[Federal Register Volume 88, Number 106 (Friday, June 2, 2023)]
[Notices]
[Pages 36351-36353]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-11714]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

[Release No. 34-97602; File No. SR-OCC-2023-003]


Self-Regulatory Organizations; The Options Clearing Corporation; 
Notice of Partial Amendment No. 1 to Proposed Rule Change by The 
Options Clearing Corporation Concerning Clearing Member Cybersecurity 
Obligations

May 26, 2023.
    On March 21, 2023, the Options Clearing Corporation (``OCC'') filed 
with the Securities and Exchange Commission (``Commission'') the 
proposed rule change SR-OCC-2023-003 pursuant to Section 19(b) of the 
Securities Exchange Act of 1934 (``Exchange Act'') \1\ and Rule 19b-4 
\2\ thereunder to amend certain provisions in OCC's Rules relating to 
Clearing Member cybersecurity obligations to address the occurrence of 
a cyber-related disruption or intrusion of a Clearing Member 
(``Security Incident''). The proposed rule change was published for 
public comment in the

[[Page 36352]]

Federal Register on April 5, 2023.\3\ The Commission has received 
comments regarding the proposal described in the proposed rule 
change.\4\ On May 24, 2023, OCC filed Partial Amendment No. 1 to the 
proposed rule change. Pursuant to Section 19(b)(1) of the Act \5\ and 
Rule 19b-4 thereunder,\6\ the Commission is publishing notice of this 
Partial Amendment No.1 to the proposed rule change as described in Item 
I below, which has been prepared primarily by OCC. The Commission is 
publishing this notice to solicit comment on Partial Amendment No. 1 
from interested persons.
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 78s(b)(1).
    \2\ 17 CFR 240.19b-4.
    \3\ Securities Exchange Act Release No. 97225 (Mar. 30, 2023), 
88 FR 20195 (Apr. 5, 2023) (File No. SR-OCC-2023-003).
    \4\ Comments on the proposed rule change are available at 
https://www.sec.gov/comments/sr-occ-2023-003/srocc2023003.htm.
    \5\ 15 U.S.C. 78s(b)(1)
    \6\ 17 CFR 240.19b-4.
---------------------------------------------------------------------------

I. Clearing Agency's Statement of the Terms of Substance of the 
Proposed Rule Change Partial Amendment No. 1

    The Options Clearing Corporation (``OCC'') hereby submits this 
partial amendment, constituting Amendment No. 1 [sic], to its proposed 
rule change SR-OCC-2023-003 (the ``Initial Filing''), in which OCC 
proposed new sections (d) and (e) to existing Rule 219, which Rule 
subsequently was renumbered to Rule 213. The Proposal requires Clearing 
Members to notify OCC about the occurrence of a ``Security Incident'', 
and in the event of a disconnection from OCC, obligates the Clearing 
Member to provide an attestation to OCC before reconnecting. OCC 
intends to amend Proposed Rules 213(d) and 213(e) to clarify the 
definition of the term ``Security Incident'', the threshold conditions 
for disconnection of a Clearing Member, and the process for a Clearing 
Member's reconnection.
    As originally proposed in the Initial Filing, Proposed Rules 213(d) 
and 213(e) are as follows:

    (d) Occurrence of a Security Incident. A Clearing Member must 
notify the Corporation immediately, and shall promptly confirm such 
notice in writing, if there has been an incident, or an incident is 
occurring, involving a cyber-related disruption or intrusion of the 
Clearing Member, including, but not limited to, any disruption or 
degradation of the normal operation of the Clearing Member's systems 
or any unauthorized entry into the Clearing Member's systems 
(``Security Incident''). Upon such notice, or if the Corporation has 
a reasonable basis to believe that a Security Incident has occurred, 
or is occurring, the Corporation may take actions reasonably 
necessary to mitigate any effects to its operations, including the 
right to disconnect access, or to modify the scope and 
specifications of access, of the Clearing Member to the 
Corporation's information and data systems.
    (e) Procedures for Connecting Following a Security Incident. 
After a Clearing Member reports a Security Incident, upon the 
request of the Corporation, the Clearing Member must complete and 
submit a form that describes the Security Incident and includes 
required representations as determined by the Corporation 
(``Reconnection Attestation'') and an associated checklist that 
describes remediation efforts and provides required information as 
determined by the Corporation (``Reconnection Checklist''), both as 
provided by the Corporation from time to time.

