Self-Regulatory Organizations; The Options Clearing Corporation; Notice of Filing and Extension of Review Period of Advance Notice Relating to OCC's Adoption of Cloud Infrastructure for New Clearing, Risk Management, and Data Management Applications

Pursuant to Section 806(e)(1) of Title VIII of the Dodd-Frank Wall Street Reform and Consumer Protection Act, entitled Payment, Clearing and Settlement Supervision Act of 2010 (“Clearing Supervision Act”) and Rule 19b-4(n)(1)(i) under the Securities Exchange Act of 1934 (“Exchange Act” or “Act”), notice is hereby given that on October 8, 2021, the Options Clearing Corporation (“OCC”) filed with the Securities and Exchange Commission (“SEC” or “Commission”) an advance notice as described in Items I, II and III below, which Items have been prepared primarily by OCC. The Commission is publishing this notice to solicit comments on the advance notice from interested persons and to extend the review period of the advance notice.

I. Clearing Agency's Statement of the Terms of Substance of the Advance Notice

This advance notice is submitted in connection with a proposed adoption of Cloud infrastructure for OCC's new clearing, risk management, and data management applications with an on-demand network of configurable information technology resources running on virtual infrastructure hosted by a third party. The proposed changes are described in detail in Item II below. All terms with initial capitalization not defined herein have the same meaning as set forth in OCC's By-Laws and Rules.

II. Clearing Agency's Statement of the Purpose of, and Statutory Basis for, the Advance Notice

In its filing with the Commission, OCC included statements concerning the purpose of and basis for the advance notice and discussed any comments it received on the advance notice. The text of these statements may be examined at the places specified in Item IV below. OCC has prepared summaries, set forth in sections A and B below, of the most significant aspects of these statements.

(A) Clearing Agency's Statement on Comments on the Advance Notice Received From Members, Participants or Others

Written comments were not and are not intended to be solicited with respect to the advance notice and none have been received. OCC will notify the Commission of any written comments received by OCC.

(B) Advance Notices Filed Pursuant to Section 806(e) of the Payment, Clearing, and Settlement Supervision Act

Description of the Proposed Change

OCC is proposing to adopt an on-demand network of configurable information technology resources running on infrastructure (“Cloud” or “Cloud Infrastructure”) hosted by a third party (“Cloud Service Provider” or “CSP”) to support OCC's new core clearing, risk management, and data management applications. OCC will provision logically isolated sections of the Cloud Infrastructure that will provide it with the virtual equivalent of physical data center resources (“Virtual Private Cloud”), including scalable resources that: (i) Handle various computationally intensive applications with load-balancing and resource management (“Compute”); (ii) provide configurable storage (“Storage”); and (iii) host network resources and services (“Network”). Additionally, OCC will maintain an on-premises data center to enable OCC to support core clearing, risk management, and data management applications in the event of a multi-region outage of Compute, Storage, and Network services impacting OCC operations at the CSP.

Background

ENCORE, consisting of OCC's core clearing, risk management, and data management applications running in traditional data centers, was launched in 2000 and has operated as OCC's real-time processing engine receiving trade and post-trade data from a variety of sources on a transaction-by-transaction basis, maintaining clearing member positions, calculating margin and clearing fund requirements, and providing reporting to OCC staff, regulators, and clearing members. Two geographically diverse on-premises data centers located in Illinois and Texas house the Compute, Storage, and Network resources required to run all of these applications.

As the platform running OCC's core applications for approximately twenty years, ENCORE has accommodated growth in average daily transaction volumes and OCC has managed periods of extreme market volatility and stress, including during the 2007-2008 financial crisis and the COVID-19 global pandemic of 2020-21, without incident. Nevertheless, as ENCORE was designed to operate in traditional on-premises data centers that require the acquisition and installation of additional hardware and systems software to accommodate scaled resources or new applications, the resiliency and scalability of the current infrastructure is less flexible than that offered by Cloud Infrastructure. OCC's objective is the retirement of ENCORE and its replacement with a resilient solution that meets market participants' needs and the regulatory expectations of a systemically important financial market utility (“SIFMU”). Given advances in Cloud technology and information security since 2000, OCC's proposed adoption of Cloud Infrastructure will offer more resiliency, security, and scalability.

Proposed Changes

Proposed Cloud Infrastructure. Cloud implementation will enable OCC to leverage the Compute, Storage, and Network capabilities of a CSP, supplemented with compatible third-party vendor solutions, to maintain a modular architecture with delineated domains that will result in (i) improved resiliency, (ii) enhanced security, and (iii) increased scalability for OCC's new core clearing, risk management, and data management applications. Additionally, OCC will maintain an on-premises data center to support core clearing, risk management, and data management services in the event of a multi-region outage at the CSP that impacts OCC operations.

i. Improved Resiliency

As a SIFMU, OCC must ensure core applications on the Cloud Infrastructure have resiliency and recovery capabilities commensurate with OCC's importance to the functioning of the US financial markets. As explained in more detail below, OCC believes the Cloud Implementation will enhance the resiliency of OCC's core clearing, risk management, and data management applications by virtue of OCC's architectural design decisions and the Cloud's built-in redundancy, guarantee of persistent availability, and disciplined approach to deployment of Cloud Infrastructure. In particular, the Cloud Implementation will enhance OCC's ability to withstand and recover from adverse conditions by provisioning redundant Compute, Storage, and Network resources in three zones in each of two autonomous and geographically diverse regions. This will afford OCC six levels of redundancy in the Cloud with a primary and secondary Virtual Private Cloud running in a hot/warm configuration. The hot Virtual Private Cloud will be operational and accepting traffic, while the warm Virtual Private Cloud will simultaneously receive the same incoming data and receive replicated data from the hot Virtual Private Cloud with applications on stand-by. This solution significantly reduces operational complexity, mitigates the risk of human error, and provides resiliency and assured capacity. Finally, the on-premises data center will operate as a separate, logically isolated backup to the six levels of redundancy provided for in the Cloud—a backup to backups. The on-premises data center will also simultaneously receive incoming data and the replicated data from the CSP hosted Virtual Private Clouds. The on-premises data center is intended to be used only in the unlikely and extraordinary event that OCC completely loses access to the CSP.

ii. Enhanced Security

The physical and cyber security standards that OCC has designed to align with the National Institute of Standards and Technology (“NIST”), Cyber Security Framework (“CSF”), and Center for Internet Security (“CIS”) benchmarks will not change in the Cloud Infrastructure. OCC will add meaningful security capabilities and measures provided by the CSP and selected third-party tools to enhance the security of OCC's core clearing, risk management, and data management applications. Given the scope of their service, CSPs leverage economies of scale and offer infrastructure and services with specialized configuration, monitoring, prevention, detection, and response tools. Furthermore, unique Cloud-specific capabilities, such as services for provisioning credentials and end-to-end configuration change management and scanning, will provide OCC enhanced levels of protection not available in traditional on-premises solutions. Finally, the on-premises data center will be physically isolated from other on-premises networks, such as the development network, with consistent controls and equivalent security tools to that of the Virtual Private Clouds. Specific security-based risks are examined in more detail below.

iii. Increased Scalability

The Cloud Implementation will allow for more scalability of Compute, Network, and Storage resources that support OCC's core clearing, risk management, and data management applications. With a Cloud Infrastructure, OCC can quickly provision or de-provision Compute, Storage, or Network resources to meet demands, including elevated trade volumes, and provide more flexibility to model and create development and test environments for back testing and stress testing, as well as other systems development needs. For example, the CSP can support elastic workloads and scale dynamically without the need for OCC to procure, test, and install additional servers or other hardware. This means that OCC may increase Compute capacity in one or both regions where it operates via manual or automated processes for core clearing, risk management, and data management applications. The rapid deployment of Compute capacity will allow OCC to obtain access to resources far more quickly than with existing physical data centers. The efficiency gains from the increased scalability of the Cloud Infrastructure will allow OCC to run certain back testing processes at a fraction of the time currently required. These and additional efficiency gains are discussed in more detail below.

