[Federal Register Volume 80, Number 246 (Wednesday, December 23, 2015)]

[Proposed Rules]

[Pages 80113-80138]

From the Federal Register Online via the Government Publishing Office [www.gpo.gov]

[FR Doc No: 2015-32144]

[[Page 80113]]

Vol. 80

Wednesday,

No. 246

December 23, 2015

Part IV

Commodity Futures Trading Commission

———————————————————————–

17 CFR Part 39

System Safeguards Testing Requirements for Derivatives Clearing

Organizations; Proposed Rule

Federal Register / Vol. 80 , No. 246 / Wednesday, December 23, 2015 /

Proposed Rules

[[Page 80114]]

———————————————————————–

COMMODITY FUTURES TRADING COMMISSION

17 CFR Part 39

RIN 3038-AE29

System Safeguards Testing Requirements for Derivatives Clearing

Organizations

AGENCY: Commodity Futures Trading Commission.

ACTION: Notice of proposed rulemaking.

———————————————————————–

SUMMARY: The Commodity Futures Trading Commission (“Commission”) is

proposing enhanced requirements for a derivatives clearing

organization’s testing of its system safeguards, as well as additional

amendments to reorder and renumber certain paragraphs within the

regulations and make other minor changes to improve the clarity of the

rule text.

DATES: Comments must be received by February 22, 2016.

ADDRESSES: You may submit comments, identified by RIN 3038-AE29, by any

of the following methods:

CFTC Web site: http://comments.cftc.gov. Follow the

instructions for submitting comments through the Comments Online

process on the Web site.

Mail: Send to Christopher Kirkpatrick, Secretary of the

Commission, Commodity Futures Trading Commission, Three Lafayette

Centre, 1155 21st Street NW., Washington, DC 20581.

Hand Delivery/Courier: Same as Mail, above.

Federal eRulemaking Portal: http://www.regulations.gov.

Follow the instructions for submitting comments.

Please submit your comments using only one method. All comments

must be submitted in English, or if not, accompanied by an English

translation. Comments will be posted as received to http://www.cftc.gov. You should submit only information that you wish to make

available publicly. If you wish the Commission to consider information

that may be exempt from disclosure under the Freedom of Information

Act, a petition for confidential treatment of the exempt information

may be submitted under Sec. 145.9 of the Commission’s regulations (17

CFR 145.9).

The Commission reserves the right, but shall have no obligation, to

review, pre-screen, filter, redact, refuse or remove any or all of your

submission from http://www.cftc.gov that it may deem to be

inappropriate for publication, such as obscene language. All

submissions that have been redacted or removed that contain comments on

the merits of the rulemaking will be retained in the public comment

file and will be considered as required under the Administrative

Procedure Act and other applicable laws, and may be accessible under

the Freedom of Information Act.

FOR FURTHER INFORMATION CONTACT: Eileen A. Donovan, Deputy Director,

202-418-5096, [email protected]; M. Laura Astrada, Associate Director,

202-418-7622, [email protected]; or Eileen Chotiner, Senior Compliance

Analyst, (202) 418-5467, [email protected], in each case, at the

Division of Clearing and Risk, Commodity Futures Trading Commission,

Three Lafayette Centre, 1155 21st Street NW., Washington, DC 20581; or

Julie A. Mohr, Deputy Director, (312) 596-0568, [email protected]; or

Joseph Opron, Special Counsel, (312) 596-0653, [email protected], in each

case, at the Division of Clearing and Risk, Commodity Futures Trading

Commission, 525 West Monroe Street, Chicago, Illinois 60661.

SUPPLEMENTARY INFORMATION:

I. Background

A. System Safeguards Requirements for DCOs

Section 5b(c)(2) of the Commodity Exchange Act (“CEA”) 1 sets

forth core principles with which a derivatives clearing organization

(“DCO”) must comply in order to be registered and to maintain

registration with the Commission. In November 2011, the Commission

adopted regulations 2 to establish standards for compliance with the

core principles, including Core Principle I, which concerns a DCO’s

system safeguards.3 In 2013, the Commission adopted additional

standards for compliance with the core principles for systemically

important DCOs (“SIDCOs”) and DCOs that elect to opt-in to the SIDCO

regulatory requirements (“Subpart C DCOs”).

—————————————————————————

1 7 U.S.C. 7a-1.

2 Derivatives Clearing Organization General Provisions and

Core Principles, 76 FR 69334 (Nov. 8, 2011) (codified at 17 CFR part

39).

3 Core Principle I requires a DCO to: (1) Establish and

maintain a program of risk analysis and oversight to identify and

minimize sources of operational risk; (2) establish and maintain

emergency procedures, backup facilities, and a plan for disaster

recovery that allows for the timely recovery and resumption of the

DCO’s operations and the fulfillment of each of its obligations and

responsibilities; and (3) periodically conduct tests to verify that

the DCO’s backup resources are sufficient.

—————————————————————————

Regulation 39.18 implements Core Principle I and, among other

things, specifies: (1) The requisite elements, standards, and resources

of a DCO’s program of risk analysis and oversight with respect to its

operations and automated systems; (2) the requirements for a DCO’s

business continuity and disaster recovery plan, emergency procedures,

and physical, technological, and personnel resources described therein;

(3) the responsibilities, obligations, and recovery time objective of a

DCO following a disruption of its operations; and (4) other system

safeguards requirements related to reporting, recordkeeping, testing,

and coordination with a DCO’s clearing members and service providers.

As discussed below, the Commission is proposing clarifications and

enhanced requirements for a DCO’s testing of its system safeguards, as

well as additional amendments to reorder and renumber certain

paragraphs and make other minor changes to improve the clarity of the

rule text. The Commission is also proposing corresponding technical

corrections to Sec. 39.34.

