CFTC Adopts Cybersecurity Requirements for DCOs, SEFs and SDRs
The CFTC voted unanimously to approve two proposals to amend existing regulations that address cybersecurity testing and safeguards for automated systems.
The approved proposals would (i) require that exchanges, clearing organizations, swap execution facilities and swap data repositories test their cyber protections; (ii) specify the kinds of tests that must be conducted, the minimum frequency of each kind of test, and whether a given test must be performed by independent parties; and (iii) establish standards for incident response planning and enterprise technology risk assessments. The proposals also include governance requirements; e.g., that a firm's Board of Directors receive and review all reports setting forth the results of all testing. The proposed rules build on the CFTC's core principles - which require regulated entities to focus on system safeguards - by setting standards that are consistent with industry best practices.
In particular, the proposals include the following requirements:
- Specified Cybersecurity Testing: All derivatives clearing organizations ("DCOs"), designated contract markets, swap execution facilities ("SEFs") and swap data repositories ("SDRs") would be required to conduct the following types of cybersecurity testing: (i) vulnerability testing, (ii) penetration testing, (iii) controls testing, (iv) security incident response plan testing and (v) enterprise technology risk assessments.
- Minimum Testing Frequency: Specified registered entities would be subject to minimum testing frequency requirements for the kinds of cybersecurity testing that are listed above.
- Use of Independent Contractors: Specified registered entities would be required to use independent contractors for certain types of cybersecurity testing.
- Testing Scope: The scope of the testing and assessments that are required by CFTC regulations must be broad enough to include all tests of automated systems and controls that are necessary to identify any vulnerability which, if exploited or accidentally triggered, could enable an intruder or unauthorized user or insider to (i) interfere with the registrant's operations; (ii) impair or degrade the reliability, security or capacity of the registrant's automated systems; or (iii) undertake any other unauthorized action affecting the registrant's regulated activities or the hardware or software used in connection with those activities.
The proposals also augment the required categories of system-safeguards-related risk analysis and oversight by adding enterprise risk management and governance. The new category would include the following five areas:
- the assessment, mitigation and monitoring of security and technology risks;
- capital planning and investment with respect to security and technology;
- board of directors and management oversight of system safeguards;
- information technology audit and controls assessments; and
- the remediation of deficiencies.
The CFTC gave advance notice that it is considering whether to apply minimum testing frequency and independent contractor testing requirements to certain SEFs that could be defined as "covered SEFs" in a future proposal.
Commentary
Like the CFTC's recently proposed Regulation Automated Trading ("Regulation AT"), this proposed rulemaking layers rigorous CFTC requirements, including a "comprehensive testing regime," on top of a private system of safeguards based on industry "best practices" that are driven by practical necessity. This resurrects an obvious question, one that Commissioner Bowen herself posed: what value is added by the proposed rules? Her response is that they add "a great deal," since they "incentivize all firms under our purview to engage in these effective practices."
Such a view assumes that the significant firms that are subject to this regulation would not take commercially reasonable steps to maintain cybersecurity otherwise. Is there a reason to believe that assumption? A more practical question might be this: do the formal requirements of the cybersecurity rule (i) motivate firms to fortify their cybersecurity practices in reasonable ways with which firms would not have bothered otherwise or (ii) detract from firms' cybersecurity efforts by imposing a rigid structure that drains resources from the real work that must be done? To put the question differently: does the CFTC believe that firms' current cybersecurity efforts are inadequate or that firms are devoting an insufficient amount of care to the area? If the CFTC does not believe that firms' efforts are inadequate, then what is the justification for the rule? If it does believe those efforts to be inadequate, then shouldn't it find less prescriptive means to address those deficiencies than this rulemaking?
Here's what Commissioner Bowen had to say about the efforts of market participants to improve cybersecurity practices:
"I wanted to hear what market participants were doing to address the challenge of our cybersecurity landscape so I met with several of our large registrant dealers and asked them about their cybersecurity efforts. After these discussions, I was both alarmed by the immensity of the problem and heartened by efforts of these larger participants to meet that problem head on. They were employing best practices such as reviewing the practices of their third party providers, using third parties to audit systems, sharing information with other market participants, integrating cybersecurity risk management into their governance structure, and staying in communication with their regulators."
Her comment raises her own question yet again: (i) is this rule necessary to change current conduct (based on Commissioner Bowen's observations, apparently not) or (ii) is it potentially a formalistic distraction from what firms must do as a practical necessity?