17 CFR Part 49, Sec. 49.24 System safeguards.

(a) Each registered swap data repository shall, with respect to all swap data in its custody:

(1) Establish and maintain a program of risk analysis and oversight to identify and minimize sources of operational risk through the development of appropriate controls and procedures and the development of automated systems that are reliable, secure, and have adequate scalable capacity;

(2) Establish and maintain emergency procedures, backup facilities, and a business continuity-disaster recovery plan that allow for the timely recovery and resumption of operations and the fulfillment of the duties and obligations of the swap data repository; and

(3) Periodically conduct tests to verify that backup resources are sufficient to ensure continued fulfillment of all duties of the swap data repository established by the Act or the Commission's regulations.

(b) A registered swap data repository's program of risk analysis and oversight with respect to its operations and automated systems shall address each of the following categories of risk analysis and oversight:

(1) Information security;

(2) Business continuity-disaster recovery planning and resources;

(3) Capacity and performance planning;

(4) Systems operations;

(5) Systems development and quality assurance; and

(6) Physical security and environmental controls.

(c) In addressing the categories of risk analysis and oversight required under paragraph (b) of this section, a registered swap data repository should follow generally accepted standards and best practices with respect to the development, operation, reliability, security, and capacity of automated systems.

(d) A registered swap data repository shall maintain a business continuity-disaster recovery plan and business continuity-disaster recovery resources, emergency procedures, and backup facilities sufficient to enable timely recovery and resumption of its operations and resumption of its ongoing fulfillment of its duties and obligations as a swap data repository following any disruption of its operations. Such duties and obligations include, without limitation, the duties set forth in Sec. 49.9 and the core principles set forth in Sec. 49.19; and maintenance of a comprehensive audit trail. The swap data repository's business continuity-disaster recovery plan and resources generally should enable resumption of the swap data repository's operations and resumption of ongoing fulfillment of the swap data repository's duties and obligations during the next business day following the disruption.

(e) Registered swap data repositories determined by the Commission to be critical swap data repositories are subject to more stringent requirements as set forth below.

(1) Each swap data repository that the Commission determines is critical must maintain a disaster recovery plan and business continuity and disaster recovery resources, including infrastructure and personnel, sufficient to enable it to achieve a same-day recovery time objective in the event that its normal capabilities become temporarily inoperable for any reason up to and including a wide-scale disruption.

(2) A same-day recovery time objective is a recovery time objective within the same business day on which normal capabilities become temporarily inoperable for any reason up to and including a wide-scale disruption.

(3) To ensure its ability to achieve a same-day recovery time objective in the event of a wide-scale disruption, each swap data repository that the Commission determines is critical must maintain a degree of geographic dispersal of both infrastructure and personnel such that:

(i) Infrastructure sufficient to enable the swap data repository to meet a same-day recovery time objective after interruption is located outside the relevant area of the infrastructure the entity normally relies upon to conduct activities necessary to the reporting, recordkeeping and/or dissemination of swap data, and does not rely on the same critical transportation, telecommunications, power, water, or other critical infrastructure components the entity normally relies upon for such activities; and

(ii) Personnel sufficient to enable the swap data repository to meet a same-day recovery time objective, after interruption of normal swap data reporting, recordkeeping and/or dissemination by a wide-scale disruption affecting the relevant area in which the personnel the entity normally relies upon to engage in such activities are located, live and work outside that relevant area.

(4) Each swap data repository that the Commission determines is critical must conduct regular, periodic tests of its business continuity and disaster recovery plans and resources and its capacity to achieve a same-day recovery time objective in the event of a wide-scale disruption. The swap data repository shall keep records of the results of such tests, and make the results available to the Commission upon request.

(f) A registered swap data repository that is not determined by the Commission to be a critical swap data repository satisfies the requirement to be able to resume operations and resume ongoing fulfillment of the swap data repository's duties and obligations during the next business day following a disruption by maintaining either:

(1) Infrastructure and personnel resources of its own that are sufficient to ensure timely recovery and resumption of its operations, duties and obligations as a registered swap data repository following any disruption of its operations; or

(2) Contractual arrangements with other registered swap data repositories or disaster recovery service providers, as appropriate, that are sufficient to ensure continued fulfillment of all of the swap data repository's duties and obligations following any disruption of its operations, both with respect to all swaps reported to the swap data repository and with respect to all swap data contained in the swap data repository.

(g) A registered swap data repository shall notify Commission staff promptly of all:

(1) Systems malfunctions;

(2) Cyber security incidents or targeted threats that actually or potentially jeopardize automated system operation, reliability, security, or capacity; and

(3) Any activation of the swap data repository's business continuity-disaster recovery plan.

(h) A registered swap data repository shall give Commission staff timely advance notice of all:

(1) Planned changes to automated systems that may impact the reliability, security, or adequate scalable capacity of such systems; and

(2) Planned changes to the swap data repository's program of risk analysis and oversight.

(i) A registered swap data repository shall provide to the Commission upon request current copies of its business continuity and disaster recovery plan and other emergency procedures, its assessments of its operational risks, and other documents requested by Commission staff for the purpose of maintaining a current profile of the swap data repository's automated systems.

(j) A registered swap data repository shall conduct regular, periodic, objective testing and review of its automated systems to ensure that they are reliable, secure, and have adequate scalable capacity. It shall also conduct regular, periodic testing and review of its business continuity-disaster recovery capabilities. Both types of testing should be conducted by qualified, independent professionals. Such qualified independent professionals may be independent contractors or employees of the swap data repository, but should not be persons responsible for development or operation of the systems or capabilities being tested. Pursuant to Secs. 1.31, 49.12 and 45.2 of the Commission's Regulations, the swap data repository shall keep records of all such tests, and make all test results available to the Commission upon request.

(k) To the extent practicable, a registered swap data repository should:

(1) Coordinate its business continuity-disaster recovery plan with those of swap execution facilities, designated contract markets, derivatives clearing organizations, swap dealers, and major swap participants who report swap data to the swap data repository, and with those regulators identified in Section 21(c)(7) of the Act, in a manner adequate to enable effective resumption of the registered swap data repository's fulfillment of its duties and obligations following a disruption causing activation of the swap data repository's business continuity and disaster recovery plan;

(2) Participate in periodic, synchronized testing of its business continuity-disaster recovery plan and the business continuity-disaster recovery plans of swap execution facilities, designated contract markets, derivatives clearing organizations, swap dealers, and major swap participants who report swap data to the registered swap data repository, and the business continuity-disaster recovery plans required by the regulators identified in Section 21(c)(7) of the Act; and

(3) Ensure that its business continuity-disaster recovery plan takes into account the business continuity-disaster recovery plans of its telecommunications, power, water, and other essential service providers.