Chief information security officers (CISOs) at U.S. broker-dealers and banks may soon need to overhaul their governance programs if the Depository Trust & Clearing Corporation (DTCC) has its way.
U.S. financial firms are in a logjam with DTCC’s subsidiaries, Depository Trust Company (DTC), National Securities Clearing Corporation (NSCC), and Fixed Income Clearing Corporation (FICC), over when and under which circumstances to notify the market infrastructures about their cybersecurity breaches. The DTC, NSCC and FICC want their members to inform them of any data breach, whatever its cause, within 120 minutes (two hours) of the event’s discovery. They also want a say in how member firms resolve any data breach that could compromise connectivity with a DTCC subsidiary, and reassurance about how the situation has been rectified.
Represented by the Securities Industry and Financial Markets Association (SIFMA), DTCC’s members counter that the proposed policies are unreasonable. They exceed any state and national guidelines, including those about reporting to the Cybersecurity and Infrastructure Security Agency (CISA), by a long shot. Amended in November 2023, the NYCRR 500 regulation issued by the New York Department of Financial Services (NYDFS) relies on a 72-hour window for notification to the regulatory agency. So does the Cyber Incident Reporting for Critical Infrastructure Act of 2022 in requiring notification to CISA; under the timetable, expected to be published in May 2026, the window is reduced to 24 hours for a ransomware payment made to a hacker. (The DTCC’s new proposed rule doesn’t mention ransomware.) Article 33 of Europe’s General Data Protection Regulation (GDPR), adopted in 2018, also allows a financial firm 72 hours to inform a supervisory authority after a leak of personally identifiable data occurs. The DTCC must report data breaches to the SEC, Commodity Futures Trading Commission (CFTC), Federal Trade Commission (FTC), state agencies such as the NYDFS and even state attorneys general, depending on where the breach occurred. If an international member of the DTCC were involved, the market infrastructure would need to follow foreign laws, such as the GDPR.
The heated interactions between the DTCC and its members are being played out in comment letters to the Securities and Exchange Commission (SEC) published on the regulatory agency’s website. (SIFMA was the only organization which sent a comment letter.) The SEC, which must approve any rule change by the DTC and its sister clearinghouses, has decided not to rubber-stamp the DTCC’s request. Instead, there will be administrative proceedings to reach an acceptable compromise between the opposing sides. As the only U.S. depository and clearinghouses for processing securities transactions in U.S. dollar-denominated equity and debt, DTC, NSCC and FICC can dictate the terms of engagement for member firms. The market infrastructure is responsible for ensuring the exchange of securities and cash between buyers and sellers, with ownership of accounts registered on the books of DTC in the name of a broker-dealer or bank intermediary. The DTC alone processed a whopping USD 3.8 quadrillion in total value of securities in 2024.
The DTCC’s new requirements, if adopted, must be incorporated into a member broker-dealer’s or bank’s cybersecurity program, which is designed to mitigate cyberattacks and to address them when they occur. First implemented by the DTCC in 2019, DTCC’s client cybersecurity readiness program requires members to confirm their policies follow a national standard such as the NIST Cybersecurity Framework or ISO 27001/27002. Given DTCC’s enhancements to its own cybersecurity breach preparedness program, it stands to reason that it would also want to raise the bar for member firms. The market infrastructure has previously elevated its own Securities Operations Center to a CyberThreat Fusion Center to track and curtail cyberbreaches faster by combining cyberthreat intel, threat defense operations, incident response, threat hunting and government compliance. What appears to have been a disjointed effort among DTCC’s units has turned into a seamless coordinated strategy. “We turned every test into a purple team exercise, fostering real time collaboration between red and blue teams,” wrote Shawn Baird, associate director for offensive strategy and tactics at DTCC, in a November 2024 article appearing on Pentera’s website. “This approach improved our mean time to respond and contain incidents by 30 percent to 50 percent over the past two years.” DTCC uses Pentera’s security platform to simulate real-world attacks and identify vulnerabilities. DTCC was assigned a cybersecurity rating of 829 out of a maximum of 950 by cyber risk assessment firm UpGuard, based on its analysis of website security, email security, phishing and malware, brand and reputation risk, and network security.
