90 FR 58 pgs. 13926-13933 - Self-Regulatory Organizations; National Securities Clearing Corporation; Notice of Filing of Proposed Rule Change Relating to a Participant System Disruption
Type: NOTICEVolume: 90Number: 58Pages: 13926 - 13933
Pages: 13926, 13927, 13928, 13929, 13930, 13931, 13932, 13933Docket number: [Release No. 34-102711; File No. SR-NSCC-2025-003]
FR document: [FR Doc. 2025-05206 Filed 3-26-25; 8:45 am]
Agency: Securities and Exchange Commission
Official PDF Version: PDF Version
[top]
SECURITIES AND EXCHANGE COMMISSION
[Release No. 34-102711; File No. SR-NSCC-2025-003]
Self-Regulatory Organizations; National Securities Clearing Corporation; Notice of Filing of Proposed Rule Change Relating to a Participant System Disruption
March 21, 2025.
Pursuant to Section 19(b)(1) of the Securities Exchange Act of 1934 ("Act")? 1 and Rule 19b-4 thereunder, 2 notice is hereby given that on March 14, 2025, National Securities Clearing Corporation ("NSCC") filed with the Securities and Exchange Commission ("Commission") the proposed rule change as described in Items I, II and III below, which Items have been prepared by the clearing agency. The Commission is publishing this notice to solicit comments on the proposed rule change from interested persons.
Footnotes:
1 ?15 U.S.C. 78s(b)(1).
2 ?17 CFR 240.19b-4.
I. Clearing Agency's Statement of the Terms of Substance of the Proposed Rule Change
The proposed rule change consists of amendments to Rule 60A (Systems Disconnect: Threat of Significant Impact to the Corporation's Systems) of the NSCC Rules & Procedures. NSCC's two affiliate clearing agencies, Fixed Income Clearing Corporation ("FICC") and The Depository Trust Company ("DTC," and together with NSCC and FICC, the "Clearing Agencies," or "Clearing Agency" when referring to one of any of the three Clearing Agencies)? 3 will each file with the Commission substantively similar proposals to amend their corresponding rules: Rule 50A of the FICC Government Securities Division ("FICC-GSD") Rulebook, Rule 40A of the FICC Mortgage-Backed Securities Division ("FICC-MBSD") Clearing Rules, and Rule 38(A) of the Rules, By-Laws and Organization Certificate of DTC (collectively with NSCC Rule 60A, the "Disruption Rules"). 4 Accordingly, each respective filing is written from the perspective of the Clearing Agencies, collectively, instead of NSCC, FICC, and DTC individually, but application of the proposed rule changes would only apply to the DTCC Systems Participant (as defined below) of the corresponding Clearing Agency or Clearing Agencies. 5
Footnotes:
3 ?The Clearing Agencies are each a subsidiary of The Depository Trust & Clearing Corporation ("DTCC"). DTCC operates on a shared service model with respect to the Clearing Agencies. Most corporate functions are established and managed on an enterprise-wide basis pursuant to intercompany agreements under which it is generally DTCC that provides relevant services to the Clearing Agencies.
4 ?Each Disruption Rule is publicly available in the respective rules of the applicable Clearing Agency at https://www.dtcc.com/legal/rules-and-procedures .
5 ?Capitalized terms not otherwise defined herein have the meaning as set forth in the respective rules of the Clearing Agencies, available at https://www.dtcc.com/legal/rules-and-procedures .
[top] The current Disruption Rules contain provisions identifying the events or circumstances that would be considered a Major Event? 6 or Systems Disruption. 7 During the pendency of a Major Event, the Disruption Rules authorize the Clearing Agencies to take certain actions, within a prescribed governance framework, to mitigate the effect of the Major Event on the Clearing Agencies, their respective members or participants as defined in the respective rules of the applicable Clearing Agency (hereinafter, "Respective Participants"), 8 their
Footnotes:
6 ?"Major Event" is currently defined in the Disruption Rules as, "the happening of one or more System Disruption(s) that is reasonably likely to have a significant impact on the Corporation's operations, including the DTCC Systems, that affect the business, operations, safeguarding of securities or funds, or physical functions of the Corporation, [Respective Participants] and/or other market participants." Disruption Rules, supra note 4, Section 1.
7 ?"Systems Disruption" is currently defined in the Disruption Rules as, "the unavailability, failure, malfunction, overload, or restriction (whether partial or total) of a DTCC Systems Participant's systems that disrupts or degrades the normal operation of such DTCC Systems Participant's systems; or anything that impacts or alters the normal communication, or the files that are received, or information transmitted, to or from the DTCC Systems." Disruption Rules, supra note 4, Section 1.
8 ?Under the current Disruption Rules, Respective Participants for NSCC are Members and Limited Members; for DTC, Participants; for FICC-GSD and FICC-MBSD, Members. Under the proposed changes to the Disruption Rules, as referenced herein, Respective Participants for NSCC will be Members, Limited Members, and Sponsored Members; for DTC, Participants, Limited Participants, and Pledgees; for FICC-GSD, Netting Members, CCIT Members, Comparison Only Members, and Funds-Only Settling Bank Members; and for FICC-MBSD, Members, Clearing Members, and Cash Settling Bank Members.