Implementation Timeframe

OCC expects to launch the new core clearing, risk management, and data management applications into production no earlier than April 1, 2024. The proposed timeline to launch includes several milestones, such as connectivity testing in the first quarter of 2023, external testing in the second quarter of 2023, and certification of readiness from clearing members and exchanges in the first quarter of 2024. OCC will communicate frequently with stakeholders during this timeframe and will confirm the production implementation date of the proposed launch by Information Memorandum posted to its public website at least eight weeks prior to implementation.

Anticipated Effect on and Management of Risk

Federal Financial Institutions Examination Council Cloud Computing Guidance

On April 30, 2020, the Federal Financial Institutions Examination Council (“FFIEC”) issued a joint statement to address the use of Cloud computing services and security risk management principles in the financial services sector (“FFIEC Guidance”). While the FFIEC Guidance does not contain regulatory obligations, it highlights risk management practices that financial institutions should adopt for the safe and sound use of Cloud computing services in five broad areas (“FFIEC Risk Management Categories”). As discussed in the next section, the OCC is implementing practices for its proposed Cloud deployment consistent with this guidance.

• Governance: Strategies for using Cloud computing services as part of the financial institution's information technology strategic plan and architecture.

• Cloud Security Management: (i) Appropriate due diligence and ongoing oversight and monitoring of CSP's security; (ii) contractual responsibilities, capabilities, and restrictions for the financial institution and CSP; (iii) inventory process for systems and information assets residing in the Cloud; (iv) security configuration, provisioning, logging, and monitoring; (v) identity and access management (“IAM”) and network controls; (vi) security controls for sensitive data; and (vii) information security awareness and training programs.

• Change Management: (i) Change management and software development lifecycle processes and (ii) security and reliability of microservice architecture.

• Resiliency and Recovery: (i) Business resiliency and recovery capabilities and (ii) incident response capabilities.

• Audit and Controls Assessment: (i) Regular testing of financial institution controls for critical systems; (ii) oversight and monitoring of CSP-managed controls; and (iii) oversight and monitoring of controls unique to Cloud computing services, including those related to (a) management of the virtual infrastructure; (b) use of containers in the Cloud Infrastructure; (c) use of managed security services for the Cloud Infrastructure; (d) consideration of interoperability and portability of data and services; and (e) data destruction or sanitization.

Governance

OCC's ongoing Cloud Implementation is a natural progression of its information technology strategy and aligns seamlessly with its overall corporate strategy. OCC's information technology strategy fully supports OCC's corporate strategy to: (i) Reinforce OCC's foundational capabilities and deliver effective and efficient services; (ii) deliver product and service enhancements that enable growth in OCC's core capabilities and provide capital efficiencies to market participants; and (iii) demonstrate thought leadership in the delivery of innovative solutions that provide long-term value and efficiencies for OCC and its stakeholders. The corporate strategy is fortified by six guiding principles: (i) Operating solutions that deliver reliability, predictability, and integrity; (ii) designing efficiency into OCC processes through automation and near-frictionless capabilities; (iii) providing outcome-focused solutions; (iv) prioritizing collaboration and accountability within the information technology team; (v) ensuring protection for OCC, its clearing members, and the broader financial market; and (vi) incorporating a “continuous learning” mindset.

As a SIFMU and the only provider of clearance and settlement services for listed options in the US, it is vital that OCC's critical services remain continuously available with sufficient security measures in place to detect and defend against possible security threats. The Cloud Implementation will present OCC with an agile operating environment that can scale throughput to match workloads nearly instantaneously and that will enable OCC to build a “secure by design” pervasive security methodology that incorporates the NIST Cybersecurity Framework's functions, categories, and subcategories as a roadmap for Cloud security. Movement to an agile, Cloud-based operating environment further reinforces OCC's commitment to building in a comprehensive and adaptable risk-based security methodology instead of a traditional perimeter-centric model.

OCC's Cloud Implementation does not alter OCC's responsibility to maintain compliance with applicable regulations. Consistent with FFIEC Guidance, OCC's plan for Cloud Implementation supports OCC's ability to comply with the SEC's Regulation Systems, Compliance, and Integrity (“Reg SCI”) and the CFTC's Systems Safeguards. Reg SCI imposes certain information security and incident reporting standards on OCC and requires OCC to adopt an information technology governance framework reasonably designed to ensure that “SCI systems,” and for purpose of security, “indirect SCI systems,” have adequate levels of capacity, integrity, resiliency, availability, and security. As the “SCI Entity,” OCC remains solely responsible for meeting all Regulation SCI obligations. Similarly, Systems Safeguards requires OCC to have cybersecurity programs with risk analysis and oversight that ensure automated systems are secure, reasonably reliable, and have adequate scalable capacity. Within its agreement with the CSP (“Cloud Agreement”), OCC has established obligations on the CSP to provide support for OCC's compliance with all applicable regulations.

OCC believes the combination of the following provides OCC reasonable assurance that the proposed Cloud Implementation would enable OCC to continue to fully satisfy its Regulation SCI obligations: (i) The Cloud Agreement; (ii) CSP's compliance programs as described in its Whitepapers and publicly available policies ( e.g., its Penetration Testing Policy), user guides, and other documents; (iii) CSP's Service Level Agreements; (iv) CSP's Systems Organization Controls reports ( e.g., SOC 1, SOC 2, SOC 3) and ISO certifications ( e.g., ISO 27001); (v) CSP's size, scale, and ability to deploy extensive resources to protect and secure its facilities and services; and (vi) CSP's commercial incentive to perform.

OCC and the CSP rely on the shared responsibility model, which differentiates between the security “of” the Cloud and security “in” the Cloud. The CSP maintains sole responsibility and control over the security “of” the Cloud, and their customers are responsible for the security “in” the Cloud; i.e., security of hosted applications and data. Thus, OCC remains responsible for managing and maintaining the operating system and all applications, including security and patching, running in the Cloud. There is no primary/secondary relationship as each partner has a specific set of responsibilities which, when combined, address the entire risk space.

