The Commodities Futures Trading Commission (CFTC) recently proposed two new rules requiring cybersecurity testing and system safeguards of risk analysis. The CFTC has stated that the proposals are meant to enhance and clarify the existing requirements. According to CFTC Chairman Timothy Massad, “The risk of cyberattacks is perhaps the most important single issue we face in terms of financial market stability and integrity.”
The CFTC’s concerns echo throughout the financial services sector. Cybersecurity is the primary concern of nearly fifty percent of financial institutions in the United States. This makes sense — the financial services sector was victim to an average of 350 malware attacks per week during 2014. In light of this risk, Commissioner Sharon Bowen, the sponsor of the CFTC’s Market Risk Advisory Committee, recognized that “it’s critical that the financial industry have strong protections in place.”
Who would be covered: One of the two rule proposals addresses clearing and applies to derivatives clearing organizations (DCOs), and the other rule proposal addresses exchange-related matters and applies to designated contract markets (DCMs), swap execution facilities (SEFs), and swap data repositories (SDRs).
What would the entities have to implement? All DCOs, DCMs, SEFs, and SDRs would need to implement five core types of cybersecurity testing:
- Vulnerability testing. An entity would need to test its automated systems for vulnerabilities that permit information to be obtained by outside parties.
- Penetration testing. Entities would be required to conduct internal and external penetration testing. This testing is meant to identify the extent to which a system can be compromised and to evaluate the effectiveness of the entities’ response mechanism. Internal testing assesses the ability of automated systems within the entity (i.e., on the internal network) to identify and exploit vulnerabilities. External testing assesses the ability of outside sources (i.e., the Internet or wireless frequencies around an organization) to identify and exploit system vulnerabilities.
- Controls testing. Entities would need to test how well they are safeguarding the reliability, security, or capacity of their data and information. There are three broad types of system safeguards-related controls that entities would need to test: technological controls, operational controls, and management controls. These controls help protect against risks including automated system failures or deficiencies and human errors, deficiencies, or malicious actions.
- Security incident response plan testing. Entities would be required to test the procedures they have in place and assess the resources available for identifying, responding to, mitigating, and recovering from security breaches. The security incident response plan would need to list the responsibilities of management, staff, and independent contractors in responding to a security incident. Tests could range from running through a checklist to running simulated attacks.
- Enterprise technology risk assessment. Entities would be required to conduct a written assessment of the threats and risks that face them. The assessment would identify, estimate, and prioritize the risks to an entity’s operations or assets, or to market participants, individuals, and other entities, from a breach.
How should entities conduct the testing? The CFTC rules would require DCOs, covered DCMs, and SDRs to hire independent contractors, or use employees who are not responsible for developing or operating the system, to conduct security incident response plan testing and enterprise technology risk assessment testing. Covered DCMs and SDRs would need to hire independent contractors to perform controls testing, and DCOs would have the option to use employees independent of the system being tested. All entities would need to obtain independent contractors to conduct external penetration testing, but internal penetration testing could be conducted by employees whose work is independent from the system being tested. Additionally, independent contractors would need to conduct at least half of all vulnerability tests.
There are benefits to testing systems with both independent contractors and entity employees. Independent contractors bring an outsider’s perspective and can look for vulnerabilities that employees may not have considered. Conversely, an entity employee’s intimate knowledge of the entity’s network and systems may lead to testing viewpoints that an outsider would not otherwise consider.
How often should the testing be done? Under the proposed rules, vulnerability testing would need to be conducted quarterly; penetration testing, security incident response plan testing, and enterprise technology risk assessments would be required annually; and controls testing would be required at least every two years.
The CFTC unanimously approved the proposed rules. The public comment period will continue through 60 days after the proposed rules are published in the Federal Register.