FinOps

News of financial ops, regs and tech


CISOs Scurry to Prepare for DTCC’s Approved Two-Hour Cyberbreach Notification

December 22, 2025 By Chris Kentouris

The U.S. Securities and Exchange Commission’s unexpected approval of a two-hour window for participants of Depository Trust Company (DTC), National Securities Clearing Corp. (NSCC) and Fixed Income Clearing Corp. (FICC) to notify the market infrastructures of a potential cybersecurity breach or other data outage has chief information security officers (CISOs) and others at U.S. broker-dealers and banks scrambling to prepare.

The two-hour timetable stands in sharp contrast to the 48-hour or 72-hour window that DTC and its sister clearinghouses must fulfill to notify a multitude of U.S. national, state and foreign agencies about any cyberbreaches they experience. It also stands out as one of the world’s shortest deadlines, which will likely translate into a substantial compliance burden for U.S. CISOs, information technology, and compliance directors. “Meeting the two-hour window for notification requires an immediate overhaul of discovery, triage, and escalation playbooks,” explained Tony Pietrocola, president and co-founder of AgileBlue, a Cleveland-based global cybersecurity firm. “The two-hour clock forces an organization to treat potential market-impacting incidents not as an investigative challenge, but as a time-critical emergency response.” To minimize the market-wide impact of a cyberbreach, he recommended that CISOs implement the following four-step process: update incident response times and playbooks to coincide with the compliance frameworks; engineer all 24/7 security operations capabilities to meet these requirements; develop modern training and assessment curriculums for all employees; and audit, test and refine all procedures at least quarterly. AgileBlue offers security operations center (SOC) as a service.

In ignoring pleas from the broker-dealer watchdog Securities Industry and Financial Markets Association (SIFMA) to veto the DTC’s request for a two-hour notification timetable, the SEC published its approval in a 33-page ruling that appeared on November 20 in the Federal Register. (The DTC said its request also reflected the wishes of NSCC and FICC.) The SEC’s decision has surprisingly received no other media attention so far, despite the likely need for CISOs to revamp their entire cybersecurity programs, which are designed to mitigate the potential for a cyberbreach and to reduce the financial damage if one has occurred. NSCC previously said it would implement the new rule no later than 60 days after its publication in the Federal Register, but no date was given in the SEC’s final ruling. In fact, the SEC’s decision appeared in the category of proposed rule change filings for self-regulatory organizations, on the final page of the November 20 bulletin. Given the contentious nature of the interactions between DTCC and SIFMA about the two-hour notification, one can only presume that DTCC is in negotiations with the SEC and/or SIFMA on an implementation timetable. Short for Depository Trust & Clearing Corp., DTCC is the parent firm of DTC, NSCC and FICC. DTCC, SIFMA and the SEC did not respond to requests for comment for this article.

Industry Shock

Although Wall Streeters had expected the DTC’s request for a short timeframe for cyberbreach notification to be approved, industry consensus was that it would likely be between 12 hours and 24 hours. “No one anticipated this result, and we have no choice but to start preparing,” one dismayed CISO at an East Coast brokerage told FinOps Report. Yet another said, “It’s just too mind-boggling.” The DTC did tweak some of its initial requirements in its amended rule, but certainly not enough to appease its participants. Opinions differed as to why the SEC would agree to DTC’s two-hour request in the face of such vigorous industry opposition. One conclusion was that the SEC was following its historic trend of rubber-stamping DTC’s requested rule changes. No one could remember a time when the SEC overruled DTC’s wishes. However, a more practical reason could be at play, some CISOs acknowledged. As the U.S. umbrella organization for clearing and settling U.S. securities transactions, Depository Trust & Clearing Corp. (DTCC) serves as the linchpin for the financial market, with subsidiary DTC alone processing a whopping USD$3.8 quadrillion in total value of securities in 2024. A cyberbreach or data outage at a member firm could affect its connectivity to DTC, NSCC, FICC and other counterparties.

