Client Cybersecurity Program

FAQs

What is DTCC’s Client Cybersecurity Program?

The Client Cybersecurity Program (‘Program’) is an information risk management validation effort designed to gain assurance that members and participants of DTCC’s Systemically Important Financial Market Utility (SIFMU) services are utilizing an industry-accepted cybersecurity risk management framework for the governance and management of its cybersecurity program.

The Program include members/participants of the following DTCC subsidiaries:

• Depository Trust Company (DTC)
• Fixed Income Clearing Corporation (FICC)
• Government Securities Division (GSD)
• Mortgage-Backed Securities Division (MBSD)
• National Securities Clearing Corporation (NSCC)

DTCC developed the Client Cybersecurity Program to provide assurance that members/participants are utilizing an industry-accepted cybersecurity framework to govern their cybersecurity risk management program. It leverages current regulatory or standards-setting body frameworks.  It does not set any new control standards.

Where can financial institutions find the rule filing?

The approved SEC rule filing for each DTCC market utility can be downloaded in PDF format using the links below:

DTC (SR-DTC-2019-008)   

FICC (SR-FICC-2019-005)   

NSCC (SR-NSCC-2019-003)   

Is my organization required to use a cybersecurity framework?

Yes. Members/Participants and new applicants to DTC/FICC/NSCC services are required to demonstrate their use of an industry-accepted cyber risk management framework. Examples of an industry-accepted framework include:

1. CRI Profile – The Cyber Risk Institute Profile (former FSSCC Profile)
2. NIST CSF - National Institute of Standards and Technology Cybersecurity Framework 
3. ISO27001/27002 - International Organization for Standardization 27001/27002
4. FFIEC CAT - Federal Financial Institutions Examination Council Cybersecurity Assessment Tool
5. CSC 20 - Critical Security Controls Top 20
6. SOC 2 - System and Organization Controls 2 
7. SOC for Cybersecurity – System and Organization Controls for Cybersecurity 
8. COBIT - Control Objectives for Information and Related Technologies
9. OSFI - The Office of the Superintendent of Financial Institutions Cyber Security Self-Assessment Guidance
10. JASDEC - Japan Securities Depository Center, Inc. Basic Policy on Risk Management and Basic Policy on Information Security
11. FINRA - FINRA Small Firm Cybersecurity Checklist
12. SEC OCIE - The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations Cybersecurity Examination Initiative

How should each firm notify DTCC of its designated Control Officer?

The Control Officer is a senior executive responsible and accountable for overseeing the cyber security program within their organization.

We are giving you the obligation of designating the appropriate Control Officer of your company. The Control Officer is usually the CISO, a member of the Board of Directors or a Security Manager.

To update your Control Officer information, email [email protected].

What is a Confirmation form?

The Confirmation Form is an electronic form sent via DocuSign that the designated Control Officer must complete and sign to attest that your firm has a written cybersecurity program structured from an industry known cybersecurity framework and goes through reviews periodically and updated based on risk assessments, technology and regulatory requirements.

Our firm is using a third party to transact directly to DTCC. Are we still required to complete the cybersecurity confirmation?

Yes. As a member/participant of DTC, FICC and/or NSCC, your firm is required to have your own written cybersecurity program and policies in compliance to the SEC rule.

Our firm is subscribed to a cybersecurity service provider and utilizing cybersecurity applications and software. Are we still required to have our cybersecurity program in writing?

Yes. Having a written cybersecurity program approved by your Risk Committee or Board of Directors is one of the requirements of the SEC Rule.

Can we print, sign and fax or email the confirmation form instead of signing via DocuSign?

DTCC only accept confirmation forms the are completed and signed digitally via DocuSign. Upon completion and DTCC approval of the form, the Control Officer will receive a pdf copy of the form.

Is it possible to edit/update the confirmation form after submission?

Members/Participants will not be able to edit or update a form that has been submitted. The firm should ensure that the information documented on the form is complete and accurate before submitting.

Who can I contact if I have any questions regarding the program?

You may contact your Relationship Manager for any questions or concerns about the program or email [email protected] .