(a) Definitions. For purposes of this section:
Recovery time objective means the time period within which an entity should be able to achieve recovery and resumption of clearing and settlement of existing and new products, after those capabilities become temporarily inoperable for any reason up to or including a wide-scale disruption.
Relevant area means the metropolitan or other geographic area within which a derivatives clearing organization has physical infrastructure or personnel necessary for it to conduct activities necessary to the clearing and settlement of existing and new products. The term ``relevant area'' also includes communities economically integrated with, adjacent to, or within normal commuting distance of that metropolitan or other geographic area.
Wide-scale disruption means an event that causes a severe disruption or destruction of transportation, telecommunications, power, water, or other critical infrastructure components in a relevant area, or an event that results in an evacuation or unavailability of the population in a relevant area.
(b) General--(1) Program of risk analysis. Each derivatives clearing organization shall establish and maintain a program of risk analysis and oversight with respect to its operations and automated systems to identify and minimize sources of operational risk through:
(1) Program of risk analysis. Each derivatives clearing organization shall establish and maintain a program of risk analysis and oversight with respect to its operations and automated systems to identify and minimize sources of operational risk through:
(i) The development of appropriate controls and procedures; and
(ii) The development of automated systems that are reliable, secure, and have adequate scalable capacity.
(2) Resources. Each derivatives clearing organization shall establish and maintain resources that allow for the fulfillment of each obligation and responsibility of the derivatives clearing organization in light of the risks identified pursuant to paragraph (b)(1) of this section.
(3) Verification of adequacy. Each derivatives clearing organization shall periodically verify that resources described in paragraph (b)(2) of this section are adequate to ensure daily processing, clearing, and settlement.
(c) Elements of program. A derivatives clearing organization's program of risk analysis and oversight with respect to its operations and automated systems, as described in paragraph (b) of this section, shall address each of the following categories of risk analysis and oversight:
(1) Information security;
(2) Business continuity and disaster recovery planning and resources;
(3) Capacity and performance planning;
(4) Systems operations;
(5) Systems development and quality assurance; and
(6) Physical security and environmental controls.
(d) Standards for program. In addressing the categories of risk analysis and oversight required under paragraph (c) of this section, a derivatives clearing organization shall follow generally accepted standards and industry best practices with respect to the development, operation, reliability, security, and capacity of automated systems.
(e) Business continuity and disaster recovery--(1) Plan and resources. A derivatives clearing organization shall maintain a business continuity and disaster recovery plan, emergency procedures, and physical, technological, and personnel resources sufficient to enable the timely recovery and resumption of operations and the fulfillment of each obligation and responsibility of the derivatives clearing organization following any disruption of its operations.
(1) Plan and resources. A derivatives clearing organization shall maintain a business continuity and disaster recovery plan, emergency procedures, and physical, technological, and personnel resources sufficient to enable the timely recovery and resumption of operations and the fulfillment of each obligation and responsibility of the derivatives clearing organization following any disruption of its operations.
(2) Responsibilities and obligations. The responsibilities and obligations described in paragraph (e)(1) of this section shall include, without limitation, daily processing, clearing, and settlement of transactions cleared.
(3) Recovery time objective. The derivatives clearing organization's business continuity and disaster recovery plan described in paragraph (e)(1) of this section, shall have the objective of, and the physical, technological, and personnel resources described therein shall be sufficient to, enable the derivatives clearing organization to resume daily processing, clearing, and settlement no later than the next business day following the disruption.
(f) Location of resources; outsourcing. A derivatives clearing organization may maintain the resources required under paragraph (e)(1) of this section either:
(1) Using its own employees as personnel, and property that it owns, licenses, or leases (own resources); or
(2) Through written contractual arrangements with another derivatives clearing organization or other service provider (outsourcing).
(i) Retention of responsibility. A derivatives clearing organization that enters into such a contractual arrangement shall retain complete liability for any failure to meet the responsibilities specified in paragraph (e) of this section, although it is free to seek indemnification from the service provider. The outsourcing derivatives clearing organization must employ personnel with the expertise necessary to enable it to supervise the service provider's delivery of the services.
(ii) Testing. The testing referred to in paragraph (j) of this section shall include all of the derivatives clearing organization's own and outsourced resources, and shall verify that all such resources will work effectively together.
(g) Notice of exceptional events. A derivatives clearing organization shall notify staff of the Division of Clearing and Risk promptly of:
(1) Any hardware or software malfunction, cyber security incident, or targeted threat that materially impairs, or creates a significant likelihood of material impairment, of automated system operation, reliability, security, or capacity; or
(2) Any activation of the derivatives clearing organization's business continuity and disaster recovery plan.
(h) Notice of planned changes. A derivatives clearing organization shall give staff of the Division of Clearing and Risk timely advance notice of all:
(1) Planned changes to automated systems that are likely to have a significant impact on the reliability, security, or adequate scalable capacity of such systems; and
(2) Planned changes to the derivatives clearing organization's program of risk analysis and oversight.
(i) Recordkeeping. A derivatives clearing organization shall maintain, and provide to Commission staff promptly upon request, pursuant to Sec. 1.31 of this chapter, current copies of its business continuity plan and other emergency procedures, its assessments of its operational risks, and records of testing protocols and results, and shall provide any other documents requested by Commission staff for the purpose of maintaining a current profile of the derivatives clearing organization's automated systems.
(j) Testing--(1) Purpose of testing. A derivatives clearing organization shall conduct regular, periodic, and objective testing and review of:
(1) Purpose of testing. A derivatives clearing organization shall conduct regular, periodic, and objective testing and review of:
(i) Its automated systems to ensure that they are reliable, secure, and have adequate scalable capacity; and
(ii) Its business continuity and disaster recovery capabilities, using testing protocols adequate to ensure that the derivatives clearing organization's backup resources are sufficient to meet the requirements of paragraph (e) of this section.
(2) Conduct of testing. Testing shall be conducted by qualified, independent professionals. Such qualified, independent professionals may be independent contractors or employees of the derivatives clearing organization, but shall not be persons responsible for development or operation of the systems or capabilities being tested.
(3) Reporting and review. Reports setting forth the protocols for, and results of, such tests shall be communicated to, and reviewed by, senior management of the derivatives clearing organization. Protocols of tests which result in few or no exceptions shall be subject to more searching review.
(k) Coordination of business continuity and disaster recovery plans. A derivatives clearing organization shall, to the extent practicable:
(1) Coordinate its business continuity and disaster recovery plan with those of its clearing members, in a manner adequate to enable effective resumption of daily processing, clearing, and settlement following a disruption;
(2) Initiate and coordinate periodic, synchronized testing of its business continuity and disaster recovery plan and the plans of its clearing members; and
(3) Ensure that its business continuity and disaster recovery plan takes into account the plans of its providers of essential services, including telecommunications, power, and water.