U.S. commodities and derivatives firms, including exchanges and clearinghouses, would have to frequently test their information technology for vulnerabilities under final rules approved Thursday by the Commodity Futures Trading Commission (CFTC).
The CFTC’s rules are intended to promote flexibility as hacking methods evolve, and to help firms stay up-to-date on the best responses to cyber attacks. The new rules also aim to help companies recover quickly from incursions.
“They will apply to the core infrastructure in our markets – the exchanges, clearinghouses, trading platforms and trade repositories. And they will ensure that those private companies are adequately evaluating cyber risks and testing their cybersecurity and operational risk defenses,” said CFTC Chairman Timothy Massad before the unanimous vote, adding that the rules were not “overly prescriptive.”
“I’ve said many times that as regulators, we must not just look backwards to address the causes of past failures or crises. We also must look ahead,” he said.
Under the rules, firms will probe for vulnerabilities at least once a quarter and test their planned responses to breaches at least once a year. Also annually, they will test if their systems can be penetrated from outside and within.
Independent contractors will conduct the external penetration tests, as well as exams at least every three years on whether the companies have adequate controls to identify risks that change more frequently. CFTC officials said the commission will not recommend contractors for the testing.
Officials did not present data on the current state of cybersecurity in U.S. commodities and derivatives.