The proposed rule changes would (i) update and add definitions used throughout the Disruption Rules; (ii) update the provisions and governance for declaring a Major Event (which would be redefined as a Major System Event? 9 ); (iii) clarify and enhance the requirements of the DTCC Systems Participant? 10 to notify the Clearing Agencies of a Systems Disruption (which would be redefined as a Participant System Disruption? 11 ); (iv) add provisions incorporating the reporting, testing, and approval requirements, process, legal obligations, and governance necessary for "reconnection" (as defined by this proposed rule change)? 12 of a DTCC Systems Participant that was "disconnected" from DTCC Systems? 13 pursuant to a Disruption Rule; and (v) make technical, ministerial, and other conforming and clarifying changes, including updating the name of the Disruption Rules.
Footnotes:
9 ?Pursuant to this proposed rule change, Major Event would be deleted and replaced with "Major System Event," to be defined as, "a Participant System Disruption that has or is reasonably anticipated to, for example, disrupt, degrade, cause a delay in, interrupt or otherwise alter the normal operation of DTCC Systems; result in unauthorized access to DTCC Systems; result in the loss of control of, disclosure of, or loss of DTCC Confidential Information; or cause a strain on, loss of, or overall threat to the Corporation's resources, functions, security or operations."
10 ?"DTCC Systems Participant" is currently defined in the Disruption Rules as, "a [Respective Participant], or third party service provider, or service bureau that is connecting with the DTCC Systems." Disruption Rules, supra note 4, Section 1. Pursuant to this proposed rule change, DTCC Systems Participant would be redefined in the Disruption Rules as, "(A) any [Respective Participant], or an Affiliate of any [Respective Participant], that directly or indirectly connects with DTCC Systems; or (B) any third-party service provider, service bureau, or other similar entity that directly or indirectly connects with DTCC Systems on behalf of or for the benefit of any [Respective Participant], or an Affiliate of any [Respective Participant]."
11 ?Pursuant to this proposed rule change, Systems Disruption would be deleted and replaced with "Participant System Disruption," to be defined as, "the actual or reasonably anticipated unauthorized access to, or unavailability, failure, malfunction, overload, corruption, or restriction (whether partial or total) of one or more systems of a DTCC Systems Participant."
12 ?Pursuant to this proposed rule change, "Reconnection" would be defined as the reestablishment of connectivity between DTCC Systems and the DTCC Systems Participant that was the subject of action taken pursuant to a Disruption Rule.
13 ?"DTCC Systems" is currently defined in the Disruption Rules as, "the systems, equipment and technology networks of DTCC, the Corporation and/or their Affiliates, whether owned, leased, or licensed, software, devices, IP addresses, or other addresses or accounts used in connection with providing the services set forth in the Rules, or used to transact business or to manage the connection with the Corporation." Disruption Rules, supra note 4, Section 1. Pursuant to this proposed rule change, the definition would be updated to mean "the systems, equipment and technology networks of DTCC, the Corporation and/or any Affiliates of DTCC or the Corporation, whether owned, leased, or licensed, and including software, hardware, applications, devices, IP addresses, or other addresses or accounts used in connection with such systems, equipment and technology networks, to provide the services set forth in these [Rules & Procedures/Rules and the Procedures/Rules], or otherwise used to transact business or connect with DTCC, the Corporation, or any Affiliates of DTCC or the Corporation."
II. Clearing Agency's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change
In its filing with the Commission, the clearing agency included statements concerning the purpose of and basis for the proposed rule change and discussed any comments it received on the proposed rule change. The text of these statements may be examined at the places specified in Item IV below. The clearing agency has prepared summaries, set forth in sections A, B, and C below, of the most significant aspects of such statements.
(A) Clearing Agency's Statement of the Purpose of, and Statutory Basis for, the Proposed Rule Change
1. Purpose
The purpose of the proposed rule change is to amend the Disruption Rules. Accordingly, each respective filing is written from the perspective of the Clearing Agencies, collectively, instead of DTC, FICC, or NSCC individually, but application of the proposed rule changes would only apply to the DTCC Systems Participant of the corresponding Clearing Agency or Clearing Agencies.
The current Disruption Rules contain provisions identifying the events or circumstances that would be considered a Major Event or Systems Disruption. During the pendency of a Major Event, the Disruption Rules authorize the Clearing Agencies to take certain actions, within a prescribed governance framework, to mitigate the effect of the Major Event on the Clearing Agencies, their Respective Participants, their Affiliates, and the industry more broadly.
The proposed rule changes would (i) update and add definitions used throughout the Disruption Rules; (ii) update the provisions and governance for declaring a Major Event (which would be redefined as a Major System Event); (iii) clarify and enhance the requirements of the DTCC Systems Participant to notify the Clearing Agencies of a Systems Disruption (which would be redefined as a Participant System Disruption); (iv) add provisions incorporating the reporting, testing, and approval requirements, process, legal obligations, and governance necessary for "reconnection" (as defined by this proposed rule change) of a DTCC Systems Participant that was "disconnected" from DTCC Systems pursuant to a Disruption Rule; and (v) make technical, ministerial, and other conforming and clarifying changes, including updating the name of the Disruption Rules, each of which is described in greater detail below.
Background-Current Disruption Rules
The current Disruption Rules were implemented by the Clearing Agencies on October 8, 2021. 14 Pursuant to the Disruption Rules, the Clearing Agencies are entitled to take action to help mitigate risk when there is a reasonable basis for the Clearing Agencies to conclude that there is a Major Event, as determined by one of the persons listed in the rules and then ratified, modified, or rescinded within five Business Days by the Clearing Agencies' management committee on which such listed persons serve, and the Clearing Agencies' Board of Directors ("Board"). 15
Footnotes:
14 ?Securities Exchange Act Release Nos. 93278 (Oct. 8, 2021), 86 FR 57229 (Oct. 14, 2021) (SR-NSCC-2021-007); 93280 (Oct. 8, 2021), 86 FR 57208 (Oct. 14, 2021) (SR-FICC-2021-004); 93279 (Oct. 8, 2021), 86 FR 57221 (Oct. 14, 2021) (SR-DTC-2021-011).
