The Office of Inspector General of the Commodity Futures Trading Commission said the agency’s Division of Swap Dealer and Intermediary Oversight should use a risk-based approach to independently test the cybersecurity preparedness of futures commission merchants and swap dealers. However, in response to the recommendations made by Brown & Company, certified public accountants and management consultants, in a report commissioned by OIG, the CFTC said that, “due to current budgetary constraints, the creation of an independent testing program is not feasible.” The CFTC also noted that, since March 1, 2016, the National Futures Association has required all members to maintain a cybersecurity program that NFA reviews. Among other recommendations in the OIG report are that the CFTC should verify that all registrants use a secure file transfer protocol when sending sensitive financial information to the agency, and that the CFTC should encourage exchanges, clearinghouses and swap data repositories to increase the frequency of their internal and external penetration testing, as well as vulnerability testing, particularly after significant changes in a registrant’s systems.
Compliance Weeds: All NFA members were required by March 1 to have adopted and begun enforcing formal written policies regarding cybersecurity. These policies must be “reasonably designed by members to diligently supervise the risks of unauthorized access to or attack of their information technology systems, and to respond appropriately should unauthorized access or attack occur.” (For further details on NFA’s requirements, see the article, “NFA Proposes Cybersecurity Guidance” in the September 13, 2015 edition of Bridging the Week.)