Recognizing cyber security as one of the most important issues facing financial markets today, and identifying cyber-attacks as a top threat, the U.S. Commodity Futures Trading Commission (CFTC) unanimously approved proposed enhanced rules on cybersecurity for derivatives clearing house organizations, trading platforms, and swap data repositories.
The proposals, published in separate Federal Register Notices as Part IV and Part V of Vol. 80 No. 246, identify fives types of cybersecurity testing as essential to a sound system safeguards program: (1) vulnerability testing, (2) penetration testing, (3) controls testing, (4) security incident response plan testing, and (5) enterprise technology risk assessments.
The two proposals would require all derivatives clearing organizations, designated contract markets, swap execution facilities, and swap data repositories to conduct each of the five types of cybersecurity testing, as frequently as indicated by appropriate risk analysis. In addition, the proposals would specify minimum testing frequency requirements for all derivatives clearing organizations and swap data repositories and specified designated contract markets, and require them to have certain tests performed by independent contractors.
As currently drafted, the proposals require the scope of all testing and assessment required by CFTC be broad enough to include all testing of automated systems and controls necessary to identify any vulnerability which, if exploited or accidentally triggered, could enable an intruder or unauthorized user or insider to:
- interfere with the registrant’s operations or with fulfillment of its statutory and regulatory responsibilities;
- impair or degrade the reliability, security, or capacity of the registrant’s automated systems;
- add to, delete, modify, exfiltrate, or compromise the integrity of any data related to the registrant’s regulated activities; or
- undertake any other unauthorized action affecting the registrant’s regulated activities or the hardware or software used in connection with those activities.
Importantly, CFTC published a Fact Sheet summarizing the proposed rulemaking.
Issuing strong support of the proposals, CFTC Commissioner J. Christopher Giancarlo said, “The job of the Commodity Futures Trading Commission as a regulator is to encourage, support, inform and empower this continuous development so that market participants adopt fully optimized and up-to-date cyber defenses.” Echoing sentiments we have previously expressed, Commission Giancarlo went on to acknowledge that “[g]iven the constantly morphing nature of cyber risk, the best defenses provide no guarantee of protection.”
Whether your organization is a registered entity with CFTC or not, the cybersecurity testing and system risk analysis details set forth in the proposals provide valuable insight into how your organization may take steps to protect itself from a cyber-attack. The proposals are subject to a 60 day public comment period which will end on February 22, 2016.