Securities Regulation Daily
News
Thursday, September 8, 2016

Final cyber rules feature unity on system safety duties

By Mark S. Nelson, J.D.

The CFTC unanimously approved two sets of system safeguards rules for an array of entities subject to oversight by the agency’s Divisions of Market Oversight and Clearing and Risk. The rules update spells out the monitoring and testing requirements for designated contract markets, swap execution facilities, swap data repositories, and derivatives clearing organizations. The so-called "Exchange Final Rules" also include an enterprise risk component, and the Commission could mull additional requirements for systemically important SEFs.

CFTC Chairman Timothy Massad said cybersecurity is one of the biggest threats to markets and the updated system safeguards rules will help to ensure the integrity of markets. Massad noted that the rules are principles-based and rooted in industry best practices that will enable the new requirements to function alongside existing rules and other regulatory efforts aimed at combating cybersecurity risks. The chairman also said the rules were crafted with an eye to the evolving nature of cybersecurity.

Commissioner Sharon Bowen likewise praised the rules’ focus on testing and governance. But Commissioner J. Christopher Giancarlo, while backing the new rules, voiced worries about the costs implementation will bring to smaller DCOs.

Testing, frequency, independence. One set of rules, called the Exchange Final Rules, applies to DCMs, SEFs, and SDRs, while another set, called the Clearing Final Rules, applies to DCOs. For the most part, both sets of rules contain similar requirements, although the exchange rules add requirements for dealing with enterprise-wide risks.

A Fact Sheet and Q&A provided by the CFTC say the rules mandate testing by registrants that is "broad enough" to cover a registrant’s automated systems and controls. Likewise, registrants’ senior managers and boards will need to review their policies, and registrants must document their risk analyses and their determinations to remediate or accept risks.

Julie Mohr, the DCR’s Deputy Director for Examinations, and David Taylor, the DMO’s Associate Director, explained the several types of required systems testing: (1) vulnerability; (2) penetration; (3) controls; (4) security incident response plan testing; and (5) enterprise technology risk assessments.

For example, vulnerability and penetration testing generally would follow guidance offered by the Commerce Department’s National Institute of Standards and Technology, the Federal Financial Institutions Examination Council, or standards developed by the payment card industry. Vulnerability testing identifies weaknesses in systems and software, such as those introduced by new features or changed software configurations, that could expose a registrant to attackers. By contrast, penetration testing goes a step further and attempts to exploit such weaknesses through simulated attacks launched from both outside and inside the organization.

The several kinds of testing will be defined in the final rules. Some registrants also will have to abide by minimum frequency requirements, ranging from quarterly to annually to at least once every three years, depending on the type of test. Still other registrants will have to engage independent third parties for some kinds of testing.

Enterprise risk. The Exchange Final Rules include a requirement for conducting enterprise risk management and governance analyses. This requirement establishes a baseline of things for registrants to consider, including: (1) assessment, mitigation, and monitoring of risks; (2) capital planning and investment; (3) board and management oversight of system safeguards; (4) information technology audit and controls assessments; and (5) remediation.

More rules for SEFs? Commission staff also said they are preparing a related advance notice of proposed rulemaking on whether to impose additional system safeguards requirements on systemically important SEFs. The advance notice could lead to further rulemaking. The CFTC plans to hold a roundtable on the need for heightened standards for SEFs later this year.

Commissioner Bowen reiterated her prior support for bringing SEFs into the system safeguards regime. She also expressed interest in the upcoming roundtable to consider whether "significant" SEFs should be held to even higher cybersecurity standards.

