Federal Register - November 2, 2021
Source: Federal Register
60514
Federal Register / Vol. 86, No. 209 / Tuesday, November 2, 2021 / Notices
vi. Auditing the CSP Post Cloud Implementation

OCC's Cloud Agreement gives OCC the right to attend the CSP Audit Symposium annually so that OCC may inspect and verify evidence of the design and effectiveness of the CSP's control environment and physical security controls in place at the CSP's data centers. Through preparation for and attendance at this symposium, OCC may also provide feedback and make requests of the CSP for future modifications of the control environment. The CSP is also required to maintain an information security program, including controls and certifications, that is as protective as the program evidenced by the CSP's SOC 2 report. The CSP must make available on demand to OCC its SOC 2 report as well as the CSP's other certifications from accreditation bodies and information on its alignment with various frameworks, including NIST, CSF, and ISO.59 TPRM will coordinate an annual risk assessment of OCC's relationship with the CSP. TPRM, Security, and Business Continuity will determine the adequacy and reasonableness of the documentation received to complete the Third-Party Risk Assessment. Finally, the Cloud Agreement provides that OCC's regulators may visit the facilities of the CSP under specified conditions.

OCC plans to use the CSP's services combined with additional third-party tools to monitor deployed systems by ingesting logs into a security incident and event monitoring tool, providing a single pane of glass view into the Cloud Infrastructure and, to the extent it is used, the on-premises data center. When incidents are detected, OCC will follow its existing incident response governance to identify, detect, contain, eradicate, and recover from incidents.
Consistency With the Payment, Clearing and Settlement Supervision Act

The stated purpose of the Clearing Supervision Act is to mitigate systemic risk in the financial system and promote financial stability by, among other things, promoting uniform risk management standards for systemically important financial market utilities and strengthening the liquidity of systemically important financial market utilities.60 Section 805(a)(2) of the Clearing Supervision Act 61 also authorizes the Commission to prescribe risk management standards for the payment, clearing and settlement activities of designated clearing entities, like OCC, for which the Commission is the supervisory agency. Section 805(b) of the Clearing Supervision Act 62 states that the objectives and principles for risk management standards prescribed under Section 805(a) shall be to: promote robust risk management; promote safety and soundness; reduce systemic risks; and support the stability of the broader financial system.

The Commission has adopted risk management standards under Section 805(a)(2) of the Clearing Supervision Act and the Exchange Act in furtherance of these objectives and principles.63 Rule 17Ad-22 requires registered clearing agencies, like OCC, to establish, implement, maintain, and enforce written policies and procedures that are reasonably designed to meet certain minimum requirements for their operations and risk management practices on an ongoing basis.64 Therefore, the Commission has stated 65 that it believes it is appropriate to review changes proposed in advance notices against Rule 17Ad-22 and the objectives and principles of these risk management standards as described in Section 805(b) of the Clearing Supervision Act.66

59 The FFIEC Guidance provides that OCC may obtain SOC reports, other independent audits, or ISO certification reports to gain assurance that the CSP's controls are operating effectively. See FFIEC, Security in a Cloud Computing Environment, page 7. OCC reviews the CSP's SOC 2 on an annual basis.

60 12 U.S.C. 5461(b).
OCC believes that the proposed changes are consistent with Section 805(b)(1) of the Clearing Supervision Act 67 and the requirements of Rules 17Ad-22(e)(17) and (e)(21) under the Act because the Cloud Implementation would provide OCC with resilient, secure, and scalable core clearing, risk management, and data management systems that far exceed what is currently possible in an on-premises infrastructure.

61 12 U.S.C. 5464(a)(2).

62 12 U.S.C. 5464(b).

63 17 CFR 240.17Ad-22. See Exchange Act Release Nos. 68080 (October 22, 2012), 77 FR 66220 (November 2, 2012) (S7-08-11) (Clearing Agency Standards); 78961 (September 28, 2016), 81 FR 70786 (October 13, 2016) (S7-03-14) (Standards for Covered Clearing Agencies).

64 17 CFR 240.17Ad-22.

65 See, e.g., Exchange Act Release No. 86182 (June 24, 2019), 84 FR 31128, 31129 (June 28, 2019) (SR-OCC-2019-803).

66 12 U.S.C. 5464(b). Reg SCI was not adopted under the Payment, Clearing and Settlement Supervision Act and thus is not analyzed in this section. However, an analysis of the compliance requirements of Reg SCI and the provisions of the Cloud Agreement that enable OCC to meet them are provided in confidential Exhibit 3d to File No. SR-OCC-2021-802, for which OCC has separately submitted a request for confidential treatment from the Commission.

67 12 U.S.C. 5464(b)(1).
Rule 17Ad-22(e)(17)(ii) requires OCC to establish, implement, maintain, and enforce written policies and procedures reasonably designed to manage OCC's operational risk by ensuring that systems have a high degree of security, resiliency, operational reliability, and adequate, scalable capacity.68 OCC maintains several policies specifically designed to manage the risks associated with maintaining adequate levels of system functionality, confidentiality, integrity, availability, capacity and resiliency for systems that support core clearing, risk management, and data management services.69 As stated above, resiliency of the Cloud Infrastructure is built into the system, with functionality for OCC's core clearing, risk management, and data management applications to run in multiple zones within multiple regions. Regions are isolated from one another and are designed in part to minimize the possibility of a multi-region outage. OCC has designed the infrastructure to have primary hot/secondary warm zones at all times, ensuring Compute, Storage, and Network resources would be available in a new redundant region in the event of a primary region failure. As a result, the Cloud Infrastructure offers OCC multiple redundancies within which to run its core clearing, risk management, and data management applications while simultaneously restricting the effect of an incident at the CSP to the smallest footprint possible. Furthermore, in the unlikely and extraordinary event OCC loses access to each of the six levels of resiliency within the CSP environment, OCC can fail over to an on-premises backup that will permit continued operations of core clearing, risk management, and data management applications.

OCC has established a robust Cloud security program to manage the security of the core clearing, risk management, and data management applications that will be running in the Cloud and to monitor the CSP's management of security of the Cloud Infrastructure that it operates. Processes are formally defined, automated to the fullest extent, repeatable with minimal variation,

68 17 CFR 240.17Ad-22(e)(17)(ii).

69 OCC has separately submitted a request for confidential treatment to the Commission regarding the IT Operational Risk Management Policy, which OCC has provided as confidential Exhibit 3y to File No. SR-OCC-2021-802, the Technology Operations Policy, which OCC has provided as confidential Exhibit 3z to File No. SR-OCC-2021-802, and the Business Continuity Procedure, which OCC has provided as confidential Exhibit 3aa to File No. SR-OCC-2021-802.