The US government has put the derivatives industry on notice that it must evolve its cyber threat and resiliency plans, following a string of cyber-fuelled breaches and disruptions in recent years.
The Commodity Futures Trading Commission slipped out a notice last week saying that it was proposing rules that would require futures commission merchants, swap dealers and major swap participants to set out resilience frameworks, detail their cybersecurity procedures and put resiliency and continuity plans in place. It has asked for comment on its proposals.
The CFTC oversees the US’ derivatives markets, covering futures, swaps and options across commodities – pork bellies, orange juice and the like – as well as currencies, interest rates and other financial instruments.
While the CFTC set rules on risk management programs over a decade ago, it noted that the industry had seen “a wide variety of challenging conditions” since. It called out Brexit, Covid, the invasion of Ukraine and interest rate rises, amongst others.
Cyber risk was “one area of increased focus”, the CFTC said, adding that in 2022, cyber intelligence firms said the financial sector was one of the most targeted by malicious emails with 566 successful attacks resulting in 254 million leaked records.
Given the reliance on technology, “the need for financial institutions to strengthen, adapt, and prioritize their information and technology risk practices would seem critical to preserving the continued integrity and stability of U.S. financial markets.”
It noted that “A ransomware attack on a U.S. broker-dealer in November 2023 was so significant, news reports indicate that the brokerage required a capital injection from a parent entity to settle $9 billion in trades, an amount many times larger than its net capital.”
Also last year, a ransomware attack on service provider ION Trading UK forced traders to process transactions manually.
The commission is proposing that “FCMs and swap entities establish an Operational Resilience Framework (ORF) … to identify, monitor, manage, and assess risks relating to information and technology security, third-party relationships, and emergencies or other significant disruptions to normal business operations.”
As the commission puts it, an ORF will span an information and technology security program, a third party relationship program, and a business continuity and disaster recovery plan.
Unsurprisingly, the CFTC expects organizations to follow generally accepted standards, and noted “the most commonly relied on by financial institutions are the NIST CSF, ISO, the Center for Internet Security (CIS), and FFIEC, whose examination booklets and Cyber Assessment Tool (CAT) are specifically designed to guide financial institutions.”
When it comes to cyber risk, the agency wants firms to carry out risk assessments to identify both external cyber threats and internal vulnerabilities, and to prioritize these.
Companies would also need to establish and document “controls reasonably designed to prevent, detect, and mitigate identified risks to information and technology security.”
These would range from access controls, encryption and development and config practices to areas like background checks and change management programs.
Entities would also be required to set out their incident response plans, with the agency recognising “that although meaningful steps can be taken to prevent and deter risks to information and technology security, such risks may never be entirely eliminated.”
And they would be required to lay out business continuity and disaster recovery plans. The agency said it was not including a “next business day” RTO, as “depending on the circumstances, a next business day recovery standard could be either too short or too long, to the point where it may be misdirecting the focus of the rule.”
Separately, the CFTC has issued a request for comment to “better inform [it] on the current and potential uses and risks of artificial intelligence (AI) in the derivatives markets the CFTC regulates.”
Chairman Rostin Behnam said the RFC, “Prioritizes promoting responsible innovation and ensuring we understand current and potential AI use cases and the associated potential risks to our jurisdictional markets and the larger financial system.”