WavebreakmediaMicro - Fotolia
With concerns growing over cyberattacks on the financial services industry, the U.S. Commodity Futures Trading Commission is getting ready to finalize new cybersecurity regulations this year for automated systems and trading platforms. What are these proposed CFTC regulations and what affect might they have on trading firms that rely heavily on IT to do business?
Companies trading in the U.S. commodity futures market will soon have to perform five types of cybersecurity testing at certain minimum frequencies. The U.S. Commodity Futures Trading Commission, or CFTC, aims to finalize new cybersecurity rules in 2016, along with regulations on safeguards on automated trading systems and trading position limits. Certain types of cybersecurity testing will also have to be performed by independent contractors.
In particular, derivatives clearing organizations, certain contract markets, swap execution facilities and swap data repositories will have to comply with the following five control categories in the CFTC regulations:
- Vulnerability testing -- Includes the scanning of systems and networks to detect known vulnerabilities and provide a roadmap for fixing them.
- Penetration testing -- Uses skilled security professionals armed with hacking tools to attempt to break into IT resources as a test of security. Any security holes uncovered are flagged for appropriate remediation.
- Controls testing -- Verifies that the controls used to meet security objectives are functioning correctly.
- Security incident response plan testing -- Uses realistic conditions to validate organization, drills, first responder actions and the overall incident response process.
- Enterprise technology risk assessments -- Identifies and evaluates threats, vulnerabilities and priorities for handling them.
The frequency of cybersecurity testing required will be determined by relevant risk analysis, or by minimum testing frequency requirements specified in the amendments to the existing regulations. Through improved cybersecurity, automated trading and position limits, the aim of the CFTC regulations is to make the commodity futures market a safer place for all concerned.
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)
Discover whether cyberwar games are a good way to test enterprise security
Find out what the best risk assessment frameworks are for your organization
Check out these four pen testing tools that can improve midmarket security
Dig Deeper on Risk assessments, metrics and frameworks
Related Q&A from Mike Chapple
Explore the differences between wired and wireless network security, and read up on best practices to ensure security with or without wires. Continue Reading
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading