§ 242.830 - Core Principle 13—System safeguards.

(a) In general. The security-based swap execution facility shall:

(1) Establish and maintain a program of risk analysis and oversight to identify and minimize sources of operational risk, through the development of appropriate controls and procedures, and automated systems, that:

(i) Are reliable and secure; and

(ii) Have adequate scalable capacity;

(2) Establish and maintain emergency procedures, backup facilities, and a plan for disaster recovery that allow for:

(i) The timely recovery and resumption of operations; and

(ii) The fulfillment of the responsibilities and obligations of the security-based swap execution facility; and

(3) Periodically conduct tests to verify that the backup resources of the security-based swap execution facility are sufficient to ensure continued:

(i) Order processing and trade matching;

(ii) Price reporting;

(iii) Market surveillance; and

(iv) Maintenance of a comprehensive and accurate audit trail.

(b) Requirements. (1) A security-based swap execution facility's program of risk analysis and oversight with respect to its operations and automated systems shall address each of the following categories of risk analysis and oversight:

(i) Enterprise risk management and governance. This category includes, but is not limited to: Assessment, mitigation, and monitoring of security and technology risk; security and technology capital planning and investment; governing board and management oversight of technology and security; information technology audit and controls assessments; remediation of deficiencies; and any other elements of enterprise risk management and governance included in generally accepted best practices.

(ii) Information security. This category includes, but is not limited to, controls relating to: Access to systems and data (including least privilege, separation of duties, account monitoring, and control); user and device identification and authentication; security awareness training; audit log maintenance, monitoring, and analysis; media protection; personnel security and screening; automated system and communications protection (including network port control, boundary defenses, and encryption); system and information integrity (including malware defenses and software integrity monitoring); vulnerability management; penetration testing; security incident response and management; and any other elements of information security included in generally accepted best practices.

(iii) Business continuity-disaster recovery planning and resources. This category includes, but is not limited to: Regular, periodic testing and review of business continuity-disaster recovery capabilities; the controls and capabilities described in paragraphs (b)(3) and (10) of this section; and any other elements of business continuity-disaster recovery planning and resources included in generally accepted best practices.

(iv) Capacity and performance planning. This category includes, but is not limited to: Controls for monitoring the security-based swap execution facility's systems to ensure adequate scalable capacity (including testing, monitoring, and analysis of current and projected future capacity and performance, and of possible capacity degradation due to planned automated system changes); and any other elements of capacity and performance planning included in generally accepted best practices.

(v) Systems operations. This category includes, but is not limited to: System maintenance; configuration management (including baseline configuration, configuration change and patch management, least functionality, and inventory of authorized and unauthorized devices and software); event and problem response and management; and any other elements of system operations included in generally accepted best practices.

(vi) Systems development and quality assurance. This category includes, but is not limited to: Requirements development; pre-production and regression testing; change management procedures and approvals; outsourcing and vendor management; training in secure coding practices; and any other elements of systems development and quality assurance included in generally accepted best practices.

(vii) Physical security and environmental controls. This category includes, but is not limited to: Physical access and monitoring; power, telecommunication, and environmental controls; fire protection; and any other elements of physical security and environmental controls included in generally accepted best practices.

(2) In addressing the categories of risk analysis and oversight required under paragraph (b)(1) of this section, a security-based swap execution facility shall follow generally accepted standards and best practices with respect to the development, operation, reliability, security, and capacity of automated systems.

(3) A security-based swap execution facility shall maintain a business continuity-disaster recovery plan and business continuity-disaster recovery resources, emergency procedures, and back-up facilities sufficient to enable timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its responsibilities and obligations as a security-based swap execution facility following any disruption of its operations. Such responsibilities and obligations include, without limitation: Order processing and trade matching; transmission of matched orders to a registered clearing agency for clearing, where appropriate; price reporting; market surveillance; and maintenance of a comprehensive audit trail. A security-based swap execution facility's business continuity-disaster recovery plan and resources generally should enable resumption of trading and clearing of security-based swaps executed on or pursuant to the rules of the security-based swap execution facility during the next business day following the disruption. A security-based swap execution facility shall update its business continuity-disaster recovery plan and emergency procedures at a frequency determined by an appropriate risk analysis, but at a minimum no less frequently than annually.

(4) A security-based swap execution facility satisfies the requirement to be able to resume its operations and resume its ongoing fulfillment of its responsibilities and obligations during the next business day following any disruption of its operations by maintaining either:

(i) Infrastructure and personnel resources of its own that are sufficient to ensure timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its responsibilities and obligations as a security-based swap execution facility following any disruption of its operations; or

(ii) Contractual arrangements with other security-based swap execution facilities or disaster recovery service providers, as appropriate, that are sufficient to ensure continued trading and clearing of security-based swaps executed on the security-based swap execution facility, and ongoing fulfillment of all of the security-based swap execution facility's responsibilities and obligations with respect to such security-based swaps, in the event that a disruption renders the security-based swap execution facility temporarily or permanently unable to satisfy this requirement on its own behalf.

