On December 16, 2015, the CFTC proposed two rules which would amend its system safeguards rules relating to cyber security testing and other safety requirements for automated systems used by entities regulated by the CFTC. One of the proposed rules pertains to designated contract markets, swap execution facilities, and swap data repositories, while the other pertains to derivatives clearing organizations.
The proposed rules are intended to improve existing requirements with respect to cyber security testing and system safeguards by defining five types of cyber security testing vital to a comprehensive system safeguards program: (i) vulnerability testing; (ii) penetration testing; (iii) controls testing; (iv) security incident response plan testing; and (v) enterprise technology risk assessment. For certain specified entities, the proposals also provide minimum testing frequency requirements and would require such entities to have certain tests performed by independent contractors. The proposals will be open for public comment during a 60-day comment period after their publication in the Federal Register.
The proposed rule for system safeguards testing requirements is available at: http://www.cftc.gov/idc/groups/public/@newsroom/documents/file/federalregister121615a.pdf.
The proposed rule for system safeguards testing requirements for derivatives clearing organizations is available at: http://www.cftc.gov/idc/groups/public/@newsroom/documents/file/federalregister121615b.pdf.
The CFTC fact sheet regarding the proposed rules is available at: http://www.cftc.gov/idc/groups/public/@newsroom/documents/file/syssafeguard_factsheet121615.pdf.