SEC Greenlights Fixes for Wall Street System Glitches and Outages
Published Date: 11/20/2025
Notice
Summary
The Depository Trust Company, Fixed Income Clearing Corporation, and National Securities Clearing Corporation got the green light to update their rules for handling system disruptions. These changes help protect participants—like banks and brokers—by making sure everyone knows what to do if tech glitches happen. The new rules kick in soon and aim to keep the financial system running smoothly without costly delays.
Analyzed Economic Effects
6 provisions identified: 0 benefits, 6 costs, 0 mixed.
Reconnection requires outside cyber report
Before a disconnected DTCC Systems Participant can be reconnected, it must provide (i) a detailed, comprehensive, and auditable report from a Third‑Party Cybersecurity Firm (or a summary), (ii) an attestation by a Participant Officer, and (iii) an executed indemnity acceptable to the Clearing Agency. The firm report must include a timeline, root cause analysis, confirmation that severe/critical items are resolved, and confirmation of normal operation for at least 72 hours, among other items.
Full cooperation and enforceable penalties
The rules require DTCC Systems Participants to cooperate 'fully and completely' with Clearing Agencies regarding a Major System Event and to follow Clearing Agency instructions when issued. If a participant fails to comply, the Clearing Agencies may impose any disciplinary action permitted under their rules and may require a participant to assume responsibility for a Third‑Party Provider's compliance failures.
Third‑party connections now covered
The rules explicitly expand the definition of DTCC Systems and DTCC Systems Participant to include systems of DTCC Affiliates and connections made through Third‑Party Providers and hardware/applications. This means a DTCC Systems Participant includes Respective Participants connected directly or through a Third‑Party Provider, and those connections are now subject to the Disruption Rules.
Two‑hour disruption notification rule
A DTCC Systems Participant must give the Clearing Agencies written notice immediately, and in any event within two hours of experiencing a Participant System Disruption. The required notice must include entity names, authorized contact information, and key event details such as event type, event effect, start date, discovery date, end date (if known), scope, and any public notices.
Mandatory reconnection testing and checks
Prior to approval of a Reconnection, the DTCC Systems Participant must demonstrate in a test environment that it can send and receive messages/transactions, replay or resubmit prior messages, reverse or void submissions, and confirm message integrity, and that it has alternative communication methods. Approval of Reconnection requires two or more members of the Clearing Agencies' senior-most management committee, after they are satisfied with the information and testing.
Standards for cyber firms and 'Best Practices'
The rules add a defined 'Third‑Party Cybersecurity Firm' that must be 'experienced in financial‑sector cybersecurity' and must employ 'Best Practices' (standards consistent with current financial‑sector cybersecurity standards, including language derived from Reg SCI). Clearing Agencies will require such firms when they are engaged under the Disruption Rules.