The Commodity Futures Trading Commission (CFTC) Thursday approved a set of rules that will require frequent testing of information technology at U.S. commodities and derivatives firms, including exchanges and clearinghouses.
Systems will undergo vulnerability testing,penetration testing, controls testing, security incident response testing, and enterprise technology risk assessment, according to a government fact sheet.
Key elements of the rules include, specified cybersecurity testing, minimum testing frequency, use of independent contractors, testing scope, and internal reporting, review and remediation.
The CFTC’s comprehensive approach to this new regulation demonstrates a clear appreciation of the reality that between 40 and 70 percent of data breaches originate from third party vendors and partners, Jeff Hill, director of product management for the security firm Prevalent told SCMagazine.com via emailed comments.
“Federal Agencies like the CFTC are recognizing the cyber vulnerabilities of interconnected ecosystems that underpin major financial markets,” Hill said. “An organization in the commodities industry relies on a large community of partner companies, vendors, and customers to transact business, and each connection represents a pathway to sensitive financial and other data.”
The new rules are designed to enhance and clarify existing requirements relating to cybersecurity testing and system safeguards risk analysis by specifying and defining each type of cybersecurity testing but some security experts aren’t confident the rules will hold up to its expectations.
“The new cybersecurity rules expected from the Commodity Futures Trading Commission have already failed a key test,” Lieberman Software Vice President of Product Strategy Jonathan Sander told SCMagazine.com via emailed comments. “They say that the rules will require quarterly vulnerability probes, but vulnerabilities evolve on daily, even hourly scales.”
Sander said the CFTC’s approach sounds more like compliance than it does security and that he saw a statement which said the agency will test responses to incidents once a year while the most security forward organizations in the world have a continuous reaction exercise.
“These are often called red team, blue team exercises, which run like war games with the red team on the attack and the blue team defending,” he said. “It’s only through this sort of constant vigilance that we can hope to win any fights.”