CFTC’s Proposed Rules on Cybersecurity

Dan Ryan is Leader of the Financial Services Advisory Practice at PricewaterhouseCoopers LLP. This post is based on a PwC publication by Mr. Ryan, Sean Joyce, Joseph Nocera, Jeff Lavine, Didier Lavion, and Armen Meyer.

Last week, the Commodity Futures Trading Commission (CFTC) proposed cybersecurity regulations for electronic trading platforms, clearing organizations, and data repositories. Most importantly, the proposal calls for five types of systems testing, the most impactful of which is the requirement that organizations test key controls (e.g., access to sensitive data or procedures that control changes to critical systems).

Guidance from other regulators thus far has come in the form of examination guidelines or self-assessment tools rather than regulations. [1] The CFTC’s proposal would be the first cybersecurity regulation, and some other regulators are likely to follow suit. [2]

The proposal requires that organizations conduct five specified types of cybersecurity tests. More significant organizations will be required to increase the frequency of their testing and use independent contractors to perform certain tests, while smaller organizations will have flexibility to conduct the required testing at a frequency determined by internal risk analysis. Additionally, the proposal requires that senior management and the board review the results of the required tests, and that organizations establish procedures for the remediation of identified issues.

To meet these requirements, current testing programs will need to be adjusted or expanded at nearly every organization. Specifically, the CFTC’s call for organizations to conduct controls testing and enterprise technology risk assessments (two of the five required tests) presents challenges for all but the most robust cybersecurity programs. For more significant organizations, the proposed regulation requires more frequent testing than that called for by existing guidance and in place at most organizations.

Finally, the proposed regulation’s requirement for board review of cybersecurity test results goes beyond existing CFTC guidance, which suggests that organizations only provide the board with an annual cybersecurity program assessment. [3] Therefore, boards will need appropriate education and context in cybersecurity reporting to best exercise their governance duties, and organizations will need to establish procedures to produce standardized and accessible summaries of tests.

This post analyzes the CFTC proposal’s requirements, identifying key challenges.

Proposed testing requirements

The proposed regulations require that organizations conduct five types of testing: controls testing, enterprise technology risk assessment, vulnerability testing, penetration testing, and security incident response plan testing. Most organizations have programs in place to perform the latter three—vulnerability testing, penetration testing, and security incident response testing—but may be required to enhance the scope or increase the frequency of such testing. However, organizations will need to focus on developing programs to perform controls testing and risk assessments because most organizations lack such programs or perform them informally.

Additionally, the proposal contains testing frequency and independent contractor requirements for more significant organizations—i.e., derivatives clearing organizations (DCOs), swap data repositories (SDRs), and larger [4] designated contract markets (DCMs). These requirements go beyond existing CFTC guidance, which does not provide any minimum testing frequency and only suggests that organizations use an independent contractor once every two years. These organizations will be required to perform certain tests quarterly, and will need to use independent contractors to perform these tests as often as twice per year. Smaller organizations—i.e., swap execution facilities (SEFs) and smaller DCMs—are not subject to increased testing frequency or independent contractor requirements.

The five proposed testing requirements are as follows:

Controls testing

Organizations must test all key controls included in their cybersecurity program, such as reviewing who has access to sensitive data and procedures that control changes to critical systems.

This requirement will be the most difficult of the proposed requirements because most organizations do not have controls testing programs in place. Therefore, creating an inventory and defining key controls will be a challenging exercise for all but the most robust cybersecurity programs. Additionally, larger organizations will need to use independent contractors to conduct controls testing.

The impact of this requirement is somewhat mitigated by the ability to test controls over a two-year rolling window, which allows a dedicated controls testing team to work through different controls gradually rather than all at once.

Enterprise technology risk assessment

Organizations must conduct an annual written assessment that identifies cyber threats and assesses the damage they may cause. As part of this assessment, organizations can leverage the results of their other cybersecurity testing to identify and mitigate threats and vulnerabilities.

Because most organizations do not conduct enterprise technology risk assessments on an annual basis, this requirement will be new for most entities. Cybersecurity risk assessment methodologies will need to be developed. Cybersecurity teams should look to their organization’s other risk management functions when establishing these assessment methodologies, so risks can be reported in a standardized way.

Vulnerability testing

Organizations must scan their systems to identify security weaknesses. Larger organizations will need to enhance their vulnerability testing programs, as the proposed regulation requires that they conduct quarterly testing, with at least two tests per year being conducted by an independent contractor. Most of these organizations currently perform vulnerability testing less frequently and do not use independent contractors.

However, because most organizations already perform vulnerability testing, and given the availability and maturity of services and technologies in this space, most will not face significant challenges in enhancing their programs to meet this requirement.