15 ?Disruption Rules, supra note 4, Section 2.
During a Major Event, the Disruption Rules authorize the Clearing Agencies to (i) disconnect the subject DTCC Systems Participant from DTCC Systems; (ii) suspend the receipt and/or transmission of files or communications to/from the DTCC Systems Participant and DTCC Systems; or (iii) take, or refrain from taking, or require a DTCC Systems Participant to take, or refrain from taking, any actions the Clearing Agencies consider appropriate to prevent, address, correct, alleviate, or mitigate the event and facilitate the continuation of the Clearing Agencies' services as may be practicable. 16
Footnotes:
16 ? Id. at Section 3.
[top] The Disruption Rules also require the DTCC Systems Participant to immediately notify the Clearing Agencies when they become aware of a Major Event, to cooperate with the Clearing Agencies in addressing the Major Event, and that the Clearing Agencies notify a DTCC Systems Participant of any action that the Clearing Agencies take, or intend to
Footnotes:
17 ? Id. at Section 4.
Finally, the Disruption Rules provide certain indemnities, clarify powers available to the Clearing Agencies under the Disruption Rules, highlight confidentiality requirements, and include a conflicts provision. 18
Footnotes:
18 ? Id. at Section 5.
Based on the Clearing Agencies' experience applying the Disruption Rules, they are proposing a number of changes, as noted above and described in detail below, to make the rules more efficient, effective, and clear in their governance, authorities, application, and requirements, so that the Clearing Agencies are better situated to address the events that require action under the rules to protect the Clearing Agencies, and their Respective Participants, Affiliates, and the industry more broadly. The proposed changes also would enable a DTCC Systems Participant to better understand and prepare for their obligations to the Clearing Agencies in the event that they experience a Participant System Disruption.
Proposed Rule Changes
First, the Clearing Agencies propose to rename Section 1 of the Disruption Rules from "Major Event" to "Definitions," which more accurately states its purpose, and then update and add definitions to the section. In addition to various technical, ministerial, and other conforming and clarifying changes to existing definitions, the Clearing Agencies propose the following changes:
• Update the existing definition of "DTCC Systems" to include systems, equipment and technology networks of all DTCC Affiliates and expand the types of systems connectivity to include hardware and applications such that, in the event of a Participant System Disruption, all of DTCC's potentially impacted connections, and any means of connectivity, are incorporated into such definition.
• Broaden the existing definition of "DTCC Systems Participant" to include a more specific list of Respective Participants and Affiliates thereof, as well as entities that are similar to third-party service providers or service bureaus, which are already covered by the rule, that directly or indirectly connect with DTCC Systems on behalf of or for the benefit of one of the Respective Participants. This proposed change is necessary to be more specific about the type of Respective Participants subject to the rule and because in the Clearing Agencies' experience, Affiliates and third parties may share systems that are directly or indirectly connected to DTCC Systems, such that if, for example, a Respective Participant is experiencing a Participant System Disruption, an Affiliate or third party may be experiencing the same. Therefore, it is important to include these additional entities to address the risk they present.
• Add the definition "Best Practices" to mean, the "policies, procedures, practices or similar standards and guidelines that are reasonably designed and consistent with then current financial-sector cybersecurity standards issued by an authoritative body that is a U.S. governmental entity or agency, an association of a U.S. governmental entity or agency, or a widely recognized industry organization." The purpose of adding this definition is to clearly state the standards that the Clearing Agencies would require a Third-Party Cybersecurity Firm (as defined below) to employ when such firm is engaged, as would be required by the Disruption Rules and discussed further below. Much of the language of this proposed definition comes directly from Section 1001(a)(4) of the Commission's Regulation Systems Compliance and Integrity ("Reg SCI"). 19
Footnotes:
19 ?17 CFR 242.1001(a)(4).
• Delete the existing definition "Major Event" and replace it with the definition "Major System Event" to mean, "a Participant System Disruption that has or is reasonably anticipated to, for example, disrupt, degrade, cause a delay in, interrupt or otherwise alter the normal operation of DTCC Systems; result in unauthorized access to DTCC Systems; result in the loss of control of, disclosure of, or loss of DTCC Confidential Information; or cause a strain on, loss of, or overall threat to the Corporation's resources, functions, security or operations." Although the new definition is similar to the prior definition, the new definition more appropriately ties the disruption at issue to the effect on the normal operation of DTCC Systems and less so on any subsequent effect to the Clearing Agencies' operations.
• Add the definition "Third-Party Cybersecurity Firm" to mean, "a firm that, in [the Clearing Agencies'] reasonable judgement, (A) (i) is well-known and reputable; (ii) is not affiliated with DTCC, [the Clearing Agencies], an Affiliate of DTCC or [the Clearing Agencies], a DTCC Systems Participant, or an Affiliate of a DTCC Systems Participant; (iii) specializes in financial-sector cybersecurity; and (iv) employs Best Practices; or (B) is otherwise determined to be a Third-Party Cybersecurity Firm by [the Clearing Agencies]." The purpose of adding this definition is to clearly state the type of firm that the Clearing Agencies would require the subject DTCC Systems Participant to engage under the Disruption Rules, as discussed further below.
