(a) A swap execution facility's program of risk analysis and oversight with respect to its operations and automated systems shall address each of the following categories of risk analysis and oversight:
(1) Information security;
(2) Business continuity-disaster recovery planning and resources;
(3) Capacity and performance planning;
(4) Systems operations;
(5) Systems development and quality assurance; and
(6) Physical security and environmental controls.
(b) A swap execution facility shall maintain a business continuity-disaster recovery plan and resources, emergency procedures, and backup facilities sufficient to enable timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its responsibilities and obligations as a swap execution facility following any disruption of its operations. Such responsibilities and obligations include, without limitation, order processing and trade matching; transmission of matched orders to a designated clearing organization for clearing, where appropriate; price reporting; market surveillance; and maintenance of a comprehensive audit trail. The swap execution facility's business continuity-disaster recovery plan and resources generally should enable resumption of trading and clearing of swaps executed on the swap execution facility during the next business day following the disruption. Swap execution facilities determined by the Commission to be critical financial markets pursuant to appendix E to part 40 of this chapter are subject to more stringent requirements in this regard, set forth in Sec. 40.9 of this chapter.
(c) A swap execution facility that is not determined by the Commission to be a critical financial market satisfies the requirement to be able to resume its operations and resume its ongoing fulfillment of its responsibilities and obligations during the next business day following any disruption of its operations by maintaining either:
(1) Infrastructure and personnel resources of its own that are sufficient to ensure timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its responsibilities and obligations as a swap execution facility following any disruption of its operations; or
(2) Contractual arrangements with other swap execution facilities or disaster recovery service providers, as appropriate, that are sufficient to ensure continued trading and clearing of swaps executed on the swap execution facility, and ongoing fulfillment of all of the swap execution facility's responsibilities and obligations with respect to such swaps, in the event that a disruption renders the swap execution facility temporarily or permanently unable to satisfy this requirement on its own behalf.
(d) A swap execution facility shall notify Commission staff promptly of all:
(1) Electronic trading halts and material system malfunctions;
(2) Cyber security incidents or targeted threats that actually or potentially jeopardize automated system operation, reliability, security, or capacity; and
(3) Activations of the swap execution facility's business continuity-disaster recovery plan.
(e) A swap execution facility shall provide Commission staff timely advance notice of all material:
(1) Planned changes to automated systems that may impact the reliability, security, or adequate scalable capacity of such systems; and
(2) Planned changes to the swap execution facility's program of risk analysis and oversight.
(f) A swap execution facility shall provide to the Commission, upon request, current copies of its business continuity-disaster recovery plan and other emergency procedures, its assessments of its operational risks, and other documents requested by Commission staff for the purpose of maintaining a current profile of the swap execution facility's automated systems.
(g) A swap execution facility shall conduct regular, periodic, objective testing and review of its automated systems to ensure that they are reliable, secure, and have adequate scalable capacity. A swap execution facility shall also conduct regular, periodic testing and review of its business continuity-disaster recovery capabilities. Pursuant to Core Principle 10 under section 5h of the Act (Recordkeeping and Reporting) and Sec. Sec. 37.1000 through 37.1001, the swap execution facility shall keep records of all such tests, and make all test results available to the Commission upon request.
(h) Part 40 of this chapter governs the obligations of those registered entities that the Commission has determined to be critical financial markets, with respect to maintenance and geographic dispersal of disaster recovery resources sufficient to meet a same-day recovery time objective in the event of a wide-scale disruption. Section 40.9 establishes the requirements for core principle compliance in that respect.