CCO Resource Center: DTCC Client Cybersecurity Program and Sampling Requirements Document

Chief Compliance Officer Committee

Depository Trust & Clearing Corporation (DTCC) Client Cybersecurity Program; Document Request

In December 2019, the Depository Trust & Clearing Corporation (DTCC) announced the launch of its Client Cybersecurity Program (CCSP).  According to the DTCC, the CCSP was implemented to reduce risk and provide reliability to the global financial system.  The CCSP “defines a cybersecurity baseline that [DTCC] members must meet to demonstrate that they have proper safeguards against cyber risks.” It is intended to ensure that all of the DTCC’s members, using the Securely Managed and Reliable Technology (SMART) network or other connectivity, are adequately protected against cyberattacks.  According to the DTCC,

The CCSP establishes cyber due-diligence expectations around member access to DTCC via a Cybersecurity Confirmation.  It is focused on ascertaining that each member firm or prospective new client has defined and regularly maintains a comprehensive cybersecurity program and framework that considers potential cyber threats that impact the organization and protects the confidentiality, integrity, and availability requirements of the member firm’s systems and information.

All existing or new members connecting to a DTCC network are required to be cybersecurity resilient and follow a specific cybersecurity standard/framework that is widely acknowledged across the industry.  According to the DTCC, examples of such cybersecurity standards and frameworks include:

  1. FSSCC Security Profile - Financial Services Sector Coordinating Council Security Profile
  2. NIST CSF - National Institute of Standards and Technology Cybersecurity Framework
  3. ISO27001/27002 - International Organization for Standardization 27001/27002
  4. FFIEC CAT - Federal Financial Institutions Examination Council Cybersecurity Assessment Tool
  5. CSC 20 - Critical Security Controls Top 20
  6. SOC 2 - System and Organization Controls 2
  7. SOC for Cybersecurity - System and Organization Controls for Cybersecurity
  8. COBIT 5 - Control Objectives for Information and Related Technologies 5
  9. COBIT 2019 - Control Objectives for Information and Related Technologies 2019
  10. OSFI - The Office of the Superintendent of Financial Institutions Cyber Security Self-Assessment Guidance
  11. JASDEC - Japan Securities Depository Center, Inc. Basic Policy on Risk Management and Basic Policy on Information Security

In addition, the designated Senior Executive/Control Officer of a DTCC member must complete and sign a DTCC Certification Form affirming that the member “has a resilient cybersecurity program that is aligned to an established framework thus [sic] protected against cyber-attacks.”

The DTCC conducts “sampling review meetings” with members on a random basis from time to time to assess their compliance with the CCSP.  We understand that, in advance of these meetings, the DTCC provides the member with “Sampling Requirements,” a list of the documents it will be interested in reviewing during the meeting.  We further understand that the DTCC reviews, but does not collect, documents during these meetings in order to protect the confidentiality of the information it reviews.

More information about the CCSP is available on the DTCC’s website at:

A copy of the DTCC’s “Sampling Requirements” is available through this link: DTCC Sampling Requirements.