Client Cyber Security Program

FAQs

General Information

What is DTCC’s Client Cybersecurity Program?

The Client Cybersecurity Program is an enhanced endpoint security framework designed to ensure that members of DTCC’s SIFMU (Systemically Important Financial Market Utilities) Subsidiaries with SMART (Securely Managed and Reliable Technology) network or other connectivity to DTCC is adequately protected against cyber-attacks.

The goal of this program is to provide oversight of the members’ cybersecurity program & framework and ensure that it meets the standards and requirements of DTCC and our regulators. 

The initial roll out will cover the following DTCC subsidiaries:

  • Depository Trust Company (DTC)
  • Fixed Income Clearing Corporation (FICC):

-       Government Securities Division (GSD)

-       Mortgage-Backed Securities Division (MBSD)

  • National Securities Clearing Corporation (NSCC)

DTCC has developed the Client Cybersecurity Program to establish due-diligence expectations around member access to protect our collective financial infrastructure.

  • Program does not introduce a new framework
  • Leverages established regulatory expectations
  • Changes obligations of members and applicant on-boarding requirements

Where can we find the Rule Filing?

You may download the rule filing in PDF format when you go to these links:

SR-DTC-2019-008:   http://www.dtcc.com/legal/sec-rule-filings?q=SR-DTC-2019-008&pgs=1

SR-FICC-2019-005   http://www.dtcc.com/legal/sec-rule-filings?q=SR-FICC-2019-005&pgs=1

SR-NSCC-2019-003   http://www.dtcc.com/legal/sec-rule-filings?q=SR-NSCC-2019-003&pgs=1

Note: You may also view the Confirmation Form on the later pages of the downloaded file.

How should each firm notify DTCC of its designated Control Officer?

The Control Officer is a senior executive responsible and accountable for overseeing the cyber security program within their organization.

We are giving you the obligation of designating the appropriate Control Officer of your company. The Control Officer is usually the CISO, a member of the Board of Directors or a Security Manager. The Relationship Manager assigned to each firm will be reaching out to the Company Contact to gather names of the Control Officer.

Why is cybersecurity important?

The financial services industry is more complex and globally interconnected than ever before. It is increasingly bringing together diverse firms that range from small businesses to leading financial centers and innovation hubs all over the world. While this can be helpful in driving innovation and creating healthy competitions, the downside to such an environment is increased cybersecurity risks.

Cyber-attacks are growing, and attackers are focusing more deeply inside financial institutions. As a leader in the financial services industry, DTCC is obliged to be secured 24/7 because of the confidentiality of its financial data; thus, all the clients/members connecting to a DTCC network should also be secured.

Cybersecurity is important because:

  • Cyber threats against the financial sector are more frequent, complex and sophisticated
  • Regulator’s focus is increasingly shifting to systemic cyber risks
  • The financial services ecosystem is now increasingly interconnected
  • Exposure to operational failure or cyberattacks through third parties is increasing
  • Financial risk is increasing

Is my organization required to use a cybersecurity framework?

Yes, any existing or new member connecting to a DTCC network is required to be cybersecurity resilient and follow a specific cybersecurity standard/framework.

There are various standards and frameworks available, but to perform the right due diligence, the standard and framework used by the member/participant must be widely acknowledged across the industry such as:

  1. FSSCC Security Profile - Financial Services Sector Coordinating Council Security Profile
  2. NIST CSF - National Institute of Standards and Technology Cybersecurity Framework 
  3. ISO27001/27002 - International Organization for Standardization 27001/27002
  4. FFIEC CAT - Federal Financial Institutions Examination Council Cybersecurity Assessment Tool
  5. CSC 20 - Critical Security Controls Top 20
  6. SOC 2 - System and Organization Controls 2 
  7. SOC for Cybersecurity – System and Organization Controls for Cybersecurity 
  8. COBIT 5 - Control Objectives for Information and Related Technologies 5
  9. COBIT 2019 - Control Objectives for Information and Related Technologies 2019
  10. OSFI - The Office of the Superintendent of Financial Institutions Cyber Security Self-Assessment Guidance
  11. JASDEC - Japan Securities Depository Center, Inc. Basic Policy on Risk Management and Basic Policy on Information Security

The Client Cybersecurity Program

Why did we receive this notice?

All members of DTCC subsidiaries mentioned below that connect to DTCC network are required to confirm that their firm has an established cybersecurity program.

  • Depository Trust Company (DTC)
  • Fixed Income Clearing Corporation (FICC):

-       Government Securities Division (GSD)

-       Mortgage-Backed Securities Division (MBSD)

  • National Securities Clearing Corporation (NSCC)

How is the Client Cybersecurity Program structured?

  • New rule filing
  • Identification of a Control Officer
  • Existing clients have 180 days to comply from the day they received the envelope
  • New clients must confirm during the onboarding process
  • Requires confirmation of key aspects of a cybersecurity program
  • Testing of compliance via sampling
  • 2-year cycle for confirmation renewal
  • Non-compliance consequences

What do clients need to do to prepare for Client Cybersecurity Program?