Penetration testing

Organizations are required to conduct an exercise that simulates an attack on the system to identify security weaknesses that would allow unauthorized access to the system. The proposed requirement calls for both internal (by an employee or contractor with access to the network) and external (by an outside attacker) penetration testing.

Because penetration testing is a well-established practice, most organizations will not find it challenging to comply with this requirement.

Security incident response plan (SIRP) testing

Organizations must maintain and test their SIRP—i.e., a written plan documenting the organization’s policies and procedures for identifying and responding to security incidents. SIRP testing can take a number of forms, including checklists, practice exercises, and simulations. This testing could be combined with a penetration test using a methodology such as CREST STAR, where a test is performed with the twin goals of identifying security weaknesses and testing the organization’s incident response team.

Because the requirement to maintain a SIRP and conduct tests is consistent with existing regulatory guidance (e.g., under the FFIEC [5] or the Gramm-Leach-Bliley Act), most organizations have already implemented SIRP testing and will not face significant challenges in meeting this requirement.

The table below sets out the testing frequency and independent contractor requirements for the five types of mandated testing, for DCOs, SDRs, and larger DCMs on the one hand and SEFs and smaller DCMs on the other:

Controls testing
  Testing frequency: DCOs, SDRs, and larger DCMs: every two years. SEFs and smaller DCMs: determined by an appropriate risk analysis.
  Independent contractor: DCOs, SDRs, and larger DCMs: perform testing of the key controls by an independent contractor every two years. SEFs and smaller DCMs: no independent contractor requirements.

Enterprise technology risk assessment
  Testing frequency: DCOs, SDRs, and larger DCMs: annually. SEFs and smaller DCMs: determined by an appropriate risk analysis.
  Independent contractor: DCOs, SDRs, and larger DCMs: perform annual testing by independent contractors or by employees who are not responsible for the development or operation of the system. SEFs and smaller DCMs: no independent contractor requirements.

Vulnerability testing
  Testing frequency: DCOs, SDRs, and larger DCMs: quarterly. SEFs and smaller DCMs: determined by an appropriate risk analysis.
  Independent contractor: DCOs, SDRs, and larger DCMs: perform testing by independent contractors for at least two of the quarterly tests during each year. SEFs and smaller DCMs: no independent contractor requirements.

Penetration testing
  Testing frequency: DCOs, SDRs, and larger DCMs: annually. SEFs and smaller DCMs: determined by an appropriate risk analysis.
  Independent contractor: DCOs, SDRs, and larger DCMs: external testing must be performed by independent contractors annually; internal testing has no independent contractor requirements. SEFs and smaller DCMs: no independent contractor requirements.

Security incident response plan testing
  Testing frequency: DCOs, SDRs, and larger DCMs: annually. SEFs and smaller DCMs: determined by an appropriate risk analysis.
  Independent contractor: DCOs, SDRs, and larger DCMs: perform annual testing by independent contractors or by employees who are not responsible for the development or operation of the system. SEFs and smaller DCMs: no independent contractor requirements.

Endnotes:

[1] For an analysis of US regulators’ cybersecurity guidance to date, see PwC’s A closer look, Cyber: Think risk, not IT (April 2015).

[2] Last month, the New York Department of Financial Services issued a letter outlining a possible upcoming proposal for a cybersecurity regulation for banks and insurers. For more information, see PwC’s Financial crimes observer, Cyber: Is New York’s regulator upping the stakes? (November 2015).

[3] For more information regarding governance requirements for market infrastructure, see PwC’s A closer look, Financial market utilities: Is the system safer? (February 2015).

[4] The testing frequency and independent contractor requirements apply to DCMs with annual trading volumes of 5% or more of the total annual trading volume of all DCMs regulated by the CFTC.

[5] The Federal Financial Institution Examination Council (FFIEC) is a regulatory council composed of the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Consumer Financial Protection Bureau, and the National Credit Union Administration. While FFIEC guidance is not directly applicable to CFTC-regulated organizations, some organizations look to the FFIEC IT Handbook and Cyber Assessment Tool for best cybersecurity practices.


2 Comments

  1. Dr. Ton van Gessel
    Posted Sunday, January 3, 2016 at 8:52 am

    I like the approach very much, but if you want to succeed seriously you also need to add the EU vision and strategy into the process. This will make your RULESET more robust. A positive side effect will then be that non-US based institutions/companies will follow too. Just an idea.

  2. Anzar Hasan
    Posted Tuesday, January 5, 2016 at 11:57 am

    I agree with the approach, but "Perform testing of the key controls by independent contractor every two years" is a very lenient strategy.