OCC comment on SEC RIN 3235-AN15 Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents
The Options Clearing Corporation (“OCC”) welcomes the opportunity to comment on the Securities and Exchange Commission’s (the “SEC” or the “Commission”) proposed rulemaking regarding cybersecurity risk management (the “Proposal” or “Rule 10”).
Summary and Overall Comments
OCC supports and appreciates the Commission enhancing its regulations to identify and protect the U.S. securities markets from cybersecurity vulnerabilities and threats, and generally to improve cybersecurity risk management across the industry. We agree that, as mentioned in the Proposal, the U.S. securities markets depend on Market Entities to perform various functions without disruption to ensure market stability and operations, and that the interconnectedness of Market Entities potentially increases the risk of a cybersecurity incident impacting multiple entities across the U.S. securities markets, which could result in considerable harm to the securities markets. We further agree that the fair, orderly and efficient operations of all U.S. securities markets rely on the use of information systems and a network of interconnected information systems. OCC, like other clearing agencies, uses information systems to perform a variety of functions, including its core clearing and settlement functions, and relies on its interconnectedness with its participant exchanges and clearing members through networking and other system access to perform its self-regulatory organization obligations. OCC appreciates the Commission’s efforts to strengthen the operational resilience of the securities markets through this Proposal.
The Commission is proposing that Covered Entities adopt enhanced policies and procedures to identify, assess and respond to cybersecurity incidents and mitigate cybersecurity risk. OCC recognizes that requiring consistent cybersecurity practices for all securities market participants will strengthen the cybersecurity of the securities marketplace and result in fewer cybersecurity incidents. While supportive of the principles of the Proposal, OCC respectfully requests that the Commission consider revising the Proposal to specify that Covered Entities may achieve compliance through the establishment and maintenance of policies and procedures that align with industry standards, as it has done with other similar regulations. This change would support the Commission’s stated objective of promoting the use of best practices in policies and procedures across Covered Entities.
OCC also appreciates the Commission’s goals related to notification and reporting of significant cybersecurity incidents, including the objective to improve the Commission’s ability to monitor and evaluate the effects of significant cybersecurity incidents. Although OCC agrees with the Commission’s objective, OCC respectfully requests that the Commission consider modifying the Proposal to include reasonable reporting timelines to align with overlapping Commission regulatory requirements in order to enable OCC and other Covered Entities to focus cybersecurity personnel’s undivided attention and efforts on the eradication and containment of incidents as a first priority.
Finally, we believe that the Proposal’s public disclosure requirements for cybersecurity risks would introduce new risks to Covered Entities with potentially severe negative consequences to the securities markets. We are concerned that a Covered Entity’s public disclosure of such risks could provide information to threat actors that increases the opportunity for these parties to compromise the security and integrity of the Covered Entity. We therefore respectfully request that the Commission reconsider the requirement for public disclosure of these cybersecurity risks given the real possibility that this information may be used as a roadmap for threat actors to compromise the securities markets generally.