The Commodity Futures Trading Commission is proposing to amend existing regulations regarding cyber-security testing and safeguards for the automated systems used by the entities it regulates.
The proposals, unanimously approved on Wednesday, identify five types of cyber-security testing as essential to a sound system safeguards program: vulnerability testing, penetration testing, controls testing, security incident response plan testing, and enterprise technology risk assessments. Derivatives clearing organizations, designated contract markets, swap execution facilities, and swap data repositories will be required to conduct each of the five types of cyber-security testing.
The proposals specify minimum testing frequency requirements and require covered firms to have certain tests performed by independent contractors.
The final rule would require that the scope of all testing and assessments be broad enough to include all testing of automated systems and controls necessary to identify any vulnerability which, if exploited or accidentally triggered, could enable an intruder or unauthorized user or insider to: interfere with the registrant’s operations or fulfillment of its regulatory responsibilities; impair or degrade the reliability, security, or capacity of the registrant’s automated systems; add to, delete, modify, or compromise the integrity of any data related to the registrant’s regulated activities; or undertake any other unauthorized action affecting the registrant’s regulated activities or the hardware or software used in connection with those activities.
The proposals also require that reports on testing protocols and results be reviewed by the registrant’s senior management and board of directors. Firms would also be required to establish and follow appropriate procedures for the remediation of issues identified through such review, and for evaluation of the effectiveness of testing and assessment protocols.
Enterprise risk management and governance requirements in the proposed rule include:
Assessment, mitigation, and monitoring of security and technology risk.
Capital planning and investment with respect to security and technology.
Board of directors and management oversight of system safeguards.
Information technology audit and controls assessments.
Remediation of deficiencies.
The proposals will be open for public comment during a 60-day comment period after their publication in the Federal Register.
In a separate matter, the CFTC adopted (by a 2-1 vote, with Commissioner Sharon Bowen dissenting) a final rule that requires swap dealers and major swap participants to post and collect margin with financial entities with whom they have significant exposures.
The rule requires initial margin, designed to protect against potential future loss on a default, as well as variation margin, which serves as mark-to-market protection. It allows for the use of a broad range of types of collateral, but only with appropriate haircuts. A greater level of margin is required for uncleared swaps, as they are likely to be less liquid than cleared swaps.
By design, the rule is intended to harmonize with similar rules crafted by U.S. bank regulators and be substantially similar to international rules.