For some third-party cybersecurity experts, the DTC’s stance is reasonable. “I do think there is a meaningful misconception in how the two-hour window is being characterized,” Christian Geyer, founder and CEO of Reston, Virginia-based Actfore, told FinOps Report. “The obligation is not two hours from the moment an attacker gains access, which would be unrealistic, but from the point at which a firm has determined a reportable incident or system disruption has occurred.” That determination is typically governed by established escalation, review, and interpretation processes. Why does the distinction on when the two-hour clock begins matter? It materially reduces the compliance burden compared to how the two-hour rule is often portrayed, according to Geyer, whose firm provides artificial intelligence-based software to analyze cybersecurity breaches. Nonetheless, it won’t be easy for broker-dealers and banks to meet an explicit timetable. “Broker-dealer and bank participants of DTCC will have to create a specific playbook for DTCC notification,” said Michael Sarlo, chief information officer for HaystackID, a Chicago-headquartered firm offering cybersecurity consulting services. “Due to the short timeframe, DTCC’s participants will lean heavily on their CISOs to decide whether to notify the depository and clearinghouses rather than having input from their legal departments.” For some, that outcome simply isn’t fair. “No one wants the CISO and tech team wordsmithing a report,” cautions Joanna Fields, managing director of New York-based regulatory compliance, risk and cybersecurity consultancy Aplomb Strategies. “The CISO and tech team should be figuring out what happened and how to protect the firm.”

Preparations in Play

Despite the lack of an effective date for implementing DTCC’s new rule, cybersecurity specialists at U.S. broker-dealers and banks are starting to reevaluate their procedures. The CISOs who spoke with FinOps Report insist they will be in “overdrive mode” over the holidays to consult with external legal counsel, redesign the notification process for cyberbreaches, and rewrite compliance manuals. Mock sessions will also be necessary to determine how the two-hour process would work for specific triggers, such as any cyberbreach or IT glitch that would affect the firm’s connectivity with DTC, NSCC, or FICC. The issue will become how to define a cyberbreach or IT glitch. Mike Summers, an attorney with Reed Smith in Denver specializing in data privacy and cybersecurity regulations, recommended that CISOs discuss the new two-hour timetable with their IT departments to operationalize the necessary changes. “It is important to bring IT executives into the discussion early rather than having management [the legal department or CISO] force compliance documents onto the IT team, which I have seen done,” he said. “From there, hopefully, a practical plan can be produced knowing the first notification will likely have lots of unknowns.”

CISOs appear to have the greatest worry about managing their interactions with vendors, which are considered the weakest link in the cybersecurity chain. “Third-party service providers are not regulated and might not be able to meet the two-hour deadline,” warns Fields. “Regulated entities, such as banks and broker-dealer members of DTCC, can’t limit themselves to only using vendors that can meet the timetable.” Since broker-dealers and banks typically have at least several dozen critical third-party relationships, rewriting contracts and reeducating external staff could become the most time-consuming and costly aspect of adapting to DTCC’s new environment. Miscommunication with vendors can lead to catastrophic results, as shown in the recent case of global derivatives trading giant CME Group. Although human error was cited as the reason CME Group had to shut down its trading platform for over 10 hours between November 27 and November 28, unclear information also played a big role. According to media reports, CyrusOne, which operates CME’s primary data center, did not implement the necessary procedures to adjust the cooling systems at that data center, and internal temperatures rose too high for CME’s servers to function. CyrusOne initially downplayed the seriousness of the situation but subsequently changed its description to severe. CME could have switched over to a backup center somewhere in New York, but CyrusOne’s repeated reassurance that it was working on the problem likely led CME to decide there was no need for drastic action. Fixing the cooling issue was deemed less risky than relying on another operating center. (One conspiracy theory that has emerged is that CME wanted to temporarily pull the plug on trading to protect large commodity futures makers facing massive financial losses from a potential short squeeze on silver.)