B. Escalating and Evolving Cybersecurity Threats

Recent studies have identified a consistent, growing cybersecurity

threat to the financial sector. A survey of 46 global securities

exchanges conducted by the International Organization of Securities

Commissions (“IOSCO”) and the World Federation of Exchanges (“WFE”)

found that as of July 2013, over half of exchanges worldwide had

experienced a cyber attack during the previous year.4 Indeed,

cybersecurity now ranks as the number one concern for nearly half of

financial institutions in the United States.5 Further, the sheer

volume of cyber attacks today is remarkable. The annual Pricewaterhouse

Coopers Global State of Information Security Survey (“PWC Survey”)

for 2015, which included 9,700 participants, found that the total

number of security incidents detected in 2014 increased by 48% over

2013, for a total of 42.8 million incoming attacks, the equivalent of

more than 117,000 attacks per day, every day.6 As the PWC Survey

pointed out, these numbers do not include undetected attacks. Verizon’s

2015 Data Breach Investigations Report noted that during

[[Page 80115]]

2014, the financial services sector experienced an average of 350

malware attacks per week.7

—————————————————————————

4 OICV-IOSCO and WFE, Cyber-crime, securities markets and

systemic risk, Staff Working Paper (SWP2/2013), July 16, 2013

(“IOSCO-WFE Staff Report”), p. 3, available at: https://www.iosco.org/library/pubdocs/pdf/IOSCOPD460.pdf.

5 Depository Trust & Clearing Corporation, Systemic Risk

Barometer Study, Q1 2015, p. 1, available at: http://dtcc.com/~/

media/Files/pdfs/Systemic-Risk-Report-2015-Q1.pdf.

6 Pricewaterhouse Coopers, Managing Cyber Risks in an

Interconnected World: Key Findings from the Global State of

Information Security Survey 2015, Sept. 30, 2014, p. 7, available

at: www.pwc.com/gsiss2015.

7 Verizon, 2015 Data Breach Investigations Report, p. 21,

available at: http://www.verizonenterprise.com/DBIR/2015/.

—————————————————————————

Concerned about these developments, in March 2015, Commission staff

held a Roundtable on Cybersecurity and System Safeguards Testing

(“CFTC Roundtable”) to, among other things, discuss the issue and

identify critical areas of concern.8 Similarly, a June 2015 Market

Risk Advisory Committee (“MRAC”) meeting focused on cybersecurity.

Commissioner Sharon Bowen, the sponsor of MRAC, noted that cyber

attacks on U.S. businesses have been “alarmingly increasing” and

stated that “it’s critical that the financial industry have strong

protections in place.” 9

—————————————————————————

8 See generally CFTC Staff Roundtable on Cybersecurity and

System Safeguards Testing, Transcript, Mar. 18, 2015 (“CFTC

Roundtable”), pp. 11-91, available at: http://www.cftc.gov/ucm/groups/public/@newsroom/documents/file/transcript031815.pdf.

9 See Market Risk Advisory Committee Meeting, Transcript, June

2, 2015, p. 6, available at: http://www.cftc.gov/ucm/groups/public/@aboutcftc/documents/file/mrac_060215_transcript.pdf.

—————————————————————————

Experts have identified a number of important topics surrounding

cybersecurity that financial institutions should take into

consideration. First, the financial sector is facing increasing numbers

of more dangerous cyber adversaries, with expanding and worsening

motivations and goals.10 Until recently, most cyber attacks on

financial sector institutions were conducted by criminals whose aim was

monetary theft or fraud.11 While such attacks continue, recently

there has been a rise in attacks by politically motivated

“hacktivists” or terrorists, and by state-sponsored intruders, aimed

at disruption of their targets’ operations; theft of data or

intellectual property; extortion, cyber espionage, corruption or

destruction of data; and degradation or destruction of automated

systems.12 IOSCO and the WFE note that attacks on securities

exchanges now tend to be disruptive in nature, which “suggests a shift

in motive for cyber-crime in securities markets, away from financial

gain and towards more destabilizing aims.” 13

—————————————————————————

10 CFTC Roundtable, supra note 8, at 22-24.

11 Id. at 18-24, 42-43.

12 Id. at 12, 14-15, 17-24, 42-44, 47.

13 IOSCO-WFE Staff Report, supra note 4, at 3-4.

—————————————————————————

Second, financial institutions face increasing cyber capabilities

from both non-state actors and state-sponsored intruders. For example,

there has been an increase in sophistication on the part of most actors

in the cyber arena, both in terms of technical capability and the

capacity to organize and carry out attacks.14

—————————————————————————

14 Statement of Mr. Michael Daniel, White House Cybersecurity

Coordinator, CFTC Roundtable, supra note 8, at 21-23.

—————————————————————————

Third, the financial sector is experiencing an increase in the

duration of cyber attacks.15 While attacks aimed at monetary theft or

fraud tend to manifest themselves quickly, today’s more sophisticated

attacks may involve cyber adversaries having a presence inside a

target’s automated systems for an extended period of time, while

avoiding detection.16

—————————————————————————

15 Id. at 77, 82-83.

16 IOSCO and the WFE noted in 2013: “The rise of a relatively

new class of cyber-attack is especially troubling. This new class is

referred to as an `Advanced Persistent Threat’ (APT). . . . [APTs]

are usually directed at business and political targets for political

ends. APTs involve stealth to persistently infiltrate a system over

a long period of time, without the system displaying any unusual

symptoms.” IOSCO-WFE Staff Report, supra note 4, at 3.

—————————————————————————

Fourth, financial institutions face a broadening cyber threat

field. They must consider cyber vulnerabilities not only with respect

to desktop computers and their own automated systems, but also with

respect to mobile devices and data in the cloud.17 Further, adequate

risk analysis must address not just the vulnerabilities of the entity’s

automated systems, but also the human vulnerabilities posed by social

engineering 18 or disgruntled employees.19 Notably, today’s cyber

threat environment also includes automated systems that are not

directly internet-facing.20 For example, internet-facing corporate

information technology and non-internet-facing operations technology

can be, and often are, connected for maintenance purposes or in

error.21 Non-internet-facing systems are also vulnerable to insertion

of malware-infected removable media, phishing attacks, and other social

engineering techniques, and to supply-chain risk involving both

hardware and software.22

—————————————————————————

17 CFTC Roundtable, supra note 8, at 22.

18 “In a social engineering attack, an attacker uses human

interaction (social skills) to obtain or compromise information

about an organization or its computer systems. An attacker may seem

unassuming and respectable, possibly claiming to be a new employee,

repairperson, or researcher and even offering credentials to support

that identity. However, by asking questions, he or she may be able

to piece together enough information to infiltrate an organization’s

network. If an attacker is not able to gather enough information

from one source, he or she may contact another source within the

same organization and rely on the information from the first source

to add to his or her credibility.” See U.S. Computer Emergency

Readiness Team, Dep’t of Homeland Sec., Security Tip (ST04-014),

Avoiding Social Engineering and Phishing Attacks, available at:

https://www.us-cert.gov/ncas/tips/ST04-014 (last visited Sept. 14,

2015).