The CSP performs its own risk and vulnerability assessments of the CSP infrastructure on which OCC will run its core clearing, risk management, and data management applications. In published documentation and in meetings conducted with members of CSP's staff, the CSP asserts that it maintains an industry-leading automated test system, with strong executive oversight, and conducts full-scope assessments of its hardware, infrastructure, internal threats, and application software. The CSP asserts that it has an aggressive program for conducting internal adversarial assessments (Red Team) designed not only to evaluate system security but also the processes used to monitor and defend its infrastructure. The CSP also uses external, third-party assessments as a cross-check against its own results and to ensure that testing is conducted in an independent fashion. Per the CSP's documentation, results of these processes are reviewed weekly by the CSP CISO and the CEO with senior CSP leaders to discuss security and action plans.

OCC has the responsibility to perform risk assessments and technical security testing, including control validation, penetration testing, and adversarial testing, of OCC applications running on the CSP. This includes testing of the application interface layer of some CSP provided services such as storage and key management. OCC's security testing model will remain as it is for the on-premises operations: The Security Engineering team will define security control requirements and validate their correct implementation on OCC systems and deployed core clearing, risk management, and data management applications; automated tools will be used to scan OCC application code and open source for security defects during the development process; and automated vulnerability management tools will conduct periodic scans of deployed software and devices to ensure that security patches and fixes are correctly implemented within required timelines.

As mentioned, OCC's testing includes assessing the configuration of CSP provided services: Security Services will work with Information Technology staff to ensure that CSP tools are configured to appropriately manage and mitigate potential sources of risk and will assess the effectiveness of those configurations. The OCC Red Team will operate freely “in the Cloud,” attempting to subvert or circumvent controls; their testing will include probing of CSP provided services to look for weaknesses in OCC's deployment of those tools.

Security Services will routinely report test results to Enterprise Risk Management, appropriate functional Operations and Information Technology management, senior management, and the Board of Directors. Automated vulnerability scanning reports, source code analysis, and results of specific assessments will be risk-rated and assigned a priority for remediation in accordance with OCC policy.

Management and oversight of the Cloud Implementation follows standard governing principles for large information technology projects. OCC's Board of Directors has established a Technology Committee to assist the Board of Directors in overseeing OCC's information technology strategy and other company-wide operational capabilities. The Risk and Technology Committees are responsible for different aspects of the oversight of the Cloud Implementation. Information Technology and Security Services, in collaboration with Enterprise Risk Management, are responsible for the identification, management, monitoring, and reporting on the risks associated with the Cloud Implementation. To that end, management presents the Technology Committee (with copies to the Risk Committee and the Board of Directors) with reports on the status and progress of the Cloud Implementation on at least a quarterly basis. This report includes an overall risk and issue summary and an analysis of key risk indicators for the Cloud Implementation. Finally, OCC's Internal Audit Department is responsible for auditing security controls and configurations, including those related to the Cloud, prior to OCC's planned Cloud Implementation. Starting in 2021 and going forward, the Internal Audit Annual Plan is designed to assess important elements of the new core clearing, risk management, and data management application roll-out. For example, the 2021 Audit Plan includes an audit on the Cloud Implementation. These audits will help assess OCC's readiness for the Cloud Implementation as discussed below, in “Audit and Controls Assessment.”

Cloud Security Management

OCC has established a robust Cloud security program to both: (i) Manage the security of the core clearing, risk management, and data management applications that will be running on the Cloud Infrastructure hosted by the CSP, and (ii) assess and monitor the CSP management of security of the Cloud Infrastructure that it operates. The security program is designed to encompass all OCC assets existing in OCC offices, data centers, and within the CSP's Cloud Infrastructure. The security program is built upon enterprise security standards that establish requirements that apply to any technology system as well as any tool that provides technology services. The following paragraphs in this section describe elements of OCC's Cloud security management in the areas of: (i) Network and IAM controls ( e.g., determining who is accessing the systems, granting access to the applications, and then controlling what information they can access); (ii) security governance and controls for sensitive data; (iii) security configuration, provisioning, logging, and monitoring; and (iv) security testing.

i. Network and IAM Controls

OCC recognizes that robust network security configuration and IAM will provide reasonable assurance that users—including OCC employees, market participants, and service accounts for systems —are granted least-privileged access to the network, applications, and data. OCC will use third-party tools to automate appropriate role-based access to the core clearing, risk management, and data management applications running in the Cloud. By enforcing strict separation of duties and least-privileged access for infrastructure, applications, and data, OCC will protect the confidentiality, availability, and integrity of the data.

The maintenance of an on-premises backup data center necessitates additional network controls. The on-premises data center will be physically separate from networks supporting routine business functions, which will make the overall protection of the environment easier simply by eliminating connectivity other than for critical operations. OCC will explicitly provision all connectivity and will manage and mitigate risks through use of jump hosts that are heavily monitored ( e.g., data feeds in and out, provisioned mechanisms for the delivery of the software, and a minimum management interface that requires multi-factor authentication for access). This connection model, coupled with limited access via dedicated private circuits, eliminates the most common threat exposures such as internet connectivity and email. The default physical separation defined in the on-premises backup architecture will be overlaid with industry standard monitoring and blocking tools to ensure that lateral movement between SCI and non-SCI environments is controlled in accordance with the risk.

OCC has established IAM requirements that build upon the least-privileged model. As part of the IAM program, all users must be assigned an appropriate enterprise identification. Users will be granted access to systems via a standardized and auditable approval process. The user identifications and granted access will be managed through their full lifecycle from a centralized IAM system maintained and administered by OCC. Role-, attribute-, and context-based access controls will be used as defined by internal standards consistent with industry recommended practices to promote the principles of least-privileged access and separation of duties.

OCC will use and manage third party tools not otherwise provided by nor managed by the CSP for single sign-on and least-privileged access. The network will also include hardware and software to limit and monitor ingress and egress traffic, encrypt data in transmission, and isolate traffic between OCC and the Virtual Private Cloud. Since OCC will continue to provide cryptographic services, including key management, the CSP and other network service providers will not be able to decrypt OCC data either at rest or while in transit.

ii. Security Governance and Controls for Sensitive Data

OCC's data governance framework that applies to the Cloud Implementation is identified within the OCC Enterprise Security Standards. The Enterprise Security Standards address data moving between systems within the Cloud as well as data transiting and traversing both trusted and untrusted networks. For example, the Enterprise Security Standards require a system or Software as a Solution to: (i) Store data and information, including all copies of data and information in the system, in the United States throughout its lifecycle; (ii) be able to retrieve and access the data and information throughout its lifecycle; (iii) for data in the system hosted in the Cloud, encrypt such data with key pairs kept and owned by OCC; (iv) comply with United States federal and applicable state data regulations regarding data location; and (v) enable secure disposition of non-records in accordance with OCC's Information Governance Policy.

Furthermore, OCC policies establish the overall data governance framework applied to the management, use, and governance of OCC information to include digital instantiations, storage media, or whether the information is located, processed, stored, or transmitted on OCC's information systems and networks, public, private, or hybrid Cloud infrastructures, third-party data centers and data repositories, or Software-as-a-Service (SaaS) applications. The Information Classification and Handling Policy classifies OCC's information into three categories. System owners of technology that enable classification and/or labeling of information are responsible for ensuring the correct classification level is designated in the system of record and the applicable controls are enforced. All information requiring disposal is required to be disposed of securely in accordance with all applicable procedures. Sensitive data must be handled in a manner consistent with requirements in the Information Classification and Handling Policy.

