On Sept. 17, 2015, Commissioner Sharon Y. Bowen of the U.S. Commodity Futures Trading Commission (CFTC) gave the keynote address for the International Swaps and Derivatives Association’s 2015 North American Conference in New York. Commissioner Bowen reminded the audience of the National Futures Association’s (NFA’s) recent proposed cybersecurity interpretive notice that would require swap dealers, major swap participants, futures commission merchants, commodity trading advisors, commodity pool operators and introducing brokers to establish, maintain and follow written information systems security programs (ISSPs). The NFA’s proposed ISSPs would require member firms to establish and implement a risk governance framework, perform security and risk analyses of their information technology systems, and provide ongoing training for personnel on information security. While the NFA’s proposed ISSPs are consistent with cybersecurity programs already imposed on many financial institutions, the four ideas proposed by Commissioner Bowen would go beyond anything proposed by other financial regulators.
Commissioner Bowen noted that regulators need to create standardized processes for dealing with cybersecurity. While not saying that the financial services industry needs prescriptive rules on network defenses, or even mandated prescriptions at all, Commissioner Bowen said “we should start by requiring that companies create processes in advance for building and testing their cybersecurity systems and a clearer process for sharing information about cybersecurity threats with regulators.” With the overall goal of ensuring a minimum level of cybersecurity protections, Commissioner Bowen suggested that the CFTC could:
- consider requiring each CFTC registrant to designate an employee as a cybersecurity expert or chief information security officer;
- require each registrant to provide the CFTC with regular reports regarding the state of its cybersecurity program;
- explicitly require that all registrants report any material cybersecurity event to the CFTC promptly; and
- require an independent audit of each registrant or annual penetration testing by an independent auditor to ensure industrywide adoption of best practices.
Commissioner Bowen’s ideas would be a giant leap forward for cybersecurity regulation, but may also be a bridge too far for many market participants. While the benefits of designating a cybersecurity expert or chief information security officer may well outweigh the burdens, the other ideas are more problematic. For example, the burden of preparing regular cybersecurity reports or undergoing independent audits for the CFTC may drain available time and resources away from other cybersecurity preparedness activities. Furthermore, an explicit requirement that registrants report any material cybersecurity event to the CFTC promptly may be inconsistent with U.S. Securities and Exchange Commission (SEC) disclosure regulations (for publicly held registrants) or could damage a firm’s cyber incident response and recovery tactics in certain instances. As an alternative to forced disclosures or mandatory audits, the CFTC could require that a registrant’s ISSPs contain policies and procedures for participating in cyber incident-sharing networks, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), or for incorporating the processes described in the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (NIST Framework). By requiring registrants to participate in the FS-ISAC or adopt the NIST Framework, the CFTC would build upon the information security best practices it published in February 2014 and maintain consistency with the NFA and other financial services regulators. While CFTC Commissioner Bowen’s four ideas are a step in the right direction, they may be a step too far for now.