Commodity Futures Trading Commission (CFTC) Chairman Timothy Massad has recently stated that the CFTC may soon issue principles-based standards that would require certain CFTC-regulated entities to conduct penetration, vulnerability, and control testing of cybersecurity systems. This warning comes on the heels of recent activity by Federal and State financial regulators, who have been taking an increasingly active role in issuing specific cybersecurity requirements for regulated financial institutions. In light of the CFTC’s current political make-up (two Democratic Commissioners who would apparently support CFTC-issued cybersecurity regulations and one Republican who may oppose them), it appears likely that we will see enhanced cybersecurity regulation of certain CFTC-regulated entities in the near term.

Background

In a series of public addresses this Fall, CFTC Chairman Timothy Massad has repeatedly stated that he expects the CFTC to soon (perhaps by the end of the year) take action to propose principles-based cybersecurity standards for major exchanges, clearinghouses, and swap data repositories.1

According to Chairman Massad’s recent remarks, the CFTC’s potential cybersecurity standards would ensure that clearinghouses, as well as other “core infrastructure” entities (e.g., major exchanges and swap data repositories), are conducting adequate evaluations of cybersecurity risks and testing their cybersecurity and operational risk protections.

Per Chairman Massad’s recent remarks, a CFTC cybersecurity regulatory proposal would apparently require certain regulated entities to engage in:

  • Penetration testing (i.e., testing a network for vulnerabilities);
  • Vulnerability testing (i.e., identifying, quantifying, and prioritizing vulnerabilities); and
  • Control testing (i.e., testing of key controls to counteract these vulnerabilities).

These statements follow a March CFTC Staff Round Table on Cybersecurity and System Safeguards Testing, in which the CFTC sought industry and government agency feedback on what the CFTC’s role should be to “add value” for regulated entities, in the context of cybersecurity. During this roundtable discussion, Chairman Massad noted that cybersecurity is the “most important single issue facing our markets today in terms of integrity and financial stability.”2

Democratic CFTC Commissioner Sharon Bowen has also emphasized the need for enhanced CFTC regulation in the area of cybersecurity. According to Commissioner Bowen, CFTC registrants should be required to: (1) designate a central cybersecurity officer; (2) provide the CFTC with regular reports regarding the state of their cybersecurity programs; (3) report any material cybersecurity events to the CFTC promptly; and (4) sanction annual penetration testing by an independent auditor to ensure adoption of best practices.3

Both Chairman Massad’s and Commissioner Bowen’s remarks align with recent activity by the National Futures Association (the futures industry’s self-regulatory organization), which, itself, has proposed principles-based cybersecurity standards for its members.4

It is worth noting that while the CFTC’s Republican Commissioner, J. Christopher Giancarlo, may agree with Chairman Massad and Commissioner Bowen’s expressed ends (protecting firms and the public against cybersecurity incidents), it is unclear whether he would agree with the means. In a recent keynote address, Commissioner Giancarlo supported Chairman Massad’s position that cybersecurity is the most important single issue facing market integrity and financial stability, but at the same time, he disavowed any “top-down” approaches that would impose “dated mandates on firms that consume precious resources responding to last year’s dramatic cyber-attack, causing them to miss the attack that will happen tomorrow….”5

Despite these remarks, in light of the CFTC’s current make-up—two Democratic commissioners that actively support CFTC cybersecurity regulations and only one Republican commissioner to potentially vote against them—it appears likely that Chairman Massad’s admonitions will come to fruition.

  1. See e.g., Timothy G. Massad, Chairman, CFTC, Keynote Address before the Beer Institute Annual Meeting (Sep. 9, 2015); see also Timothy G. Massad, Chairman, CFTC, Keynote Remarks before the Risk USA Conference (Oct. 22, 2015); see also Timothy G. Massad, Chairman, CFTC, Keynote Remarks before the Futures Industry Association Futures and Options Expo (Nov. 4, 2015).
  2. See CFTC, Staff Roundtable on Cybersecurity and Systems Safeguard Testing (transcript), Washington D.C. (Mar. 18, 2015).
  3. See Sharon Y. Bowen, Commissioner, CFTC, Keynote Address before the ISDA North America Conference (Sep. 17, 2015).
  4. See National Futures Association, Information Systems Security Programs – Proposed Adoption of the Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs (Aug. 28, 2015).
  5. See J. Christopher Giancarlo, Commissioner, CFTC, Keynote Address before the 2015 ISDA Annual Asia Pacific Conference (Oct. 26, 2015).

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.