(5) A security-based swap execution facility shall notify Commission staff promptly of all:

(i) Electronic trading halts and material system malfunctions;

(ii) Cyber-security incidents or targeted threats that actually or potentially jeopardize automated system operation, reliability, security, or capacity; and

(iii) Activations of the security-based swap execution facility's business continuity-disaster recovery plan.

(6) A security-based swap execution facility shall provide Commission staff timely advance notice of all material:

(i) Planned changes to automated systems that may impact the reliability, security, or adequate scalable capacity of such systems; and

(ii) Planned changes to the security-based swap execution facility's program of risk analysis and oversight.

(7) As part of a security-based swap execution facility's obligation to produce books and records in accordance with § 242.826 (Core Principle 9), the security-based swap execution facility shall provide to the Commission the following system-safeguards-related books and records, promptly upon the request of any Commission representative:

(i) Current copies of its business continuity-disaster recovery plans and other emergency procedures;

(ii) All assessments of its operational risks or system safeguards-related controls;

(iii) All reports concerning system safeguards testing and assessment required by this chapter, whether performed by independent contractors or by employees of the security-based swap execution facility; and

(iv) All other books and records requested by Commission staff in connection with Commission oversight of system safeguards pursuant to the Act or Commission rules, or in connection with Commission maintenance of a current profile of the security-based swap execution facility's automated systems.

(v) Nothing in paragraph (b)(7) of this section shall be interpreted as reducing or limiting in any way a security-based swap execution facility's obligation to comply with § 242.826 (Core Principle 9).

(8) A security-based swap execution facility shall conduct regular, periodic, objective testing and review of its automated systems to ensure that they are reliable, secure, and have adequate scalable capacity. A security-based swap execution facility shall also conduct regular, periodic testing and review of its business continuity-disaster recovery capabilities. Such testing and review shall include, without limitation, all of the types of testing set forth in this paragraph (b)(8).

(i) Definitions. As used in this paragraph (b)(8):

Controls means the safeguards or countermeasures employed by the security-based swap execution facility to protect the reliability, security, or capacity of its automated systems or the confidentiality, integrity, and availability of its data and information, and to enable the security-based swap execution facility to fulfill its statutory and regulatory responsibilities.

Controls testing means assessment of the security-based swap execution facility's controls to determine whether such controls are implemented correctly, are operating as intended, and are enabling the security-based swap execution facility to meet the requirements of this section.

Enterprise technology risk assessment means a written assessment that includes, but is not limited to, an analysis of threats and vulnerabilities in the context of mitigating controls. An enterprise technology risk assessment identifies, estimates, and prioritizes risks to security-based swap execution facility operations or assets, or to market participants, individuals, or other entities, resulting from impairment of the confidentiality, integrity, and availability of data and information or the reliability, security, or capacity of automated systems.

External penetration testing means attempts to penetrate the security-based swap execution facility's automated systems from outside the systems' boundaries to identify and exploit vulnerabilities. Methods of conducting external penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.

Internal penetration testing means attempts to penetrate the security-based swap execution facility's automated systems from inside the systems' boundaries, to identify and exploit vulnerabilities. Methods of conducting internal penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.

Security incident means a cybersecurity or physical security event that actually jeopardizes or has a significant likelihood of jeopardizing automated system operation, reliability, security, or capacity, or the availability, confidentiality or integrity of data.

Security incident response plan means a written plan documenting the security-based swap execution facility's policies, controls, procedures, and resources for identifying, responding to, mitigating, and recovering from security incidents, and the roles and responsibilities of its management, staff, and independent contractors in responding to security incidents. A security incident response plan may be a separate document or a business continuity-disaster recovery plan section or appendix dedicated to security incident response.

Security incident response plan testing means testing of a security-based swap execution facility's security incident response plan to determine the plan's effectiveness, identify its potential weaknesses or deficiencies, enable regular plan updating and improvement, and maintain organizational preparedness and resiliency with respect to security incidents. Methods of conducting security incident response plan testing may include, but are not limited to, checklist completion, walk-through or table-top exercises, simulations, and comprehensive exercises.

Vulnerability testing means testing of a security-based swap execution facility's automated systems to determine what information may be discoverable through a reconnaissance analysis of those systems and what vulnerabilities may be present on those systems.

(ii) Vulnerability testing. A security-based swap execution facility shall conduct vulnerability testing of a scope sufficient to satisfy the requirements set forth in paragraph (b)(10) of this section.

(A) A security-based swap execution facility shall conduct such vulnerability testing at a frequency determined by an appropriate risk analysis.

(B) Such vulnerability testing shall include automated vulnerability scanning, which shall follow generally accepted best practices.

(C) A security-based swap execution facility shall conduct vulnerability testing by engaging independent contractors or by using employees of the security-based swap execution facility who are not responsible for development or operation of the systems or capabilities being tested.

(iii) External penetration testing. A security-based swap execution facility shall conduct external penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (b)(10) of this section.

