The Commodity Futures Trading Commission adopted final amended rules implementing enhanced cybersecurity testing and other requirements for derivative clearing organizations as well as for designated contract markets, swap execution facilities and swap data repositories. For DCOs, the CFTC indicated that cybersecurity programs must address information security; business continuity and disaster recovery planning and resources; capacity and performance planning; system operations; systems development and quality assurance; and physical security and environmental controls. All DCOs must have physical, technological and personnel resources to ensure a recovery by no later than the next business day following a disruption. The CFTC also mandated that DCOs conduct periodic vulnerability testing, external penetration testing, and internal penetration testing, among other requirements. The CFTC’s amended rules would impose similar testing requirements on DCMs, SEFs and SDRs. Although the new provisions for all market infrastructures are effective upon their publication in the Federal Register, there are different compliance dates for different provisions, stretching out to within one year following the effective date for some rules.

Compliance Weeds: All members of the National Futures Association were required by March 1 to have adopted and begun enforcing formal written policies regarding cybersecurity. These policies must be “reasonably designed by members to diligently supervise the risks of unauthorized access to or attack of their information technology systems, and to respond appropriately should unauthorized access or attack occur.” (Click here for further details on NFA’s requirements in the article, “NFA Proposes Cybersecurity Guidance” in the September 13, 2015 edition of Bridging the Week.)