19 CFTC Roundtable, supra note 8, at 14, 79-80.

20 Id. at 60-70.

21 Id. at 73.

22 Id. at 62-66, 77-79.

—————————————————————————

Finally, financial institutions cannot achieve cyber resilience by

addressing threats to themselves alone: They also face threats due to

the increasing interconnectedness of financial services firms.23 As

such, a financial entity’s risk assessments need to consider

cybersecurity across the breadth of the financial sector, from

exchanges and clearing organizations to counterparties and customers,

technology providers, other third party service providers, and the

businesses and products in the entity’s supply chain.24

—————————————————————————

23 Id. at 25-26.

24 Id. at 48-57.

—————————————————————————

C. Need for Cybersecurity Testing

In the current environment, cybersecurity testing is crucial to

efforts by exchanges, clearing organizations, swap data repositories,

and other entities in the financial sector to strengthen cyber

defenses; mitigate operational, reputational, and financial risk; and

maintain cyber resilience and the ability to recover from cyber

attacks. To maintain the effectiveness of cybersecurity controls, such

entities must regularly test their system safeguards in order to find

and fix vulnerabilities before an attacker exploits them.

An entity’s testing should be informed by how its controls and

countermeasures stack up against the techniques, tactics, and

procedures used by its potential attackers.25 Adequate testing needs

to include periodic risk assessments made in light of changing business

conditions, the changing threat landscape, and changes to automated

systems. It also needs to include recurring tests of controls and

automated system components to verify their effectiveness and

operability, as well as continuous monitoring and scanning of system

operation and vulnerabilities. Testing should include a focus on the

entity’s ability to detect, contain, respond to, and recover from cyber

attacks within its systems, not just on its defenses designed to

prevent intrusions.26 This should include detection, containment, and

recovery from compromise of data integrity–perhaps the greatest threat

with respect to financial sector data–in addition to addressing

compromise of data availability or confidentiality, which tend to be

the main focus of many best

[[Page 80116]]

practices.27 Finally, both internal testing by the entity itself and

independent testing by third party service providers are essential

components of an adequate testing regime.28

—————————————————————————

25 Id. at 45-46.

26 Id. at 80-84.

27 Id. at 15-16, 65, 71-74, 82-83.

28 Id. at 89-90, 101-108, 167-168, 172-173, 244-253.

—————————————————————————

Cybersecurity testing is a well-established best practice generally

and for financial sector entities. The Federal Information Security

Management Act (“FISMA”), which is a source of cybersecurity best

practices and also establishes legal requirements for federal

government agencies, calls for “periodic testing and evaluation of the

effectiveness of information security policies, procedures, and

practices, to be performed with a frequency depending on risk, but no

less than annually. . . .” 29 The National Institute of Standards

and Technology (“NIST”) Framework for Improving Critical

Infrastructure Cybersecurity calls for testing of cybersecurity

response and recovery plans and cybersecurity detection processes and

procedures.30 The Financial Industry Regulatory Authority (“FINRA”)

2015 Report on Cybersecurity Practices notes that “[r]isk assessments

serve as foundational tools for firms to understand the cybersecurity

risks they face across the range of the firm’s activities and assets,”

and calls for firms to develop, implement, and test cybersecurity

incident response plans.31 FINRA notes that one common deficiency

with respect to cybersecurity is “failure to conduct adequate periodic

cybersecurity assessments.” 32 The Council on Cybersecurity’s

Critical Security Controls for Effective Cyber Defense (the

“Controls”) call for entities to “[c]ontinuously acquire, assess,

and take action on new information in order to identify

vulnerabilities, remediate, and minimize the window of opportunity for

attackers.” 33 The Controls further state that “[o]rganizations

that do not scan for vulnerabilities and proactively address discovered

flaws face a significant likelihood of having their computer systems

compromised.” 34 The Controls also call for entities to “[t]est the

overall strength of an organization’s defenses (the technology, the

processes, and the people) by simulating the objectives and actions of

an attacker.” 35 The Controls recommend conducting “regular

external and internal penetration tests to identify vulnerabilities and

attack vectors that can be used to exploit enterprise systems

successfully,” from both outside and inside the boundaries of the

organization’s network perimeter,36 and also call for use of

vulnerability scanning and penetration testing in concert.37

—————————————————————————

29 44 U.S.C. 3544(b)(5).

30 NIST, Framework for Improving Critical Infrastructure

Cybersecurity, Feb. 2014, v.1, Subcategory PR.IP-10, p. 28, and

Category DE.DP, p. 31, available at: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.

31 FINRA, Report on Cybersecurity Practices, Feb. 2015

(“FINRA Report”), pp. 1-2, available at: https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf.

32 Id. at 8.

33 Council on Cybersecurity, The Critical Security Controls

for Effective Cyber Defense, v. 5.1 (“Council on Cybersecurity”),

p. 28, available at: http://www.counciloncybersecurity.org/bcms-media/Files/Download?id=a52977d7-a0e7-462e-a4c0-a3bd01512144.

34 Id.

35 Id. at 102.

36 Id.

37 Id. at 103.

—————————————————————————

The Federal Financial Institutions Examination Council

(“FFIEC”),38 another important source of cybersecurity best

practices for financial sector entities, summarized the need for

cybersecurity testing in today’s cyber threat environment:

—————————————————————————

38 The FFIEC includes the Board of Governors of the Federal

Reserve System, the Federal Deposit Insurance Corporation, the

Office of the Comptroller of the Currency, the Consumer Financial

Protection Bureau, the National Credit Union Administration, and the

State Liaison Committee of the Conference of State Bank Supervision.

Financial institutions should have a testing plan that

identifies control objectives; schedules tests of the controls used

to meet those objectives; ensures prompt corrective action where

deficiencies are identified; and provides independent assurance for

compliance with security policies. Security tests are necessary to

identify control deficiencies. An effective testing plan identifies

the key controls, then tests those controls at a frequency based on

the risk that the control is not functioning. Security testing

should include independent tests conducted by personnel without

direct responsibility for security administration. Adverse test

results indicate a control is not functioning and cannot be relied

upon. Follow-up can include correction of the specific control, as

well as a search for, and correction of, a root cause. Types of

tests include audits, security assessments, vulnerability scans, and

penetration tests.39

—————————————————————————

39 See FFIEC, E-Banking Booklet: IT Examination Handbook, Aug.

2003, p. 30, available at: http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_E-Banking.pdf.

