17 C.F.R. § 39.18
(a) Definitions. For purposes of this section and § 39.34:
Controls mean the safeguards or countermeasures employed by the derivatives clearing organization in order to protect the reliability, security, or capacity of its automated systems or the confidentiality, integrity, or availability of its data and information, and in order to enable the derivatives clearing organization to fulfill its statutory and regulatory responsibilities.
Controls testing means assessment of the derivatives clearing organization's controls to determine whether such controls are implemented correctly, are operating as intended, and are enabling the derivatives clearing organization to meet the requirements established by this section.
Enterprise technology risk assessment means a written assessment that includes, but is not limited to, an analysis of threats and vulnerabilities in the context of mitigating controls. An enterprise technology risk assessment identifies, estimates, and prioritizes risks to a derivatives clearing organization's operations or assets, or to market participants, individuals, or other entities, resulting from impairment of the confidentiality, integrity, or availability of data and information or the reliability, security, or capacity of automated systems.
External penetration testing means attempts to penetrate a derivatives clearing organization's automated systems from outside the systems' boundaries to identify and exploit vulnerabilities. Methods of conducting external penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.
Internal penetration testing means attempts to penetrate a derivatives clearing organization's automated systems from inside the systems' boundaries to identify and exploit vulnerabilities. Methods of conducting internal penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.
Key controls means those controls that an appropriate risk analysis determines are either critically important for effective system safeguards or intended to address risks that evolve or change more frequently and therefore require more frequent review to ensure their continuing effectiveness in addressing such risks.
Recovery time objective means the time period within which a derivatives clearing organization should be able to achieve recovery and resumption of processing, clearing, and settlement of transactions, after those capabilities become temporarily inoperable for any reason up to or including a wide-scale disruption.
Relevant area means the metropolitan or other geographic area within which a derivatives clearing organization has physical infrastructure or personnel necessary for it to conduct activities necessary to the processing, clearing, and settlement of transactions. The term “relevant area” also includes communities economically integrated with, adjacent to, or within normal commuting distance of that metropolitan or other geographic area.
Security incident means a cybersecurity or physical security event that actually jeopardizes or has a significant likelihood of jeopardizing automated system operation, reliability, security, or capacity, or the availability, confidentiality or integrity of data.
Security incident response plan means a written plan documenting the derivatives clearing organization's policies, controls, procedures, and resources for identifying, responding to, mitigating, and recovering from security incidents, and the roles and responsibilities of its management, staff, and independent contractors in responding to security incidents. A security incident response plan may be a separate document or a business continuity-disaster recovery plan section or appendix dedicated to security incident response.
Security incident response plan testing means testing of a derivatives clearing organization's security incident response plan to determine the plan's effectiveness, identify its potential weaknesses or deficiencies, enable regular plan updating and improvement, and maintain organizational preparedness and resiliency with respect to security incidents. Methods of conducting security incident response plan testing may include, but are not limited to, checklist completion, walk-through or table-top exercises, simulations, and comprehensive exercises.
Vulnerability testing means testing of a derivatives clearing organization's automated systems to determine what information may be discoverable through a reconnaissance analysis of those systems and what vulnerabilities may be present on those systems.
Wide-scale disruption means an event that causes a severe disruption or destruction of transportation, telecommunications, power, water, or other critical infrastructure components in a relevant area, or an event that results in an evacuation or unavailability of the population in a relevant area.
(b) Program of risk analysis and oversight—(1) General. A derivatives clearing organization shall establish and maintain a program of risk analysis and oversight with respect to its operations and automated systems to identify and minimize sources of operational risk through:
(2) Elements of program. A derivatives clearing organization's program of risk analysis and oversight with respect to its operations and automated systems, as described in paragraph (b)(1) of this section, shall address each of the following elements:
(3) Coordination of plans. A derivatives clearing organization shall, to the extent practicable:
(1) A derivatives clearing organization shall maintain the resources required under paragraphs (b)(4) and (c)(1) of this section either:
(e) Testing—(1) General. A derivatives clearing organization shall conduct regular, periodic, and objective testing and review of:
(2) Vulnerability testing. A derivatives clearing organization shall conduct vulnerability testing of a scope sufficient to satisfy the requirements set forth in paragraph (e)(8) of this section.
(3) External penetration testing. A derivatives clearing organization shall conduct external penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (e)(8) of this section.
(4) Internal penetration testing. A derivatives clearing organization shall conduct internal penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (e)(8) of this section.
(5) Controls testing. A derivatives clearing organization shall conduct controls testing of a scope sufficient to satisfy the requirements set forth in paragraph (e)(8) of this section.
(6) Security incident response plan testing. A derivatives clearing organization shall conduct security incident response plan testing sufficient to satisfy the requirements set forth in paragraph (e)(8) of this section.
(7) Enterprise technology risk assessment. A derivatives clearing organization shall conduct enterprise technology risk assessments of a scope sufficient to satisfy the requirements set forth in paragraph (e)(8) of this section.
(8) Scope of testing and assessment. The scope of testing and assessment required by this section shall be broad enough to include the testing of automated systems and controls that a derivatives clearing organization's required program of risk analysis and oversight and its current cybersecurity threat analysis indicate is necessary to identify risks and vulnerabilities that could enable an intruder or unauthorized user or insider to:
(f) Recordkeeping. A derivatives clearing organization shall maintain, and provide to staff of the Division of Clearing and Risk, or any successor division, promptly upon request, pursuant to § 1.31 of this chapter:
(g) Notice of exceptional events. A derivatives clearing organization shall notify staff of the Division of Clearing and Risk, or any successor division, promptly of:
(h) Notice of planned changes. A derivatives clearing organization shall provide staff of the Division of Clearing and Risk, or any successor division, timely advance notice of all material:
[81 FR 64336, Sept. 19, 2016]