A performance audit of the U.S. Commodity Futures Trading Commission’s (CFTC) policies and procedures for reviewing CFTC registrants’ cybersecurity policies was recently posted online. The goal of the audit was to reduce the cybersecurity risks of the financial organizations that are overseen by the CFTC. The audit was conducted by the CFTC’s Office of the Inspector General, which contracted with a third party to perform the actual review. The CFTC’s response to the report highlights recently approved rules regarding cybersecurity testing by registrants that require external and internal penetration and vulnerability testing at a frequency determined by appropriate risk analysis. The report also recommends use of a risk-based approach to test registrants’ cybersecurity preparedness; that testing is currently conducted by the National Futures Association (NFA) rather than by the CFTC directly.
TIP: The audit and the new rules referenced in the CFTC’s responses to it highlight the growing importance of cybersecurity. Registrants that fall within CFTC oversight should keep in mind the significance that both the CFTC and the NFA place on preventing cybersecurity incidents by registrants, the additional testing requirements, and the increased focus on registrants’ cybersecurity preparedness.