Some experts further note that cybersecurity testing may become a

requirement for obtaining cyber insurance. Under such an approach,

insurance coverage might be conditioned on cybersecurity testing and

assessment, followed by implementation of appropriate prevention and

detection procedures.40

—————————————————————————

40 See PricewaterhouseCoopers, Insurance 2020 and Beyond:

Reaping the Dividends of Cyber Resilience, 2015, available at:

http://www.pwc.com/gx/en/insurance/publications/assets/reaping-dividends-cyber-resilience.pdf.

—————————————————————————

Cybersecurity testing is also supported internationally. IOSCO has

emphasized the importance of testing to ensure effective controls, in

light of risks posed by the complexity of markets caused by

technological advances.41 According to IOSCO, “regulatory

authorities have also recognized the need for [t]rading [v]enues to

appropriately monitor critical systems and have appropriate control

mechanisms in place.” 42 Similarly, the European Securities and

Markets Authority (“ESMA”) guidelines for automated trading systems

call for trading platforms to test trading systems and system updates

to ensure that systems meet regulatory requirements, that risk

management controls work as intended, and that the systems can function

effectively in stressed market conditions.43 Further, the Principles

for Financial Market Infrastructures published by the Bank for

International Settlements’ Committee on Payments and Market

Infrastructures (“CPMI”) and IOSCO’s Technical Committee (together,

“CPMI-IOSCO”) note that with respect to operational risks, which

include cyber risk, “[a financial market infrastructure]’s

arrangements with participants, operational policies, and operational

procedures should be periodically, and whenever necessary, tested and

reviewed, especially after significant changes occur to the system or a

major incident occurs. . . .” 44 The Commission also notes that

Sec. 39.18(j)(1)(i) currently requires DCOs to conduct regular,

periodic, and objective testing and review of their automated systems

to ensure that these systems are reliable, secure, and have adequate

scalable capacity. Finally, the Commission notes that this requirement

must be satisfied by following, at a

[[Page 80117]]

minimum, generally accepted standards and industry best practices.45

As further explained below, the proposed rules would clarify existing

system safeguards requirements by identifying relevant generally

accepted standards and industry best practices. With few exceptions,

such as requirements for independent contractors to conduct certain

testing, the Commission is not changing the regulatory requirement for

DCOs as it exists today.

—————————————————————————

41 IOSCO Consultation Report, Mechanisms for Trading Venues to

Effectively Manage Electronic Trading Risks and Plans for Business

Continuity, Apr. 2015, p. 3, available at: https://www.iosco.org/library/pubdocs/pdf/IOSCOPD483.pdf.

42 Id. at 9.

43 ESMA, Guidelines: Systems and controls in an automated

trading environment for trading platforms, investment firms and

competent authorities, Feb. 24, 2012, p. 7, available at: http://www.esma.europa.eu/system/files/esma_2012_122_en.pdf.

44 CPMI-IOSCO, Principles for Financial Market

Infrastructures, Apr. 2012, at 96, available at: http://www.iosco.org/library/pubdocs/pdf/IOSCOPD377.pdf. See also CPMI,

Cyber resilience in financial market infrastructures, Nov. 2014,

available at: http://www.bis.org/cpmi/publ/d122.pdf.

45 For a more detailed discussion of current testing

requirements for DCOs, please see the System Safeguards Requirements

for DCOs in section I.A. above and the Consideration of Costs and

Benefits in section IV.C. below.

—————————————————————————

II. Proposed Amendments

A. Enhanced Testing Requirements

As discussed above, Sec. 39.18 requires a DCO to establish and

maintain a program of risk analysis and oversight with respect to its

operations and automated systems. As part of this program, a DCO is

required to conduct regular, periodic, and objective testing and review

of its automated systems to ensure that they are reliable, secure, and

have adequate scalable capacity. DCOs are specifically required, under

Sec. 39.18(d), to follow “generally accepted standards and industry

best practices with respect to the development, operation, reliability,

security, and capacity of automated systems” in addressing the

categories of risk analysis and oversight specified in Sec. 39.18. As

discussed in the Commission’s proposing release for Sec. 39.18, “DCO

compliance with generally accepted standards and best practices with

respect to the development, operation, reliability, security, and

capacity of automated systems can reduce the frequency and severity of

automated system security breaches or functional failures, thereby

augmenting efforts to mitigate systemic risk.” 46 This requirement

was further designed to allow DCOs flexibility in adapting their

programs to current industry best practices, which the Commission

recognized would evolve over time. Similarly, the additional testing

provisions that the Commission is proposing have been constructed to

set forth certain minimum requirements, with the expectation that DCOs’

testing may change as accepted standards and industry best practices

develop over time and are reflected in the DCO’s risk analysis.

—————————————————————————

46 See Risk Management Requirements for Derivatives Clearing

Organizations, 76 FR 3698, 3713 (Jan. 20, 2011).

—————————————————————————

Specifically, the Commission is proposing to strengthen the current

system safeguards regulatory framework by specifying five fundamental

types of systems testing and assessment that are required under Sec.

39.18. The Commission is proposing to require that these types of

testing and assessment be conducted at a frequency determined by an

appropriate risk analysis, but no less frequently than a proposed

minimum, which varies based on the particular type of testing or

assessment. To strengthen the objectivity and reliability of the

testing, assessment, and information available to the Commission in

this regard, the Commission is proposing to require that independent

contractors perform a significant portion of the testing and

assessment. In developing these requirements, the Commission has relied

on various industry standards and best practices for assessment of

information security systems, which are referenced in the following

discussion. The Commission has not proposed a definition of the term

“independent contractor.” Proposed definitions of terms related to

the proposed testing requirements are discussed in the respective

section setting forth each proposed testing requirement.

1. Vulnerability Testing

Identification of cyber and automated system vulnerabilities is a

critical component of a DCO’s ongoing assessment of risks to its

systems. NIST standards call for organizations to scan for automated

system vulnerabilities both on a regular and ongoing basis, and when

new vulnerabilities potentially affecting their systems are identified

and reported.47 NIST adds that organizations should employ

vulnerability scanning tools and techniques that automate parts of the

vulnerability management process.48 NIST also calls for the

organization to remediate vulnerabilities identified by vulnerability

testing, in accordance with its assessments of risk.49 Similarly, the

Controls recommend that organizations “continuously acquire, assess,

and take action on new information in order to identify

vulnerabilities, remediate, and minimize the window of opportunity for

attackers.” 50

—————————————————————————

47 NIST Special Publication 800-53, Security and Privacy

Controls for Federal Information Systems and Organizations, rev. 4

(“NIST SP 800-53”), Control RA-5, available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

48 Id.

49 Id.

50 Council on Cybersecurity, supra note 33, at 28.

—————————————————————————

The proposed minimum standards and frequencies for vulnerability

testing are intended to strengthen a DCO’s systems oversight program.

