17 CFR § 49.24 - System safeguards.

§ 49.24 System safeguards.

(a) Each swap data repository shall, with respect to all SDR data in its custody:

(1) Establish and maintain a program of risk analysis and oversight to identify and minimize sources of operational risk through the development of appropriate controls and procedures and the development of automated systems that are reliable, secure, and have adequate scalable capacity;

(2) Establish and maintain emergency procedures, backup facilities, and a business continuity-disaster recovery plan that allow for the timely recovery and resumption of operations and the fulfillment of the duties and obligations of the swap data repository; and

(3) Periodically conduct tests to verify that backup resources are sufficient to ensure continued fulfillment of all duties of the swap data repository established by the Act or the Commission's regulations.

(b) A swap data repository's program of risk analysis and oversight with respect to its operations and automated systems shall address each of the following categories of risk analysis and oversight:

(1) Enterprise risk management and governance. This category includes, but is not limited to: Assessment, mitigation, and monitoring of security and technology risk; security and technology capital planning and investment; board of directors and management oversight of technology and security; information technology audit and controls assessments; remediation of deficiencies; and any other elements of enterprise risk management and governance included in generally accepted best practices.

(2) Information security. This category includes, but is not limited to, controls relating to: Access to systems and data (including least privilege, separation of duties, account monitoring and control); user and device identification and authentication; security awareness training; audit log maintenance, monitoring, and analysis; media protection; personnel security and screening; automated system and communications protection (including network port control, boundary defenses, encryption); system and information integrity (including malware defenses, software integrity monitoring); vulnerability management; penetration testing; security incident response and management; and any other elements of information security included in generally accepted best practices.

(3) Business continuity-disaster recovery planning and resources. This category includes, but is not limited to: Regular, periodic testing and review of business continuity-disaster recovery capabilities, the controls and capabilities described in paragraph (a), (d), (e), (f), and (k) of this section; and any other elements of business continuity-disaster recovery planning and resources included in generally accepted best practices.

(4) Capacity and performance planning. This category includes, but is not limited to: Controls for monitoring the swap data repository's systems to ensure adequate scalable capacity (including testing, monitoring, and analysis of current and projected future capacity and performance, and of possible capacity degradation due to planned automated system changes); and any other elements of capacity and performance planning included in generally accepted best practices.

(5) Systems operations. This category includes, but is not limited to: System maintenance; configuration management (including baseline configuration, configuration change and patch management, least functionality, inventory of authorized and unauthorized devices and software); event and problem response and management; and any other elements of system operations included in generally accepted best practices.

(6) Systems development and quality assurance. This category includes, but is not limited to: Requirements development; pre-production and regression testing; change management procedures and approvals; outsourcing and vendor management; training in secure coding practices; and any other elements of systems development and quality assurance included in generally accepted best practices.

(7) Physical security and environmental controls. This category includes, but is not limited to: Physical access and monitoring; power, telecommunication, and environmental controls; fire protection; and any other elements of physical security and environmental controls included in generally accepted best practices.

(c) In addressing the categories of risk analysis and oversight required under paragraph (b) of this section, a swap data repository shall follow generally accepted standards and best practices with respect to the development, operation, reliability, security, and capacity of automated systems.

(d) A swap data repository shall maintain a business continuity-disaster recovery plan and business continuity-disaster recovery resources, emergency procedures, and backup facilities sufficient to enable timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its duties and obligations as a swap data repository following any disruption of its operations. Such duties and obligations include, without limitation, the duties set forth in §§ 49.10 through 49.18, 49.23, and the core principles set forth in §§ 49.19 through 49.21 and §§ 49.25 through 49.27, and maintenance of a comprehensive audit trail. The swap data repository's business continuity-disaster recovery plan and resources generally should enable resumption of the swap data repository's operations and resumption of ongoing fulfillment of the swap data repository's duties and obligation during the next business day following the disruption. A swap data repository shall update its business continuity-disaster recovery plan and emergency procedures at a frequency determined by an appropriate risk analysis, but at a minimum no less frequently than annually.

(e) Swap data repositories determined by the Commission to be critical swap data repositories are subject to more stringent requirements as set forth below.