OCC will implement key components of a “zero trust” control environment, namely ubiquitous authentication and encryption via use of an automated public key infrastructure, coupled with responsive, highly available authentication, authorization tools, and key management strategies to ensure appropriate industry standard security controls are in place for sensitive data both in transit and at rest. External connectivity to OCC systems hosted by the CSP will be provided as it is now, through dedicated private circuits or over encrypted tunnels through the internet. These network links will also have additional security controls, including encryption during transmission and restrictions on network access to and from the Virtual Private Cloud. Additionally, OCC will use dedicated redundant private network connections between OCC data centers and the CSP infrastructure. OCC currently maintains two data centers and will do so in the future to provide redundant, geographically diverse connectivity for market participants. All network communications between OCC and the Cloud Infrastructure will rely on industry standard encryption for traffic while in transit. Data at rest will be safeguarded through pervasive encryption. OCC's Encryption Standards describe requirements for implementation of the minimum required strengths, encryption at rest, and cryptographic algorithms approved for use in cryptographic technology deployments across OCC. All OCC identifying data is encrypted in transit using industry standard methods. The Key Management Service (“KMS”) Strategy dictates that all CSP endpoints support HTTPS for encrypting data in transit. OCC also secures connections to the endpoint service by using virtual private computer endpoints and ensures client applications are properly configured to ensure encapsulation between minimum and maximum Transport Layer Security (TLS) versions per OCC encryption standard. OCC will have exclusive control over the key management system; only OCC authorized users will be able to access that data. CSP systems and staff will not have access to the OCC certificate management and/or key management system. OCC is responsible for the application architecture, software, configuration and use of the CSP services, and for the maintenance of the environment, including ongoing monitoring of the application environment to achieve the appropriate security posture. To do this, OCC follows: (i) Existing security design and controls; (ii) Cloud-specific information security controls defined in “Enterprise Security Controls;” and (iii) regulatory compliance requirements detailed in sources or information technology practices that are widely available and issued by an authoritative body that is a U.S. governmental entity or agency including NIST-CSF, COBIT, and the FFIEC Guidelines.

OCC uses third-party tools for CSP security compliance monitoring, security scanning, and reporting. Alerts and all API-level actions are gathered using both CSP provided and third-party monitoring tools. The CSP provided monitoring tool is enabled by default at the organization level to monitor all CSP services activity. Centralized logging provides near real-time analysis of events and contains information about all aspects of user and role management, detection of unauthorized, security relevant configuration changes, and inbound and outbound communication.

As previously discussed, OCC uses a KMS Strategy to encrypt data in transit and at rest in the Cloud. KMS is designed so that no one, including CSP employees, can retrieve customer plaintext keys and use them. The Federal Information Processing Standards (“FIPS”) 140-2 validated Host Security Modules (HSMs) in KMS protect the confidentiality and integrity of OCC customer keys. Customer plaintext keys are never written to disk and only ever used in protected, volatile memory of the HSMs for the time needed to perform the customer's requested cryptographic operation. KMS keys are never transmitted outside of the Cloud regions in which they were created. Updates to the KMS HSM firmware are controlled by quorum-based access control that is audited and reviewed by an independent group within the CSP. This tightly controlled deployment process minimizes the risk that the security properties of the service will be changed as new software, firmware, or hardware is introduced. With these security measures, only users granted access by OCC to the core clearing, risk management, or data management applications will be able to interact with the information contained therein.

iii. Security Configuration, Provisioning, Logging, and Monitoring

Automated delivery of business and security capability via the use of “Infrastructure as Code” and continuous integration/continuous deployment pipeline methods will permit security controls to be consistently and transparently deployed on-demand. OCC will provision Cloud Infrastructure using pre-established system configurations that are deployed through infrastructure as code, then scanned for compliance to secure baseline configuration standards. OCC also employs continuous configuration monitoring and periodic vulnerability scanning. OCC will continue to perform regular reviews and testing of OCC systems running on the Cloud while relying upon information provided by the CSP through the CSP's SOC2 and Audit Symposiums. Finally, configuration, security incident, and event monitoring will rely on a blend of CSP native and third-party solutions.

OCC also plans to use tools offered by the CSP and third-parties to monitor the core clearing, risk management, and data management applications run on the Cloud Infrastructure. OCC will track metrics, monitor log files, set alarms, and have the ability to act on changes to OCC core clearing, risk management, and data management applications and the environment in which they operate. The CSP will provide a dashboard to reflect- general health ( e.g., up/down status of a region) but will not give additional insights into performance of services and applications which run on those services. The OCC operated centralized logging system will provide for a single frame of reference for log aggregation, access, and workflow management by ingesting the CSP's logs coming from native detective tools and OCC instrumented controls for logging, monitoring, and vulnerability management. This instrumentation will give OCC a real-time view into the availability of Cloud services as well as the ability to track historical data. By using the enterprise monitoring tools OCC has in place, OCC will be able to integrate the availability and capacity management of Cloud into OCC's existing processes, whether hosted on the Cloud or running in the local on-premises backup, and respond to issues in a timely manner.

OCC will also use specialized third-party tools, as discussed above, to programmatically configure Cloud services and deploy security infrastructure. This automation of configuration and deployment will ensure Cloud services are repeatably and consistently configured securely and validated. Change detection tools providing event logs into the incident management system are also vital for reacting to and investigating unexpected changes to the environment.

Security has implemented tools for the core clearing, risk management, and data management applications and back office environments that will be hosted at the CSP; notably, the IAM system, monitoring and Security Information and Event Management (“SIEM”) systems, the workflow system of record for incident handling, KMS, and enterprise Data Loss Prevention (“DLP”). Most of these services can also be run on-premises in a fully Cloud-independent mode, and Security Services has identified potential alternatives for those that will be needed for isolated on-premises operations and cannot operate independently. All required technical controls deployed via or reliant on CSP services will be replaced or supplemented to ensure equivalent independent operation of the on-premises backup.

Finally, the CSP prioritizes assurance programs and certifications, underscoring its ability to comply with financial services regulations and standards and to provide OCC with a secure Cloud Infrastructure.

iv. Security Testing and Verification by the 2nd and 3rd Line

Security testing is integrated into business-as-usual processes as outlined in relevant policy and procedures. These documents define how testing is initiated, executed, and tracked.

For new assets and application (or code) releases, Security determines whether and what type of security testing is required through a risk-based analysis. If required, testing is conducted prior to implementation and the different testing techniques are outlined below:

• Automated Security Testing: Using industry standard security testing tools and/or other security engineering techniques specifically configured for each test, Security will test to identify vulnerabilities and deliver payloads with the intent to break, change, or gain access to unauthorized areas within an application, data, or system.

• Manual Penetration Testing: Using information gathered from automated testing and/or other information sources, Security will manually test to identify vulnerabilities and deliver payloads with the intent to break, change, or gain access to the unauthorized area within an application or system.