As reported by FinOps Report, the controversy between DTCC and member firms over how quickly to notify DTC and its sister organizations in case of a cyberbreach or IT loss erupted back in March 2025, when DTCC requested the two-hour timetable. After that point, the tit-for-tat match between DTCC and SIFMA, representing DTCC’s member firms, was lit, as shown by the flurry of letters exchanged between the organizations through the SEC until June 2025. Although DTCC’s request on the time limit was one of several in its amended rule change, it generated the biggest controversy. Among the other requirements approved by the SEC were giving DTC and its sister clearinghouses a say in how the member firm corrects the cybersecurity breach or data outage. Member firms must also offer a summarized or detailed report from a third-party cybersecurity specialist firm as to how the situation could be rectified.

In an April 17, 2025 letter to the SEC, SIFMA urged DTCC to consider a 36-hour window as feasible. Two hours simply isn’t enough time to gather all the necessary information, and the 36-hour timetable is based on a requirement imposed by the Office of the Comptroller of the Currency in 2021, which is already far shorter than the industry standard. The New York Department of Financial Services has a 72-hour window for notification. So does the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which mandates notification to the Cybersecurity and Infrastructure Security Agency (CISA). Europe’s General Data Protection Regulation (GDPR) also calls for financial firms to notify a regulatory agency within 72 hours of a breach involving personal data.

In a June 20, 2025 letter to the SEC, DTCC countered that the two-hour window wasn’t a revolutionary change. It was simply a clarification of the existing policy of “immediate” notification. In approving DTCC’s two-hour request, the SEC agreed with the market infrastructure that a 36-to-72-hour timeframe would not allow DTC and the clearing agencies sufficient time to effectively address a cyberbreach or systems disruption. U.S. state and federal timetables simply don’t address situations in which financial firms are connected to a market infrastructure, where a breach or outage has widespread ramifications. It is that interconnectivity which makes the two-hour window essential.

Global Norm

As a rule of thumb, it appears that overseas securities depositories also call for quick notification, immediate or without undue delay, when a cybersecurity breach occurs, but they lack explicit time limits. In its August 2025 manual, Canada’s central securities depository, Canadian Depository for Securities (CDS), indicated that a participant must “immediately” notify CDS and promptly confirm the security incident if it becomes aware an incident has occurred or is occurring that involves “a disruption or intrusion of, the participant system(s) that is reasonably likely to impose an imminent risk or threat to CDS’ operation or the operations of the Canadian financial markets.” The “immediate” requirement applies to all of CDS’ participants regardless of the Canadian province in which they are located. CDS is part of TMX Group, which also owns the Toronto Stock Exchange, TSX Venture Exchange, and the Montreal Exchange. India is a notable exception to the global norm in that members of its two depositories must report “major impactful breaches” to the national Indian Computer Emergency Response Team (CERT-In), the government agency setting cybersecurity policy, within six hours of their discovery. SWIFT’s Customer Security Programme (CSP) requires the immediate reporting of cyberbreaches to the La Hulpe, Belgium-headquartered global network provider. (The exact language is contained in SWIFT’s documentation restricted to members, and SWIFT officials declined to comment.) The CSP was implemented in 2017, the year after hackers successfully breached Bangladesh’s central bank, Bangladesh Bank, to send fraudulent MT-based payment messages through the SWIFT network and ultimately siphon off USD$81 million from the central bank’s account at the Federal Reserve Bank of New York to fake beneficiary accounts. (Insisting its core network was never compromised, SWIFT was never blamed for the cyberheist. Instead, Bangladesh Bank acknowledged vulnerabilities in its security practices.) Among the CSP’s requirements are that SWIFT members annually attest to effective cybersecurity programs, strengthen their monitoring and authentication processes, and improve access control.

Just how successful DTCC will be in imposing a new two-hour window for cyberbreach notification is uncertain. The market infrastructure could accidentally end up defeating its noble purpose, according to some experts. The two-hour timetable simply isn’t feasible given the vast inventory of systems, applications, networks, and protocols that must be reviewed. “There might not be sufficient time to filter out all the noise of false positives that a cybersecurity breach has actually occurred,” explained HaystackID’s Sarlo. “As a result, the decision could be made to report anything that looks suspicious.”

KentourisC@gmail.com
917.510.3226