Accordingly, in Sec. 39.18(a) the Commission is proposing to define

“vulnerability testing” as the testing of a DCO’s automated systems

to determine what information may be discoverable through a

reconnaissance analysis of those systems and what vulnerabilities may

be present on those systems. This definition is consistent with NIST

standards for such testing.51 For purposes of this definition, the

term “reconnaissance analysis” is used to combine various aspects of

vulnerability testing.52 The proposed definition deliberately refers

broadly to vulnerability testing in order to avoid prescribing use of

any particular technology or tools, because vulnerability assessments

may not always be automated, and technology may change.53

—————————————————————————

51 See NIST SP 800-53, supra note 47, at F-153.

52 See, e.g., NIST Special Publication 800-115, Technical

Guide to Information Security Testing and Assessment, Sept. 2008

(“NIST SP 800-115”), p. 24, available at: http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf (noting that

“[e]xternal testing often begins with reconnaissance techniques

that search public registration data, Domain Name System (DNS)

server information, newsgroup postings, and other publicly available

information to collect information (e.g., system names, Internet

Protocol [IP] addresses, operating systems, technical points of

contact) that may help the assessor to identify vulnerabilities”).

53 See SANS Institute, Penetration Testing: Assessing Your

Overall Security Before Attackers Do, p. 7, available at: https://www.sans.org/reading-room/whitepapers/analyst/penetration-testing-assessing-security-attackers-34635 (last visited Sept. 30, 2015)

(noting, “A wide variety of tools may be used in penetration

testing. These tools are of two main types; reconnaissance or

vulnerability testing tools and exploitation tools. While

penetration testing is more directly tied to the exploitation tools,

the initial scanning and reconnaissance is often done using less

intrusive tools.”).

—————————————————————————

Proposed Sec. 39.18(e)(2) would also require that vulnerability

testing include automated vulnerability scanning, as well as an

analysis of the test results to identify and prioritize all identified

vulnerabilities that require remediation.54 Moreover, the Commission

recognizes that automated scans may be authenticated (i.e., conducted

using usernames or passwords) or unauthenticated (i.e., conducted

without using usernames or

[[Page 80118]]

passwords). However, the Commission proposes requiring that, where

indicated by appropriate risk analysis, a DCO conduct such scanning on

an authenticated basis.55 Where scanning is conducted on an

unauthenticated basis, a DCO would be required to implement effective

compensating controls.56

—————————————————————————

54 See Security Standards Council, Payment Card Industry Data

Security Standards, Apr. 2015, v. 3.1 (“PCI-DSS”), p. 94,

available at: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf (defining a vulnerability scan as “a combination

of automated or manual tools, techniques, and/or methods run against

external and internal network devices and servers, designed to

expose potential vulnerabilities that could be found and exploited

by malicious individuals”). See also NIST SP 800-115, supra note

52, at 2-2 (noting that testing techniques that include

vulnerability scanning “can identify systems, ports, services, and

potential vulnerabilities, and may be performed manually but are

generally performed using automated tools”).

55 See Securities Standards Council, The PCI Monitor: Weekly

news, updates and insights from PCI SSC, June 25, 2014, available

at: http://training.pcisecuritystandards.org/the-pci-monitor-weekly-news-updates-and-insights-from-pci-ssc2?ecid=ACsprvuuirRbrU3vDlk76s_ngGKJKEYlvaBJzvvUMldZv4KKh6V1guIKOR5VLTNfAqPQ_Gmox3zO&utm_campaign=Monitor&utm_source=hs_email&utm_medium=email&utm_content=13292865&_hsenc=p2ANqtz-_LIkkHURyUmyq1p2OxB39R5nOpRh1XHE_jW6wCC6EEUAow15E7AuExcIGwdYxyh_6YNxVvKorcurk6r90E3d7dG71fbw&_hsmi=13292865#web.

56 See PCI-DSS, supra note 54, app. B at 112 (“Compensating

controls may be considered . . . when an entity cannot meet a

requirement explicitly as stated, due to legitimate technical or

documented business constraints, but has sufficiently mitigated the

risk associated with the requirement through implementation of

other, or compensating, controls.”).

—————————————————————————

Furthermore, the Commission is proposing to require DCOs to conduct

vulnerability testing at a frequency determined by an appropriate risk

analysis, but no less frequently than quarterly.57 The Commission

notes that while “[t]he frequency of testing should be determined by

the institution’s risk assessment,” 58 best practices call for risk

assessments to include consideration of a number of important factors,

including, for example, the frequency and extent of changes in the

organization’s automated systems and operating environment; the

potential impact if risks revealed by testing are not addressed

appropriately; the degree to which the relevant threat environment or

potential attacker profiles and techniques are changing; and the

results of other testing.59 Frequency appropriate to risk analysis

can also vary depending on the type of monitoring involved; for

example, with whether automated monitoring or procedural testing is

being conducted.60 Nonetheless, the Commission notes that the PCI-DSS

standards provide that entities should run internal and external

network vulnerability scans “at least quarterly,” as well as after

any significant network changes, new system component installations,

firewall modifications, or product upgrades.61 Because best practices

call for vulnerability testing at a frequency determined by an

appropriate risk analysis, and call for such testing to be conducted no

less than quarterly, this proposed rule does not impose new

requirements on DCOs. Rather, it is designed to give additional clarity

to DCOs concerning what is currently required under existing

regulations. In light of these best practices and the current level of

cyber threat to the financial sector discussed above, the Commission

believes that this proposed rule is appropriate in today’s

cybersecurity environment. For the same reasons, and because the

Commission understands that DCOs currently conduct vulnerability

testing on at least a quarterly basis and in many cases more

frequently, the Commission also believes that this minimum frequency

requirement for vulnerability testing will impose only de minimis

additional costs, if any, on DCOs.

