it is imperative that they be notified of and be
able to assess a Participant System Disruption as immediately as
possible.\65\ The Clearing Agencies, however, stated that if
information is unknown within two hours, participants can simply report
it as ``unknown,'' emphasizing that it is better to be aware of issues
sooner with less information than later with complete information.\66\
---------------------------------------------------------------------------
\61\ See SIFMA Letter, supra note 49, at 5.
\62\ Id. at 5-6. Specifically, the commenter stated that the (1)
Office of the Comptroller of the Currency requires notifications
about incidents no later than 36 hours after the banking
organization determines that a notification incident has occurred;
(2) Joint Agency Final Rule on Computer-Security Incident
Notification Requirements for Banking Organizations and Their
Service Providers requires notification no later than 36 hours after
determining that a notification event has occurred; and (3) New York
State Department of Financial Services has a 72-hour notification
requirement. Id.
\63\ See DTCC Letter, supra note 55, at 3.
\64\ Id.
\65\ Id.
\66\ Id.
---------------------------------------------------------------------------
The Commission agrees that enabling the Clearing Agencies to
receive timely information on Participant System Disruptions supports
the Clearing Agencies' ability to identify, monitor, and manage risks
posed to its operations. Further, providing additional specificity
regarding what constitutes the ``immediate'' timeframe should help the
DTCC Systems Participants better comply with the Clearing Agencies'
rules. The Commission acknowledges that there would be some resources
involved for DTCC Systems Participants to report to the Clearing
Agencies, but the Clearing Agencies' statement that simply reporting
that certain information is unknown should allow for timely
notification, allowing the Clearing Agencies to consider what steps may
be necessary to safeguard DTCC Systems while still allowing the DTCC
Systems Participants the time to fully address any incidents. Given the
connectivity between DTCC Systems and a DTCC Systems Participant's
systems, a timeframe of 36 to 72 hours would not allow the Clearing
Agencies sufficient time to effectively assess and address the impacts
of a Participant System Disruption; the federal and state reporting
requirements cited by the commenter \67\ do not address situations in
which there is connectivity to a system that could be impacted by the
systems issue (as the DTCC Systems could be impacted by their DTCC
Systems Participant's systems). Accordingly, the Proposed Rule Changes
reasonably balance, on the one hand, the commenter's concerns regarding
potentially diverting a DTCC Systems Participant's resources and
attention away from assessment and remediation concerning the incident,
and, on the other hand, the Clearing Agencies' need to address a
Participant System Disruption quickly and remain functional as a
systemically important financial market utility.
---------------------------------------------------------------------------
\67\ See supra note 62.
---------------------------------------------------------------------------
Fourth, the commenter stated that the requirement to report
disruptions of an ``unaffiliated DTCC Systems Participant'' is unclear,
should be defined, and could divert resources away from participants'
management of incidents.\68\ The commenter also suggested that the
Clearing Agencies define the following terms: unauthorized access
(actual or anticipated), unavailability, system failures or
malfunctions system overloads, data corruption, and restrictions
(partial or total).\69\ In response, the Clearing Agencies deleted the
notification requirements concerning ``unaffiliated DTCC Systems
Participants'' in Section 2(b), amended the definitions of DTCC Systems
Participant and Participant System Disruption, and added an entirely
new definition, Third-Party Provider, to more precisely describe the
entities the rule is intended to cover (e.g., participants connected to
DTCC Systems directly and third-party service providers connected to
DTCC Systems on behalf of participants).\70\ This change addresses the
commenter's concern regarding the clarity of the term and ensures that
the reporting requirements are focused on participants connected to
DTCC Systems directly and third-party service providers connected to
DTCC Systems on behalf of participants. The Clearing Agencies also
deleted the following originally proposed terms from ``Participant
System Disruption'': ``unavailability,'' ``failure,'' ``overload,''
``restriction,'' and the ``actual or anticipated'' modifier to
``unauthorized access.'' The terms ``malfunction'' and ``data
corruption'' are not defined but are commonly understood.
---------------------------------------------------------------------------
\68\ See SIFMA Letter, supra note 49, at 3, 6.
\69\ Id. at 3.
\70\ See DTCC Letter, supra note 55, at 3-4.
---------------------------------------------------------------------------
Fifth, the commenter objected to the proposed disclosure of notices
given to other firms or regulators, noting that such communications are
subject to confidentiality.\71\ In response, the Clearing Agencies
amended the rule text to only require notices to be disclosed if they
were made public.\72\ This change addresses the commenter's concern
regarding potentially confidential materials, as it clarifies that such
materials would not be included.