    OCC is submitting this partial amendment in response to comments 
received on the scope of the proposed definition of ``Security 
Incident'' and potential conflicts with other existing and proposed 
Securities and Exchange Commission (``SEC'') rules. Accordingly, OCC 
has determined to clarify what constitutes a Security Incident for 
purposes of new Rule 213(d). Such clarification would specify that only 
occurrences that have an impact on OCC's system(s) and/or operations 
are considered a Security Incident. In addition, OCC proposes to 
clarify that a Clearing Member must notify OCC if the Clearing Member 
becomes aware or should be aware that such incident has occurred or is 
occurring.
    OCC also is submitting this partial amendment in response to 
comments about (i) the requirement that Clearing Members provide 
immediate notice of a Security Incident to OCC, (ii) the standards OCC 
would apply when determining whether to disconnect a Clearing Member 
from OCC, and (iii) the process for reconnection following a Security 
Incident that results in disconnection.
    As a systemically important financial market utility, and the sole 
clearing agency providing clearing services for listed options in the 
U.S., it is vital that OCC's clearing systems remain functional and 
unaffected by Security Incidents. Any risk or threat to OCC's system(s) 
or operations could have a severe impact on the listed options markets. 
Therefore, time is of the essence with respect to any notification by a 
Clearing Member of the occurrence of a Security Incident. OCC intends 
to provide a dedicated OCC email address directly to Clearing Members 
for use in notifying OCC of a Security Incident, but without specifying 
the form of the notice. Accordingly, a Clearing Member can share 
information they believe is relevant, and OCC can follow up directly 
with the affected Clearing Member as needed.
    Because of the innumerable circumstances that could lead to a 
Security Incident, OCC's determination to disconnect a Clearing Member 
will be based on the facts and circumstances related to any specific 
Security Incident. Accordingly, OCC may consider any one or more of the 
following in determining whether or not to disconnect a member: the 
potential loss of control by a Clearing Member of its internal 
system(s), the potential loss of OCC's confidential data, the potential 
strain on or loss of OCC's resources due to OCC's inability to perform 
clearance and settlement functions, and the overall severity of the 
threat to OCC's security and operations. It is OCC's belief that not 
all Security Incident notifications will result in a Clearing Member 
disconnection. Finally, OCC also added clarification that in the event 
of a disconnection, a Clearing Member will remain responsible for its 
obligations to OCC, e.g., a Clearing Member remains responsible for the 
payment of margin to OCC.
    With respect to the process for reconnection following a Security 
Incident that results in disconnection, OCC proposes to clarify that 
only in the event OCC disconnects a Clearing Member will the Clearing 
Member be required to complete the Reconnection Attestation and 
Reconnection Checklist. OCC also made additional edits to clarify the 
process for reconnection.
    The text below reflects the proposed changes to the originally 
proposed Rules 213(d) and 213(e) in the Initial Filing. Italicized text 
indicates new text, and bracketed text indicates deleted text.

    (d) Occurrence of a Security Incident. A Clearing Member must 
notify the Corporation immediately, and shall promptly confirm such 
notice in writing, if the Clearing Member becomes aware or should be 
aware that there has been an incident, or an incident is occurring, 
involving a cyber-related disruption or intrusion of the Clearing 
Member's system(s) that is reasonably likely to pose an imminent 
risk or threat to the Corporation's operations. Such occurrence may 
include, but is not limited to [including, but not limited to], any 
disruption or degradation of the normal operation of the Clearing 
Member's system(s) or any unauthorized entry into the Clearing 
Member's system(s) that would result in loss of the Corporation's 
data or system integrity, unauthorized disclosure of sensitive 
information related to the Corporation, or the inability of the 
Corporation to conduct essential clearance and settlement functions 
(``Security Incident''). Upon such notice, or if the Corporation has 
a reasonable basis to believe that a Security Incident has occurred, 
or is occurring, the Corporation may take actions reasonably 
necessary to mitigate any

