Cybersecurity has recently become a high-priority issue at the US Commodity Futures Trading Commission (CFTC) – the agency overseeing designated contract markets, swap execution facilities, derivatives clearing organizations, swap data repositories (SDRs), swap dealers, futures commission merchants, commodity pool operators and other derivatives market participants.
CFTC Articulates Unique Cybersecurity Concerns
CFTC Chairman Timothy Massad has recognized cybersecurity as “the single most important new risk to market integrity and financial stability.” The Commission is particularly concerned about cyber-attacks on commodity markets and their participants – an exchange, clearing organization or SDR – that compromise the integrity of market data. Such a compromise could stop commodity markets from functioning and cause significant financial losses across the commodity futures trading ecosystem.
In support of its focus on cybersecurity, the CFTC recently convened a roundtable to articulate the industry’s strategy on addressing cybersecurity concerns. The event brought together representatives from the White House, Department of Homeland Security, FBI, NSA and Treasury, as well as exchanges, clearing organizations, SDRs and commodity market participants. One of the key initial concerns is assessing – through testing – the cybersecurity readiness of exchanges, clearing organizations and SDRs.
Proposed Cybersecurity Rulemaking
In the course of the discussion, CFTC staff indicated that the Commission is considering a rule that would impose cybersecurity obligations aimed at markets and clearing organizations, but not at banks or other market participants. Chairman Massad indicated that the expected rulemaking could be primarily focused on setting standards for cybersecurity systems testing, including system safeguard testing, vulnerability and penetration testing, key control testing, and business continuity and disaster recovery testing.
Panel discussions suggest that the regulations may seek to rely on existing cybersecurity best practices and address issues such as the frequency with which testing should be performed, how to define the scope for each test, and segregation of networks containing sensitive information. Offering further insights into CFTC’s strategy for the expected rulemaking, CFTC staff revealed that it may, for example, define “key controls testing” as an assessment of a registered infrastructure’s operational and automated system controls to determine whether such controls are:
- Implemented correctly,
- Operating as intended,
- Sufficient to address all material identified vulnerabilities, and
- Enabling the registered entity to meet the regulatory requirements.
The panel discussion also suggests that CFTC will impose requirements regarding business continuity and disaster recovery (BC/DR) testing to account for cybersecurity risks. In the course of discussions, CFTC staff asked panelists to estimate the cost of the BC/DR testing that critical infrastructure entities ought to be doing, but panelists were unable to provide definitive numbers.
There is little doubt that laws and regulations imposing a variety of cybersecurity obligations and controls on the nation’s critical infrastructure are imminent. Regulators across industries – from financial to energy – have been ringing alarm bells on cybersecurity concerns. Indeed, cybersecurity is so critical to the nation that the Administration and Congress agreed to a truce to collaborate on cybersecurity legislation. Companies should proactively address cybersecurity concerns not only to be prepared for the coming legislation and regulation, but because cybersecurity is good for business. The Anthem breach – which is thought to have been a “dual purpose” event seeking information for future cyberattacks – is yet another call for the business community to be vigilant and to do something about cybersecurity. The low-hanging fruit for addressing a company’s cybersecurity concerns is assessing the risks to the company’s information and infrastructure, putting together a plan to fix the weak points, and preparing and testing a plan to handle cyber incidents.