• Blue Team Testing: The Blue Team identifies security threats and risks in the operating environment and analyzes the network, system, and SaaS environments and their current state of security readiness. Blue Team assessment results guide risk mitigation and remediation, validate the effectiveness of controls, and provide evidence to support authorization or approval decisions. Blue Team testing ensures that OCCs networks, systems, and SaaS solutions are as secure as possible before deploying to a production environment.

The results of Security controls testing are risk-rated and managed to remediation via the Security Observation Risk Tracking process.

Change Management

Consistent with FFIEC Guidance, OCC's use of the Cloud will have sufficient change management controls in place to effectively transition systems and information assets to the Cloud and will help ensure the security and reliability of microservices in the Cloud. OCC's enterprise software development lifecycle processes help ensure the same control environment for all OCC resources, irrespective of whether they reside in an on-premises environment or in the Cloud. OCC has established baselines for design inputs and control requirements and enforces workload isolation and segregation through a Virtual Private Cloud using existing Cloud native technical controls and added new tools. OCC also plans to use other specialized platform monitoring tools for logging, scanning of configuration, and systems process scanning. OCC also has oversight as a code owner for the OCC infrastructure security containers and will have final review and approval for related changes and code merges before deployment of secure containers into production. Finally, OCC will periodically conduct static code scanning and perform vulnerability scanning for external dependencies prior to deployment in production, along with manual penetration testing of the provided application code. In addition, OCC will perform routine scans of Compute resources with the existing enterprise scanning tools. Any identified vulnerabilities will be reviewed for severity, prioritized, and logged for remediation tracking in upcoming development releases.

OCC will create a “user acceptance plan” prior to promoting code to production. This user acceptance plan will include tests of all major functions, processes, and interfacing systems, as well as security tests. Through acceptance tests, OCC users will be able to simulate complete application functionality of the live environment. The change will move to the next stage of the OCC delivery model only after satisfying the criteria for this phase.

OCC plans to use microservices in its use of the Cloud. OCC has internal projects that will address change management of the various microservices. In particular, OCC runs a suite of supporting services that enable building, running, scaling, and monitoring of OCC's business applications in the Cloud in an automated, resilient, and secure manner. The application platform relies on various CSP and third-party tools for different components, including Infrastructure as a Service, Infrastructure as Code, CI/CD, Container as a Service, Continuous Delivery, and Platform Monitoring. For example, OCC will use a third-party tool for managing containers and a different third-party tool for distributing containers and workloads to assist with platform automation. Security measures for planned production microservices are already incorporated within the overall security architecture and Enterprise Security Standards.

With respect to software development in the Cloud, OCC has established a closed Virtual Private Cloud non-production environment that allows OCC to develop, test, and integrate new capabilities, including those related to security enhancements, while preventing direct external access to the development environment and tightly controlling on-premises access from OCC to the non-production environment. This OCC Virtual Private Cloud non-production environment (hosted in the Cloud) focuses on the foundational security, operations, and infrastructure requirements with the intent to take lessons learned to implement into future production. OCC developed and maintains a Cloud Reference Architecture that defines necessary capabilities and controls required to securely host core clearing, risk management, and data management applications on the CSP. The minimum foundational security requirements are based on the NIST CSF and CIS benchmarks and include the design and implementation requirements of a secure Cloud account structure within a multi-region Cloud environment. OCC maintains enterprise security requirements that provide structure for current and future development. As the Virtual Private Cloud environment is further developed and expanded, there is a comprehensive process to identify any incremental risks and develop and implement controls to manage and mitigate those risks.

Resiliency and Recovery

As noted earlier, given OCC's role as a SIFMU, it is vital that OCC work to ensure operations moved to Cloud Infrastructure have appropriately robust resilience and recovery capabilities. Below is a discussion of how OCC has evaluated resiliency including: (i) The steps taken by OCC and the CSP to help ensure the persistent availability of Compute, Storage, and Network capabilities in the Cloud; (ii) the resiliency of the CSP's method for deploying updates to help ensure that consequences of incidents are limited to the fullest extent possible; (iii) the on-premises backup; and (iv) the use of “store and forward” messaging technology.

i. Resiliency of the Cloud Infrastructure

OCC believes the Cloud Implementation will enhance the resiliency of OCC's core clearing, risk management, and data management applications by virtue of its built-in six levels of redundancy that will provide OCC with easy access to multiple zones within multiple and geographically diverse regions. The redundancy provided to OCC in the Cloud Infrastructure helps ensure that Compute, Storage, and Network resources will be available to OCC on a persistent basis.

OCC will provision Compute, Storage, and Network resources in two autonomous and geographically diverse regions, in a hot/warm configuration to increase resources on demand, maintained by the CSP. Each region will maintain independent and identical copies of all applications that are deployed by OCC, allowing OCC to transition its core clearing, risk management, and data management applications from one region to another seamlessly. Production workloads would be run across and shifted between regions regularly to protect OCC against disruptions from regionalized incidents. In the unlikely event that a region is temporarily disabled as a result of an extreme event, OCC would failover to run core clearing, risk management, and data management applications in the other region. This will necessarily require that both regions be maintained with full and expansion capacity. At any point, OCC will have active primary and standby instances of the core clearing, risk management, and data management applications that can be moved to any of the six instances ( i.e. three zones in each of the two regions). This is analogous to having six physical data centers with primary and backup running out of any two instances at a given point in time.

Each region consists of three zones, each of which has a physical infrastructure with separate and dedicated connections to utility power, standalone backup power sources, independent mechanical services, and independent network connectivity. While not dependent on one another, zones are connected to one another with private fiber-optic networking, enabling the architecture of core clearing, risk management, and data management applications to automatically failover between zones without interruption. Since each zone can operate independently of one another but failover capability is near instantaneous, a loss of one zone will not affect operation in another zone; however, no core clearing, risk management, or data management application will be reliant on the functioning of a single zone. This structural framework offers OCC a wide expanse within which to run its core clearing, risk management, and data management applications while simultaneously restricting the effect of an incident at the CSP to the smallest footprint possible.

As core clearing, risk management, and data management applications will be deployed in a primary (hot)/secondary (warm) mode, each environment will be active, run the same software, and receive the same data, enabling a failover or switch from one region to another within two hours. Software and Infrastructure will be deployed via automated processes to ensure both are identical in each region.

Additional capacity will always be available to support the resiliency of OCC's core clearing, risk management, and data management applications by way of the six-way redundancy. OCC will continue to periodically test the CSP's capacity scaling features and failover capabilities to ensure adequate capacity is always available to OCC.

The CSP may not unilaterally terminate the relationship with OCC absent good cause or without sufficient notice to allow OCC to transition to an alternate CSP or to the on-premises solution for its Compute, Storage, and Network needs. The notice provision in the Cloud Agreement for terminations that are not for cause would give OCC sufficient time to consider and transition its core clearing, risk management, and data management applications to another CSP or to its backup on-premises data center. Specifically, the CSP must provide notice OCC believes is sufficient to transition if it wishes to terminate the Cloud Agreement for convenience or if it wishes to terminate an individual CSP service offering on which OCC relies for all of its Cloud customers.

