(a) A swap execution facility's program of risk analysis and oversight with respect to its operations and automated systems shall address each of the following categories of risk analysis and oversight:
(1) Enterprise risk management and governance. This category includes, but is not limited to: Assessment, mitigation, and monitoring of security and technology risk; security and technology capital planning and investment; board of directors and management oversight of technology and security; information technology audit and controls assessments; remediation of deficiencies; and any other elements of enterprise risk management and governance included in generally accepted best practices.
(2) Information security. This category includes, but is not limited to, controls relating to: Access to systems and data (including least privilege, separation of duties, account monitoring and control); user and device identification and authentication; security awareness training; audit log maintenance, monitoring, and analysis; media protection; personnel security and screening; automated system and communications protection (including network port control, boundary defenses, encryption); system and information integrity (including malware defenses, software integrity monitoring); vulnerability management; penetration testing; security incident response and management; and any other elements of information security included in generally accepted best practices.
(4) Business continuity-disaster recovery planning and resources. This category includes, but is not limited to: Regular, periodic testing and review of business continuity-disaster recovery capabilities, the controls and capabilities described in paragraphs (c), (d), (j), and (k) of this section; and any other elements of business continuity-disaster recovery planning and resources included in generally accepted best practices.
(4) Capacity and performance planning. This category includes, but is not limited to: Controls for monitoring the swap execution facility's systems to ensure adequate scalable capacity (including testing, monitoring, and analysis of current and projected future capacity and performance, and of possible capacity degradation due to planned automated system changes); and any other elements of capacity and performance planning included in generally accepted best practices.
(5) Systems operations. This category includes, but is not limited to: System maintenance; configuration management (including baseline configuration, configuration change and patch management, least functionality, inventory of authorized and unauthorized devices and software); event and problem response and management; and any other elements of system operations included in generally accepted best practices.
(6) Systems development and quality assurance. This category includes, but is not limited to: Requirements development; pre-production and regression testing; change management procedures and approvals; outsourcing and vendor management; training in secure coding practices; and any other elements of systems development and quality assurance included in generally accepted best practices.
(7) Physical security and environmental controls. This category includes, but is not limited to: Physical access and monitoring; power, telecommunication, and environmental controls; fire protection; and any other elements of physical security and environmental controls included in generally accepted best practices.
(b) In addressing the categories of risk analysis and oversight required under paragraph (a) of this section, a swap execution facility shall follow generally accepted standards and best practices with respect to the development, operation, reliability, security, and capacity of automated systems.
(c) A swap execution facility shall maintain a business continuity-disaster recovery plan and business continuity-disaster recovery resources, emergency procedures, and backup facilities sufficient to enable timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its responsibilities and obligations as a swap execution facility following any disruption of its operations. Such responsibilities and obligations include, without limitation: Order processing and trade matching; transmission of matched orders to a designated clearing organization for clearing, where appropriate; price reporting; market surveillance; and maintenance of a comprehensive audit trail. A swap execution facility's business continuity-disaster recovery plan and resources generally should enable resumption of trading and clearing of swaps executed on or pursuant to the rules of the swap execution facility during the next business day following the disruption. Swap execution facilities determined by the Commission to be critical financial markets are subject to more stringent requirements in this regard, set forth in §40.9 of this chapter. A swap execution facility shall update its business continuity-disaster recovery plan and emergency procedures at a frequency determined by an appropriate risk analysis, but at a minimum no less frequently than annually.
(d) A swap execution facility that is not determined by the Commission to be a critical financial market satisfies the requirement to be able to resume its operations and resume its ongoing fulfillment of its responsibilities and obligations during the next business day following any disruption of its operations by maintaining either:
(1) Infrastructure and personnel resources of its own that are sufficient to ensure timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its responsibilities and obligations as a swap execution facility following any disruption of its operations; or
(2) Contractual arrangements with other swap execution facilities or disaster recovery service providers, as appropriate, that are sufficient to ensure continued trading and clearing of swaps executed on the swap execution facility, and ongoing fulfillment of all of the swap execution facility's responsibilities and obligations with respect to such swaps, in the event that a disruption renders the swap execution facility temporarily or permanently unable to satisfy this requirement on its own behalf.
(e) A swap execution facility shall notify Commission staff promptly of all:
(1) Electronic trading halts and material system malfunctions;
(2) Cyber security incidents or targeted threats that actually or potentially jeopardize automated system operation, reliability, security, or capacity; and
(3) Activations of the swap execution facility's business continuity-disaster recovery plan.
(f) A swap execution facility shall provide Commission staff timely advance notice of all material:
(1) Planned changes to automated systems that may impact the reliability, security, or adequate scalable capacity of such systems; and
(2) Planned changes to the swap execution facility's program of risk analysis and oversight.
