What are the new CFTC regulations on cybersecurity testing?

The proposed CFTC regulations on cybersecurity testing are set to finalize in 2016. Expert Mike Chapple discusses the effects these regulations have on IT-reliant trading firms.

Mike Chapple, University of Notre Dame

With concerns growing over cyberattacks on the financial services industry, the U.S. Commodity Futures Trading Commission is getting ready to finalize new cybersecurity regulations this year for automated systems and trading platforms. What are these proposed CFTC regulations and what affect might they have on trading firms that rely heavily on IT to do business?

Companies trading in the U.S. commodity futures market will soon have to perform five types of cybersecurity testing at certain minimum frequencies. The U.S. Commodity Futures Trading Commission, or CFTC, aims to finalize new cybersecurity rules in 2016, along with regulations on safeguards on automated trading systems and trading position limits. Certain types of cybersecurity testing will also have to be performed by independent contractors.

In particular, derivatives clearing organizations, certain contract markets, swap execution facilities and swap data repositories will have to comply with the following five control categories in the CFTC regulations:

Vulnerability testing -- Includes the scanning of systems and networks to detect known vulnerabilities and provide a roadmap for fixing them.
Penetration testing -- Uses skilled security professionals armed with hacking tools to attempt to break into IT resources as a test of security. Any security holes uncovered are flagged for appropriate remediation.
Controls testing -- Verifies that the controls used to meet security objectives are functioning correctly.
Security incident response plan testing -- Uses realistic conditions to validate organization, drills, first responder actions and the overall incident response process.
Enterprise technology risk assessments -- Identifies and evaluates threats, vulnerabilities and priorities for handling them.

The frequency of cybersecurity testing required will be determined by relevant risk analysis, or by minimum testing frequency requirements specified in the amendments to the existing regulations. Through improved cybersecurity, automated trading and position limits, the aim of the CFTC regulations is to make the commodity futures market a safer place for all concerned.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Discover whether cyberwar games are a good way to test enterprise security

Find out what the best risk assessment frameworks are for your organization

Check out these four pen testing tools that can improve midmarket security

This was last published in October 2016

What are the new CFTC regulations on cybersecurity testing?

The proposed CFTC regulations on cybersecurity testing are set to finalize in 2016. Expert Mike Chapple discusses the effects these regulations have on IT-reliant trading firms.

Next Steps

Dig Deeper on Risk assessments, metrics and frameworks

BSO named first non-domestic global connectivity provider for Indian stock exchange

What is the Dodd-Frank voice recording rule for the swaps market?

6 supply chain management tips

U.S. government imposes stricter IoT security measures on D-Link

Related Q&A from Mike Chapple

Stateful vs. stateless firewalls: Understanding the differences

Wired vs. wireless network security: Best practices

The difference between AES and DES encryption