How does the firm test its systems resilience?
A: DTCC's Business Continuity Program oversees operational and technical walkthroughs, tabletops, and simulations, including Disaster Recovery exercises, Work Area Recovery exercises, loss of critical or key third-party service provider exercises, and crisis management tabletops.
What is the firm’s approach to cyber response planning?
A: The firm has worked to assess and enhance its ability to respond to and recover from a wide range of events, including those with a large impact on the integrity and availability of data. This approach is built on scenario impact, timely and appropriate communication, and a rapid and safe recovery.
What tools does DTCC have in place to ensure continuity of its critical services?
A: Resiliency, in the sense of ensuring business continuity for its critical processes, is DTCC's first priority. These tools include automated system health alerting and monitoring, recovery playbooks, cross-regional system rotation, and failover and fallback capabilities. If a critical process cannot be restored in a timely fashion, DTCC has a suite of ad hoc functional capabilities designed to direct the firm and clients to the best available outcome, such as Response Capabilities.
How does DTCC plan to restore its business data in the event it was either corrupted or destroyed across multiple regions?
A: In the event of an incident with a large-scale data impact, the firm has developed capabilities to resume services in an efficient and secure manner by restoring business data to an earlier point in time. The firm, with client input, determined that the industry would be best served by reverting to a defined point in time within the same business day at which the data is known to be accurate.
Do clients and other external parties have a role to play in DTCC’s response and recovery from an incident with a large-scale data impact?
A: Such an event could create significant business impacts, including the possibility of discrepancies with clients’ books and records due to corruption or destruction of data. In such scenarios, help from clients will be needed to reconcile books and records and to validate and replay data. To prepare for these types of events, DTCC has defined external tools that allow clients to assist with this reconciliation; these tools are detailed in DTCC's Disaster Recovery Guide.
Given DTCC’s unique position in the industry, what key assumption(s) has the firm defined in its resumption of service following an impactful event?
A: DTCC’s primary goal is to minimize impact to members in the event of an outage, and with that in mind, the firm established that once settlement has occurred and the day is complete, the position record for that business day is considered final. In order to allow the industry to continue to operate, the firm established a “fall forward” procedure, where any prior settlement day’s activity remains unchanged, and errors would be corrected through adjustments in future settlement cycles.
What is the System Disruption Rule?
A: The System Disruption Rule, first implemented by DTCC in 2021, grants DTCC the authority to take decisive actions in response to external security incidents that could significantly affect its operations. These actions may include disconnecting file connectivity and communications between DTCC and its clients. An update is proposed to incorporate best practices and risk mitigation measures in the event of an external security incident.
What is the review and approval process, and timeline for the filing?
A: DTCC is working through the proposed rule draft with the SEC and expects federal register publication later this year for a public comment period. Timing may vary depending on draft review and feedback cycles. DTCC will post an announcement on dtcc.com when the proposed rule is available for review and comment.
Did DTCC consult with the industry when drafting the filing?
A: Yes, DTCC presented at Securities Industry and Financial Markets Association (SIFMA) committees on Cyber, Resilience, and Red Group (Mid-size institutions).
In addition, we consulted with Financial Services Information Sharing and Analysis Center (FSISAC); Options Clearing Corporation (OCC); CME Group; and others.
Does the rule filing replace existing standards, processes, or procedures that DTCC uses to make decisions about disconnecting or reconnecting a client after a cyber incident?
A: The proposed rule enhances existing standards, processes, and procedures to reflect DTCC’s experience and best practices in response to such incidents. These best practices include process changes and an updated governance framework that DTCC believes will enable a clear, effective, and efficient incident management response that helps mitigate risk to DTCC Systems and the financial industry at large.
Will this rule proposal impact all DTCC businesses?
A: This rule filing applies to DTC, NSCC, FICC (MBSD & GSD), their third-party service providers and service bureaus. Many of the concepts and practices from the final rule will be adapted for other business lines, with modifications tailored to specific entities and jurisdictional requirements.
What will DTCC’s updated processes look like?
A: DTCC’s updated process framework, in the proposed rule, better aligns with the series of events that occurs in connection with an outside security incident that may affect DTCC Systems. The framework focuses on process improvements and governance updates to the three major phases of such incidents:
- The security incident notification to DTCC.
- DTCC’s authority and response in connection with an outside security incident that may affect DTCC Systems, including potential disconnection from DTCC Systems.
- The reconnection process after a disconnection due to an outside security incident that may affect DTCC Systems, including specified documentation, testing, and approval requirements.
Are there more details on the upcoming changes and how they will impact me?
A: DTCC will share the review filing once the SEC publishes the proposed rule changes. In the meantime, please reach out to your relationship manager with any questions.
What are the next steps?
A: DTCC is currently collaborating with clients, regulators, and other industry firms regarding the proposed rule changes. We will continue to notify the industry of any updates.
How can I participate in providing feedback?
A: There will be a comment period coordinated by the SEC. In addition, DTCC will post an announcement on dtcc.com when the proposed rule is available for review and comment. Please contact your relationship manager with any questions.