(g) As part of a swap execution facility's obligation to produce books and records in accordance with §1.31 of this chapter, Core Principle 10 (Recordkeeping and Reporting), and §§37.1000 and 37.1001, a swap execution facility shall provide to the Commission the following system safeguards-related books and records, promptly upon the request of any Commission representative:
(1) Current copies of its business continuity-disaster recovery plans and other emergency procedures;
(2) All assessments of its operational risks or system safeguards-related controls;
(3) All reports concerning system safeguards testing and assessment required by this chapter, whether performed by independent contractors or by employees of the swap execution facility; and
(4) All other books and records requested by Commission staff in connection with Commission oversight of system safeguards pursuant to the Act or Commission regulations, or in connection with Commission maintenance of a current profile of the swap execution facility's automated systems.
(5) Nothing in §37.1401(g) shall be interpreted as reducing or limiting in any way a swap execution facility's obligation to comply with Core Principle 10 (Recordkeeping and Reporting) or with §1.31 of this chapter or with §37.1000 or §37.1001.
(h) A swap execution facility shall conduct regular, periodic, objective testing and review of its automated systems to ensure that they are reliable, secure, and have adequate scalable capacity. It shall also conduct regular, periodic testing and review of its business continuity-disaster recovery capabilities. Such testing and review shall include, without limitation, all of the types of testing set forth in paragraph (h) of this section.
(1) Definitions. As used in this paragraph (h):
Controls means the safeguards or countermeasures employed by the swap execution facility in order to protect the reliability, security, or capacity of its automated systems or the confidentiality, integrity, and availability of its data and information, and in order to enable the swap execution facility to fulfill its statutory and regulatory responsibilities.
Controls testing means assessment of the swap execution facility's controls to determine whether such controls are implemented correctly, are operating as intended, and are enabling the swap execution facility to meet the requirements established by this section.
Enterprise technology risk assessment means a written assessment that includes, but is not limited to, an analysis of threats and vulnerabilities in the context of mitigating controls. An enterprise technology risk assessment identifies, estimates, and prioritizes risks to swap execution facility operations or assets, or to market participants, individuals, or other entities, resulting from impairment of the confidentiality, integrity, and availability of data and information or the reliability, security, or capacity of automated systems.
External penetration testing means attempts to penetrate the swap execution facility's automated systems from outside the systems' boundaries to identify and exploit vulnerabilities. Methods of conducting external penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.
Internal penetration testing means attempts to penetrate the swap execution facility's automated systems from inside the systems' boundaries, to identify and exploit vulnerabilities. Methods of conducting internal penetration testing include, but are not limited to, methods for circumventing the security features of an automated system.
Key controls means those controls that an appropriate risk analysis determines are either critically important for effective system safeguards or intended to address risks that evolve or change more frequently and therefore require more frequent review to ensure their continuing effectiveness in addressing such risks.
Security incident means a cyber security or physical security event that actually jeopardizes or has a significant likelihood of jeopardizing automated system operation, reliability, security, or capacity, or the availability, confidentiality or integrity of data.
Security incident response plan means a written plan documenting the swap execution facility's policies, controls, procedures, and resources for identifying, responding to, mitigating, and recovering from security incidents, and the roles and responsibilities of its management, staff and independent contractors in responding to security incidents. A security incident response plan may be a separate document or a business continuity-disaster recovery plan section or appendix dedicated to security incident response.
Security incident response plan testing means testing of a swap execution facility's security incident response plan to determine the plan's effectiveness, identify its potential weaknesses or deficiencies, enable regular plan updating and improvement, and maintain organizational preparedness and resiliency with respect to security incidents. Methods of conducting security incident response plan testing may include, but are not limited to, checklist completion, walk-through or table-top exercises, simulations, and comprehensive exercises.
Vulnerability testing means testing of a swap execution facility's automated systems to determine what information may be discoverable through a reconnaissance analysis of those systems and what vulnerabilities may be present on those systems.
(2) Vulnerability testing. A swap execution facility shall conduct vulnerability testing of a scope sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(i) A swap execution facility shall conduct such vulnerability testing at a frequency determined by an appropriate risk analysis.
(ii) Such vulnerability testing shall include automated vulnerability scanning, which shall follow generally accepted best practices.
(iii) A swap execution facility shall conduct vulnerability testing by engaging independent contractors or by using employees of the swap execution facility who are not responsible for development or operation of the systems or capabilities being tested.
(3) External penetration testing. A swap execution facility shall conduct external penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(i) A swap execution facility shall conduct such external penetration testing at a frequency determined by an appropriate risk analysis.
(ii) A swap execution facility shall conduct external penetration testing by engaging independent contractors or by using employees of the swap execution facility who are not responsible for development or operation of the systems or capabilities being tested.
