The CFTC proposed new rules to increase system safeguards for critical infrastructure including derivatives exchanges, swap execution facilities, clearinghouses, and swap data repositories. The rules would require entities to periodically conduct five specific types of cybersecurity testing, analyze the results, and remediate vulnerabilities. The proposals also add new enterprise risk management and governance requirements. In addition, the CFTC issued an advance notice of proposed rulemaking seeking feedback on whether to apply certain requirements to the most systemically important swap execution facilities. The proposals will be open for public comment for 60 days after publication in the Federal Register.
The Commission voted unanimously to propose the rules.
Cybersecurity testing. The proposed rules are presented in two releases: one for derivatives clearing organizations and the other for covered designated contract markets, swap execution facilities (SEFs), and swap data repositories. All covered entities would need to conduct five types of cybersecurity testing:
- Vulnerability: scanning for weaknesses to determine what information can be discovered through a reconnaissance of a registrant’s automated systems (quarterly);
- Penetration: attempting to breach a registrant’s automated systems, both internally and externally (annually);
- Controls: assessing whether a registrant’s safeguards and countermeasures are working as intended (every two years);
- Security incident response plan: testing a registrant’s written response plan in various ways including checklists, walk-through and table-top exercises, simulations, and comprehensive exercises (annually);
- Enterprise technology risk assessment: analyzing threats and vulnerabilities in the context of mitigating controls (annually).
Enterprise risk management. The proposal relating to contract markets, SEFs, and swap data repositories would also add enterprise risk management and governance to the list of required system safeguards-related risk analysis and oversight. This would include the following:
- Assessment, mitigation, and monitoring of security and technology risk;
- Capital planning and investment with respect to security and technology;
- Board of directors and management oversight of system safeguards;
- Information technology audit and controls assessments;
- Remediation of deficiencies.
Commissioner support. The Commission voted 3-0 to propose the rules. Commissioner Bowen said the proposed rules are important because although some firms are using best practices, there is no guarantee that all of them are. The proposed rules are a “great first step” but all CFTC registrants need to have clear cybersecurity measures in place, not just those covered by the proposal, she said. Commissioner Giancarlo agreed that the rules are important and said the CFTC should offer clear guidance to market participants regarding their obligations under the rule and designate safe harbors for compliance with it.
Chairman Massad “strongly supported” the proposed rules. He noted that he did not initially expect that the proposal would apply to SEFs, because they are still in a very early stage of operation, but responded to his colleagues’ concerns about potential vulnerabilities. He said the proposal is an important step toward enhancing protections that builds on existing core principles.
“Our requirements should come as no surprise—clearinghouses should already be doing extensive testing. Indeed, we hope that today’s proposal sets a baseline that is already being met,” said Massad.