(1) Each swap data repository that the Commission determines is critical must maintain a disaster recovery plan and business continuity and disaster recovery resources, including infrastructure and personnel, sufficient to enable it to achieve a same-day recovery time objective in the event that its normal capabilities become temporarily inoperable for any reason up to and including a wide-scale disruption.

(2) A same-day recovery time objective is a recovery time objective within the same business day on which normal capabilities become temporarily inoperable for any reason up to and including a wide-scale disruption.

(3) To ensure its ability to achieve a same-day recovery time objective in the event of a wide-scale disruption, each swap data repository that the Commission determines is critical must maintain a degree of geographic dispersal of both infrastructure and personnel such that:

(i) Infrastructure sufficient to enable the swap data repository to meet a same-day recovery time objective after interruption is located outside the relevant area of the infrastructure the entity normally relies upon to conduct activities necessary to the reporting, recordkeeping and/or dissemination of SDR data, and does not rely on the same critical transportation, telecommunications, power, water, or other critical infrastructure components the entity normally relies upon for such activities; and

(ii) Personnel sufficient to enable the swap data repository to meet a same-day recovery time objective, after interruption of normal SDR data reporting, recordkeeping and/or dissemination by a wide-scale disruption affecting the relevant area in which the personnel the entity normally relies upon to engage in such activities are located, live and work outside that relevant area.

(4) Each swap data repository that the Commission determines is critical must conduct regular, periodic tests of its business continuity and disaster recovery plans and resources and its capacity to achieve a same-day recovery time objective in the event of a wide-scale disruption. The swap data repository shall keep records of the results of such tests, and make the results available to the Commission upon request.

(f) A swap data repository that is not determined by the Commission to be a critical swap data repository satisfies the requirement to be able to resume operations and resume ongoing fulfillment of the swap data repository's duties and obligations during the next business day following a disruption by maintaining either:

(1) Infrastructure and personnel resources of its own that are sufficient to ensure timely recovery and resumption of its operations, duties and obligations as a swap data repository following any disruption of its operations; or

(2) Contractual arrangements with other swap data repositories or disaster recovery service providers, as appropriate, that are sufficient to ensure continued fulfillment of all of the swap data repository's duties and obligations following any disruption of its operations, both with respect to all swaps reported to the swap data repository and with respect to all SDR data contained in the swap data repository.

(g) A swap data repository shall notify Commission staff promptly of all:

(1) Systems malfunctions;

(2) Cyber security incidents or targeted threats that actually or potentially jeopardize automated system operation, reliability, security, or capacity; and

(3) Any activation of the swap data repository's business continuity-disaster recovery plan.

(h) A swap data repository shall give Commission staff timely advance notice of all:

(1) Planned changes to automated systems that may impact the reliability, security, or adequate scalable capacity of such systems; and

(2) Planned changes to the swap data repository's program of risk analysis and oversight.

(i) As part of a swap data repository's obligation to produce books and records in accordance with § 1.31 of this chapter, and § 49.12, a swap data repository shall provide to the Commission the following system safeguards-related books and records, promptly upon the request of any Commission representative:

(1) Current copies of its business continuity-disaster recovery plans and other emergency procedures;

(2) All assessments of its operational risks or system safeguards-related controls;

(3) All reports concerning system safeguards testing and assessment required by this chapter, whether performed by independent contractors or by employees of the swap data repository; and

(4) All other books and records requested by Commission staff in connection with Commission oversight of system safeguards pursuant to the Act or Commission regulations, or in connection with Commission maintenance of a current profile of the swap data repository's automated systems.

(5) Nothing in paragraph (i) of this section shall be interpreted as reducing or limiting in any way a swap data repository's obligation to comply with § 1.31 of this chapter, or with § 49.12.

(j) A swap data repository shall conduct regular, periodic, objective testing and review of its automated systems to ensure that they are reliable, secure, and have adequate scalable capacity. It shall also conduct regular, periodic testing and review of its business continuity-disaster recovery capabilities. Such testing and review shall include, without limitation, all of the types of testing set forth in this paragraph.

(1) Definitions. As used in this paragraph (j):

Controls means the safeguards or countermeasures employed by the swap data repository in order to protect the reliability, security, or capacity of its automated systems or the confidentiality, integrity, and availability of its SDR data and SDR information, and in order to enable the swap data repository to fulfill its statutory and regulatory duties and responsibilities.

