While the Securities and Exchange Commission (SEC) has garnered significant attention for its increased efforts and focus on regulating and enforcing enhanced cybersecurity measures within the U.S. financial markets, the Commodity Futures Trading Commission (CFTC) has also taken extensive steps in this emerging area.

The focus on cybersecurity has grown into an ever-present issue across all industries in recent years as banks and financial firms, national retailers, and companies of all kinds have been hit by breaches affecting confidential customer data. Covered entities must ensure they are — and remain — familiar with the CFTC's cybersecurity and data protection regulations.

The CFTC's efforts come amid a growing emphasis on cybersecurity and data protection by U.S. regulators and legislators alike. In May 2016, then-CFTC Chair Timothy Massad highlighted the growing risk due to the increasing role of technology-based automated trading, which at that time represented 60% to 70% of the markets the CFTC regulates, and the agency's intent to finalize rules on cybersecurity. He further stated that "cyber is the biggest threat facing financial markets today" — a sentiment that echoed comments by then-SEC Chair Mary Jo White. A more detailed look at the SEC's cyber-related regulations and enforcement actions can be found in this previous Funds Talk article.

In response to what it characterized as "the well-documented increase in cyber threats, and the need to enhance its existing requirements for cybersecurity testing in light of this increase," the CFTC took its first steps toward enhanced oversight of cybersecurity measures in late 2015 with the release of two proposed amendments to its existing system safeguards regulations, addressing cybersecurity testing and safeguards for automated systems. The proposals identified five types of cybersecurity testing the CFTC considered "essential to a sound system safeguards program": vulnerability testing, penetration testing, controls testing, security incident response plan testing and enterprise technology risk assessments.

In September 2016, the CFTC unanimously approved final rules on system safeguards testing requirements for designated contract markets, swap execution facilities, swap data repositories and derivatives clearing organizations. The final rules retain the same five types of testing, and covered entities are also required to engage independent contractors to conduct external penetration tests and certain other required tests. Drawing on industry standards, the rules set minimum testing frequencies: covered firms must conduct vulnerability tests at a frequency determined by their own risk analysis, and in any event at least quarterly, a cadence that the CFTC says will help ensure derivatives clearing organizations can respond to new vulnerabilities as they arise. In addition, covered entities must test at least annually whether their systems can be penetrated by an attacker positioned either outside or inside the organization.

The final rules require the scope of all testing and assessments to be broad enough to cover the automated systems and controls that the covered entity's cybersecurity threat analysis indicates are necessary to identify risks and vulnerabilities that could allow an unauthorized user or insider to:

  • Interfere with the entity's operations or with fulfillment of its statutory and regulatory responsibilities.
  • Impair the reliability, security or capacity of its automated systems.
  • Add to, delete, modify, exfiltrate or compromise the integrity of any data related to its regulated activities.
  • Undertake any other unauthorized action affecting its regulated activities or the hardware or software used in connection with those activities.

Finally, the rules require that reports on testing protocols and results be communicated to, and reviewed by, a covered entity's senior management and board of directors. Where that review identifies issues, senior management and the board are required to establish and follow appropriate procedures to ensure those issues are remediated. To support this, registrants must identify and document the vulnerabilities and deficiencies revealed by the testing and assessments required under the applicable system safeguards rules.

The CFTC's cybersecurity rules are designed to provide flexibility commensurate with a covered entity's risk, so that programs can adapt as attack methods evolve, and to help firms recover quickly after a breach. Like the SEC's, the CFTC's regulations emphasize safeguarding systems and infrastructure to prevent intrusions and other cyber events through the creation and regular updating of adequate policies and procedures that keep pace with evolving threats. They also emphasize preparedness, so that a cyber incident receives a prompt and proper response.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.