What are the new CFTC regulations on cybersecurity testing?

With concerns growing over cyberattacks on the financial services industry, the U.S. Commodity Futures Trading Commission is getting ready to finalize new cybersecurity regulations this year for automated systems and trading platforms. What are these proposed CFTC regulations and what affect might they have on trading firms that rely heavily on IT to do business?

Companies trading in the U.S. commodity futures market will soon have to perform five types of cybersecurity testing at certain minimum frequencies. The U.S. Commodity Futures Trading Commission, or CFTC, aims to finalize new cybersecurity rules in 2016, along with regulations on safeguards on automated trading systems and trading position limits. Certain types of cybersecurity testing will also have to be performed by independent contractors.

In particular, derivatives clearing organizations, certain contract markets, swap execution facilities and swap data repositories will have to comply with the following five control categories in the CFTC regulations:

1. Vulnerability testing -- Includes the scanning of systems and networks to detect known vulnerabilities and provide a roadmap for fixing them.
2. Penetration testing -- Uses skilled security professionals armed with hacking tools to attempt to break into IT resources as a test of security. Any security holes uncovered are flagged for appropriate remediation.
3. Controls testing -- Verifies that the controls used to meet security objectives are functioning correctly.
4. Security incident response plan testing -- Uses realistic conditions to validate organization, drills, first responder actions and the overall incident response process.
5. Enterprise technology risk assessments -- Identifies and evaluates threats, vulnerabilities and priorities for handling them.

The frequency of cybersecurity testing required will be determined by relevant risk analysis, or by minimum testing frequency requirements specified in the amendments to the existing regulations. Through improved cybersecurity, automated trading and position limits, the aim of the CFTC regulations is to make the commodity futures market a safer place for all concerned.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)