The DTCC’s own Systemic Risk Barometer Survey for 2025 showed cyber risk as the second most cited among the top five risks for two years in a row, trailing geopolitical risk. The financial services industry is vulnerable to cyberattacks because it handles tremendous amounts of money and sensitive personal data. Brief periods of downtime can cause a domino effect, which in the case of DTCC means costly delays in clearing and settling securities transactions. In November 2023, ICBC Financial Services, the U.S. financial unit of Chinese bank ICBC, experienced a ransomware attack which disrupted some operating systems, such as those used to clear U.S. cash Treasury trades and Treasury repo transactions. The disruption left the brokerage unable to settle trades for other market players, and it temporarily owed its Treasury clearing agent BNY (BK) US$9 billion. Cyberbreaches can also affect market stability, leading to higher volatility and forcing exchanges, under SEC regulations, to trigger circuit breakers that temporarily halt trading during significant price declines. However, circuit breakers are not used in after-hours trading, leaving investors vulnerable to large price fluctuations.
Different Strokes
The conflict between the DTCC and member firms dates back to March 2025, when the DTC initially asked the SEC to approve its rule change concerning cybersecurity breach notification. At that time, the DTC said that it spoke for NSCC and FICC as well in wanting to alter the current policy of “immediate” notification to an explicit two-hour timetable. “The proposed addition of not later than two hours after experiencing the disruption was simply to provide context on what the clearinghouses meant by immediate,” wrote W. Carson McLean, managing director and deputy general counsel for DTCC, in its June 20, 2025 letter to the SEC. He also noted that the new deadline would allow DTC and the clearinghouses to access information more quickly to reduce the impact of any data breach on the market infrastructures and other participants. Even if a member of DTC, NSCC or FICC doesn’t have all the necessary information about how the breach occurred, it must still inform either the DTC or the appropriate clearinghouse within two hours after the event occurred.
Although DTCC considers its proposed requirement for cyberbreach notification to be nothing more than a clarification of existing policy, member firms are adamant that it is a revolutionary change. In SIFMA’s April 17, 2025 comment letter to the SEC, the trade group asserted that a 36-hour window for notifying DTC and its sister clearinghouses is more realistic. That timetable is consistent with requirements of the banking watchdog Office of the Comptroller of the Currency, adopted in 2021. SIFMA pleaded with the SEC to understand the operational challenges its members would face in fulfilling the two-hour requirement. “Two hours is also not sufficient time for participants to gather all the information required by DTCC, nor does it allow time to properly determine impacts which could result in participants significantly over reporting incidents in order to avoid missing deadlines and risk being non-compliant,” wrote Stephen Byron, managing director and head of operations, technology, cyber and business continuity planning for SIFMA. The two-hour deadline is even more unrealistic if the data breach occurred at a third- or fourth-party vendor, such as a cloud service provider.
Based on what five CISOs at U.S. East Coast wirehouses told FinOps Report on condition of anonymity, there could be a gap of anywhere from five to 24 hours from the time a data breach is discovered by a business line to the time a CISO is notified. The two reasons given for the delay were surprising. “A business line manager will often try to fix the issue within his or her silo with a junior IT manager before contacting a senior-ranking IT executive,” confessed one CISO. “The manager might also erroneously conclude that if no customer information were leaked, there would be no need to immediately notify a CISO.” All of the CISOs insisted the two-hour deadline was not feasible based on their current operating procedures. They refused to say what they would do if they were forced to meet the DTCC’s new requirement. Tyler Thompson, a partner specializing in data privacy at the law firm of Reed Smith in Denver, called the DTCC’s proposed two-hour notification policy counterproductive. “When an incident becomes a notifiable breach can be a gray area,” he said. “The reality is that a two-hour timetable forces firms to operate in that gray area and discourages them from labeling an incident a breach until they know they can hit the timing.”