The CSP is permitted to terminate the Cloud Agreement with shorter notice periods in the event of a critical breach or an uncured material breach of the Cloud Agreement. In the highly unlikely event that a critical breach or uncured material breach occurs, OCC would have sufficient notice to shift operations to the on-premises data center. Contract provisions that allow a party to terminate for uncured material breaches are designed to limit the types of actions that could lead to contract termination (typically, a breach is considered material only if it goes to the root of the agreement between the parties or is so substantial that it defeats the object of the parties in making the contract) and to establish a short period of time to resolve an aggrieved party's claim (often 30 days). This gives the parties time and incentive to address the problem without having to resort to termination. Critical breaches are material breaches: (i) For which OCC knew its behavior would cause a material breach (such as a willful violation of Cloud Agreement terms); (ii) that cause ongoing material harm to the CSP, its services, or its customers ( e.g., criminal misuse of the services); or (iii) for undisputed non-payment under the Cloud Agreement. Even if the CSP notifies OCC of an alleged breach (material or critical), termination of services is not immediate.

OCC believes the risk of termination with a shorter notice period is mitigated by the following factors. In all cases of an alleged breach, the CSP must notify OCC in writing and provide time for OCC to cure the alleged breach (“Notice Period”). With respect to an alleged critical breach, OCC would use the Notice Period to attempt to cure the alleged critical breach while also preparing for a seamless transition to the on-premises data center. With respect to an alleged material breach, which requires the CSP to extend the Notice Period if OCC demonstrates a good faith effort to cure the alleged material breach, OCC would use the Notice Period to attempt to cure the alleged material breach while also preparing for a seamless transition to the on-premises data center. As a result, it is highly unlikely that a critical breach or a material breach would remain uncured beyond the Notice Period; if one does, however, OCC would have ample notice to shift operations to the on-premises data center to avoid a disruption to core clearing, risk management, and data management applications.

ii. Resiliency of the Deployment of Cloud Infrastructure Updates

The CSP will update the Cloud Infrastructure from time to time using a conservative approach for update deployment that helps to ensure that any potential effects of possible incidents are contained to the greatest extent possible. The CSP achieves this by: (i) Fully automating the build and deployment process; and (ii) deploying services to production in a phased manner.

CSP Services are first deployed to cells, which minimizes the chance that a disruption caused by a service update such as a patch in one cell would disrupt other cells. Following a successful cell-based deployment, service updates are next deployed to a specific zone, which limits the potential disruption caused by a service update to that particular zone. Following a successful zone deployment, service updates are then deployed in a staged manner to other zones starting with the same region and later within other regions until the process is complete.

OCC will continue to meet regularly with staff of the CSP, in addition to formal quarterly Briefing Meetings with the CSP as described in the Reg SCI Addendum. The informal discussions and quarterly Briefing Meetings will permit OCC to gather information in advance of the quarterly Systems Change report. Most reportable systems changes will continue to occur based on changes to Compute, Storage, Network, or applications controlled by OCC.

iii. Resiliency Through the Build Out of an On-Premises Data Center

OCC will maintain an on-premises data center to provide the ability to support core clearing, risk management, and data management applications in the unlikely and extraordinary event of either the termination of the Cloud Agreement for uncured breach or a multi-region outage at the CSP that simultaneously impacts OCC operations within all three zones in both regions.

OCC has designed the on-premises data center to operate 30 or more days to permit a smooth transition back to the Cloud (once the Cloud disruption is remediated) on a low volume day. From an architectural perspective, the on-premises data center is similar to adding a third CSP region with a single zone. While most technologies will remain the same with a failover to on-premises, there are several technologies that are only available at the CSP and for which alternative solutions must be devised. All equivalent on-premises core platform technologies that enable Compute, Network, and Storage will be operated by OCC with synchronous data replication between the Cloud and on-premises while member connectivity would remain unchanged. OCC will ensure adequate capacity in the on-premises data center for up to two and a half times observed peak volume. If the circumstances that required OCC to rely on the on-premises data center persist beyond seven days, OCC would take steps necessary to enhance its Storage to enable seamless operation of the on-premises data center for longer than 30 days.

iv. Resiliency Through the Use of “Store and Forward” Messaging Technology

OCC has designed the architecture to ensure it is able to support zero message loss and a quick recovery time. To meet these requirements the architecture places a premium on data integrity and throughput over the latency of any one transaction. The established techniques for this are “store and forward” messaging technology where messages are preserved until delivered to servers that consume the messages and synchronous writes to multiple servers. Unlike OCC's current system, the core clearing, risk management, and data management applications do not rely on block storage replication across CSP regions. The solution is entirely message based and message replication achieves the data redundancy required to deliver high availability services.

OCC will continue to rely on the existing “store and forward” messaging technology as the primary technology for exchanging messages with both exchanges & clearing members for the intake of clearing and settlement related information. The “store and forward” messaging technology manager is hosted on-premises and is replicated across all OCC on-premises data centers. The “store and forward” messaging technology will then forward messages to the hot/warm instances at the CSP and the redundant on-premises data center applications.

Core clearing, risk management, and data management applications rely on a platform for managing containerized workloads and messaging services. This platform enables multi-region message replication with synchronous acknowledgement. The platform will treat the on-premises data center as another region, with messages being replicated to all three regions (the two Cloud regions and on-premises).

The core clearing, risk management, and data management application architecture deployed across the two CSP regions and on-premises will maximize data integrity and throughput during routine operations and enhance failover should it be necessary.

Audit and Controls Assessment

OCC has a plan in place to continually test the Cloud security controls and OCC's readiness for the Cloud Implementation, and also has processes in place to regularly audit and test security controls and configurations, including by monitoring the CSP's technical, administrative, and physical security controls that support OCC's systems in the Cloud Infrastructure.

i. Internal Risk Assessments

In addition to existing OCC Third Party Vendor Risk Management activities, OCCs Third Party Risk Management department (“TPRM”) will assess the operational risks of the CSP as a critical vendor annually. Additionally, OCC conducts a technology risk assessment, which is an evaluation of risks to OCC's critical systems, monitoring of key risk indicators (“KRI”), risk events, security events, and key controls, and which will encompass all risks presented by the CSP, on an annual basis.

ii. External Risk Assessment

OCC engaged a third-party familiar with Cloud Infrastructure best practices to conduct a design effectiveness review of the OCC's proposed Cloud strategy, application architecture, and related security and resiliency controls. The External Risk Assessment focused on: (i) Cloud reference architecture, capabilities, and controls required to host applications in the Cloud; (ii) existing and planned resiliency capabilities to meet a two-hour recovery time objective of OCC's critical services; and (iii) design of the existing and planned security controls during and after the Cloud Implementation.