Controls testing means assessment of the swap data repository's controls to determine whether such controls are implemented correctly, are operating as intended, and are enabling the swap data repository to meet the requirements established by this section.

Enterprise technology risk assessment means a written assessment that includes, but is not limited to, an analysis of threats and vulnerabilities in the context of mitigating controls. An enterprise technology risk assessment identifies, estimates, and prioritizes risks to swap data repository operations or assets, or to market participants, individuals, or other entities, resulting from impairment of the confidentiality, integrity, and availability of SDR data and SDR information or the reliability, security, or capacity of automated systems.

External penetration testing means attempts to penetrate the swap data repository's automated systems from outside the systems' boundaries to identify and exploit vulnerabilities. Methods of conducting external penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.

Internal penetration testing means attempts to penetrate the swap data repository's automated systems from inside the systems' boundaries, to identify and exploit vulnerabilities. Methods of conducting internal penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.

Key controls means those controls that an appropriate risk analysis determines are either critically important for effective system safeguards or intended to address risks that evolve or change more frequently and therefore require more frequent review to ensure their continuing effectiveness in addressing such risks.

Security incident means a cyber security or physical security event that actually jeopardizes or has a significant likelihood of jeopardizing automated system operation, reliability, security, or capacity, or the availability, confidentiality, or integrity of SDR data.

Security incident response plan means a written plan documenting the swap data repository's policies, controls, procedures, and resources for identifying, responding to, mitigating, and recovering from security incidents, and the roles and responsibilities of its management, staff and independent contractors in responding to security incidents. A security incident response plan may be a separate document or a business continuity-disaster recovery plan section or appendix dedicated to security incident response.

Security incident response plan testing means testing of a swap data repository's security incident response plan to determine the plan's effectiveness, identify its potential weaknesses or deficiencies, enable regular plan updating and improvement, and maintain organizational preparedness and resiliency with respect to security incidents. Methods of conducting security incident response plan testing may include, but are not limited to, checklist completion, walk-through or table-top exercises, simulations, and comprehensive exercises.

Vulnerability testing means testing of a swap data repository's automated systems to determine what information may be discoverable through a reconnaissance analysis of those systems and what vulnerabilities may be present on those systems.

(2) Vulnerability testing. A swap data repository shall conduct vulnerability testing of a scope sufficient to satisfy the requirements set forth in paragraph (l) of this section.

(i) A swap data repository shall conduct such vulnerability testing at a frequency determined by an appropriate risk analysis, but no less frequently than quarterly.

(ii) Such vulnerability testing shall include automated vulnerability scanning, which shall follow generally accepted best practices.

(iii) A swap data repository shall conduct vulnerability testing by engaging independent contractors or by using employees of the swap data repository who are not responsible for development or operation of the systems or capabilities being tested.

(3) External penetration testing. A swap data repository shall conduct external penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (l) of this section.

(i) A swap data repository shall conduct such external penetration testing at a frequency determined by an appropriate risk analysis, but no less frequently than annually.

(ii) A swap data repository shall engage independent contractors to conduct the required annual external penetration test. The swap data repository may conduct other external penetration testing by using employees of the swap data repository who are not responsible for development or operation of the systems or capabilities being tested.

(4) Internal penetration testing. A swap data repository shall conduct internal penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (l) of this section.

(i) A swap data repository shall conduct such internal penetration testing at a frequency determined by an appropriate risk analysis, but no less frequently than annually.

(ii) A swap data repository shall conduct internal penetration testing by engaging independent contractors, or by using employees of the swap data repository who are not responsible for development or operation of the systems or capabilities being tested.

(5) Controls testing. A swap data repository shall conduct controls testing of a scope sufficient to satisfy the requirements set forth in paragraph (l) of this section.

(i) A swap data repository shall conduct controls testing, which includes testing of each control included in its program of risk analysis and oversight, at a frequency determined by an appropriate risk analysis. Such testing may be conducted on a rolling basis. A swap data repository shall conduct testing of its key controls no less frequently than every three years. The swap data repository may conduct testing of its key controls on a rolling basis over the course of three years or the period determined by such risk analysis, whichever is shorter.

(ii) A swap data repository shall engage independent contractors to test and assess the key controls included in its program of risk analysis and oversight no less frequently than every three years. The swap data repository may conduct any other controls testing required by this section by using independent contractors or employees of the swap data repository who are not responsible for development or operation of the systems or capabilities being tested.