[[Page 36353]]

effects to its operations, including the right to disconnect access, 
or to modify the scope and specifications of access, of the Clearing 
Member to the Corporation's information and data systems. In 
determining whether to disconnect a Clearing Member, the Corporation 
will evaluate the facts and circumstances related to the Security 
Incident. The Corporation may take into consideration a number of 
factors, including, but not limited to, the potential loss of 
control by a Clearing Member of its internal system(s), the 
potential loss of the Corporation's confidential data, the potential 
strain on or loss of the Corporation's resources due to the 
Corporation's inability to perform clearance and settlement 
functions, and the overall severity of the threat to the security 
and operations of the Corporation. If the Corporation determines 
that disconnection of a Clearing Member is necessary, the Clearing 
Member must continue to meet its obligations to the Corporation, 
notwithstanding disconnection from the Corporation's systems.
    (e) Procedures for Connecting Following a Security Incident that 
Results in Disconnection. [After a Clearing Member reports a 
Security Incident] In the event OCC disconnects a Clearing Member 
that has reported a Security Incident, upon the request of the 
Corporation, the Clearing Member must complete and submit a form as 
provided by the Corporation that describes the Security Incident and 
includes required representations [as determined by the Corporation] 
(``Reconnection Attestation''). The Clearing Member also will be 
required to complete [and] an associated checklist as provided by 
the Corporation that describes remediation efforts [and provides 
required information as determined by the Corporation] 
(``Reconnection Checklist'')[, both as provided by the Corporation 
from time to time].

    The partial amendment would not change the purpose of, or statutory 
basis for the proposed rule change. All other representations in the 
Initial Filing remain as stated therein and no other changes are being 
made.

II. Solicitation of Comments

    Interested persons are invited to submit written data, views and 
arguments concerning the foregoing, including whether the proposed rule 
change is consistent with the Exchange Act. Comments may be submitted 
by any of the following methods:

Electronic Comments

     Use the Commission's internet comment form (http://www.sec.gov/rules/sro.shtml); or
     Send an email to [email protected]. Please include 
File Number SR-OCC-2023-003 on the subject line.

Paper Comments

     Send paper comments in triplicate to Vanessa Countryman, 
Secretary, Securities and Exchange Commission, 100 F Street NE, 
Washington, DC 20549-1090.

All submissions should refer to File Number SR-OCC-2023-003. This file 
number should be included on the subject line if email is used. To help 
the Commission process and review your comments more efficiently, 
please use only one method. The Commission will post all comments on 
the Commission's internet website (http://www.sec.gov/rules/sro.shtml). 
Copies of the submission, all subsequent amendments, all written 
statements with respect to the proposed rule change that are filed with 
the Commission, and all written communications relating to the proposed 
rule change between the Commission and any person, other than those 
that may be withheld from the public in accordance with the provisions 
of 5 U.S.C. 552, will be available for website viewing and printing in 
the Commission's Public Reference Room, 100 F Street NE, Washington, DC 
20549, on official business days between the hours of 10:00 a.m. and 
3:00 p.m. Copies of such filing also will be available for inspection 
and copying at the principal office of OCC and on OCC's website at 
https://www.theocc.com/Company-Information/Documents-and-Archives/By-Laws-and-Rules.
    Do not include personal identifiable information in submissions; 
you should submit only information that you wish to make available 
publicly. We may redact in part or withhold entirely from publication 
submitted material that is obscene or subject to copyright protection.
    All submissions should refer to File Number SR-OCC-2023-003 and 
should be submitted on or before June 23, 2023.

    For the Commission, by the Division of Trading and Markets, 
pursuant to delegated authority.\7\
---------------------------------------------------------------------------

    \7\ 17 CFR 200.30-3(a)(31).
---------------------------------------------------------------------------

J. Lynn Taylor,
Assistant Secretary.
[FR Doc. 2023-11714 Filed 6-1-23; 8:45 am]
BILLING CODE 8011-01-P