(A) A security-based swap execution facility shall conduct such external penetration testing at a frequency determined by an appropriate risk analysis.

(B) A security-based swap execution facility shall conduct external penetration testing by engaging independent contractors or by using employees of the security-based swap execution facility who are not responsible for development or operation of the systems or capabilities being tested.

(iv) Internal penetration testing. A security-based swap execution facility shall conduct internal penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (b)(10) of this section.

(A) A security-based swap execution facility shall conduct such internal penetration testing at a frequency determined by an appropriate risk analysis.

(B) A security-based swap execution facility shall conduct internal penetration testing by engaging independent contractors, or by using employees of the security-based swap execution facility who are not responsible for development or operation of the systems or capabilities being tested.

(v) Controls testing. A security-based swap execution facility shall conduct controls testing of a scope sufficient to satisfy the requirements set forth in paragraph (b)(10) of this section.

(A) A security-based swap execution facility shall conduct controls testing, which includes testing of each control included in its program of risk analysis and oversight, at a frequency determined by an appropriate risk analysis. Such testing may be conducted on a rolling basis.

(B) A security-based swap execution facility shall conduct controls testing by engaging independent contractors or by using employees of the security-based swap execution facility who are not responsible for development or operation of the systems or capabilities being tested.

(vi) Security incident response plan testing. A security-based swap execution facility shall conduct security incident response plan testing sufficient to satisfy the requirements set forth in paragraph (b)(10) of this section.

(A) A security-based swap execution facility shall conduct such security incident response plan testing at a frequency determined by an appropriate risk analysis.

(B) A security-based swap execution facility's security incident response plan shall include, without limitation, the security-based swap execution facility's definition and classification of security incidents, its policies and procedures for reporting security incidents and for internal and external communication and information sharing regarding security incidents, and the hand-off and escalation points in its security incident response process.

(C) A security-based swap execution facility may coordinate its security incident response plan testing with other testing required by this section or with testing of its other business continuity-disaster recovery and crisis management plans.

(D) A security-based swap execution facility may conduct security incident response plan testing by engaging independent contractors or by using employees of the security-based swap execution facility.

(vii) Enterprise technology risk assessment. A security-based swap execution facility shall conduct enterprise technology risk assessment of a scope sufficient to satisfy the requirements set forth in paragraph (b)(10) of this section.

(A) A security-based swap execution facility shall conduct enterprise technology risk assessment at a frequency determined by an appropriate risk analysis. A security-based swap execution facility that has conducted an enterprise technology risk assessment that complies with this section may conduct subsequent assessments by updating the previous assessment.

(B) A security-based swap execution facility may conduct enterprise technology risk assessments by using independent contractors or employees of the security-based swap execution facility who are not responsible for development or operation of the systems or capabilities being assessed.

(9) To the extent practicable, a security-based swap execution facility shall:

(i) Coordinate its business continuity-disaster recovery plan with those of its members that it depends upon to provide liquidity, in a manner adequate to enable effective resumption of activity in its markets following a disruption causing activation of the security-based swap execution facility's business continuity-disaster recovery plan;

(ii) Initiate and coordinate periodic, synchronized testing of its business continuity-disaster recovery plan with those of members that it depends upon to provide liquidity; and

(iii) Ensure that its business continuity-disaster recovery plan takes into account the business continuity-disaster recovery plans of its telecommunications, power, water, and other essential service providers.

(10) The scope for all system safeguards testing and assessment required by this section shall be broad enough to include the testing of automated systems and controls that the security-based swap execution facility's required program of risk analysis and oversight and its current cybersecurity threat analysis indicate is necessary to identify risks and vulnerabilities that could enable an intruder or unauthorized user or insider to:

(i) Interfere with the security-based swap execution facility's operations or with fulfillment of its statutory and regulatory responsibilities;

(ii) Impair or degrade the reliability, security, or adequate scalable capacity of the security-based swap execution facility's automated systems;

(iii) Add to, delete, modify, exfiltrate, or compromise the integrity of any data related to the security-based swap execution facility's regulated activities; or

(iv) Undertake any other unauthorized action affecting the security-based swap execution facility's regulated activities or the hardware or software used in connection with those activities.

(11) Both the senior management and the governing board of a security-based swap execution facility shall receive and review reports setting forth the results of the testing and assessment required by this section. A security-based swap execution facility shall establish and follow appropriate procedures for the remediation of issues identified through such review, as provided in paragraph (b)(12) of this section, and for evaluation of the effectiveness of testing and assessment protocols.

(12) A security-based swap execution facility shall identify and document the vulnerabilities and deficiencies in its systems revealed by the testing and assessment required by this section. The security-based swap execution facility shall conduct and document an appropriate analysis of the risks presented by such vulnerabilities and deficiencies, to determine and document whether to remediate or accept the associated risk. When the security-based swap execution facility determines to remediate a vulnerability or deficiency, it must remediate in a timely manner given the nature and magnitude of the associated risk.