Amid growing concern regarding cybersecurity preparedness, the US derivatives regulator recently issued regulations aimed at strengthening cybersecurity obligations for certain financial services entities. On September 8, 2016, the Commodity Futures Trading Commission (CFTC) adopted amendments to its system safeguard rules for designated contract markets (DCMs), swap execution facilities (SEFs), and swap data repositories (SDRs) (collectively, Exchanges), as well as for derivatives clearing organizations (Clearinghouses).
The final rules for Exchanges and Clearinghouses are part of two parallel rulemakings, collectively referred to herein as the CFTC Final Rules.
CFTC FINAL RULES ON SYSTEM SAFEGUARDS TESTING REQUIREMENTS
To enhance and clarify existing requirements for cybersecurity testing and system safeguard risk analysis, the CFTC Final Rules specify and define the five types of testing critical to a sound system safeguards program. These critical testing types, which Exchanges and Clearinghouses must conduct, include:
- Vulnerability testing – testing automated systems to determine what information may be discoverable through a reconnaissance analysis of those systems and what vulnerabilities may be present on those systems
- Penetration testing – attempting to penetrate automated systems from outside (external) or inside (internal) the systems’ boundaries to identify and exploit vulnerabilities
- Controls testing – assessing controls (i.e., safeguards and countermeasures) to determine whether they are implemented correctly, operating as intended, and enabling the Exchange or Clearinghouse to meet its regulatory obligations
- Security incident response plan testing – testing such a plan’s effectiveness to identify potential weaknesses or deficiencies, enable regular plan updating and improvement, and maintain organizational preparedness and resiliency with respect to security incidents; and
- Enterprise technology risk assessments – writing assessments that include, but are not limited to, an analysis of threats and vulnerabilities in the context of mitigating controls.
While the Final Rules prescribe these particular types of testing as part of a sound system safeguards program, they provide Exchanges and Clearinghouses with some degree of flexibility to determine, based on an “appropriate risk analysis,” the frequency of certain types of testing. However, SDRs and “covered” DCMs (as defined in the Final Rules) are subject to minimum frequency and independent contractor requirements for certain types of cybersecurity testing. The compliance dates for these five types of testing vary, ranging from 180 days to three years after the publication of the Final Rules in the Federal Register (September 16, 2016).
The Final Rules also require that testing protocols and results are communicated to, and reviewed by, senior management and the board of directors, and that Exchanges and Clearinghouses establish and follow appropriate procedures for the remediation of issues identified through such a review. In addition to testing obligations discussed above, current CFTC requirements mandate, among other things, that Covered Entities conduct: (1) regular, periodic, and objective testing and review of their automated systems to ensure that their systems are reliable, secure and have adequate scalable capacity; and (2) regular periodic testing and review of their business continuity-disaster recovery capabilities.
The rulemakings described above are the latest indication that US financial regulators are stepping up oversight efforts with respect to cyber, which CFTC Chairman Timothy Massad recently referred to as “the biggest threat facing financial markets today.” Shortly after publication of the CFTC Final Rules, the New York State Department of Financial Services (NYDFS) issued a proposed regulation that would require banks, insurance companies and other NYDFS-regulated financial services institutions to establish and maintain a cybersecurity program, among other measures (NYDFS Proposed Regulation). Similar to the CFTC Final Rules, the NYDFS Proposed Regulation would require that certain financial institutions conduct penetration testing and vulnerability assessments as part of their cybersecurity program, and establish a written incident response plan detailing how they will respond to cybersecurity events. Please refer to our previous alert on this subject.
Collectively, these cybersecurity efforts are largely consistent with, but more prescriptive than, cybersecurity guidance promulgated by other US regulatory bodies, such as the Federal Financial Institutions Examination Council. While several of the measures discussed above have already been implemented by regulated entities in the financial services industry, financial institutions, market infrastructure providers and other industry participants should examine their current cybersecurity practices and testing procedures to ensure compliance with existing and anticipated regulatory obligations.