• Delete the existing definition "Systems Disruption" and replace it with the definition "Participant System Disruption" to mean, "the actual or reasonably anticipated unauthorized access to, or unavailability, failure, malfunction, overload, corruption, or restriction (whether partial or total) of one or more systems of a DTCC Systems Participant." Although similar to the existing definition, the new definition focuses more appropriately on what has actually happened, or is reasonably anticipated to happen, to the DTCC Systems Participant system, and less on subsequent operation of the system. For example, it is possible that a DTCC Systems Participant system is corrupted or compromised, but that corruption or compromise has not affected the normal operation of the system at that time.
Second, the Clearing Agencies propose to move current Section 4 of the Disruption Rules up to create a new Section 2, which would be renamed "Notifications of a Participant System Disruption." This move would better align the structure of the Disruption Rules with the expected sequence of events of a Participant System Disruption.
[top] The new Section 2 would delete the notification language of current Section 4 and replace it with enhanced notification requirements applicable to any DTCC Systems Participant, not only Respective Participants of the Clearing Agencies. More specifically, the Clearing Agencies propose that the subject DTCC Systems Participant, as defined in the proposed rule and above, provide the Clearing Agencies with immediate written notice, to include certain DTCC Systems Participant and Participant System Disruption information, if known, but in any event within two hours of experiencing or having actual knowledge, and legal permission to disclose such knowledge, of an unaffiliated DTCC Systems Participant that is experiencing a Participant System Disruption or is otherwise affected or potentially affected by the Participant System Disruption. The information required to be provided in the notice, if known, includes (i) the legal entity names of the subject DTCC Systems Participant experiencing or otherwise affected or
The purpose of these proposed changes in the new Section 2 is to (i) enable a DTCC Systems Participant to better understand and prepare for their obligations to the Clearing Agencies in the event that they experience a Participant System Disruption; and (ii) facilitate the Clearing Agencies' timely receipt of key information that could enable a more efficient and effective review and response by the Clearing Agencies to a Participant System Disruption, all in an effort to help mitigate the risk presented by a Participant System Disruption.
Third, the Clearing Agencies propose to redesignate current Section 2 of the Disruption Rules as Section 3 and rename the section from "Powers of [the Clearing Agencies]" to "Declaration of a Major System Event," which would more accurately describe the purpose of the section. In addition to various technical, ministerial, and other conforming and clarifying changes to the new Section 3, the Clearing Agencies propose to no longer (i) provide a list of specific persons that may determine that the Clearing Agencies have a reasonable basis to conclude that there is a Major System Event, nor (ii) require, within five Business Days, that such determination be reviewed by a management committee on which all of such listed people serve, and the Board. Instead, the Clearing Agencies propose that such determination be made by two or more members of the Clearing Agencies' "senior most management committee,"? 20 in their reasonable judgement, and then, after such determination is made, the Board, any remaining members of that senior management committee, and the Commission be promptly notified? 21 of such determination.
Footnotes:
20 ?The current "senior most management committee" of the Clearing Agencies is the Executive Committee, which includes each of the six persons listed in the existing Disruption Rules that can determine the existence of a Major Event ( i.e., the Chief Executive Officer, the Chief Financial Officer, the Group Chief Risk Officer, the Chief Information Officer, the Head of Clearing Agency Services, and the General Counsel), plus the Chief Client Officer, Global Head of DTCC Digital Assets, Head of Enterprise Services, and the Chief Human Resources Officer.
21 ?"Prompt notification" means the notification is to be made without undue or unreasonable delay, as is consistent with the use of "prompt" in Reg SCI.
In addition, the Clearing Agencies propose to provide the Board an update on the status of the Major System Event and any action taken pursuant to the Disruption Rules on the earlier of 45 calendar days from the date of declaration of the Major System Event or the next scheduled Board meeting, or more frequently following material changes to the status of a Major System Event.
The purpose of these changes is multifaceted. One, it shifts the authority to make such a determination from only one of the Clearing Agencies' most senior officers to two of the Clearing Agencies' most senior officers. Two, the proposed changes eliminate two subsequent reviews, after the determination is already made, that are administratively burdensome and may complicate managing the event in terms of ratifying, modifying, or rescinding the disconnection of a DTCC Systems Participant that has already happened. Instead, the proposed changes would set clear communication standards and provide more timely transparency to the remaining senior most management committee members, the Board, and the Commission, which could still act in response to the notice without the need for formal meetings pursuant to the Disruption Rules.
Fourth, the Clearing Agencies propose to redesignate current Section 3 of the Disruption Rules as Section 4, "Authority to Take Action and Required Cooperation," and make other various technical, ministerial, conforming, and clarifying changes to the section. Additionally, the Clearing Agencies propose to clarify and broaden, in what would be Subsections 4(a)(i) and (ii), the systems of the subject DTCC Systems Participant that can be disconnected and the transmissions, communications, or access that can be suspended. The purpose of these changes is to help ensure that the Clearing Agencies can adequately address all potential connectivity and communication types for each DTCC Systems Participant in an effort to help mitigate the risk presented by the Participant System Disruption and associated Major System Event.
New Subsection 4(a)(iii) would continue to provide from current Subsection 3(c) of the Disruption Rules? 22 the authority for the Clearing Agencies to (A) act or not act, or require the subject DTCC Systems Participant to act or not act, as the Clearing Agencies consider appropriate to help mitigate the risk of the Major System Event, as well as (B) facilitate the continuation of services of the subject DTCC Systems Participant, as appropriate and practical, which may require issuing instructions to the DTCC Systems Participant and, as proposed, requiring such instructions to be followed. The Clearing Agencies believe adding the requirement that their instructions be followed is important not only to help facilitate the continuation of services for the subject DTCC Systems Participant but also for any downstream effects that may have or could have resulted from the disruption.
