The Commodity Futures Trading Commission proposed rules aimed at enhancing cybersecurity at designated contract markets, swap execution facilities, derivatives clearing organizations and swap data repositories. All such entities would be required to conduct five types of testing on an ongoing basis, consistent with best practices, subject to minimum frequencies specified by the Commission: vulnerability testing, penetration testing, controls testing, security incident testing and enterprise technology testing. The CFTC will accept comments on its proposed new rules through 60 days following their publication in the Federal Register. (For more details regarding the CFTC’s proposed rules, see the article “CFTC Proposes Cybersecurity Testing for DCOs, DCMs, SEFs and SDRs” in the December 18, 2015 edition of Corporate and Financial Weekly Digest by Katten Muchin Rosenman LLP.)
Compliance Weeds: All National Futures Association members must adopt and enforce written policies regarding cybersecurity by March 1, 2016. Under the NFA’s recently published Interpretive Notice on Information Systems Security Programs, NFA members must institute formal, written information systems security programs (ISSP). Although the NFA makes clear that its “policy is not to establish specific technology requirements,” it will require all relevant members to have supervisory procedures that are “reasonably designed to diligently supervise the risks of unauthorized access to or attack of their information technology systems, and to respond appropriately should unauthorized access or attack occur.” NFA members should, by now, be conducting a gap analysis between NFA’s recommendations and their current practices, and should try to begin to close any gap by drafting and implementing enhanced provisions to their ISSPs as necessary.