Requirements.
Requirements.
(1) A security-based swap execution facility's program of risk analysis and oversight with respect to its operations and automated systems shall address each of the following categories of risk analysis and oversight:
(i) Enterprise risk management and governance. This category includes, but is not limited to: Assessment, mitigation, and monitoring of security and technology risk; security and technology capital planning and investment; governing board and management oversight of technology and security; information technology audit and controls assessments; remediation of deficiencies; and any other elements of enterprise risk management and governance included in generally accepted best practices.
(ii) Information security. This category includes, but is not limited to, controls relating to: Access to systems and data (including least privilege, separation of duties, account monitoring, and control); user and device identification and authentication; security awareness training; audit log maintenance, monitoring, and analysis; media protection; personnel security and screening; automated system and communications protection (including network port control, boundary defenses, and encryption); system and information integrity (including malware defenses and software integrity monitoring); vulnerability management; penetration testing; security incident response and management; and any other elements of information security included in generally accepted best practices.
(iii) Business continuity-disaster recovery planning and resources. This category includes, but is not limited to: Regular, periodic testing and review of business continuity-disaster recovery capabilities; the controls and capabilities described in paragraphs (b)(3) and (10) of this section; and any other elements of business continuity-disaster recovery planning and resources included in generally accepted best practices.
(iv) Capacity and performance planning. This category includes, but is not limited to: Controls for monitoring the security-based swap execution facility's systems to ensure adequate scalable capacity (including testing, monitoring, and analysis of current and projected future capacity and performance, and of possible capacity degradation due to planned automated system changes); and any other elements of capacity and performance planning included in generally accepted best practices.
(v) Systems operations. This category includes, but is not limited to: System maintenance; configuration management (including baseline configuration, configuration change and patch management, least functionality, and inventory of authorized and unauthorized devices and software); event and problem response and management; and any other elements of system operations included in generally accepted best practices.
(vi) Systems development and quality assurance. This category includes, but is not limited to: Requirements development; pre-production and regression testing; change management procedures and approvals; outsourcing and vendor management; training in secure coding practices; and any other elements of systems development and quality assurance included in generally accepted best practices.
(vii) Physical security and environmental controls. This category includes, but is not limited to: Physical access and monitoring; power, telecommunication, and environmental controls; fire protection; and any other elements of physical security and environmental controls included in generally accepted best practices.
(2) In addressing the categories of risk analysis and oversight required under paragraph (b)(1) of this section, a security-based swap execution facility shall follow generally accepted standards and best practices with respect to the development, operation, reliability, security, and capacity of automated systems.
(3) A security-based swap execution facility shall maintain a business continuity-disaster recovery plan and business continuity-disaster recovery resources, emergency procedures, and back-up facilities sufficient to enable timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its responsibilities and obligations as a security-based swap execution facility following any disruption of its operations. Such responsibilities and obligations include, without limitation: Order processing and trade matching; transmission of matched orders to a registered clearing agency for clearing, where appropriate; price reporting; market surveillance; and maintenance of a comprehensive audit trail. A security-based swap execution facility's business continuity-disaster recovery plan and resources generally should enable resumption of trading and clearing of security-based swaps executed on or pursuant to the rules of the security-based swap execution facility during the next business day following the disruption. A security-based swap execution facility shall update its business continuity-disaster recovery plan and emergency procedures at a frequency determined by an appropriate risk analysis, but at a minimum no less frequently than annually.
(4) A security-based swap execution facility satisfies the requirement to be able to resume its operations and resume its ongoing fulfillment of its responsibilities and obligations during the next business day following any disruption of its operations by maintaining either:
(i) Infrastructure and personnel resources of its own that are sufficient to ensure timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its responsibilities and obligations as a security-based swap execution facility following any disruption of its operations; or
(ii) Contractual arrangements with other security-based swap execution facilities or disaster recovery service providers, as appropriate, that are sufficient to ensure continued trading and clearing of security-based swaps executed on the security-based swap execution facility, and ongoing fulfillment of all of the security-based swap execution facility's responsibilities and obligations with respect to such security-based swaps, in the event that a disruption renders the security-based swap execution facility temporarily or permanently unable to satisfy this requirement on its own behalf.