Footnotes:
22 ?Disruption Rules, supra note 4, Section 3.
For new Subsection 4(b), the Clearing Agencies propose to reinstate language from current Subsection 4(b), which, as described above, would be deleted as part of the proposed move of all of current Section 4 up to new Section 2. Specifically, the Clearing Agencies propose to reinstate similar language that states they will promptly notify the subject DTCC Systems Participant of any disconnection, suspension, or other material action the Clearing Agencies take with respect to such DTCC Systems Participant pursuant to the authority provided in new Section 4. Additionally, the Clearing Agencies propose to add new language to clarify that notwithstanding any action the Clearing Agencies take pursuant to new Section 4, the subject DTCC Systems Participant must continue to meet its obligations to the Clearing Agencies and comply with their rules, as applicable.
[top] The Clearing Agencies also propose to add a new Subsection (c) to new Section 4. Proposed Subsection 4(c) would expand upon the cooperation requirement in current Section 4(a) of the Disruption Rules to require the DTCC Systems Participant to cooperate "fully and completely" with the Clearing Agencies, to the Clearing Agencies' reasonable satisfaction, regarding the Participant System Disruption in whole, instead of limiting such cooperation to the root cause and resolution. Such cooperation would include, for example, (i) conducting timely investigations and inquiries relating to the Participant System Disruption; (ii) promptly notifying the Clearing Agencies of any material changes, updates, or new information learned regarding the Participant System Disruption; and (iii) to the extent legally permitted, promptly providing any documentation or information requested by the Clearing Agencies regarding the Participant System Disruption.
Fifth, the Clearing Agencies propose to insert a new Section 5 to the Disruption Rules titled "Reconnection Requirements." This new Section 5 would set forth the information that the subject DTCC Systems Participant would be required to provide to the Clearing Agencies, in form and substance that is reasonably satisfactory to the Clearing Agencies, 23 prior to the Clearing Agencies "reconnecting" a disconnected DTCC Systems Participant. Specifically, the Clearing Agencies propose that they receive three things: (i) a detailed, comprehensive, and auditable report, from a Third-Party Cybersecurity Firm; (ii) an attestation from a Participant Officer of the DTCC Systems Participant;? 24 and (iii) an executed indemnity from the DTCC Systems Participant to the reasonable satisfaction and judgement of the Clearing Agencies in consideration of the facts and circumstances.
Footnotes:
23 ?Whether the information provided is "reasonably satisfactory" would be a determination by the applicable Clearing Agency in consideration of the facts and circumstances, such as the severity of the disruption, thoroughness of and confidence in the information provided, any outstanding questions or concerns, etc., all within the context of reasonableness.
24 ?Pursuant to this proposed rule change, "Participant Officer" would be defined as a member of the board of directors, a senior executive officer, or other member of senior management of the subject DTCC Systems Participant.
As stated in proposed Subsection 5(a)(i), the Clearing Agencies would require the report by the Third-Party Cybersecurity Firm to include the following information:
• a timeline of the Participant System Disruption, including all material actions, events, and decisions taken for or relating to the Participant System Disruption;
• a description of the Participant System Disruption and how it was corrected and resolved;
• root cause analysis of the Participant System Disruption;
• confirmation that any severe, critical, or moderate items, or comparable categorizations, identified by the Third-Party Cybersecurity Firm have been resolved;
• confirmation of the normal or intended operation of the subject DTCC Systems Participant's systems, including, but not limited to, the return or replacement of key systems and datastores to pre-Participant System Disruption resilience, in a safe, secure, and proper manner for at least 72 hours;
• a description of any short- and long-term preventive monitoring and detection recommendations by the Third-Party Cybersecurity Firm; and
• any other information reasonably requested to be included by the Clearing Agencies.
As stated in proposed Subsection 5(a)(ii), the Clearing Agencies would require the Participant Officer to attest to the following:
• the Third-Party Cybersecurity Firm's report is, to the best of the Participant Officer's knowledge, accurate and complete;
• all short-term preventive monitoring and detection controls recommended by the Third-Party Cybersecurity Firm have been implemented;
• all medium- and long-term preventive monitoring and detection controls recommended by the Third-Party Cybersecurity Firm will be promptly implemented;
• the Participant Officer recommends Reconnection to DTCC Systems; and
• the DTCC Systems Participant will continue to oversee remediation efforts and monitor the systems of the DTCC Systems Participant, and immediately, but in any event within two hours, notify the Clearing Agencies if there is any indication of the continuation of a Participant System Disruption or an existence of a new Participant System Disruption.
Lastly, Subsection 5(b) would require the subject DTCC Systems Participant to promptly provide, upon the applicable Clearing Agency's request, any other documentation or information and/or require the subject DTCC Systems Participant to take other actions to the Clearing Agency's reasonable satisfaction, including obtaining a second Third-Party Cybersecurity Firm onsite validation of the subject DTCC Systems Participant, all of which would be decided by the Clearing Agency in consideration of the facts and circumstances.