As for what constitutes a cybersecurity breach, the DTCC made it clear in its request for a rule change that it wants to include any event which could cause a potential disruption of service and prevent a firm from connecting with DTC and its sister clearinghouses. DTCC even wants member firms to report any anticipated unavailability of a system, a stance SIFMA believes is “subjective, vague and impractical.” The trade organization is eager to narrow the scope of notification to only “substantial incidents caused by malicious cybersecurity breaches,” based on a definition used by the Options Clearing Corporation (OCC), the Chicago-based clearinghouse for U.S. listed options. However, DTCC believes SIFMA’s criteria are too narrow. “First, concepts such as substantial, critical, and malicious are subjective and would likely result in different interpretations and applications among participants,” wrote DTCC’s McLean in its June letter to the SEC. “Second, there is no direct correlation between a substantial or critical incident at a Participant and the corresponding or subsequent effect at the Clearing Agencies.” A malware incident may appear to be unimportant, but it could still cause a significant disruption at DTCC. It also doesn’t matter whether malicious intent was involved. Malfunctions and corruptions in a participant’s system could still harm DTCC’s systems, according to the market infrastructure. The five CISOs who spoke with FinOps Report said they can’t predict the unavailability of a system, and they don’t want to increase the number of incident filings with the DTCC. For Thompson, the DTCC’s definition of a data breach is “unreasonable.” Because the criteria don’t align with the typical standard, financial firms may have to deal with two separate meanings within the same organization, he said.
To Compromise or Not
In its June letter to the SEC, the DTCC didn’t appear willing to budge on its proposed requirement for two-hour notification or on its broader criteria for when a breach must be disclosed. It also won’t change its mind about requiring a participant to acquiesce to its wishes as to how the participant handles the cybersecurity incident. The DTCC could ask the participant to act on its instructions to “either take or refrain from taking action the Corporation considers appropriate to help address, correct, mitigate or alleviate the Major System Event and, as appropriate and practical facilitate the continuation of services,” wrote McLean. “The proposed changes are intended to protect the Clearing Agencies’ systems (i.e. DTCC Systems) and, in turn, the Participants and them to make informed decisions regarding DTCC Systems, in consideration of all their Participants; and establish sufficient authority to act, in the event of a Major System Event, which, by definition must involve DTCC Systems.” Member firms which don’t follow the DTCC’s instructions could be subject to disciplinary action. SIFMA’s members insist the DTCC’s stance is intrusive. “However, while the industry recognizes that there are actions that DTCC can reasonably expect its participant to take (e.g. halting a specific process), it is the affected participants, and not DTCC, who are best placed to determine specific mitigation actions they should take,” countered SIFMA’s Byron in its letter to the SEC.
The DTCC is making some compromises, based on SIFMA’s feedback. However, those are relatively minor for member firms. Two of DTCC’s concessions involve the definitions of a participant and a third-party cybersecurity firm. The biggest accommodation appears to be how much information third-party cybersecurity firms must disclose to DTCC’s subsidiaries about how a data breach has been rectified. The DTCC initially asked for a “detailed, comprehensive and auditable report” while SIFMA’s members wanted to limit how much DTCC knows by “attesting” to the DTCC that they have fixed the situation. In finding a middle ground, DTCC’s McLean wrote to the SEC in June that DTC, NSCC and FICC would agree their members could provide a “summary” of any third-party cybersecurity firm’s evaluation rather than the full-blown analysis.
As FinOps Report went to press, the SEC had not posted any further comments on the DTCC’s amended rule change, leading one to believe Wall Street is comfortable with the DTCC’s final amended changes. However, the five CISOs who spoke to FinOps Report hoped that the proposed two-hour timetable for notification would ultimately be lengthened to anywhere from eight hours to 24 hours. The SEC will likely acquiesce to the DTCC’s other provisions, they believe. Therefore, with 2026 budget preparations around the corner, IT project managers and compliance managers should ask their C-level directors for higher operating budgets to prepare for the inevitable. Unfortunately, the opposite might happen. “The burden of complying with the DTCC’s proposed new rule will be so high that financial firms could deliberately stick their heads in the sand and hope for new business-friendly fixes before complying,” cautioned Reed Smith’s Thompson. That isn’t such a good idea given the odds. Although DTCC can still fulfill its aggressive timetable for cyberbreach notification by allowing financial firms more time, it faces the challenge of perception. “Will DTCC be willing to back off without being viewed as being too business-friendly?” questioned Thompson. The DTCC did not respond to FinOps Report’s emailed questions seeking comment for this article.