(6) Security incident response plan testing. A swap data repository shall conduct security incident response plan testing sufficient to satisfy the requirements set forth in paragraph (l) of this section.

(i) A swap data repository shall conduct such security incident response plan testing at a frequency determined by an appropriate risk analysis, but no less frequently than annually.

(ii) A swap data repository's security incident response plan shall include, without limitation, the swap data repository's definition and classification of security incidents, its policies and procedures for reporting security incidents and for internal and external communication and information sharing regarding security incidents, and the hand-off and escalation points in its security incident response process.

(iii) A swap data repository may coordinate its security incident response plan testing with other testing required by this section or with testing of its other business continuity-disaster recovery and crisis management plans.

(iv) A swap data repository may conduct security incident response plan testing by engaging independent contractors or by using employees of the swap data repository.

(7) Enterprise technology risk assessment. A swap data repository shall conduct enterprise technology risk assessment of a scope sufficient to satisfy the requirements set forth in paragraph (l) of this section.

(i) A swap data repository shall conduct an enterprise technology risk assessment at a frequency determined by an appropriate risk analysis, but no less frequently than annually. A swap data repository that has conducted an enterprise technology risk assessment that complies with this section may conduct subsequent assessments by updating the previous assessment.

(ii) A swap data repository may conduct enterprise technology risk assessments by using independent contractors or employees of the swap data repository who are not responsible for development or operation of the systems or capabilities being assessed.

(k) To the extent practicable, a swap data repository shall:

(1) Coordinate its business continuity-disaster recovery plan with those of swap execution facilities, designated contract markets, derivatives clearing organizations, swap dealers, and major swap participants who report SDR data to the swap data repository, and with those regulators identified in Section 21(c)(7) of the Act, in a manner adequate to enable effective resumption of the swap data repository's fulfillment of its duties and obligations following a disruption causing activation of the swap data repository's business continuity and disaster recovery plan;

(2) Participate in periodic, synchronized testing of its business continuity - disaster recovery plan and the business continuity - disaster recovery plans of swap execution facilities, designated contract markets, derivatives clearing organizations, swap dealers, and major swap participants who report SDR data to the swap data repository, and the business continuity - disaster recovery plans required by the regulators identified in Section 21(c)(7) of the Act; and

(3) Ensure that its business continuity - disaster recovery plan takes into account the business continuity - disaster recovery plans of its telecommunications, power, water, and other essential service providers.

(l) Scope of testing and assessment. The scope for all system safeguards testing and assessment required by this part shall be broad enough to include the testing of automated systems and controls that the swap data repository's required program of risk analysis and oversight and its current cybersecurity threat analysis indicate is necessary to identify risks and vulnerabilities that could enable an intruder or unauthorized user or insider to:

(1) Interfere with the swap data repository's operations or with fulfillment of its statutory and regulatory responsibilities;

(2) Impair or degrade the reliability, security, or adequate scalable capacity of the swap data repository's automated systems;

(3) Add to, delete, modify, exfiltrate, or compromise the integrity of any SDR data related to the swap data repository's regulated activities; or

(4) Undertake any other unauthorized action affecting the swap data repository's regulated activities or the hardware or software used in connection with those activities.

(m) Internal reporting and review. Both the senior management and the board of directors of a swap data repository shall receive and review reports setting forth the results of the testing and assessment required by this section. A swap data repository shall establish and follow appropriate procedures for the remediation of issues identified through such review, as provided in paragraph (n) of this section, and for evaluation of the effectiveness of testing and assessment protocols.

(n) Remediation. A swap data repository shall identify and document the vulnerabilities and deficiencies in its systems revealed by the testing and assessment required by this section. The swap data repository shall conduct and document an appropriate analysis of the risks presented by such vulnerabilities and deficiencies, to determine and document whether to remediate or accept the associated risk. When the swap data repository determines to remediate a vulnerability or deficiency, it must remediate in a timely manner given the nature and magnitude of the associated risk.

[76 FR 54575, Sept. 1, 2011, as amended at 81 FR 64315, Sept. 19, 2016; 85 FR 75661, Nov. 25, 2020]

The following state regulations pages link to this page.