—————————————————————————

57 See FFIEC, Information Security Booklet, IT Examination

Handbook, July 2006 (“FFIEC Handbook”), p. 82, available at:

http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf (noting that “firewall

policies and other policies addressing access control between the

financial institution’s network and other networks should be audited

and verified at least quarterly”).

58 Id.

59 See NIST Special Publication 800-39, Managing Information

Security Risk, Mar. 2011 (“NIST SP 800-39”), pp. 47-48, available

at: http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf; see also FFIEC Handbook, supra note 57, at 82.

60 Id.

61 See Requirement 11.2, PCI-DSS, supra note 54, at 94.

—————————————————————————

In addition, the proposed rule would require DCOs to engage

independent contractors to conduct two of the required quarterly

vulnerability tests each year, while permitting DCOs to conduct other

vulnerability testing using employees who are not responsible for

development or operation of the systems or capabilities being tested.

The Commission believes that important benefits are provided when a

testing program includes both testing by independent contractors and

testing by entity employees not responsible for building or operating

the system being tested. While testing needs to be performed

internally, it also needs to be conducted from the viewpoint of an

outsider, particularly where testing against the possible tactics or

techniques of a particular threat actor is concerned.62 For example,

entity employees can use viewpoints that the outside world would not

have, based on intimate knowledge of the entity.63 Conversely,

independent contractors provide an outsider’s perspective, and may

search for vulnerabilities in a system that entity employees may not

have contemplated during the design or operation of the system

involved.64

—————————————————————————

62 See generally CFTC Roundtable, supra note 8, at 89-90.

63 Id. at 178.

64 Id. at 172-173.

—————————————————————————

The Commission also notes that best practices support having

testing conducted by both independent contractors and entity employees.

Regarding the benefits provided by independent contractor testing, NIST

notes that engaging third parties (e.g., auditors, contractor support

staff) to conduct the assessment offers an independent view and

approach that internal assessors may not be able to provide.

Organizations may also use third parties to provide specific subject

matter expertise that is not available internally.65 FFIEC states

that testing by independent contractors provides credibility to test

results.66 Acknowledging the use of entity employees to conduct

testing, FFIEC calls for such tests to be performed “by individuals

who are also independent of the design, installation, maintenance, and

operation of the tested system.” 67 Similarly, with respect to

system safeguards testing by internal auditors, FFIEC further states

that the auditors should have both independence and authority from the

Board of Directors to access all records and staff necessary for their

audits, and that auditors should not participate in activities that may

compromise or appear to compromise their independence.68 Further, the

data security standards of the Payment Card Industry Security Standards

Council call for conducting both internal and external vulnerability

scans, with external scans performed by an approved vendor.69

—————————————————————————

65 NIST SP 800-115, supra note 52, at 6-6. NIST also notes

that giving outsiders access to an organization’s systems can

introduce additional risk, and recommends proper vetting and

attention to contractual responsibility in this regard.

66 FFIEC Handbook, supra note 57, at 81.

67 Id.

68 FFIEC, Audit Booklet: IT Examination Handbook, Apr. 2012,

p.6, available at: http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Audit.pdf.

69 See Requirement 11, PCI-DSS, supra note 54, at 94-96.

—————————————————————————

Accordingly, following consideration of the recommendations set

forth in the standards mentioned above, the Commission believes that

requiring two of the four tests to be conducted by independent

contractors is a balanced approach. Other vulnerability tests may be

performed by employees of the DCO who are not responsible for

development or operation of the systems or capabilities being tested.

In light of the best practices and the current level of cyber threat to

the financial sector discussed above, the Commission believes that the

proposed rule provisions regarding vulnerability testing by independent

contractors are

[[Page 80119]]

appropriate in today’s cybersecurity environment.

2. Penetration Testing

Though complementary to vulnerability testing, penetration testing

differs from vulnerability testing in that its purpose is to identify

ways that the vulnerabilities identified above could be exploited.70

In other words, penetration testing attempts to exploit cyber and

automated system vulnerabilities, and subjects the system to real-world

attacks by testing personnel in order to identify both the extent to

which an attacker could compromise the system before the organization

detects and counters the attack, and the effectiveness of the

organization’s response mechanisms.71

—————————————————————————

70 See Security Standards Council, PCI-DSS Information

Supplement: Penetration Testing Guidance, Mar. 2015 (“PCI-DSS

Penetration Testing”), p. 3, available at: https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf.

71 See FFIEC Handbook, supra note 57, at 81.

—————————————————————————

NIST defines penetration testing as “[a] test methodology in which

assessors, typically working under specific constraints, attempt to

circumvent or defeat the security features of an information system.”

72 As noted in the FINRA Report, “[a]n advanced persistent attack

may involve an outsider gaining a progressively greater foothold in a

firm’s environment, effectively becoming an insider in the process. For

this reason, it is important to perform penetration testing against

both external and internal interfaces and systems.” 73 As further

explained, external security testing “is conducted from outside the

organization’s security perimeter[, which] offers the ability to view

the environment’s security posture as it appears outside the security

perimeter–usually as seen from the Internet–with the goal of

revealing vulnerabilities that could be exploited by an external

attacker.” 74 Internal penetration testing, on the other hand, is

conducted “from the internal network and [assessors] assume the

identity of a trusted insider or an attacker who has penetrated the

perimeter defenses.” 75 Internal penetration testing can therefore

reveal vulnerabilities that could be exploited, and demonstrates the

potential damage this type of attacker could cause.76

—————————————————————————

72 NIST SP 800-53, supra note 47, app. B at B-16.

73 FINRA Report, supra note 31, at 22.

74 NIST SP 800-115, supra note 52, at 2-4.

75 Id. at 2-5. See also, e.g., SANS, Penetration Testing in

the Financial Services Industry, 2010, p. 17, available at: https://www.sans.org/reading-room/whitepapers/testing/penetration-testing-financial-services-industry-33314 (“Penetration testing is

essential given the context of high operational risk in the

financial services industry.”).