The External Risk Assessment identified strengths in OCC's planned Cloud Implementation, including that OCC incorporated several leading security practices as well as support for elastic capacity and the ability to scale effectively into its plan. The External Risk Assessment also included recommendations to supplement OCC's execution plan for the Cloud Implementation and were broadly categorized into six technical areas: (i) Workload isolation and networking; (ii) automation and pipelines; (iii) data fabric and data lifecycle management; (iv) platform shared services and support model; (v) security shared services and support model; and (vi) resiliency. Recommendations were categorized across two dimensions: (i) Program priority (high, medium, or low) and (ii) implementation action (start, accelerate, or continue). A recommendation does not necessarily mean OCC would not have implemented the recommended action absent the recommendation, as several of the recommendations were for OCC to continue an activity it had already begun. OCC has a plan in place to address the recommendations provided in the External Risk Assessment and will track the plan to completion.

iii. Internal Audit Department Plan Related to Cloud Implementation

As mentioned above, starting in 2021 and going forward, the Internal Audit Annual Plan is designed to assess important elements of the new core clearing, risk management, and data management applications roll-out. For example, the 2021 Audit Plan includes an audit on the Cloud Implementation. This audit included an analysis of OCC's disposition of the findings in the External Risk Assessment, determined if the risks associated with findings have been adequately addressed, evaluated OCC's strategy in the event it needs to transition from the CSP at any time, evaluated the adequacy of OCC's remediation plans and timelines, and OCC's assessment of the third-party CSP attestation report (SOC). The Internal Audit Department plans to augment internal resources with co-source resources with specific expertise in Cloud-based controls and has conducted a department-wide training of Cloud auditing, with additional training to be conducted as necessary.

iv. Audit Symposium and Access Rights

The CSP hosts an annual Audit Symposium, which will allow OCC to review evidence supporting the CSP's control environment. The CSP also hosts an annual Cloud security conference focused on Security, Governance, Risk and Compliance.

OCC Information Technology staff currently meets with CSP representatives weekly to focus on technical issues related to OCC's proposed Cloud environment. In addition, OCC will be holding compliance briefings with the CSP quarterly, wherein the CSP will provide OCC with documentation ( e.g., SOC 2 Report) and assist OCC's preparation for the Audit Symposium. OCC management, including Security, Information Technology, and the Internal Audit Department, will coordinate to ensure appropriate representation during the planned briefings. TPRM will help initiate and orchestrate the annual reviews.

v. Key Risk and Key Performance Indicators

OCC has also established several key risk indicators (“KRI”) and key performance indicators (“KPI”) to evaluate OCC's management of risk and the CSP's performance during the Cloud implementation and ongoing operation. The KRIs are approved by and regularly reported to OCC's Management Committee, Board of Directors, and the Risk Committee of the Board of Directors.

OCC has developed Cloud KPIs and socialized these KPIs internally. The KRIs already exist for core clearing, risk management, and data management applications and are aligned to overall systems availability, capacity, data integrity, and security. The CSP KPIs feed into existing KRIs and will continue to be used to evaluate the CSP's performance after the Cloud Implementation. KPIs will be added to monitor the performance and risks of the CSP services for which OCC has contracted. These post-Cloud Implementation KRIs and KPIs will allow OCC to assess its ongoing use of the CSP against its operational and security requirements and will demonstrate the effectiveness of risk controls and the CSP's performance against commitments in the Service Level Agreements, and will be reported on a regular basis to OCC's Management Committee, Board of Directors, and Technology and Risk Committees of the Board of Directors.

vi. Auditing the CSP Post Cloud-Implementation

OCC's Cloud Agreement gives OCC the right to attend the CSP Audit Symposium annually so that OCC may inspect and verify evidence of the design and effectiveness of the CSP's control environment and physical security controls in place at the CSP's data centers. Through preparation for and attendance at this symposium, OCC may also provide feedback and make requests of the CSP for future modifications of the control environment. The CSP is also required to maintain an information security program, including controls and certifications, that is as protective as the program evidenced by the CSP's SOC-2 report. The CSP must make available on demand to OCC its SOC-2 report as well as the CSP's other certifications from accreditation bodies and information on its alignment with various frameworks, including NIST, CSF, and ISO. TPRM will coordinate an annual risk assessment of OCC's relationship with the CPS. TPRM, Security, and Business Continuity will determine the adequacy and reasonableness of the documentation received to complete the Third-Party Risk Assessment. Finally, the Cloud Agreement provides that OCC's regulators may visit the facilities of the CSP under specified conditions.

OCC plans to use the CSP's services combined with additional third-party tools to monitor systems deployed by ingesting logs into a security incident and event monitoring tool to provide a single pane of glass view into the Cloud Infrastructure (and the on-premises data center to the extent it is used). When incidents are detected, OCC will follow its existing incident response governance to identify, detect, contain, eradicate, and recover from incidents.

Consistency With the Payment, Clearing and Settlement Supervision Act

The stated purpose of the Clearing Supervision Act is to mitigate systemic risk in the financial system and promote financial stability by, among other things, promoting uniform risk management standards for systemically important financial market utilities and strengthening the liquidity of systemically important financial market utilities. Section 805(a)(2) of the Clearing Supervision Act also authorizes the Commission to prescribe risk management standards for the payment, clearing and settlement activities of designated clearing entities, like OCC, for which the Commission is the supervisory agency. Section 805(b) of the Clearing Supervision Act states that the objectives and principles for risk management standards prescribed under Section 805(a) shall be to:

• Promote robust risk management;
• promote safety and soundness;
• reduce systemic risks; and
• support the stability of the broader financial system.

The Commission has adopted risk management standards under Section 805(a)(2) of the Clearing Supervision Act and the Exchange Act in furtherance of these objectives and principles. Rule 17Ad-22 requires registered clearing agencies, like OCC, to establish, implement, maintain, and enforce written policies and procedures that are reasonably designed to meet certain minimum requirements for their operations and risk management practices on an ongoing basis. Therefore, the Commission has stated that it believes it is appropriate to review changes proposed in advance notices against Rule 17Ad-22 and the objectives and principles of these risk management standards as described in Section 805(b) of the Clearing Supervision Act.

OCC believes that the proposed changes are consistent with Section 805(b)(1) of the Clearing Supervision Act and the requirements of Rules 17Ad-22(e)(17) and (e)(21) under the Act because the Cloud Implementation would provide OCC with resilient, secure, and scalable core clearing, risk management, and data management systems that far exceeds what is currently possible in an on-premises infrastructure.

Rule 17Ad-22(e)(17)(ii) requires OCC to establish, implement, maintain, and enforce written policies and procedures reasonably designed to manage OCC's operational risk by “ensuring that systems have a high degree of security, resiliency, operational reliability, and adequate, scalable capacity.” OCC maintains several policies specifically designed to manage the risks associated with maintaining adequate levels of system functionality, confidentiality, integrity, availability, capacity and resiliency for systems that support core clearing, risk management, and data management services. As stated above, resiliency of the Cloud Infrastructure is built into the system with functionality for OCC's core clearing, risk management, and data management applications to run in multiple zones within multiple regions. Regions are isolated from one another and are designed in part to minimize the possibility of a multi-region outage. OCC has designed the infrastructure to have primary (hot)/secondary (warm) zones at all times ensuring Compute, Storage, and Network resources would be available in a new redundant region in the event of a primary region failure. As a result, the Cloud Infrastructure offers OCC multiple redundancies within which to run its core clearing, risk management, and data management applications while simultaneously restricting the effect of an incident at the CSP to the smallest footprint possible. Furthermore, in the unlikely and extraordinary event OCC loses access to each of the six levels of resiliency within the CSP environment, OCC can failover to an on-premises backup that will permit continued operations of core clearing, risk management, and data management applications.