The purpose of these proposed changes is to (i) provide each DTCC Systems Participant with notice of what information they would need to provide to the Clearing Agencies in order to be Reconnected under the Disruption Rules; (ii) ensure that the Clearing Agencies have all the necessary information regarding the Participant System Disruption and its remediation from an independent, reputable, and knowledgeable third party, so that the Clearing Agencies can make an informed decision about whether Reconnection is appropriate; (iii) confirm that an appropriate senior officer at the subject DTCC Systems Participant is sufficiently informed and responsible for the DTCC Systems Participant's systems and the information being provided to the Clearing Agencies; and (iv) ensure that the Clearing Agencies are properly indemnified for actions or inactions, as needed, all to help mitigate the risk presented by a Reconnection.
Sixth, the Clearing Agencies propose to insert a new Section 6 titled "Reconnection Testing and Approval." New Section 6 would do two things. First, Subsection 6(a) would require, prior to approval of the Reconnection, that the subject DTCC Systems Participant demonstrate, as applicable, to the Clearing Agencies' reasonable satisfaction, that it:
• can operate in a test environment, including, but not limited to, sending and receiving messages and transactions;
• can replay or resubmit previously submitted messages or transactions;
• can reverse or void previously submitted messages or transactions;
• can confirm the integrity of messages and transactions;
• has alternative communication methods with the Clearing Agency to facilitate the exchange of messages, transactions, and reports; and
• can complete any other such requirements as are reasonably requested by the Clearing Agencies.
Subsection 6(b) would authorize two or more members of the Clearing Agencies' senior most management committee, in their reasonable judgement, to approve the Reconnection of a DTCC Systems Participant that was the subject of action taken pursuant to the Disruption Rules, after the Clearing Agencies have received and reviewed to their satisfaction all information believed necessary for a safe Reconnection and certain testing has occurred, pursuant to Subsection 6(a).
Similar to the governance process for determining a Major System Event, the Clearing Agencies believe it appropriate that approval of a Reconnection be made by at least two of the Clearing Agencies' most senior officers to help ensure that information regarding the Reconnection has been escalated to the highest management level. But, it is essential that such approval not be made until the Clearing Agencies have (i) received, to their satisfaction, all necessary Participant System Disruption information and (ii) confirmed that the subject DTCC Systems Participant can safely perform the capabilities necessary for submitting, receiving, and correcting information appropriately, confidently, and in a manner unaffected by the Participant System Disruption, so as to help mitigate the risk presented by the Reconnection.
[top] Seventh, the Clearing Agencies propose to redesignate current Section 5
Finally, the Clearing Agencies propose to rename the Disruption Rules from "Systems Disconnect: Threat of Significant Impact to [the Clearing Agencies'] Systems" to "Participant System Disruption," which the Clearing Agencies believe is a more appropriate description of the rule, particularly in consideration of the proposed changes.
2. Statutory Basis
The Clearing Agencies believe that the proposal is consistent with the requirements of the Act and the rules and regulations thereunder applicable to each of the Clearing Agencies. In particular, the Clearing Agencies believe that the proposed rule change is consistent with Section 17A(b)(3)(F) of the Act, 25 and Rules 17ad-22(e)(2) and (e)(17) promulgated under the Act, 26 as described below.
Footnotes:
25 ?15 U.S.C. 78q-1(b)(3)(F).
26 ?17 CFR 240.17ad-22(e)(2) and (e)(17).
Consistency With Section 17A(b)(3)(F)
Section 17A(b)(3)(F) of the Act? 27 requires, in part, that the rules of the Clearing Agencies be designed to promote the prompt and accurate clearance and settlement of securities transactions, and to assure the safeguarding of securities and funds which are in the custody or control of the Clearing Agencies or for which they are responsible.
Footnotes:
27 ?15 U.S.C. 78q-1(b)(3)(F).
As described above, the proposed rule change would (i) update and add definitions used throughout the Disruption Rules; (ii) update the provisions and governance for declaring a Major System Event; (iii) clarify and enhance the requirements of a DTCC Systems Participant to notify the Clearing Agencies of a Participant System Disruption; (iv) add provisions incorporating the reporting, testing and approval requirements, process, and governance necessary to Reconnect a DTCC Systems Participant that was the subject of action pursuant to the Disruption Rules; and (v) make technical, ministerial, and other conforming and clarifying changes, including updating the name of the Disruption Rules.
The Clearing Agencies believe that these proposed changes would enhance, clarify, streamline, and improve the Clearing Agencies' ability to identify a Participant System Disruption, take action because of such disruption, and then appropriately and safely Reconnect a subject DTCC Systems Participant under the Disruption Rules. The Clearing Agencies also believe that the level of detail and clarity provided by the proposed changes provides greater transparency and notice to all parties that would be subject to the Disruption Rules. Ultimately, these proposed changes help mitigate risk and better protect the Clearing Agencies, their Respective Participants, each DTCC Systems Participant, and the industry more broadly from a Participant System Disruption and associated Major System Event, by providing advance transparency to the DTCC Systems Participant of their obligations in the event of a Participant System Disruption and more detailed and timely notification of such disruption to the Clearing Agencies, which would afford the Clearing Agencies more time and information to help manage risks presented. By helping to mitigate risk and better protect those parties, the Clearing Agencies would be better situated to successfully manage a Participant System Disruption, which, in turn, helps promote the prompt and accurate clearance and settlement of securities transactions and enables the Clearing Agencies to better safeguard securities and funds that are in their custody or control, consistent with Section 17A(b)(3)(F) of the Act. 28
Footnotes:
28 ? Id.
Consistency With Rule 17ad-22(e)(2)(i) and (v)
Rule 17ad-22(e)(2) promulgated under the Act? 29 requires, in part, that the Clearing Agencies establish, implement, maintain and enforce written policies and procedures reasonably designed to provide for governance arrangements that, among other things, (i) are clear and transparent ( i.e., Subsection (e)(2)(i) of Rule 17ad-22) and (ii) specify clear and direct lines of responsibility ( i.e., Subsection (e)(2)(v) of Rule 17ad-22).
