Thursday, December 17, 2015

CFTC Proposes Cybersecurity Rules for Critical Infrastructure

By Lene Powell, J.D.

The CFTC proposed new rules to increase system safeguards for critical infrastructure including derivatives exchanges, swap execution facilities, clearinghouses, and swap data repositories. The rules would require entities to periodically conduct five specific types of cybersecurity testing, analyze the results, and remediate vulnerabilities. The proposals also add new enterprise risk management and governance requirements. In addition, the CFTC issued an advance notice of proposed rulemaking seeking feedback on whether to apply certain requirements to the most systemically important swap execution facilities. The proposals will be open for public comment for 60 days after publication in the Federal Register.

The Commission voted unanimously to propose the rules.

Cybersecurity testing. The proposed rules are presented in two releases: one for derivatives clearing organizations and the other for covered designated contract markets, swap execution facilities (SEFs), and swap data repositories. All covered entities would need to conduct five types of cybersecurity testing:
  • Vulnerability: scanning for weaknesses to determine what information can be discovered through a reconnaissance of a registrant’s automated systems (quarterly);
  • Penetration: attempting to breach a registrant’s automated systems, both internally and externally (annually);
  • Controls: assessing whether a registrant’s safeguards and countermeasures are working as intended (every two years);
  • Security incident response plan: testing a registrant’s written response plan in various ways including checklists, walk-through and table-top exercises, simulations, and comprehensive exercises (annually);
  • Enterprise technology risk assessment: analyzing threats and vulnerabilities in the context of mitigating controls (annually).

Some tests could be conducted by employees who are not responsible for development or operation of the tested systems, while others would need to be conducted by independent contractors. Reports on test results would have to be communicated to and reviewed by senior management and boards of directors. Entities would be required to analyze results and identify and remediate vulnerabilities.

Enterprise risk management. The proposal relating to contract markets, SEFs, and swap data repositories would also add enterprise risk management and governance to the list of required system safeguards-related risk analysis and oversight. This would include the following:
  • Assessment, mitigation, and monitoring of security and technology risk;
  • Capital planning and investment with respect to security and technology;
  • Board of directors and management oversight of system safeguards;
  • Information technology audit and controls assessments;
  • Remediation of deficiencies.

Systemically important SEFs. The CFTC included an Advance Notice of Proposed Rulemaking stating that the Commission is considering whether to apply, in a future proposal, minimum testing frequency and independent contractor testing requirements to the most systemically important SEFs.

Commissioner support. The Commission voted 3-0 to propose the rules. Commissioner Bowen said the proposed rules are important because although some firms are using best practices, there is no guarantee that all of them are. The proposed rules are a “great first step” but all CFTC registrants need to have clear cybersecurity measures in place, not just those covered by the proposal, she said. Commissioner Giancarlo agreed that the rules are important and said the CFTC should offer clear guidance to market participants regarding their obligations under the rule and designate safe harbors for compliance with it.

Chairman Massad “strongly supported” the proposed rules. He noted that he did not initially expect that the proposal would apply to SEFs, because they are still in a very early stage of operation, but responded to his colleagues’ concerns about potential vulnerabilities. He said the proposal is an important step toward enhancing protections that builds on existing core principles.

“Our requirements should come as no surprise—clearinghouses should already be doing extensive testing. Indeed, we hope that today’s proposal sets a baseline that is already being met,” said Massad.