
8. Principle 5: Operational risk

No: 000045049500

Effective from Jan 31 2025 - Jun 30 2024

A Trade Repository should identify the plausible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls. Systems should be designed to ensure a high degree of security and operational reliability and should have adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of the Trade Repository’s obligations, including in the event of a wide-scale or major disruption. 
 
8.1. A Trade Repository should establish a robust operational risk-management framework with appropriate systems, policies, procedures, and controls to identify, monitor, and manage operational risks.
 
8.2. A Trade Repository’s board of directors should clearly define the roles and responsibilities for addressing operational risk and should endorse the Trade Repository’s operational risk-management framework. Systems, operational policies, procedures, and controls should be reviewed, audited, and tested periodically and after significant changes.
 
8.3. A Trade Repository should have clearly defined operational reliability objectives and should have policies in place that are designed to achieve those objectives.
 
8.4. A Trade Repository should ensure that it has scalable capacity adequate to handle increasing stress volumes and to achieve its service-level objectives.
 
8.5. A Trade Repository should have comprehensive physical and information security policies that address all potential vulnerabilities and threats.
 
8.6. A Trade Repository should have a business continuity plan that addresses events posing a significant risk of disrupting operations, including events that could cause a wide-scale or major disruption. The plan should incorporate the use of a secondary site and should be designed to ensure that critical information technology (IT) systems can resume operations within two hours following disruptive events. The plan should be designed to enable the Trade Repository to complete settlement by the end of the day of the disruption, even in case of extreme circumstances. A Trade Repository should regularly test these arrangements.
 
8.7. A Trade Repository should identify, monitor, and manage the risks that key participants, other FMIs, and service and utility providers might pose to its operations. In addition, a Trade Repository should identify, monitor, and manage the risks its operations might pose to other Trade Repositories or FMIs.
 
8.8. A Trade Repository must comply with the SAMA Business Continuity Framework issued via SAMA circular 381000058504 dated 01/06/1438 H, and applicable national regulatory guidelines over Business Continuity, Outsourcing, Cybersecurity, IT Governance, and Data Privacy, and must ensure that:
 
 8.8.1. A Trade Repository’s services are provided at all times in a secure, efficient and effective manner.
 
 8.8.2. A Trade Repository has in place processes for regular review of whether the Trade Repository’s operations are efficient and effective in meeting the requirements of participants, SAMA, and the markets it serves. These may include, for example, a review of its minimum service levels, operational reliability, cost-effective pricing, and controls. A Trade Repository should also address IT operational risks as part of its overall operational risk management, identifying and mitigating IT risks by mandating the control considerations of the SAMA Information Technology Governance Framework issued via SAMA circular 43028139 dated 29/03/1443 H.
 
 8.8.3. Cyber security risks are managed effectively and the Trade Repository’s assets are protected. In this regard, a Trade Repository is also required to comply with the SAMA Cyber Security Framework and applicable national Cybersecurity guidelines, and to ensure the effectiveness of its security controls through periodic evaluation.
 
 8.8.4. A Trade Repository should define and develop a data classification scheme with organized categories based on the level of data sensitivity. A Trade Repository’s data classification should ensure the confidentiality, integrity, and availability of its data, and access to data should be granted on a need-to-know basis.
 
 8.8.5. A Trade Repository should implement adequate mechanisms to ensure the privacy of the data collected throughout its lifecycle in the Trade Repository and the protection of personal data in compliance with national laws and regulations.
 
 8.8.6. For the purposes of integrity and cyber security of the Trade Repository, a Trade Repository must establish, implement, maintain and enforce policies, procedures, and physical and electronic controls over its systems for accepting, retaining, using, disclosing and providing access to Derivative Trade Data, designed to:
 
  8.8.6.1. Maintain the integrity and confidentiality of Derivative Trade Data at all times during transmission between the Trade Repository, SAMA and Participants, and while retained in the Trade Repository; and
 
  8.8.6.2. Prevent unauthorized use or disclosure of, or access to, Derivative Trade Data, in line with business requirements based on the need-to-have or need-to-know principle.
 
 8.8.7. SAMA may make a direction relating to Derivative Trade Data if a Trade Repository ceases to be authorised, including a direction requiring the Trade Repository to destroy, or transfer to another Trade Repository or SAMA, all records of the Derivative Trade Data over which the Trade Repository has control.
 
 8.8.8. A Trade Repository must report all incidents of disruption, including IT and Cyber incidents classified as “Medium” or “High”, to SAMA immediately. A post-incident report should be communicated to SAMA after the Trade Repository resumes normal operations.
 
 8.8.9. A Trade Repository must seek approval from SAMA when selecting a new site for its main or alternative data center, or when relocating the current main or alternative data center, taking into consideration that the Trade Repository’s information/data hosting and storage must be inside the KSA.
 
 8.8.10. A Trade Repository must define the scope and coverage of backups to cover all critical technologies, information and data assets, and implement backup and recovery processes with periodic testing of their effectiveness.
 
8.9. The Trade Repository must establish, implement, maintain and enforce plans, including escalation plans, for its internal communications and its communications with Participants and SAMA in circumstances of an operational outage or other disruption to the Trade Repository’s services.