In mid-December 2015, the U.S. Commodity Futures Trading Commission (CFTC) unanimously passed changes to existing regulations which would require "all derivatives clearing organizations, designated contract markets, swap execution facilities, and swap data repositories to conduct five different types of cybersecurity testing throughout the calendar year."
While the enhanced rules affect only a subset of the financial services industry, and are certainly not a groundbreaking or new technical solution to prevent the next data breach, they represent a growing and important trend: increased scrutiny of how the financial services industry should protect its most critical assets and sensitive data. The new regulations also stress the importance of implementing a cybersecurity function as part of the overarching risk management program.
The CFTC released the final rules in September 2016, and they define the basic components of a robust cybersecurity/information security program. Starting in 2017, covered organizations are required to perform each of the following:
- Vulnerability Testing – Periodic scanning of applications, databases, networks and other information system components to determine weaknesses.
- Penetration Testing – Knowingly exploiting an information system to proactively identify system weaknesses that may be used by hackers to obtain sensitive information or monetary gain.
- Controls Testing – An assessment of an organization’s risk management procedures to determine if controls are in place to adequately secure information systems and data.
- Security Incident Response Plan – An overarching document and associated plan which helps an organization respond to an actual or perceived data breach or loss. The organization should also periodically self-assess whether personnel are prepared to implement the plan by using scenario-based training.
- Enterprise Technology Risk Assessment – Financial services institutions should maintain a robust enterprise risk management program which includes a review of technology and considers both internal and external threats. The assessment should also include mitigation strategies for each identified risk.
Throughout 2017, it is important for trading organizations to understand the CFTC's new requirements for cybersecurity capabilities. With major milestones falling even in the first few months of the new year, security organizations (e.g., compliance, internal audit, Office of the CISO) should ensure that they have the people, processes and technologies in place to meet the new compliance standards.
Overall, the new rules mandated by the CFTC should not only clarify expectations for how organizations approach cybersecurity but also provide a window into how the industry is going to regulate cyber risk in the future. Going forward, financial services providers should expect an increase in the number of requirements for the protection of data and assets.