Updated 22/12/2024
In force

Version from: 07/03/2024

Article 9 - Information technology systems

1. A CCP shall design and ensure its information technology systems are reliable and secure as well as capable of processing the information necessary for the CCP to perform its activities and operations in a safe and efficient manner.

The information technology architecture shall be well-documented. The systems shall be designed to deal with the CCP’s operational needs and the risks the CCP faces, be resilient, including in stressed market conditions, and be scalable, if necessary, to process additional information. The CCP shall provide for procedures and capacity planning as well as for sufficient redundant capacity to allow the system to process all remaining transactions before the end of the day in circumstances where a major disruption occurs. The CCP shall provide for procedures for the introduction of new technology including clear reversion plans.

2. In order to ensure a high degree of security in information processing and to enable connectivity with its clearing members and clients as well as with its service providers, a CCP shall base its information technology systems on internationally recognised technical standards and industry best practices. The CCP shall subject its systems to stringent testing, simulating stressed conditions, before initial use, after making significant changes and after a major disruption has occurred. Clearing members and clients, interoperable CCPs and other interested parties shall be involved as appropriate in the design and conduct of these tests.

3. A CCP shall maintain a robust information security framework that appropriately manages its information security risk. The framework shall include appropriate mechanisms, policies and procedures to protect information from unauthorised disclosure, to ensure data accuracy and integrity and to guarantee the availability of the CCP’s services.

4. The information security framework shall include at least the following features:

(a) access controls to the system;
(b) adequate safeguards against intrusions and data misuse;
(c) specific devices to preserve data authenticity and integrity, including cryptographic techniques;
(d) reliable networks and procedures for accurate and prompt data transmission without major disruptions;
(e) audit trails.

5. The information technology systems and the information security framework shall be reviewed at least on an annual basis. They shall be subject to independent audit assessments. The results of these assessments shall be reported to the board and shall be made available to the competent authority.