---------------------------------------------------------------------------
\71\ See SIFMA Letter, supra note 49, at 7.
\72\ See DTCC Letter, supra note 55, at 4.
---------------------------------------------------------------------------
Sixth, the commenter stated that the information that participants
should be required to report to the Clearing Agencies should be limited
to ``an actionable purpose,'' and that the requirement that
participants provide the Clearing Agencies with the Third-Party
Cybersecurity Firm's report is inappropriate as it could contain
sensitive information and delay participants' reviews of and responses
to the incident.\73\ The Clearing Agencies disagreed with limiting
requested information to only ``actionable'' purposes, stating that
this requirement is intended to help inform the Clearing Agencies
regarding the disruption so they can make an informed decision and they
would need to have the necessary information before they can determine
what information is actionable.\74\ However, in response to the
commenter's concern about the potential disclosure of sensitive
information in in the Third-Party Cybersecurity report, the Clearing
Agencies modified the requirement to allow participants to provide the
Clearing Agencies with a summary of the Third-Party Cybersecurity
report in lieu of the full report.\75\ By allowing a summary of the
Third-Party Cybersecurity report in lieu of the full report, the
Proposed Rule Changes address the commenter's concern about being
required to disclose sensitive information by allowing participants to
omit such information in a summary, while still ensuring that the
Clearing Agencies receive sufficient information to identify, monitor,
and manage risks posed to its operations.
---------------------------------------------------------------------------
\73\ See SIFMA Letter, supra note 49, at 2, 8-9.
\74\ See DTCC Letter, supra note 55, at 4.
\75\ Id.
---------------------------------------------------------------------------
Seventh, the commenter stated that the proposal gives Clearing
Agencies the authority to interfere with a participant's ability to
make business decisions and, therefore, the Clearing Agencies should
acknowledge that the participants are best placed to determine
mitigation actions and that the Clearing Agencies should explicitly
acknowledge their intention to consider the balance of the risk created
by the incident with the business effect of any disconnection decision
taken by the
[[Page 52460]]
Clearing Agencies.\76\ In response, the Clearing Agencies stated that
they do not believe that the Proposed Rule Changes will interfere with
participants' business decisions and that they are intended to protect
DTCC Systems and provide necessary information for informed decision-
making.\77\ The Clearing Agencies did, however, acknowledge that their
decisions in accordance with the Proposed Rule Changes could have
business effects on participants.\78\ The Clearing Agencies stated that
they did not take that effect lightly and have designed the rule to
involve the Clearing Agencies' most senior management, their Board, and
the Commission to ensure the action is appropriate.\79\
---------------------------------------------------------------------------
\76\ See SIFMA Letter, supra note 49, at 2, 9.
\77\ See DTCC Letter, supra note 55, at 5.
\78\ Id.
\79\ Id.
---------------------------------------------------------------------------
Finally, the commenter objected to the Clearing Agencies requiring
indemnities from affected participants because existing contracts
govern these relationships and it requested that the Clearing Agencies
clarify their intention with respect to the indemnity requirement.\80\
In response, the Clearing Agencies stated that the indemnity
requirement is intended to cover situations that may fall outside of
existing relationships, such as bespoke arrangements needed to continue
services that present unique risks.\81\ The proposed indemnity is
therefore appropriate to address unique and otherwise uncovered risks
to the Clearing Agencies.
---------------------------------------------------------------------------
\80\ See SIFMA Letter, supra note 49, at 9.
\81\ See DTCC Letter, supra note 55, at 6.
---------------------------------------------------------------------------
Based on the foregoing, the Commission finds that the Proposed Rule
Changes are consistent with the requirements of Section 17A(b)(3)(F) of
the Exchange Act.
B. Consistency With Rules 17ad-22(e)(2)(i) and (v) of the Exchange Act
Rules 17ad-22(e)(2)(i) and (v) require that a covered clearing
agency establish, implement, maintain and enforce written policies and
procedures reasonably designed to provide for governance arrangements
that are clear and transparent and specify clear lines of
responsibility.\82\
---------------------------------------------------------------------------
\82\ 17 CFR 240.17ad-22(e)(2)(i) and (v).
