On December 16, 2015, the Commodity Futures Trading Commission (“CFTC”) released two Notices of Proposed Rulemaking (“NPRMs” or “Proposed Rules”) that would, if finalized, supplement existing regulations covering the cybersecurity practices of commodity exchanges and clearing organizations. Although the Proposed Rules would not impose direct changes to most aspects of regulated entities’ cybersecurity policies and practices, the Proposed Rules would mandate an extensive cybersecurity testing regime that likely would trigger significant changes in how regulated entities manage cybersecurity risks. These entities would need to shoulder the added costs of extensive testing internally and by independent professionals. It remains to be seen whether regulated entities would need to adjust current policies and practices, and to what extent, to remediate issues identified by those tests.
The Proposed Rules are said to reflect the collective sentiments of participants at the CFTC’s 2015 Staff Roundtable on Cybersecurity and System Safeguards Testing, which addressed the threats to financial institutions and cybersecurity best practices. The NPRMs also exhaustively cite public and private sector standards, regulations and guidance as a foundation for the Proposed Rules.
Risk assessments and vulnerability testing are key aspects of comprehensive cybersecurity practices, but perhaps taking a step even beyond NIST’s risk-based Cybersecurity Framework, the CFTC appears to identify extensive testing as the focal point of its approach to ensuring the adequacy of cybersecurity practices at regulated entities. Regulated entities therefore would be directed through the Proposed Rules to conduct a variety of risk assessments, including vulnerability testing, penetration testing, controls testing, security incident response plan testing and an enterprise technology risk assessment. At least some of these assessments would have to be conducted by independent professionals, and the CFTC provides a minimum frequency for many assessments, such as quarterly or annually. The NPRMs provide four sets of proposed rules, with slight deviations to the precise rules and timing, for different types of exchanges and clearing organizations.
The Proposed Rules would require regulated entities to report to senior management and the Board of Directors regarding their risk assessments, and regulated entities would be expected to remediate all identified vulnerabilities or deficiencies to the extent necessary for compliance with statutory and regulatory obligations.
The Proposed Rules are being reviewed at the same time regulated entities are also working to achieve compliance with recent cybersecurity “guidance” from the National Futures Association (“NFA”), a self-regulatory body for the futures industry that operates under CFTC oversight. On October 23, 2015, the CFTC approved the NFA’s Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49 entitled Information Systems Security Programs. The “Cybersecurity Interpretive Notice” becomes effective on March 1, 2016 and applies to all NFA members. It “provides guidance regarding information systems security practices that Member firms should adopt and tailor to their particular business activities and risks” and provides entities regulated by the CFTC and NFA with specific direction on adopting a written information systems security program (“ISSP”), performing risk assessments, deploying proactive measures to secure customer data and access to electronic systems, developing incident response plans, and training employees regarding security risks. King & Spalding attorneys recently published an article in Finance Magnate regarding the NFA’s Interpretive Notice.
The CFTC’s first big foray into cybersecurity regulation takes an approach noticeably different from the SEC and other regulatory agencies given its specific focus on testing. Regulated entities will need to quickly consider what impact these Proposed Rules will have on their on existing practices, and evaluate the burden and costs of maintaining compliance with the new NFA guidance and CFTC rules. Only a short window remains for submission of feedback to the CFTC to address concerns and potential pitfalls with the Proposed Rules. The 60-day period for comments ends on February 22, 2016.
The CFTC press release, NPRMs, Q&A, and supporting statements of the CFTC commissioners are available here.
Reporter, Mark H. Francis, New York, +1 212 556 2117, mfrancis@kslaw.com.