OCC has established a robust Cloud security program to manage the security of the core clearing, risk management, and data management applications that will be running in the Cloud and to monitor the CSP's management of security of the Cloud Infrastructure that it operates. Processes are formally defined, automated to the fullest extent, repeatable with minimal variation, accessible, adhered to, and timely. The enterprise security program encompasses all OCC assets existing in OCC offices, data centers, and within the Cloud Provider's Cloud Infrastructure, and IAM controls ensure least-privileged user access to applications on the Cloud. OCC has appropriate controls in place to ensure the security of confidential information in-transit between OCC data centers and the Cloud Infrastructure, between systems within the Cloud Infrastructure, and at-rest. All network communications between OCC and the Cloud will rely on industry standard encryption for traffic while in transit, and data at rest will be safeguarded through pervasive encryption. Finally, automated delivery of business and security capability via the use of the “Infrastructure as Code,” Cloud agnostic tools, and continuous integration/continuous deployment pipeline methods ensure security controls are consistently and transparently deployed.

Since additional computing power can be launched on demand, the scalability in a Cloud computing environment is considerable and instantaneous. OCC could provision or de-provision Compute, Storage, and Network resources to meet demand at any given point in time. In the current on-premises environment, immediate scalability is limited by the capacity of the on-premises hardware: OCC would need to obtain additional physical servers and network equipment to scale beyond the limits of the on-premises hardware, potentially affecting the ability to quickly adapt to evolving market conditions, including spikes in trading volume.

Rule 17Ad-22(e)(21) requires OCC to establish, implement, maintain, and enforce written policies and procedures reasonably designed to “be efficient and effective in meeting the requirements of its participants and the markets it serves,” and to have OCC's management regularly review the “efficiency and effectiveness of, [ inter alia, ] its (i) clearing and settlement arrangements and (ii) operating structure, including risk management policies, procedures, and systems.” OCC maintains policies designed to enable the regular review of the efficiency and effectiveness of the arrangements and operating structures supporting OCC's identified goals and objectives. There are several significant efficiency benefits to the Cloud Implementation, including:

• Ad-hoc reporting capability with new filtering functionality and application programming interfaces to make it easier to procure and submit data to and from the system.
• The capability to quickly add or remove Compute, Storage, or Network resources to meet changing application needs and market volatility.
• The capability to (i) run certain back testing processes that used to take days to months in a few hours; (ii) manage multiple back testing processes the same time; and (iii) eliminate any undue delay in the evaluation of potential risk management enhancements for the industry.
• The scalability to more efficiently meet historical data storage needs, provide data access through standard data services, and the ability to respond quickly to regulatory requests.
• Easy and secure access to high-quality, high-fidelity data, including a centralized, enterprise-wide repository to store and provide timely access to system of record data.

Accordingly, the proposed changes: (i) Are designed to promote robust risk management; (ii) are consistent with promoting safety and soundness; and (iii) are consistent with reducing systemic risks and promoting the stability of the broader financial system. The proposed changes also ensure that OCC systems have a high degree of security, resiliency, operational reliability, and adequate, scalable capacity, and enable OCC to be efficient and effective in meeting the requirements of its participants and the markets it serves. For the foregoing reasons, OCC believes that the proposed changes are consistent with Section 805(b)(1) of the Clearing Supervision Act and Rules 17Ad-22(e)(17) and (e)(21) under the Exchange Act.

III. Date of Effectiveness of the Advance Notice

The proposed change may be implemented if the Commission does not object to the proposed change within 60 days of the later of (i) the date the proposed change was filed with the Commission or (ii) the date any additional information requested by the Commission is received. OCC shall not implement the proposed change if the Commission has any objection to the proposed change.

OCC shall post notice on its website of proposed changes that are implemented. The proposal shall not take effect until all regulatory actions required with respect to the proposal are completed.

IV. Solicitation of Comments

Interested persons are invited to submit written data, views, and arguments concerning the foregoing, including whether the advance notice is consistent with the Clearing Supervision Act. Comments may be submitted by any of the following methods:

Electronic Comments

• Use the Commission's internet comment form ( http://www.sec.gov/rules/sro.shtml ); or

• Send an email to rule-comments@sec.gov. Please include File Number SR-OCC-2021-802 on the subject line.

Paper Comments

• Send paper comments in triplicate to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.

All submissions should refer to File Number SR-OCC-2021-802. This file number should be included on the subject line if email is used. To help the Commission process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's internet website ( http://www.sec.gov/rules/sro.shtml ). Copies of the submission, all subsequent amendments, all written statements with respect to the advance notice that are filed with the Commission, and all written communications relating to the advance notice between the Commission and any person, other than those that may be withheld from the public in accordance with the provisions of 5 U.S.C. 552, will be available for website viewing and printing in the Commission's Public Reference Room, 100 F Street NE, Washington, DC 20549 on official business days between the hours of 10:00 a.m. and 3:00 p.m. Copies of the filing also will be available for inspection and copying at the principal office of the self-regulatory organization.

All comments received will be posted without change. Persons submitting comments are cautioned that we do not redact or edit personal identifying information from comment submissions. You should submit only information that you wish to make available publicly.

V. Date of Timing for Commission Action

Section 806(e)(1)(G) of the Clearing Supervision Act provides that OCC may implement the changes if it has not received an objection to the proposed changes within 60 days of the later of (i) the date that the Commission receives the Advance Notice or (ii) the date that any additional information requested by the Commission is received, unless extended as described below.

Pursuant to Section 806(e)(1)(H) of the Clearing Supervision Act, the Commission may extend the review period of an advance notice for an additional 60 days, if the changes proposed in the advance notice raise novel or complex issues, subject to the Commission providing the clearing agency with prompt written notice of the extension.

Here, as the Commission has not requested any additional information, the date that is 60 days after OCC filed the Advance Notice with the Commission is December 7, 2021. However, the Commission finds the issues raised by the Advance Notice complex because OCC proposes to migrate its clearing, risk management, and data management applications to a cloud infrastructure with an on-demand network of configurable information technology resources running on virtual infrastructure hosted by a third party. The Commission also finds the issues raised by the Advance Notice novel because the proposed migration of a covered clearing agency's clearing, risk management, and data management applications to a third-party-hosted cloud infrastructure represents a novel circumstance in the U.S. markets that would require careful scrutiny and consideration of its associated risks. Therefore, the Commission finds it appropriate to extend the review period of the Advance Notice for an additional 60 days under Section 806(e)(1)(H) of the Clearing Supervision Act.

Accordingly, the Commission, pursuant to Section 806(e)(1)(H) of the Clearing Supervision Act, extends the review period for an additional 60 days so that the Commission shall have until February 5, 2022 to issue an objection or non-objection to advance notice SR-OCC-2021-802.

All submissions should refer to File Number SR-OCC-2021-802 and should be submitted on or before November 23, 2021.