Chairman Massad’s remarks focused, in part, on the importance of the Commission’s oversight of cybersecurity issues for the financial institutions, exchanges and markets that it regulates. This comes on the heels of the Federal Financial Institutions Examination Council’s (FFIEC) November 3, 2014 release of its Cybersecurity Assessment General Observations of more than 500 financial institutions and their preparedness to mitigate cyber risks. See our prior post to read more about that.
Chairman Massad discussed what the Commission is doing regarding cybersecurity, including a description of the safeguards that it has in place. Those safeguards include:
- Risk Analysis—a program of risk analysis and oversight to identify and minimize sources of cyber and operational risk;
- Automated Systems—ones that are reliable, secure, and have adequate scalable capacity;
- Emergency Procedures—including backup facilities and a business continuity disaster recovery plan; and
- Independent Testing—regular, objective, independent testing to verify that the system safeguards program is sufficient to fulfill its regulatory responsibilities.
In addition, Chairman Massad explained that the entities the Commission regulates must have a risk management program that addresses seven key elements, namely:
- Information security
- Systems development
- Quality assurance
- Breach notification
- Recovery procedures
- Resumption of operations within two (2) hours (for some clearinghouses)
Finally, Chairman Massad provided guidance to senior executives and board members on the key areas that the Commission is focused on:
- Governance—Is the board paying sufficient attention to cybersecurity and taking appropriate steps? Does the board have the expertise, and does it devote the time, to do so? Is it setting the right tone as to the importance of these issues? The same questions apply, needless to say, to top management.
- Resources—Are sufficient resources and capabilities being devoted to monitor and control cyber-related risks across all levels of the organization?
- Policies and Procedures—Are adequate plans and policies in place to address information security, physical security, system operations, and other critical areas? And is the regulated entity actually following its plans and policies and considering how plans and policies may need to be amended from time to time in light of technological, market or other security developments?
- Vigilance and Responsiveness to Identified Weaknesses and Problems—If a weakness or deficiency is identified, does the regulated entity take prompt and thorough action to address it? Does it not only fix the immediate problem, but also examine the root causes of the deficiency?
The Chairman concluded his keynote remarks by reminding us that the Commission is focused on using its authority to ensure compliance with these rules and has, in one instance, imposed penalties against a major bank for failing to abide by the Commission’s reporting requirements.
Further guidance from the CFTC on the data security practices that it expects from the institutions that it oversees and the third parties they contract with was provided earlier this year.