The CFTC Proposes Enhanced Cybersecurity Testing Rules
On February 22, 2016, the Commodity Futures Trading Commission (“CFTC”) closed the public comment period on its recently proposed enhanced cybersecurity rules for derivatives clearing organizations, trading platforms (swap execution facilities), designated contract markets, and swap data repositories. At the heart of the proposed regulations are rules that would require registered entities to conduct five categories of cybersecurity testing:
1. Vulnerability testing: to “determine what information may be discoverable through a reconnaissance analysis.”
2. Penetration testing: a “methodology in which assessors, typically working under specific constraints, attempt to circumvent or defeat the security features of an information system.”
3. Controls testing: to determine whether an organization’s safeguard-related controls are operating as intended.
4. Security incident response plan testing: to test an organization’s capacity to detect, contain, eliminate, and recover from a cyber intrusion.
5. Enterprise technology risk assessments: a written assessment that includes an analysis of threats and vulnerabilities to automated systems.
Depending on the type of regulated entity, this testing must be conducted on a quarterly, annual, or biannual basis—with the exception of swap execution facilities, which may determine the frequency of testing based on their own risk assessment.
These proposed rules are consistent with the CFTC’s heightened focus on cybersecurity risks in the financial industry. Since 2014, the CFTC has stressed the importance of firms updating their cyber defenses, calling cybersecurity the “single most important new risk to financial stability.” The proposed rules also come on the heels of similar efforts by other financial regulators to address cyber risks, including the Securities and Exchange Commission, the New York State Department of Financial Services, and the Federal Deposit Insurance Corporation. Moreover, the specific testing regime the CFTC proposes comes as no surprise: the National Institute of Standards and Technology and the Federal Financial Institutions Examination Council have long endorsed the kinds of testing the CFTC now proposes.
Notably, the CFTC’s commentary to the proposed rules suggests that organizations should review the cybersecurity credentials of their boards of directors or board committee members and, if necessary, hire independent outside consultants for cybersecurity assistance. The CFTC has also proposed that organizations, as part of their capital planning process, ensure that adequate resources are devoted to data security.
The CFTC’s focus on directors’ data security credentials follows from another proposed rule, Rule 37.1401(l), which would require senior management and the board of directors of certain registered entities to receive and review reports setting forth the results of all testing and assessments conducted under the proposed testing rules. Under several of the proposed rules, the registered entity must “identify all vulnerabilities and deficiencies in its system” and “remediate those vulnerabilities” in a “timely manner.”
Finally, CFTC Proposed Rule 39.18(g) would require derivatives clearing organizations to notify the CFTC of any cybersecurity incident that “materially impairs, or creates a significant likelihood of material impairment” of any automated system’s operation, reliability, or capacity. The CFTC did not, however, include similar notification language for trading platforms, designated contract markets, or swap data repositories.
We will continue to monitor the rulemaking process and provide further updates when the CFTC issues its final rules.