---------------------------------------------------------------------------
As described above, the Proposed Rule Changes would update the
governance procedures for declaring a Major System Event. The Proposed
Rule Changes would no longer require approval from the Board and
specific members of management to declare a Major System Event. Rather,
the declaration of a Major System Event would be made by two or more
members of the Clearing Agencies' most senior management committee.
Similarly, the approval for Reconnection of a disconnected DTCC Systems
Participant would be made by two or more members of the Clearing
Agencies' most senior management committee. By requiring two or more
members of the Clearing Agencies' most senior management committee to
declare a Major System Event and approve reconnection, the Proposed
Rule Changes provide for governance arrangements that are clear and
transparent and specify clear lines of responsibility for making such
determinations, consistent with Rule 17ad-22(e)(2)(i) and (v).
C. Consistency With Rule 17ad-22(e)(17)(i) of the Exchange Act
Rule 17ad-22(e)(17)(i) requires that a covered clearing agency
establish, implement, maintain and enforce written policies and
procedures reasonably designed to manage the covered clearing agency's
operational risks by identifying the plausible sources of operational
risk, both internal and external, and mitigating their impact through
the use of appropriate systems, policies, procedures, and controls.\83\
In adopting Rule 17ad-22(e)(17)(i), the Commission provided guidance,
stating that a covered clearing agency generally should consider, among
other things, whether it identifies, monitors, and manages the risks
that key participants pose to its operations.\84\ To the extent they
interact with the Clearing Agencies' systems, systems of a DTCC Systems
Participant or its Third-Party Provider may present operational risk to
the Clearing Agencies. As described above, the Clearing Agencies
propose expanding the definition of DTCC Systems Participant to
specifically name the applicable Respective Participant types and
clarifying and enhancing the requirements for each DTCC Systems
Participant to notify the Clearing Agencies of a Participant System
Disruption, which could pose a risk to the Clearing Agencies'
operations and, therefore, result in the inability of the Clearing
Agencies to conduct essential clearance and settlement functions. The
Clearing Agencies also propose numerous protective measures, such as
(1) the right to consider a non-exhaustive list of factors included in
the definition of ``Major System Event'' to determine whether to modify
a DTCC Systems Participant's access to the Clearing Agencies' systems
in response to a Participant Systems Disruption, up to and including
disconnection and (2) requirements for disconnected DTCC Systems
Participants to provide a detailed, auditable report from a Third-Party
Cybersecurity Firm or a summary of such report, a reconnection
attestation, and an executed indemnity to the Clearing Agencies. These
proposals support the Clearing Agencies' ability to effectively
identify, monitor, and manage the risks that DTCC Systems Participants
pose to the Clearing Agencies' operations, and are therefore consistent
with Rule 17ad-22(e)(17)(i).
---------------------------------------------------------------------------
\83\ 17 CFR 240.17ad-22(e)(17)(i).
\84\ See Standards for Covered Clearing Agencies, Securities
Exchange Act Release No. 78961 (Sept. 28, 2016), 81 FR 70786, 70838
(Oct. 13, 2016).
---------------------------------------------------------------------------
IV. Conclusion
On the basis of the foregoing, the Commission finds that the
Proposed Rule Changes, as modified by Amendment No. 1, are consistent
with the requirements of the Exchange Act, and in particular, the
requirements of Section 17A of the Exchange Act \85\ and the rules and
regulations thereunder.
---------------------------------------------------------------------------
\85\ In approving the Proposed Rule Changes, the Commission has
considered the proposed rules' impact on efficiency, competition,
and capital formation. See 15 U.S.C. 78c(f).
---------------------------------------------------------------------------
It is therefore ordered, pursuant to Section 19(b)(2) of the
Exchange Act,\86\ that the Proposed Rule Changes (SR-DTC-2025-003; SR-
FICC-2025-006; and SR-NSCC-2025-003), as modified by Amendment No. 1,
be, and hereby are, approved.
---------------------------------------------------------------------------
\86\ 15 U.S.C. 78s(b)(2).
For the Commission, by the Division of Trading and Markets,
pursuant to delegated authority.\87\
---------------------------------------------------------------------------
\87\ 17 CFR 200.30-3(a)(12).
---------------------------------------------------------------------------
Sherry R. Haywood,
Assistant Secretary.
[FR Doc. 2025-20384 Filed 11-19-25; 8:45 am]
BILLING CODE 8011-01-P
</pre></body>
</html>Indexed from Federal Register on November 20, 2025.
This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.