  • Identify a Control Officer(s) for businesses transacting with DTCC
  • Have your cybersecurity program assessed by an independent external entity with cybersecurity domain expertise, a regulator, an internal audit function or be compliant with NYSDFS cybersecurity regulation
  • Identify industry standards and frameworks used in your cybersecurity program
  • Validate/review connectivity to DTCC. Verify how your firm’s connectivity to DTCC – whether direct or through a third party, is being reviewed.
  • Prepare materials used to communicate cybersecurity program with your risk management team

Is it possible to edit/update the Confirmation Form after submission?

Members will not be able to edit or update a form that has been already submitted.

Members should ensure that the information documented on the form is accurate and correct before submitting.


The Confirmation of Client Cybersecurity Program Form

What is a Confirmation form?

The Confirmation Form is an electronic form that your designated Senior Executive / Control Officer must complete and sign to confirm that your organization has a resilient cybersecurity program that is aligned to an established framework thus protected against cyber-attacks.

DTCC will be sending out the Confirmation Form to the designated Senior Executive / Control Officer through email with the link.

What are the Elements of a Confirmation Form?

  • A comprehensive cybersecurity program
  • Cybersecurity policies and procedures approved by senior management or the company’s board of directors
  • Alignment with industry standard best practices and guidelines
  • A program to review the risks of third parties used to connect to DTCC
  • A process to remediate cyber issues identified to fulfill regulatory and/or statutory requirements
  • Periodic update of cybersecurity program and framework
  • A comprehensive review of the cybersecurity program and framework has been conducted by one of the following:
    • The Company, which has filed and maintains a current Certification of Compliance with the Superintendent of the New York State Department of Financial Services (NYSDFS) pursuant to 23 NYCRR 500
    • A regulator who assesses the program against a designated cybersecurity framework or industry standard (OCC: Office of the Comptroller and the FFIEC CAT)
    • An independent external entity with cybersecurity domain expertise (SOC2 Certification, ISO 27001 Certification, NIST CSF assessment)
    • An independent internal audit function reporting directly to the board of directors or designated board of directors committee of The Company, such that the findings of that review are shared with these governance bodies

What is the deadline to complete and submit the Confirmation Form?

Established Members:  The Control Officer has 180 days from receipt of the link to complete and sign the Confirmation form.

New Members: There is no specified deadline for new members however, submitting the Confirmation Form is a requirement to be on-boarded to DTCC.

How will I assign the Confirmation Form to someone else if I am not the correct contact to complete the form?

If the Confirmation Form was sent to the incorrect Control Officer or the receiver of the form decides that he/she is not the correct person to sign the form, please follow the steps bellow:

1. Click Review Document















2. On the upper right side click Other Actions > Select Assign to Someone Else














3. Assign the document to the correct Control Officer:

  1. Type in the complete email address of the new/correct signer (Control Officer)
  2. Enter the first and last name of the new/correct signer (Control Officer)
  3. Write a short message to the person you are assigning it to.
  4. Click ASSIGN TO SOMEONE ELSE













The new/correct Control Officer will receive the Confirmation Form.


I don’t want to sign the Confirmation Form via DocuSign, can we print, sign and fax or email it to DTCC?

DTCC only accepts Confirmation Forms completed & signed digitally via DocuSign.

The Technology Risk Management (TRM) needs to screen and approve (or reject) all the Confirmation Forms submitted; this can only be done electronically using DocuSign.

The final copy of the completed & signed Confirmation Form will be converted and saved in a pdf format.  The signing party (the control officer) will receive a copy (via email) of the completed & signed Confirmation Form in a pdf file once it is approved.

 

I lost the DocuSign email. Could you resend it?

Kindly contact your Relationship Manager to request the DocuSign email (Confirmation Form) to be resent.


Sampling

What is Sampling?

Sampling is a process within the program wherein DTCC selects a certain percentage of members per line of business to test the accuracy of the Control Officer’s responses/answers to the Confirmation Form.

DTCC will be conducting sampling through WebEx. A list of sampling requirements will be sent to the selected members beforehand.

To complete the sampling review for accuracy, the member will need to present the following evidence:

a)    cybersecurity program policies & procedures

b)    framework certification or proof third-party assessment

c)    other pieces of evidence as it relates to the confirmation form

 

There will be no physical exchange of data for sampling and the recording functionality of WebEx will be disabled during the meeting to ensure that no client confidential information will be stored. 

What documents do I need to present during the sampling review meeting?

If your firm is selected for sampling, DTCC will send you a list of requirements that you have to prepare to support your answers in the Confirmation Form.

Sampling will be conducted via WebEx for roughly 60 to 90 minutes.

DTCC will not save any written documentation or policies. All evidences will be presented only during the WebEx meeting and the recording functionality of the application will be disabled to ensure that no client confidential information is stored in our system.


Fines and Waivers

When will be a firm be subject to fines?

If you fail to complete and sign the Confirmation Form within 180 days, DTCC will provide you an additional 30 days which serves as your grace period, on the 31st day your company may be subject to fines. 


Contact Information

Who do I contact if I have any questions regarding the program?

You may contact your Relationship Manager for any questions or concerns about the program. 


dtccdotcom