CFTC Finalizes Enhanced Cybersecurity Testing Rules for Market Infrastructures | Practical Law

The CFTC finalized a rule regarding system safeguards testing for market infrastructures including DCOs, DCMs, SEFs, and SDRs.

Practical Law Legal Update w-003-4582 (Approx. 4 pages)

by Practical Law Finance
Published on 21 Sep 2016 | USA (National/Federal)
On September 8, 2016, the CFTC finalized a rule regarding cybersecurity system safeguards testing for the following core market infrastructures:
The rule is designed to ensure that private market infrastructures are regularly evaluating cyber risks and testing their cybersecurity and operational risk defenses. While these are already general requirements for these infrastructures, the new rules add greater definition by setting out principles-based standards and requiring specific types of testing. Some changes to the rules include:
  • A reduced frequency of controls testing.
  • Narrower instances where independent contractor testing is required.
  • Clarification of key definitions.
  • Clarification that the scope of required testing is based on appropriate risk and threat analysis.
The rules set up a comprehensive testing regime which:
  • Defines the types of cybersecurity testing that fulfill system-safeguards testing obligations, including:
    • vulnerability testing;
    • penetration testing;
    • controls testing;
    • security incident response plan testing; and
    • enterprise technology risk assessment.
  • Requires internal reporting and reviews of testing results.
  • Mandates remediation of vulnerabilities and deficiencies.
  • Requires additional measures such as minimum frequency requirements for conducting certain testing for certain significant entities based on trading volume.
The rules require that market infrastructures must:
  • Probe for vulnerabilities at least once a quarter.
  • Test their planned responses to breaches at least once a year.
  • Annually test if their systems can be penetrated from outside and within.
Independent contractors must conduct the annual external penetration tests and, at least once every three years, must examine whether the market infrastructures have adequate controls to identify risks that change more frequently.
The rules aim to:
  • Promote flexibility as hacking methods evolve.
  • Help firms stay up to date on the best responses to cyberattacks.
  • Assist with quick recovery after incursions.
This rule is effective on September 19, 2016.
In connection with these final rules, the CFTC released the following: