On Wednesday, December 16, 2015, the Commodity Futures Trading Commission (CFTC or Commission) approved for publication two proposed rules to amend existing regulations addressing cybersecurity. The proposed rules would establish testing obligations and safeguards for the automated systems used by designated contract markets (DCMs), swap execution facilities (SEFs), swap data repositories (SDRs) (the Exchange Proposal), and derivatives clearing organizations (DCOs) (the Clearing Proposal and, together, the Proposals).
The Commission’s Proposals grant regulated entities significant deference with respect to the development and implementation of policies and procedures reasonably designed to demonstrate compliance with the new cybersecurity provisions. However, these new requirements will come with significant operational, technology, and other resource burdens, including ongoing testing and engagement with third-party service providers. Furthermore, the scope of the testing required by the Proposals may extend further than similar cybersecurity standards established by other federal agencies.
The Commission unanimously approved the Proposals. They were published in the Federal Register on December 23, 2015 and are subject to a 60-day public comment period ending on February 22, 2016.
CFTC staff, in presenting the Proposals for Commission action, stated that the Proposals address cybersecurity and system safeguard requirements for DCMs, SEFs, SDRs, and DCOs. Specifically, the Proposals would enhance and clarify existing rule provisions related to cybersecurity testing and system safeguard risk analysis and oversight by specifying and defining the types of cybersecurity testing that these entities would be required to conduct in order to fulfill their regulatory system safeguard testing obligations. Cybersecurity testing by these entities can strengthen their cyber defenses, mitigate risks to their operations, and maintain their cyber resilience and ability to detect, contain, respond to, and recover from cyberattacks.
The Proposals would require DCMs, SEFs, SDRs, and DCOs to conduct five essential types of cyber testing: (1) vulnerability testing; (2) penetration testing; (3) controls testing; (4) security incident response testing; and (5) enterprise technological risk assessment. The Proposals also would establish minimum testing frequencies and independent contractor testing requirements for DCOs, SDRs, and covered DCMs (i.e., those whose total annual trading volume is five percent or more of the total annual trading volume of DCMs regulated by the CFTC for the year in question). The Exchange Proposal includes an Advance Notice of Proposed Rulemaking, through which the Commission is considering whether, in a future proposal, to apply minimum testing frequency and independent contractor testing requirements to certain SEFs to be defined as “covered SEFs.”
Below is an overview of the five types of systems safeguards and cybersecurity testing proposed by the CFTC:
- Vulnerability testing is the process of scanning a system for weaknesses. CFTC staff explained that vulnerability testing is covered by generally accepted practices and standards, e.g., those developed by the National Institute of Standards and Technology. The Proposals would require vulnerability testing by DCMs, SEFs, SDRs, and DCOs at a frequency determined by an appropriate risk analysis. In addition, under the Proposals, DCOs, SDRs, and covered DCMs would be required to use independent contractors for at least two of the quarterly tests each year.
- Penetration testing is the process (external or internal) of simulating an attack on a system to discover and exploit its weaknesses. CFTC staff stated that the Proposals call for DCMs, SEFs, SDRs, and DCOs to conduct penetration testing at a frequency determined by an appropriate risk analysis, and at least annually for DCOs, SDRs, and covered DCMs. The annual external penetration test of DCOs, SDRs, and covered DCMs would need to be performed by an independent contractor.
- Controls testing relates to the safeguards or countermeasures used by an entity to protect its automated systems or the confidentiality and integrity of its data and information. CFTC staff stated that, under the Proposals, DCOs, SDRs, and covered DCMs would be required to conduct controls testing no less frequently than every two years. DCOs, SDRs, and covered DCMs would be required to use independent contractors to test each of the defined key controls no less frequently than every two years.
- Security incident response plan testing would mean testing of a registrant’s security incident response plan to determine the plan’s effectiveness, identify its potential weaknesses or deficiencies, enable regular plan updating and improvement, and maintain organizational preparedness and resiliency with respect to security incidents. CFTC staff stated that, at minimum, the Proposals call for DCOs, SDRs, and covered DCMs to have such testing performed no less frequently than annually.
- Enterprise technology risk assessment would mean a written assessment that includes an identification and analysis of threats and vulnerabilities. CFTC staff stated that, at minimum, the Proposals would require DCOs, SDRs, and covered DCMs to perform this assessment no less frequently than annually.
CFTC staff further explained that the Proposals would require the scope of all testing and assessments required by CFTC rules to be sufficiently broad. This would include testing of the automated systems and controls necessary to identify any vulnerability that could enable an intruder or unauthorized user to interfere with the registrant’s operations or fulfillment of regulatory responsibilities, impair the reliability or security of an automated system, modify or compromise data related to the registrant’s regulated activities, or undertake any unauthorized action affecting the registrant’s regulated activities. Commission staff also stated that reports on the testing protocols and results would need to be communicated to and reviewed by senior management and the board of directors. Under the Proposals, registrants would also be required to establish and follow appropriate procedures for remediation of identified issues.
With respect to the scope of the Proposals, CFTC staff noted that certain National Futures Association-registered entities, including swap dealers, major swap participants, introducing brokers, and futures commission merchants, would not be covered under the Proposals. These entities must comply with the NFA’s October 2015 cybersecurity interpretive notice, which defines the core components of an effective information systems security program.
CFTC Chairman Timothy Massad strongly supported the Proposals, calling them “an important step toward enhancing the protections in [financial] markets.” He added that “the risk of cyberattacks is perhaps the most important single issue we face in terms of financial market stability and integrity.” He also noted that, while he previously stated he did not expect such proposed rules to apply to SEFs because they are in the early stages of operation, Commissioner Sharon Bowen and Commissioner J. Christopher Giancarlo expressed concern about the potential vulnerability and believed that the CFTC should propose requirements that apply to SEFs as well at this time. As a result, the Proposals apply “the base standards” to these registered entities.
Commissioner Bowen supported the Proposals regarding system safeguards and cybersecurity, stating that, without effective cybersecurity, the financial system cannot be confident that important data will not be compromised. She remarked that, “while some firms are clearly engaging in best practices . . . in a system as electronically interconnected as our financial markets, we’re collectively only as strong as our weakest link, and so we need a high baseline level of protection for everyone.”
Commissioner Giancarlo supported the Proposals, stating that they generally reflect the “bottom-up” approach to cybersecurity that he has previously advocated. He acknowledged that the Proposals would impose additional costs on some SEFs and stated that the Commission must find ways to alleviate unnecessary costs by correcting the flawed swap trading rules that remain mismatched with the liquidity and trading dynamics of the global swap markets. Commissioner Giancarlo warned against a “‘double whammy’ of a destructive cyber-attack followed shortly thereafter by a CFTC enforcement action.” He encouraged the CFTC to “offer clear guidance to market participants regarding their obligations under the rule and designate safe harbors for compliance” with the rules.