Code of Federal Regulations, Title 17, Part 38, Sec. 38.1051 General requirements.

(a) A designated contract market's program of risk analysis and oversight with respect to its operations and automated systems must address each of the following categories of risk analysis and oversight:

(1) Information security;

(2) Business continuity-disaster recovery planning and resources;

(3) Capacity and performance planning;

(4) Systems operations;

(5) Systems development and quality assurance; and

(6) Physical security and environmental controls.

(b) In addressing the categories of risk analysis and oversight required under paragraph (a) of this section, a designated contract market should follow generally accepted standards and best practices with respect to the development, operation, reliability, security, and capacity of automated systems.

(c) A designated contract market must maintain a business continuity-disaster recovery plan and business continuity-disaster recovery resources, emergency procedures, and backup facilities sufficient to enable timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its responsibilities and obligations as a designated contract market following any disruption of its operations. Such responsibilities and obligations include, without limitation, order processing and trade matching; transmission of matched orders to a designated clearing organization for clearing; price reporting; market surveillance; and maintenance of a comprehensive audit trail. The designated contract market's business continuity-disaster recovery plan and resources generally should enable resumption of trading and clearing of the designated contract market's products during the next business day following the disruption. Designated contract markets determined by the Commission to be critical financial markets are subject to more stringent requirements in this regard, set forth in Sec. 40.9 of this chapter. Electronic trading is an acceptable backup for open outcry trading in the event of a disruption.

(d) A designated contract market that is not determined by the Commission to be a critical financial market satisfies the requirement to be able to resume trading and clearing during the next business day following a disruption by maintaining either:

(1) Infrastructure and personnel resources of its own that are sufficient to ensure timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its responsibilities and obligations as a designated contract market following any disruption of its operations; or

(2) Contractual arrangements with other designated contract markets or disaster recovery service providers, as appropriate, that are sufficient to ensure continued trading and clearing of the designated contract market's products, and ongoing fulfillment of all of the designated contract market's responsibilities and obligations with respect to those products, in the event that a disruption renders the designated contract market temporarily or permanently unable to satisfy this requirement on its own behalf.

(e) A designated contract market must notify Commission staff promptly of all:

(1) Electronic trading halts and significant systems malfunctions;

(2) Cyber security incidents or targeted threats that actually or potentially jeopardize automated system operation, reliability, security, or capacity; and

(3) Activation of the designated contract market's business continuity-disaster recovery plan.

(f) A designated contract market must give Commission staff timely advance notice of all material:

(1) Planned changes to automated systems that may impact the reliability, security, or adequate scalable capacity of such systems; and

(2) Planned changes to the designated contract market's program of risk analysis and oversight.

(g) A designated contract market must provide to the Commission upon request current copies of its business continuity-disaster recovery plan and other emergency procedures, its assessments of its operational risks, and other documents requested by Commission staff for the purpose of maintaining a current profile of the designated contract market's automated systems.

(h) A designated contract market must conduct regular, periodic, objective testing and review of its automated systems to ensure that they are reliable, secure, and have adequate scalable capacity. It must also conduct regular, periodic testing and review of its business continuity-disaster recovery capabilities. Both types of testing should be conducted by qualified, independent professionals. Such qualified independent professionals may be independent contractors or employees of the designated contract market, but should not be persons responsible for development or operation of the systems or capabilities being tested. Pursuant to Core Principle 18 (Recordkeeping) and Secs. 38.950 and 38.951 of this part, the designated contract market must keep records of all such tests, and make all test results available to the Commission upon request.

(i) To the extent practicable, a designated contract market should:

(1) Coordinate its business continuity-disaster recovery plan with those of the members and other market participants upon whom it depends to provide liquidity, in a manner adequate to enable effective resumption of activity in its markets following a disruption causing activation of the designated contract market's business continuity-disaster recovery plan;

(2) Initiate and coordinate periodic, synchronized testing of its business continuity-disaster recovery plan and the business continuity-disaster recovery plans of the members and other market participants upon whom it depends to provide liquidity; and

(3) Ensure that its business continuity-disaster recovery plan takes into account the business continuity-disaster recovery plans of its telecommunications, power, water, and other essential service providers.

(j) Part 46 of this chapter governs the obligations of those registered entities that the Commission has determined to be critical financial markets, with respect to maintenance and geographic dispersal of disaster recovery resources sufficient to meet a same-day recovery time objective in the event of a wide-scale disruption. Section 40.9 of this chapter establishes the requirements for core principle compliance in that respect.