(5) A security-based swap execution facility shall notify Commission staff promptly of all:
(i) Electronic trading halts and material system malfunctions;
(ii) Cyber-security incidents or targeted threats that actually or potentially jeopardize automated system operation, reliability, security, or capacity; and
(iii) Activations of the security-based swap execution facility's business continuity-disaster recovery plan.
(6) A security-based swap execution facility shall provide Commission staff timely advance notice of all material:
(i) Planned changes to automated systems that may impact the reliability, security, or adequate scalable capacity of such systems; and
(ii) Planned changes to the security-based swap execution facility's program of risk analysis and oversight.
(7) As part of a security-based swap execution facility's obligation to produce books and records in accordance with § 242.826 (Core Principle 9), the security-based swap execution facility shall provide to the Commission the following system-safeguards-related books and records, promptly upon the request of any Commission representative:
(i) Current copies of its business continuity-disaster recovery plans and other emergency procedures;
(ii) All assessments of its operational risks or system safeguards-related controls;
(iii) All reports concerning system safeguards testing and assessment required by this chapter, whether performed by independent contractors or by employees of the security-based swap execution facility; and
(iv) All other books and records requested by Commission staff in connection with Commission oversight of system safeguards pursuant to the Act or Commission rules, or in connection with Commission maintenance of a current profile of the security-based swap execution facility's automated systems.
(v) Nothing in paragraph (b)(7) of this section shall be interpreted as reducing or limiting in any way a security-based swap execution facility's obligation to comply with § 242.826 (Core Principle 9).
(8) A security-based swap execution facility shall conduct regular, periodic, objective testing and review of its automated systems to ensure that they are reliable, secure, and have adequate scalable capacity. A security-based swap execution facility shall also conduct regular, periodic testing and review of its business continuity-disaster recovery capabilities. Such testing and review shall include, without limitation, all of the types of testing set forth in this paragraph (b)(8).
(i) Definitions. As used in this paragraph (b)(8):
(1) A security-based swap execution facility's program of risk analysis and oversight with respect to its operations and automated systems shall address each of the following categories of risk analysis and oversight:
(i) Enterprise risk management and governance. This category includes, but is not limited to: Assessment, mitigation, and monitoring of security and technology risk; security and technology capital planning and investment; governing board and management oversight of technology and security; information technology audit and controls assessments; remediation of deficiencies; and any other elements of enterprise risk management and governance included in generally accepted best practices.
(ii) Information security. This category includes, but is not limited to, controls relating to: Access to systems and data (including least privilege, separation of duties, account monitoring, and control); user and device identification and authentication; security awareness training; audit log maintenance, monitoring, and analysis; media protection; personnel security and screening; automated system and communications protection (including network port control, boundary defenses, and encryption); system and information integrity (including malware defenses and software integrity monitoring); vulnerability management; penetration testing; security incident response and management; and any other elements of information security included in generally accepted best practices.
(iii) Business continuity-disaster recovery planning and resources. This category includes, but is not limited to: Regular, periodic testing and review of business continuity-disaster recovery capabilities; the controls and capabilities described in paragraphs (b)(3) and (10) of this section; and any other elements of business continuity-disaster recovery planning and resources included in generally accepted best practices.
(iv) Capacity and performance planning. This category includes, but is not limited to: Controls for monitoring the security-based swap execution facility's systems to ensure adequate scalable capacity (including testing, monitoring, and analysis of current and projected future capacity and performance, and of possible capacity degradation due to planned automated system changes); and any other elements of capacity and performance planning included in generally accepted best practices.
(v) Systems operations. This category includes, but is not limited to: System maintenance; configuration management (including baseline configuration, configuration change and patch management, least functionality, and inventory of authorized and unauthorized devices and software); event and problem response and management; and any other elements of system operations included in generally accepted best practices.
(vi) Systems development and quality assurance. This category includes, but is not limited to: Requirements development; pre-production and regression testing; change management procedures and approvals; outsourcing and vendor management; training in secure coding practices; and any other elements of systems development and quality assurance included in generally accepted best practices.
