17 C.F.R. § 49.24
(a) Each swap data repository shall, with respect to all SDR data in its custody:
(b) A swap data repository's program of risk analysis and oversight with respect to its operations and automated systems shall address each of the following categories of risk analysis and oversight:
(e) Swap data repositories determined by the Commission to be critical swap data repositories are subject to more stringent requirements as set forth below.
(3) To ensure its ability to achieve a same-day recovery time objective in the event of a wide-scale disruption, each swap data repository that the Commission determines is critical must maintain a degree of geographic dispersal of both infrastructure and personnel such that:
(f) A swap data repository that is not determined by the Commission to be a critical swap data repository satisfies the requirement to be able to resume operations and resume ongoing fulfillment of the swap data repository's duties and obligations during the next business day following a disruption by maintaining either:
(g) A swap data repository shall notify Commission staff promptly of all:
(h) A swap data repository shall give Commission staff timely advance notice of all:
(i) As part of a swap data repository's obligation to produce books and records in accordance with § 1.31 of this chapter, and § 49.12, a swap data repository shall provide to the Commission the following system safeguards-related books and records, promptly upon the request of any Commission representative:
(j) A swap data repository shall conduct regular, periodic, objective testing and review of its automated systems to ensure that they are reliable, secure, and have adequate scalable capacity. It shall also conduct regular, periodic testing and review of its business continuity-disaster recovery capabilities. Such testing and review shall include, without limitation, all of the types of testing set forth in this paragraph.
(1) Definitions. As used in this paragraph (j):
Controls means the safeguards or countermeasures employed by the swap data repository in order to protect the reliability, security, or capacity of its automated systems or the confidentiality, integrity, and availability of its SDR data and SDR information, and in order to enable the swap data repository to fulfill its statutory and regulatory duties and responsibilities.
Controls testing means assessment of the swap data repository's controls to determine whether such controls are implemented correctly, are operating as intended, and are enabling the swap data repository to meet the requirements established by this section.
Enterprise technology risk assessment means a written assessment that includes, but is not limited to, an analysis of threats and vulnerabilities in the context of mitigating controls. An enterprise technology risk assessment identifies, estimates, and prioritizes risks to swap data repository operations or assets, or to market participants, individuals, or other entities, resulting from impairment of the confidentiality, integrity, and availability of SDR data and SDR information or the reliability, security, or capacity of automated systems.
External penetration testing means attempts to penetrate the swap data repository's automated systems from outside the systems' boundaries to identify and exploit vulnerabilities. Methods of conducting external penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.
Internal penetration testing means attempts to penetrate the swap data repository's automated systems from inside the systems' boundaries, to identify and exploit vulnerabilities. Methods of conducting internal penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.
Key controls means those controls that an appropriate risk analysis determines are either critically important for effective system safeguards or intended to address risks that evolve or change more frequently and therefore require more frequent review to ensure their continuing effectiveness in addressing such risks.
Security incident means a cyber security or physical security event that actually jeopardizes or has a significant likelihood of jeopardizing automated system operation, reliability, security, or capacity, or the availability, confidentiality, or integrity of SDR data.
Security incident response plan means a written plan documenting the swap data repository's policies, controls, procedures, and resources for identifying, responding to, mitigating, and recovering from security incidents, and the roles and responsibilities of its management, staff and independent contractors in responding to security incidents. A security incident response plan may be a separate document or a business continuity-disaster recovery plan section or appendix dedicated to security incident response.
Security incident response plan testing means testing of a swap data repository's security incident response plan to determine the plan's effectiveness, identify its potential weaknesses or deficiencies, enable regular plan updating and improvement, and maintain organizational preparedness and resiliency with respect to security incidents. Methods of conducting security incident response plan testing may include, but are not limited to, checklist completion, walk-through or table-top exercises, simulations, and comprehensive exercises.
Vulnerability testing means testing of a swap data repository's automated systems to determine what information may be discoverable through a reconnaissance analysis of those systems and what vulnerabilities may be present on those systems.
(2) Vulnerability testing. A swap data repository shall conduct vulnerability testing of a scope sufficient to satisfy the requirements set forth in paragraph (l) of this section.
(3) External penetration testing. A swap data repository shall conduct external penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (l) of this section.
(4) Internal penetration testing. A swap data repository shall conduct internal penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (l) of this section.
(5) Controls testing. A swap data repository shall conduct controls testing of a scope sufficient to satisfy the requirements set forth in paragraph (l) of this section.
(6) Security incident response plan testing. A swap data repository shall conduct security incident response plan testing sufficient to satisfy the requirements set forth in paragraph (l) of this section.
(7) Enterprise technology risk assessment. A swap data repository shall conduct enterprise technology risk assessment of a scope sufficient to satisfy the requirements set forth in paragraph (l) of this section.
(k) To the extent practicable, a swap data repository shall:
(l) Scope of testing and assessment. The scope for all system safeguards testing and assessment required by this part shall be broad enough to include the testing of automated systems and controls that the swap data repository's required program of risk analysis and oversight and its current cybersecurity threat analysis indicate is necessary to identify risks and vulnerabilities that could enable an intruder or unauthorized user or insider to:
[76 FR 54575, Sept. 1, 2011, as amended at 81 FR 64315, Sept. 19, 2016; 85 FR 75661, Nov. 25, 2020]