CFTC Commissioner Proposes New Rules for Algorithmic Trading and Cybersecurity (with Lofchie Comment)
Commentary by Steven Lofchie
CFTC Commissioner Sharon Y. Bowen recommended additional rules to address algorithmic trading and cybersecurity. She delivered her remarks in a keynote address at the ISDA North America Conference.
Commissioner Bowen also proposed new requirements to address cybersecurity risk in CFTC markets including:
- The designation of a Cybersecurity Expert or Chief Information Security Officer by each CFTC registrant;
- Annual or quarterly confidential reports submitted to the CFTC regarding the state of a registrant's cybersecurity programs;
- Prompt reporting of "any material cybersecurity event . . . within minutes" to the CFTC; and
- An independent audit of each registrant, or annual penetration testing by an independent auditor, to ensure industry-wide adoption of best practices that "would have the additional benefit of facilitating the establishment of industry benchmarks."
Commissioner Bowen recommended subjecting algorithmic traders to the following CFTC requirements:
- Maintain pre-trade risk controls and institute processes for disconnecting any algorithm from the market immediately when appropriate;
- Require individuals who design or maintain algorithms to know their obligations under the CEA or consult with a knowledgeable person;
- Maintain ongoing and comprehensive communication between the professionals handling the algorithms and those in the compliance department;
- Disclose the proportion of orders that are self-trades;
- Disclose granular information about market-maker programs, including (i) the date on which a given program will run, (ii) the products involved, (iii) the nature of the program, (iv) who is eligible to take part in the program and (iv) why some persons are not eligible; and
- Restrict market-maker programs and disallow entities from receiving market-maker program incentives for self-trades.
Commissioner Bowen also proposed the following requirements for cybersecurity in CFTC markets:
- A Cybersecurity Expert or Chief Information Security Officer designated by each CFTC registrant;
- Annual or quarterly confidential reports submitted to the CFTC regarding the state of a registrant's cybersecurity programs;
- Prompt reporting of "any material cybersecurity event . . . within minutes" to the CFTC; and
- An independent audit of each registrant, or annual penetration testing by an independent auditor, to ensure industry-wide adoption of best practices that "would have the additional benefit of facilitating the establishment of industry benchmarks."
Commissioner Bowen described her proposals as taking a diagnostic approach to technological issues. "The answer, of course, is not to ask the world to slow down, but for regulators to redouble [their] efforts to understand what is going on."
Commentary
To her credit, Commissioner Bowen advances the discussion of technology change and the markets by simply acknowledging that algorithmic trading is here to stay. Many of her recommendations seem entirely reasonable; e.g., that there is no reason for market-makers to be provided with economic incentives to self-trade, even when the self-trades are accidental (as is virtually always the case).
One fundamental question for the Commissioner is this: whether she sees her recommendations as focused primarily on aiding market participants by encouraging the sharing of information or as a way to frighten them with threats of regulatory sanctions if anything goes wrong. The former objective seems better given the impossibility of thwarting all of the bad guys. It is also fair to ask whether some of her recommendations are simply too burdensome. Surely it is impractical for every firm to employ a cybersecurity expert.