On September 29, 2015, Commodity Futures Trading Commission (CFTC) Chairman Timothy Massad delivered a “State of the Derivatives Marketplace” speech before the 3rd Annual OTC Derivative Summit North America. The speech highlighted risks facing derivatives clearinghouses, including cybersecurity. Chairman Massad said: “We’re stepping up efforts to protect against cyber threats – as well as technological and operational risk generally. That’s because clearinghouse risk does not come only from credit or market risk.” To address cyber threats, the CFTC will add cybersecurity system safeguards, including information security programs, as part of the core principles and regulations applicable to clearinghouses, designated contract markets, swap execution facilities, swap data repositories (SDRs) and other entities. CFTC examinations will focus on an institution’s information security programs to determine whether it’s practicing good cyber hygiene and following written policies and procedures designed to mitigate cybersecurity risks. Furthermore, the CFTC will require that core infrastructure entities – clearinghouses, exchanges and SDRs – undertake adequate evaluation and testing of cyber risks. According to Chairman Massad, the CFTC will propose the new cybersecurity standards this fall. To be sure, given the recent proposed cybersecurity interpretative notice by the National Futures Association and keynote address by CFTC Commissioner Bowen before the International Swaps and Derivatives Association, market participants can expect in the near future additional cybersecurity risk standards, as well as standards addressing technological and operational risk generally.
The CFTC’s new standards will likely be consistent with the Interagency Guidelines Establishing Information Security Standards applicable to banking organizations and largely based on the CFTC’s information security best practices (CFTC Best Practices) applicable to futures commission merchants, commodity trading advisors, commodity pool operators, introducing brokers, retail foreign exchange dealers, swap dealers and major swap participants (Covered Entities). The CFTC Best Practices recommend that each Covered Entity develop, implement and maintain a written information security program that is appropriate to its size and complexity and to the nature and scope of its activities, and that requires the entity, at a minimum, to perform the following:
- Designate a specific employee with privacy and security management oversight responsibilities, who develops strategic organizational plans for implementing the required controls, is part of or reports directly to senior management or the board of directors, and designates employee(s) to coordinate, implement and regularly assess the effectiveness of the program.
- Identify, in writing, all reasonably foreseeable internal and external risks to the security, confidentiality and integrity of personal information, and of the systems that process it, that could result in unauthorized disclosure, misuse, alteration, destruction or other compromise of such information or systems, and establish processes and controls to assess and mitigate those risks; repeat this identification and assessment before implementing new or materially changed internal systems.
- Design and implement safeguards to control the identified risks, and maintain a written record of such designs.
- Train staff to implement the program, and provide regular refresher training.
- Regularly test or otherwise monitor the safeguards’ controls, systems, policies and procedures, and maintain written records of the effectiveness of the controls, including the effectiveness of:
a) access controls on personal information;
b) encryption of electronic information in storage and transit;
c) controls to detect, prevent and respond to incidents of unauthorized access to or use of personal information; and
d) employee training and supervision relating to the program.
- At least once every two years, arrange for an independent party to test and monitor the safeguards’ controls, systems, policies and procedures, while maintaining written records of the effectiveness of the controls, as explained above.
- To the extent that third-party service providers have access to customer records and information, oversee those service providers and document in writing that, in doing so, the entity is:
a) taking reasonable steps to select and retain service providers capable of maintaining appropriate safeguards; and
b) contractually requiring service providers to implement and maintain appropriate safeguards.
- Regularly evaluate and adjust the program in light of:
a) the results of the risk-assessment process;
b) relevant changes in technology and business processes;
c) any material changes to operations or business arrangements; and
d) any other circumstances that the entity knows or reasonably believes may have a material impact on the program.
- Design and implement policies and procedures for responding to an incident involving unauthorized access, disclosure or use of personal information, including policies and procedures to:
a) assess the nature and scope of any such incident, and maintain a written record of the systems and information involved;
b) take appropriate steps to contain and control the incident to prevent further unauthorized access, disclosure or use, and maintain a written record of steps taken;
c) promptly conduct a reasonable investigation, determine the likelihood that personal information has or will be misused, and maintain a written record of such determination; and
d) if the Covered Entity determines that misuse of information has occurred or is reasonably possible, then, as soon as possible, notify the individuals whose information was or may be misused and notify the CFTC in writing, explaining the situation and the possible risks (unless law enforcement requests in writing that notification be delayed).
- Provide the Board of Directors an annual assessment of the program, including updates to the program, the effectiveness of the program, and instances during the year of unauthorized access or disclosure of personal information.
While the CFTC’s cybersecurity standards due out this fall may initially be applicable to clearinghouses, exchanges and SDRs, Covered Entities and other market participants should prepare for additional CFTC risk standards by reviewing their current policies and procedures and adjusting their risk management programs as appropriate.