
CFTC adopts new rules for cyber security testing

Timothy Massad, chairman of the CFTC.

The US Commodity Futures Trading Commission (CFTC) has voted to adopt new rules governing security testing for designated contract markets, swap execution facilities, swap data repositories and derivatives clearing organisations. The amendments are in line with the recently released ‘Guidance on Cyber Resilience for Financial Market Infrastructures’ published by the Bank for International Settlements’ Committee on Payments and Market Infrastructures and the International Organization of Securities Commissions.

Timothy Massad, chairman of the CFTC, said that guidance on how to ensure the integrity of financial market infrastructure is urgent because: “The risk of cyberattack probably represents the single greatest threat to the stability and integrity of our markets today.”

The amendments clarify existing requirements and spell out five distinct types of security testing: vulnerability testing, penetration testing, controls testing, security incident response plan testing, and enterprise technology risk assessments.

The rules specify how frequently financial infrastructure organisations must conduct each type of testing. Vulnerability testing, for example, should be carried out quarterly, while penetration testing, security incident response plan testing, and enterprise technology risk assessments should be carried out annually. Controls testing should occur at least every three years.

The CFTC clarifies that certain tests, such as vulnerability testing, can be conducted in-house by specialists employed by the market infrastructure organisation, provided: “They are not responsible for development or operation of the systems or capabilities being tested”. The rules also require that an independent contractor conduct the annual penetration test and the controls test that is due at least every three years.

Speaking about the new rules, Massad said that they are: “One good example of how we are looking ahead and addressing these new challenges. They will serve as a strong and important complement to the many other steps being taken by regulators and market participants to address cybersecurity.”