The Commodity Futures Trading Commission has proposed rules that would require all derivatives clearing organizations (DCOs), swap data repositories (SDRs), designated contract markets (DCMs) and swap execution facilities (SEFs) to conduct five types of cybersecurity testing: (1) vulnerability testing; (2) internal and external penetration testing; (3) controls testing; (4) security incident response plan testing; and (5) enterprise technology risk assessments.
The proposal sets forth specific testing timeframes for DCOs, SDRs and covered DCMs. (For these purposes, a “covered” DCM is a DCM with 5 percent or more of the combined annual trading volume of all DCMs.) Specifically, these entities would be required to conduct vulnerability testing quarterly, and penetration testing, security incident response plan testing and enterprise technology risk assessments annually. Controls testing would be required once every two years. Some of these tests may be conducted by employees who are not responsible for the development or operation of the systems or capabilities being assessed; others must be conducted by independent contractors.
The proposal does not specify the frequency with which SEFs and non-covered DCMs would be required to conduct cybersecurity tests. In addition, SEFs and non-covered DCMs may choose whether to engage independent contractors or rely on independent employees to conduct testing.
The proposal also would require testing protocols and results to be reviewed by each entity’s senior management and board of directors.
The CFTC’s proposed rules and related fact sheet and Q&A may be accessed here. Upon publication in the Federal Register, the proposed rules will be subject to a 60-day comment period.