Cybersecurity attacks have increasingly garnered significant attention this summer—and financial regulators are taking notice and taking action. Earlier in August, the Securities and Exchange Commission (“SEC”) announced the indictment of nine players in a major hacking ring. The ring was designed to obtain corporate announcements prior to their public release, to give purchasers of the illegally obtained information an edge in securities trading. The attack combined old-school securities fraud with new-school cybercrime, and served as a reminder of financial markets’ potential vulnerabilities from the ingenuity of cybercriminals.
SEC Commissioner Continues to Highlight Cybersecurity. Continued high-profile security breaches and the consistent, escalating threats facing financial institutions have elevated cybersecurity as a concern for corporate entities and regulators alike. Commissioner Luis A. Aguilar of the SEC remarked in June at the SINET Innovation Summit in New York, “What was once a problem only for IT professionals is now a fact of life for all of us. …[I]t is not an overstatement to say that cybersecurity is one of the defining issues of our time.” Indicating the growing threat to financial markets, Commissioner Aguilar highlighted the SEC’s examination of the cybersecurity protocols of 57 broker-dealers and 49 investment advisers, which found that most of the firms had been subject to an attack within the last year. See U.S. Securities and Exchange Commission, Office of Compliance Inspections and Examinations, Cybersecurity Examination Sweep Summary, National Exam Program Risk Alert, Vol. IV, Issue 4 (Feb. 3, 2015). Commissioner Aguilar noted that these attacks, orchestrated by various actors including nation states, have caught the attention of the SEC, as well as other regulators of the financial markets in the U.S. and Europe.
Attention on the Hill. Cognizant of the important role played by the SEC in addressing cybersecurity threats, two Congressmen—Jim Langevin and Jim Himes—contacted SEC Chair Mary Jo White in mid-June emphasizing the significant negative effect cyber attacks pose to individual firms, their customers and the marketplace as a whole. The Congressmen called for a more thorough explanation of how the SEC manages its own cybersecurity protocols and regulates its registrants’ cybersecurity practices. While the Congressmen’s letter seemed to focus on recent high-profile attacks involving public companies, it is unlikely that the SEC would confine any cybersecurity protocols it issues to those entities alone. In a similar vein, on June 24, 2015, the U.S. House Committee on Financial Services held a hearing aimed at evaluating the security of the U.S. financial sector.
CFTC’s Recent Cybersecurity Focus. While it’s no surprise that addressing cybersecurity threats remains a priority for Congress and the SEC, market participants were intrigued by the recent focus applied to the issue by the Commodity Futures Trading Commission (“CFTC”). On Tuesday, June 2, 2015, the Market Risk Advisory Committee of the CFTC held a hearing on cybersecurity focused on the Bank of England’s CBEST cyber threat testing program and in so doing indicated the agency’s growing awareness of the cybersecurity issues facing the financial markets. Bank of England (“BOE”) representatives were asked to discuss their CBEST program, a cyber attack readiness program focusing on the testing of financial institutions for cybersecurity readiness and protection that was developed by the BOE and the Council for Registered Ethical Security Testers (a trade organization for the information security industry). While many firms already conduct systems testing to gauge their resilience against cyber attacks, the CBEST program aims to fill the gaps often created through a piecemeal approach to an industry-wide problem such as cybersecurity. Specifically, the CBEST program aims to provide financial firms with the ability to actively test their systems, share useful data with other market participants and utilize the results to help form industry best practices for guarding against cyber threats.
The program also provides accreditation for cybersecurity service providers, so that financial firms can have a greater degree of confidence in the results of cybersecurity testing, and encourages more robust cyber threat testing. While participation in the CBEST program is formally voluntary, the BOE has stated that regulators will address non-participation on a case-by-case basis. David Evans, a Senior Manager at the BOE, indicated that as of June 2, 2015, roughly 90% of the BOE-targeted institutions had agreed to participate and that the program could be made mandatory in the future.
As outlined in a recent Sidley Update, numerous federal agencies are seemingly moving toward addressing cybersecurity threats more directly, but no clear and specific cybersecurity standards for private-sector programs have yet been set. The CFTC’s recent hearing no doubt indicates its growing focus. Indeed, CFTC Chairman Timothy Massad has recognized cybersecurity as “the single most important new risk to market integrity and financial stability.” The CFTC appears particularly concerned about cybersecurity threats to the commodity markets and their participants (exchanges, clearing organizations and swap data repositories) that, if successful, could lead to a significant negative impact on market integrity. CFTC Commissioner Christopher Giancarlo, in comments before the IOSCO Annual Conference, went so far as to say that, “There is absolutely no question in my mind that cybercrime is the potential shock that could undo all our best laid plans.” He added, “We need to do everything possible, not just financial regulators but also security forces and security agencies.”
Further highlighting financial regulators’ sense of urgency on these issues, the National Futures Association (“NFA”), the self-regulatory body for the U.S. derivatives industry, submitted an Interpretive Notice addressing information security programs to the CFTC on August 28, 2015. The Interpretive Notice takes a principles-based, risk-oriented approach that requires NFA member firms to have written policies and supervisory procedures in place to address the risk of cybersecurity attacks. The guidance is aimed at NFA registrants including futures commission merchants (FCMs), commodity trading advisors (CTAs), commodity pool operators (CPOs), introducing brokers (IBs), retail foreign exchange dealers (RFEDs), swap dealers (SDs) and major swap participants (MSPs).
While it is not yet clear how aggressively the CFTC will confront the threats of cybercrime, it would be a safe bet for entities subject to the jurisdiction of the CFTC to anticipate that the agency will dedicate increased time, resources and attention to cybersecurity issues.