U.S. derivatives regulators have proposed rule changes that will require infrastructure firms to ramp up their cybersecurity efforts.
The U.S. Commodity Futures Trading Commission (CFTC) on Wednesday voted unanimously in favour of proposing rule amendments designed to bolster the industry’s cyber defences by stepping up testing and safeguards for the automated systems used by infrastructure firms, such as derivatives clearing organizations, markets, swap execution facilities, and data repositories.
The proposals, which will go out for a 60-day comment period, set out five types of testing that the regulator believes are essential to a program of sound system safeguards: vulnerability testing; penetration testing; controls testing; security incident response plan testing; and enterprise technology risk assessments. In addition, the proposals will require infrastructure firms to carry out each of the five types of testing based on risk assessments.
The proposed rules also specify minimum testing frequency requirements for all derivatives clearing organizations, swap data repositories, and certain markets, which will require them to have certain tests performed by independent contractors.