76 See NIST SP 800-115, supra note 52, at 2-5.

—————————————————————————

In addition, generally accepted standards and industry best

practices support annual penetration testing. For example, NIST calls

for at least annual penetration testing of an organization’s network

and systems.77 Moreover, the FFIEC calls for independent penetration

testing of high risk systems at least annually, and for quarterly

testing and verification of the efficacy of firewall and access control

defenses.78 Data security standards for the payment card industry

provide that entities should perform both external and internal

penetration testing at least annually, as well as after any significant

network changes, new system component installations, firewall

modifications, or product upgrades.79

—————————————————————————

77 Id. at 5-6.

78 FFIEC Handbook, supra note 57, at 82.

79 See Requirements 11.3.1 and 11.3.2, PCI-DSS, supra note 54.

—————————————————————————

The primary benefit of a penetration test is that it identifies the

extent to which a system can be compromised before the attack is

identified and assesses the effectiveness of the response

mechanism.80 Accordingly, the Commission is proposing to require both

external and internal penetration testing. In Sec. 39.18(a), the

Commission proposes to define “external penetration testing” as

attempts to penetrate a DCO’s automated systems or networks from

outside the system and network boundaries to identify and exploit

vulnerabilities (including, but not limited to, methods for

circumventing the security features of an application, system, or

network).81 Proposed Sec. 39.18(e)(3) would require external

penetration testing to be conducted at a frequency determined by an

appropriate risk analysis, but no less frequently than annually.82

The Commission proposes to define “internal penetration testing” in

Sec. 39.18(a) as attempts to penetrate a DCO’s automated systems or

networks from inside the system and network boundaries to identify and

exploit vulnerabilities (including, but not limited to, methods for

circumventing the security features of an application, system, or

network).83 In Sec. 39.18(e)(4), the Commission also proposes to

require that internal penetration testing be conducted at a frequency

determined by an appropriate risk analysis, but no less frequently than

annually.

—————————————————————————

80 FFIEC Handbook, supra note 57, at 81.

81 See NIST SP 800-53, supra note 47, app. B at B-16 (defining

“penetration testing” as “[a] test methodology in which

assessors, typically working under specific constraints, attempt to

circumvent or defeat the security features of an information

system”); see also NIST Special Publication 800-137, Information

Security Continuous Monitoring for Federal Information Systems and

Organizations, Sept. 2011 (“NIST SP 800-137”), app. B, p. B-10,

available at: http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf.

82 See PCI-DSS Penetration Testing, supra note 70, at 8

(noting that “[p]enetration testing should be performed at least

annually and after any significant change–for example,

infrastructure or application upgrade or modification–or new system

component installations”).

83 Id. at 2.

—————————————————————————

As discussed above, the Commission notes that generally accepted

standards and industry best practices require annual penetration

testing. Moreover, DCOs currently are required to follow generally

accepted standards and industry best practices, which support a minimum

frequency of annually for internal penetration testing, and as

discussed in more detail in the Cost-Benefit Analysis in Section IV.C.

below, DCOs are conducting penetration testing on at least an annual

basis. However, the Commission acknowledges that Securities and

Exchange Commission (“SEC”) Regulation SCI, which is applicable to

DCOs that are registered with the SEC as clearing agencies,84

requires that penetration testing be conducted every three years.85

Nonetheless, given the importance of DCOs to the U.S. financial system,

the Commission believes that annual internal penetration testing is

appropriate in order to sufficiently address risks to a DCO’s systems.

—————————————————————————

84 Of the 15 DCOs currently registered with the Commission,

four also are registered with the SEC as clearing agencies: Chicago

Mercantile Exchange, Inc. (“CME”), ICE Clear Credit LLC, ICE Clear

Europe Limited, and Options Clearing Corporation. However, on August

3, 2015, CME filed with the SEC a written request to withdraw from

registration as a clearing agency. See Securities Exchange Act

Release No. 34-75762 (Aug. 26, 2015), 80 FR 52815 (Sept. 1, 2015).

85 17 CFR 240.1003. The SEC noted in its adopting release that

“SCI entities may, however, determine that based on its [sic] risk

assessment, it is appropriate and/or necessary to conduct such

penetration test reviews more frequently than once every three

years.” Regulation Systems Compliance and Integrity, 79 FR 72252,

72344 (Dec. 5, 2014).

—————————————————————————

In addition, and consistent with generally accepted standards and

industry best practices, proposed Sec. 39.18(e)(3) would require DCOs

to engage independent contractors to perform the required annual

external penetration tests. Independent testing provides for

impartiality, meaning that penetration testers are free from conflicts

of interest with respect to the development, operation, or management

of the system(s) that are the targets of the testing.86 The

Commission believes that the impartiality provided by independent

contractors, including their lack of a stake in the outcome, is an

[[Page 80120]]

important factor in conducting external penetration testing and

enhances the credibility of the test results.87 Proposed Sec.

39.18(e)(4) would, however, permit internal penetration testing to be

conducted by either independent contractors or employees of the DCO who

are not responsible for development or operation of the systems or

capabilities being tested.88

—————————————————————————

86 NIST SP 800-53, supra note 47, app. F-CA at F-62.

87 FFIEC Handbook, supra note 57, at 81 (noting that

“[i]ndependence provides credibility to the test results”).

88 See, e.g., PCI-DSS, supra note 54, at 97.

—————————————————————————

3. Controls Testing

Controls provide reasonable assurance that security management is

effective, and adequate control testing is therefore critical to

ensuring the confidentiality, integrity, and availability of

information and information systems.89 Regular, ongoing testing of

all of an organization’s system safeguards-related controls for these

purposes is a crucial part of a DCO’s risk analysis and oversight

program.90

—————————————————————————

89 See generally U.S. Gov’t Accountability Office, GAO-09-

232G, Federal Information System Controls Audit Manual, Feb. 2009,

available at: http://www.gao.gov/assets/80/77142.pdf.

90 See generally 17 CFR 39.18 and 17 CFR 39.34.

—————————————————————————

Generally accepted standards and industry best practices call for

organizations to conduct regular, ongoing controls testing that over

time includes testing of all their system safeguards-related controls.

For example, NIST calls for organizations to assess “the security

controls in the information system and its environment of operation to

determine the extent to which the controls are implemented correctly,

operating as intended, and producing the desired outcome with respect

to meeting established security requirements.” 91 NIST notes that

the results of such testing can allow organizations to, among other

things, identify potential cybersecurity problems or shortfalls,

identify security-related weaknesses and deficiencies, prioritize risk

mitigation decisions and activities, confirm that weaknesses and

deficiencies have been addressed, and inform related budgetary

decisions and capital investment.92 FFIEC calls for controls testing

because “[c]ontrols should not be assumed to be completely

effective,” and states that a controls testing program “is sound

industry practice and should be based on an assessment of the risk of

non-compliance or circumvention of the institution’s controls.” 93

—————————————————————————

91 NIST SP 800-53, supra note 47, app. F-CA at F-55.

92 NIST Special Publication 800-53A, Assessing Security and

Privacy Controls in Federal Information Systems and Organizations,

rev. 4 (“NIST SP 800-53A”), p. 3, available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf.