(vii) Physical security and environmental controls. This category includes, but is not limited to: Physical access and monitoring; power, telecommunication, and environmental controls; fire protection; and any other elements of physical security and environmental controls included in generally accepted best practices.
(2) In addressing the categories of risk analysis and oversight required under paragraph (b)(1) of this section, a security-based swap execution facility shall follow generally accepted standards and best practices with respect to the development, operation, reliability, security, and capacity of automated systems.
(3) A security-based swap execution facility shall maintain a business continuity-disaster recovery plan and business continuity-disaster recovery resources, emergency procedures, and back-up facilities sufficient to enable timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its responsibilities and obligations as a security-based swap execution facility following any disruption of its operations. Such responsibilities and obligations include, without limitation: Order processing and trade matching; transmission of matched orders to a registered clearing agency for clearing, where appropriate; price reporting; market surveillance; and maintenance of a comprehensive audit trail. A security-based swap execution facility's business continuity-disaster recovery plan and resources generally should enable resumption of trading and clearing of security-based swaps executed on or pursuant to the rules of the security-based swap execution facility during the next business day following the disruption. A security-based swap execution facility shall update its business continuity-disaster recovery plan and emergency procedures at a frequency determined by an appropriate risk analysis, but at a minimum no less frequently than annually.
(4) A security-based swap execution facility satisfies the requirement to be able to resume its operations and resume its ongoing fulfillment of its responsibilities and obligations during the next business day following any disruption of its operations by maintaining either:
(i) Infrastructure and personnel resources of its own that are sufficient to ensure timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its responsibilities and obligations as a security-based swap execution facility following any disruption of its operations; or
(ii) Contractual arrangements with other security-based swap execution facilities or disaster recovery service providers, as appropriate, that are sufficient to ensure continued trading and clearing of security-based swaps executed on the security-based swap execution facility, and ongoing fulfillment of all of the security-based swap execution facility's responsibilities and obligations with respect to such security-based swaps, in the event that a disruption renders the security-based swap execution facility temporarily or permanently unable to satisfy this requirement on its own behalf.
(5) A security-based swap execution facility shall notify Commission staff promptly of all:
(i) Electronic trading halts and material system malfunctions;
(ii) Cyber-security incidents or targeted threats that actually or potentially jeopardize automated system operation, reliability, security, or capacity; and
(iii) Activations of the security-based swap execution facility's business continuity-disaster recovery plan.
(6) A security-based swap execution facility shall provide Commission staff timely advance notice of all material:
(i) Planned changes to automated systems that may impact the reliability, security, or adequate scalable capacity of such systems; and
(ii) Planned changes to the security-based swap execution facility's program of risk analysis and oversight.
(7) As part of a security-based swap execution facility's obligation to produce books and records in accordance with § 242.826 (Core Principle 9), the security-based swap execution facility shall provide to the Commission the following system-safeguards-related books and records, promptly upon the request of any Commission representative:
(i) Current copies of its business continuity-disaster recovery plans and other emergency procedures;
(ii) All assessments of its operational risks or system safeguards-related controls;
(iii) All reports concerning system safeguards testing and assessment required by this chapter, whether performed by independent contractors or by employees of the security-based swap execution facility; and
(iv) All other books and records requested by Commission staff in connection with Commission oversight of system safeguards pursuant to the Act or Commission rules, or in connection with Commission maintenance of a current profile of the security-based swap execution facility's automated systems.
(v) Nothing in paragraph (b)(7) of this section shall be interpreted as reducing or limiting in any way a security-based swap execution facility's obligation to comply with § 242.826 (Core Principle 9).
(8) A security-based swap execution facility shall conduct regular, periodic, objective testing and review of its automated systems to ensure that they are reliable, secure, and have adequate scalable capacity. A security-based swap execution facility shall also conduct regular, periodic testing and review of its business continuity-disaster recovery capabilities. Such testing and review shall include, without limitation, all of the types of testing set forth in this paragraph (b)(8).
(i) Definitions. As used in this paragraph (b)(8):