Footnotes:
29 ?17 CFR 240.17ad-22(e)(2).
As described above, the Clearing Agencies propose to no longer (a) provide a list of specific persons that may determine the Clearing Agencies have a reasonable basis to conclude that there is a Major System Event, nor (b) require, within five Business Days, that such determination be reviewed by a management committee on which all such listed people serve, and the Board. Instead, the Clearing Agencies propose that such determination be made by two or more members of the Clearing Agencies' senior most management committee and then, after such determination is made, that the Board, any remaining members of that senior management committee, and the Commission be promptly notified of such determination.
The Clearing Agencies believe that these proposed changes to identify the subset of senior officers that would have the authority to declare a Major System Event, while also providing for prompt notice to the remaining members of the senior most management committee, the Board, and the Commission would make such governance procedures more clear and transparent, while specifying clear and direct lines of responsibility with respect to such determination, consistent with Rule 17ad-22(e)(2)(i) and (v) promulgated under the Act. 30
Footnotes:
30 ?17 CFR 240.17ad-22(e)(2)(i) and (v).
Consistency With Rule 17ad-22(e)(17)(i)
[top] Rule 17ad-22(e)(17)(i) promulgated under the Act? 31 requires that the Clearing Agencies establish, implement, maintain, and enforce written policies and procedures reasonably designed to manage operational risks by identifying plausible sources of operational risk, both internal and external, and mitigating their impact through the use
Footnotes:
31 ?17 CFR 240.17ad-22(e)(17)(i).
As described above, the Clearing Agencies propose to (a) expand the definition of DTCC Systems Participant to specifically name the applicable Respective Participant types, and include Affiliates of such Respective Participants and entities similar to third-party service providers and service bureaus; (b) clarify and enhance the requirements of each DTCC Systems Participant to notify the Clearing Agencies of a Participant System Disruption; and (c) add provisions incorporating the reporting, testing and approval requirements, process, and governance necessary to Reconnect a DTCC Systems Participant that was the subject of action taken pursuant to the Disruption Rules.
By more explicitly naming and expanding the parties that are subject to the Disruption Rules, and also clarifying and enhancing who has to report information to the Clearing Agencies in the event of a Participant System Disruption, when the disruption has to be reported, and what disruption details have to be reported, the Clearing Agencies would be improving their ability to identify and collect information about disruptions experienced by the entities connected to DTCC Systems, which, in turn, would enable the Clearing Agencies to react more quickly and effectively to the disruption, in protection of their systems, as well as the systems of other entities connected to the Clearing Agencies. Then, by adding the proposed Reconnection and associated testing requirements and governance prior to Reconnection of the DTCC Systems Participant, the Clearing Agencies would be better assured the operational disruption had been sufficiently mitigated such that it no longer presents a risk to the Clearing Agencies or their Respective Participants.
For these reasons, the Clearing Agencies believe these proposed changes would better position the Clearing Agencies to identify and address operational risk presented by a Participant System Disruption, consistent with the requirements of Rule 17ad-22(e)(17)(i) promulgated under the Act. 32
Footnotes:
32 ? Id.
(B) Clearing Agency's Statement on Burden on Competition
The Clearing Agencies believe that three of the proposed changes could have an impact on competition: (i) expanding the definition of DTCC Systems Participant to include Affiliates of the Respective Participants, and entities similar to third-party service providers and service bureaus; (ii) establishing the Reconnection requirements in new Section 5; and (iii) establishing the testing requirements, prior to Reconnection, in new Section 6, as described above. The Clearing Agencies believe the impact of these proposed changes could impose a burden on competition but that such burden is necessary and appropriate in furtherance of the purposes of the Act, as explained below.
The Clearing Agencies believe that expanding the definition of DTCC Systems Participant could impose a burden on competition on such entities because they would now be explicitly subject to the requirements of the Disruption Rules, including being the subject of a disconnection and all subsequent Reconnection requirements. The Clearing Agencies acknowledge and appreciate that being disconnected from DTCC Systems could place a disconnected entity at a competitive disadvantage, as the disconnection could effectively halt the entity's post-trade processing or other related activity transacted through the Clearing Agencies. However, the Clearing Agencies do not believe such expansion would create a significant burden because, in the Clearing Agencies' experience, such entities are already indirectly subject to the requirements of the Disruption Rules because of the often close relationship and interconnectivity between such entities and the Respective Participants. In other words, if one or more of the Respective Participants is disconnected from DTCC Systems under the current Disruption Rules, it is very likely that the entities associated with the disconnected Respective Participant, particularly Affiliates, also will be disconnected. Therefore, although not explicitly named in the current Disruption Rules, such entities are already indirectly subject to the rule through the Respective Participant. Additionally, as would continue to be provided for in the Disruption Rules, under new Subsection 4(a)(iii), the Clearing Agencies would endeavor to facilitate the continuation of their services, in some manner, for a DTCC Systems Participant that was the subject of action under the Disruption Rules, as appropriate and practical.
