
Frequently Asked Questions

What is DTCC’s Client Cybersecurity Program?

The Client Cybersecurity Program (‘Program’) is an information risk management validation effort designed to gain assurance that members and participants of DTCC’s Systemically Important Financial Market Utility (SIFMU) services are utilizing an industry-accepted cybersecurity risk management framework for the governance and management of their cybersecurity programs.

The Program includes members/participants of the following DTCC subsidiaries:

  • The Depository Trust Company (DTC)
  • Fixed Income Clearing Corporation (FICC)
  • Government Securities Division (GSD)
  • Mortgage-Backed Securities Division (MBSD)
  • National Securities Clearing Corporation (NSCC)

DTCC developed the Client Cybersecurity Program to provide assurance that members/participants are utilizing an industry-accepted cybersecurity framework to govern their cybersecurity risk management program. It leverages current regulatory or standards-setting body frameworks. It does not set any new control standards.


Where can financial institutions find the rule filing?

The approved SEC rule filing for each DTCC market utility can be downloaded in PDF format using the links below:




Is my organization required to use a cybersecurity framework?

Yes. Members/Participants and new applicants to DTC/FICC/NSCC services are required to demonstrate their use of an industry-accepted cyber risk management framework. Examples of an industry-accepted framework include:

  1. CRI Profile - The Cyber Risk Institute Profile (formerly the FSSCC Profile)
  2. NIST CSF - National Institute of Standards and Technology Cybersecurity Framework
  3. ISO 27001/27002 - International Organization for Standardization 27001/27002
  4. FFIEC CAT - Federal Financial Institutions Examination Council Cybersecurity Assessment Tool
  5. CSC 20 - Critical Security Controls Top 20
  6. SOC 2 - System and Organization Controls
  7. SOC for Cybersecurity - System and Organization Controls for Cybersecurity
  8. COBIT - Control Objectives for Information and Related Technologies
  9. OSFI - The Office of the Superintendent of Financial Institutions Cyber Security Self-Assessment Guidance
  10. JASDEC - Japan Securities Depository Center, Inc. Basic Policy on Risk Management and Basic Policy on Information Security
  11. FINRA - FINRA Small Firm Cybersecurity Checklist
  12. SEC OCIE - U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations Cybersecurity Examination Initiative


How should each firm notify DTCC of its designated Control Officer?

The Control Officer is a senior executive responsible and accountable for overseeing the cyber security program within their organization.

It is your firm's obligation to designate the appropriate Control Officer for your company. The Control Officer is usually the CISO, a member of the Board of Directors or a Security Manager.

To update your Control Officer information, email (email protected).


What is the Confirmation Form?

The Confirmation Form is an electronic form sent via DocuSign that the designated Control Officer must complete and sign to attest that your firm has a written cybersecurity program that is structured on an industry-recognized cybersecurity framework, is reviewed periodically, and is updated based on risk assessments, technology and regulatory requirements.


Our firm is using a third party to transact directly with DTCC. Are we still required to complete the cybersecurity confirmation?

Yes. As a member/participant of DTC, FICC and/or NSCC, your firm is required to have its own written cybersecurity program and policies in compliance with the SEC rule.


Our firm subscribes to a cybersecurity service provider and uses cybersecurity applications and software. Are we still required to have our cybersecurity program in writing?

Yes. Having a written cybersecurity program approved by your Risk Committee or Board of Directors is one of the requirements of the SEC Rule.


Can we print, sign and fax or email the confirmation form instead of signing via DocuSign?

DTCC only accepts confirmation forms that are completed and signed digitally via DocuSign. Upon completion and DTCC approval of the form, the Control Officer will receive a PDF copy of the form.


Is it possible to edit/update the confirmation form after submission?

Members/Participants will not be able to edit or update a form that has been submitted. The firm should ensure that the information documented on the form is complete and accurate before submitting.


Who can I contact if I have any questions regarding the program?

You may contact your Relationship Manager with any questions or concerns about the program, or email (email protected).