(4) Internal penetration testing. A swap execution facility shall conduct internal penetration testing of a scope sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(i) A swap execution facility shall conduct such internal penetration testing at a frequency determined by an appropriate risk analysis.
(ii) A swap execution facility shall conduct internal penetration testing by engaging independent contractors, or by using employees of the swap execution facility who are not responsible for development or operation of the systems or capabilities being tested.
(5) Controls testing. A swap execution facility shall conduct controls testing of a scope sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(i) A swap execution facility shall conduct controls testing, which includes testing of each control included in its program of risk analysis and oversight, at a frequency determined by an appropriate risk analysis. Such testing may be conducted on a rolling basis.
(ii) A swap execution facility shall conduct controls testing by engaging independent contractors or by using employees of the swap execution facility who are not responsible for development or operation of the systems or capabilities being tested.
(6) Security incident response plan testing. A swap execution facility shall conduct security incident response plan testing sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(i) A swap execution facility shall conduct such security incident response plan testing at a frequency determined by an appropriate risk analysis.
(ii) A swap execution facility's security incident response plan shall include, without limitation, the swap execution facility's definition and classification of security incidents, its policies and procedures for reporting security incidents and for internal and external communication and information sharing regarding security incidents, and the hand-off and escalation points in its security incident response process.
(iii) A swap execution facility may coordinate its security incident response plan testing with other testing required by this section or with testing of its other business continuity-disaster recovery and crisis management plans.
(iv) A swap execution facility may conduct security incident response plan testing by engaging independent contractors or by using employees of the swap execution facility.
(7) Enterprise technology risk assessment. A swap execution facility shall conduct enterprise technology risk assessment of a scope sufficient to satisfy the requirements set forth in paragraph (k) of this section.
(i) A swap execution facility shall conduct enterprise technology risk assessment at a frequency determined by an appropriate risk analysis. A swap execution facility that has conducted an enterprise technology risk assessment that complies with this section may conduct subsequent assessments by updating the previous assessment.
(ii) A swap execution facility may conduct enterprise technology risk assessments by using independent contractors or employees of the swap execution facility who are not responsible for development or operation of the systems or capabilities being assessed.
(i) To the extent practicable, a swap execution facility shall:
(1) Coordinate its business continuity-disaster recovery plan with those of the market participants it depends upon to provide liquidity, in a manner adequate to enable effective resumption of activity in its markets following a disruption causing activation of the swap execution facility's business continuity-disaster recovery plan;
(2) Initiate and coordinate periodic, synchronized testing of its business continuity-disaster recovery plan with those of the market participants it depends upon to provide liquidity; and
(3) Ensure that its business continuity-disaster recovery plan takes into account the business continuity-disaster recovery plans of its telecommunications, power, water, and other essential service providers.
(j) Part 40 of this chapter governs the obligations of those registered entities that the Commission has determined to be critical financial markets, with respect to maintenance and geographic dispersal of disaster recovery resources sufficient to meet a same-day recovery time objective in the event of a wide-scale disruption. Section 40.9 establishes the requirements for core principle compliance in that respect.
(k) Scope of testing and assessment. The scope for all system safeguards testing and assessment required by this part shall be broad enough to include the testing of automated systems and controls that the swap execution facility's required program of risk analysis and oversight and its current cybersecurity threat analysis indicate is necessary to identify risks and vulnerabilities that could enable an intruder or unauthorized user or insider to:
(1) Interfere with the swap execution facility's operations or with fulfillment of its statutory and regulatory responsibilities;
(2) Impair or degrade the reliability, security, or adequate scalable capacity of the swap execution facility's automated systems;
(3) Add to, delete, modify, exfiltrate, or compromise the integrity of any data related to the swap execution facility's regulated activities; or
(4) Undertake any other unauthorized action affecting the swap execution facility's regulated activities or the hardware or software used in connection with those activities.
(l) Internal reporting and review. Both the senior management and the Board of Directors of a swap execution facility shall receive and review reports setting forth the results of the testing and assessment required by this section. A swap execution facility shall establish and follow appropriate procedures for the remediation of issues identified through such review, as provided in paragraph (m) of this section, and for evaluation of the effectiveness of testing and assessment protocols.
(m) Remediation. A swap execution facility shall identify and document the vulnerabilities and deficiencies in its systems revealed by the testing and assessment required by this section. The swap execution facility shall conduct and document an appropriate analysis of the risks presented by such vulnerabilities and deficiencies, to determine and document whether to remediate or accept the associated risk. When the swap execution facility determines to remediate a vulnerability or deficiency, it must remediate in a timely manner given the nature and magnitude of the associated risk.
[78 FR 33582, June 4, 2013, as amended at 81 FR 64310, Sept. 19, 2016]