The Clearing Agencies believe establishing the Reconnection requirements in newly proposed Section 5 and, similarly, establishing the testing requirements prior to Reconnection in newly proposed Section 6, each of which are described above, could each impose a burden on competition on a subject DTCC Systems Participant because the changes create steps that the subject DTCC Systems Participant would need to take in order to be Reconnected to DTCC Systems. The Clearing Agencies appreciate that these additional steps could mean the DTCC Systems Participant remains "disconnected" from DTCC Systems longer than it believes necessary or longer than it may otherwise be disconnected but for these additional steps, which could be a competitive burden for that DTCC Systems Participant. However, the Clearing Agencies do not believe the burden on competition from the proposed Reconnection and testing requirements is significant because, in the Clearing Agencies' experience, these additional steps are standard practice to ensure that Reconnections are appropriate and safe. In other words, although not explicitly required under the current Disruption Rules, a disconnected DTCC Systems Participant would likely need to complete the proposed Reconnection and testing requirements. Additionally, as noted in the preceding paragraph, under new Subsection 4(a)(iii) of the Disruption Rules, the Clearing Agencies would have endeavored to facilitate the continuation of services of a disconnected DTCC Systems Participant in some manner, as appropriate and practical, prior to Reconnection.
Regardless of the significance of the burden, the Clearing Agencies strongly believe that the burden on competition from explicitly including Affiliates of the Respective Participants, and entities similar to third parties in the Disruption Rules, and the addition of the proposed Reconnection and testing requirements is necessary and appropriate in furtherance of the purposes of the Act, as permitted by Section 17A(b)(3)(I) of the Act. 33 Specifically, the Clearing Agencies believe these changes are necessary and appropriate in furtherance of Section 17A(b)(3)(F) of the Act? 34 and Rule 17ad-22(e)(17) promulgated under the Act, 35 as each are described above.
Footnotes:
33 ?15 U.S.C. 78q-1(b)(3)(I).
34 ?15 U.S.C. 78q-1(b)(3)(F).
35 ?17 CFR 240.17ad-22(e)(17).
[top] These changes are necessary because, by covering Affiliates and additional third parties and requiring Reconnection and testing requirements, the Clearing Agencies would be helping to ensure that the breadth of the Disruption Rules is broad enough to address all likely subject parties of a Participant System Disruption, and that the Clearing Agencies receive adequate
Footnotes:
36 ?15 U.S.C. 78q-1(b)(3)(F).
37 ?17 CFR 240.17ad-22(e)(17).
The Clearing Agencies do not believe any of the other proposed changes would have an impact on competition because the remaining changes are various technical, ministerial, conforming, or clarifying changes, or are related to the Clearing Agencies' governance practices for the Disruption Rules, which would not impact a DTCC Systems Participant's competitive position.
(C) Clearing Agency's Statement on Comments on the Proposed Rule Change Received From Members, Participants, or Others
The Clearing Agencies have not received or solicited any written comments relating to this proposed rule change. If any written comments are received, the Clearing Agencies will amend their respective filings to publicly file such comments as an Exhibit 2 to this filing, as required by Form 19b-4 and the General Instructions thereto.
Persons submitting written comments are cautioned that, according to Section IV (Solicitation of Comments) of the Exhibit 1A in the General Instructions to Form 19b-4, the Commission does not edit personal identifying information from comment submissions. Commenters should submit only information that they wish to make available publicly, including their name, email address, and any other identifying information.
All prospective commenters should follow the Commission's instructions on How to Submit Comments, available at https://www.sec.gov/regulatory-actions/how-to-submit-comments . General questions regarding the rule filing process or logistical questions regarding this filing should be directed to the Main Office of the Commission's Division of Trading and Markets at tradingandmarkets@sec.gov or 202-551-5777.
The Clearing Agencies reserve the right to not respond to any comments received.
III. Date of Effectiveness of the Proposed Rule Change, and Timing for Commission Action
Within 45 days of the date of publication of this notice in the Federal Register or within such longer period up to 90 days (i) as the Commission may designate if it finds such longer period to be appropriate and publishes its reasons for so finding or (ii) as to which the self-regulatory organization consents, the Commission will:
(A) by order approve or disapprove such proposed rule change, or
(B) institute proceedings to determine whether the proposed rule change should be disapproved.
IV. Solicitation of Comments
Interested persons are invited to submit written data, views and arguments concerning the foregoing, including whether the proposed rule change is consistent with the Act. Comments may be submitted by any of the following methods:
Electronic Comments
• Use the Commission's internet comment form ( http://www.sec.gov/rules/sro.shtml ); or
• Send an email to rule-comments@sec.gov . Please include File Number SR-NSCC-2025-003 on the subject line.
Paper Comments
• Send paper comments in triplicate to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.
All submissions should refer to file number SR-NSCC-2025-003. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's internet website ( https://www.sec.gov/rules/sro.shtml ). Copies of the submission, all subsequent amendments, all written statements with respect to the proposed rule change that are filed with the Commission, and all written communications relating to the proposed rule change between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549 on official business days between the hours of 10 a.m. and 3 p.m. Copies of the filing also will be available for inspection and copying at the principal office of NSCC and on DTCC's website ( https://dtcc.com/legal/sec-rule-filings.aspx ). Do not include personal identifiable information in submissions; you should submit only information that you wish to make available publicly. We may redact in part or withhold entirely from publication submitted material that is obscene or subject to copyright protection. All submissions should refer to file number SR-NSCC-2025-003 and should be submitted on or before April 17, 2025.
For the Commission, by the Division of Trading and Markets, pursuant to delegated authority. 38
Footnotes:
38 ?17 CFR 200.30-3(a)(12).
J. Matthew DeLesDernier,
Deputy Secretary.
[FR Doc. 2025-05206 Filed 3-26-25; 8:45 am]
BILLING CODE 8011-01-P