93 FFIEC Handbook, supra note 57, at 12.

—————————————————————————

Consistent with industry best practices, the Commission proposes to

define “controls testing” in Sec. 39.18(a) as an assessment of a

DCO’s controls to determine whether such controls are implemented

correctly, are operating as intended, and are enabling the DCO to meet

the system safeguards requirements set forth in Sec. 39.18.94

Furthermore, the Commission proposes to define “controls” as the

safeguards or countermeasures 95 employed by the DCO in order to

protect the reliability, security, or capacity of its automated systems

or the confidentiality, integrity, or availability of its data and

information, in order to enable the DCO to fulfill its statutory and

regulatory responsibilities. Regulation 39.18(a) would also define

“key controls” as those controls that an appropriate risk analysis

determines are either critically important for effective system

safeguards or intended to address risks that evolve or change more

frequently and therefore require more frequent review to ensure their

continuing effectiveness in addressing such risks. In today’s

cybersecurity threat environment, the Commission believes that

effective testing of this subset of the system safeguards controls

maintained by a DCO is particularly important.

—————————————————————————

94 See generally NIST SP 800-53A, supra note 92.

95 NIST SP 800-53, supra note 47, app. B at B-5 (defining

“countermeasures” as “[a]ctions, devices, procedures, techniques,

or other measures that reduce the vulnerability of an information

system. Synonymous with security controls and safeguards”).

—————————————————————————

In addition, the Commission is proposing to require controls

testing in Sec. 39.18(e)(5), which would include testing of each

control included in the DCO’s risk analysis and oversight program, to

be conducted at a frequency indicated by an appropriate risk analysis,

but no less frequently than every two years. The Commission believes

that this would ensure that each such control is tested with sufficient

frequency to confirm the continuing adequacy of the DCO’s system

safeguards. The Commission recognizes, however, that appropriate risk

analysis may well determine that more frequent testing of either

certain key controls or all controls is necessary. The Commission notes

that industry best practices support information security continuous

monitoring (“ISCM”), which is defined as “maintaining ongoing

awareness of information security, vulnerabilities, and threats to

support organizational risk management decisions.” 96 Nonetheless,

recognizing that it is impractical to test every security control at

all times, these standards note that “[t]he frequency of assessments

should be sufficient to assure adequate security commensurate with

risk, as determined by system categorization and ISCM strategy

requirements.” 97 Thus, consistent with industry best practices, the

Commission is proposing minimum frequency for the testing of each

control of no less than every two years.

—————————————————————————

96 NIST SP 800-137, supra note 81, at vi.

97 Id. at 11.

—————————————————————————

The Commission also proposes to permit such testing to be conducted

on a rolling basis over the course of the period determined by

appropriate risk analysis in recognition of the fact that an adequate

system safeguards program for a DCO must necessarily include large

numbers of controls, and therefore it could be impracticable and unduly

burdensome to require testing of all controls in a single test. This

provision is designed to give a DCO flexibility concerning how and when

to test controls during the applicable minimum period, and is intended

to reduce burdens associated with testing every control to the extent

possible while still safeguarding and managing the DCO’s security.98

—————————————————————————

98 Id. at 25-27.

—————————————————————————

The proposed rule would also require testing of key controls to be

conducted by independent contractors. As noted above, the Commission

believes that the impartiality and credibility provided by independent

testing supports the proposed requirement that testing of key controls

be done by independent contractors. However, the Commission is

proposing to give DCOs the discretion to test other controls using

either independent contractors or employees of the DCO who are

independent of the systems being tested.99

—————————————————————————

99 See discussion supra section II.A.1.

—————————————————————————

4. Security Incident Response Plan Testing

The Commission recognizes that adequate cyber resilience requires

organizations to have sufficient capacity to detect, contain,

eliminate, and recover from a cyber intrusion, and believes that

security incident response plans,100 and testing of those plans, are

essential to such capabilities.

—————————————————————————

100 As discussed in more detail below, the Commission proposes

to define “security incident response plan testing” as the testing

of a DCO’s security incident response plan to determine the plan’s

effectiveness, identify potential weaknesses or deficiencies, enable

regular plan updating and improvement, and maintain organizational

preparedness and resiliency with respect to security incidents.

—————————————————————————

[[Page 80121]]

NIST urges organizations to have a security incident response plan

that “establishes procedures to address cyber attacks against an

organization’s information systems. These procedures are designed to

enable security personnel to identify, mitigate, and recover from

malicious computer incidents, such as unauthorized access to a system

or data, denial of service, or unauthorized changes to system hardware,

software, or data (e.g., malicious logic, such as a virus, worm, or

Trojan horse).” 101

—————————————————————————

101 NIST Special Publication 800-34, Contingency Planning

Guide for Federal Information Systems, rev. 1 (“NIST SP 800-34”),

p. 10, available at: http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf. Specifically, NIST

recommends that an organization develop, document, and distribute to

the appropriate personnel “[a]n incident response policy that

addresses purpose, scope, roles, responsibilities, management

commitment, coordination among organizational entities, and

compliance,” as well as “[p]rocedures to facilitate the

implementation of the incident response policy and associated

incident response controls.” NIST SP 800-53, supra note 47, at F-

103. See also NIST Special Publication 800-61, Computer Security

Incident Handling Guide, rev. 2 (“NIST SP 800-61”), p. 8,

available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf. Such incident response plan should:

a. Provide the organization with a roadmap for implementing its

incident response capability;

b. Describe the structure and organization of the incident

response capability;

c. Provide a high-level approach for how the incident response

capability fits into the overall organization;

d. Meet the unique requirements of the organization, which

relate to mission, size, structure, and functions;

e. Define reportable incidents;

f. Provide metrics for measuring the incident response

capability within the organization;

g. Define the resources and management support needed to

effectively maintain and mature an incident response capability; and

h. Be reviewed and approved by [appropriate organization-defined

personnel or roles].

Id. at F-109. Finally, copies of the plan should be distributed

to appropriate personnel; reviewed at an appropriate frequency;

updated to address system or organizational changes, or problems

encountered during plan implementation, execution, or testing, with

plan changes communicated to appropriate personnel; and protected

from unauthorized disclosure and modification. Id.

—————————————————————————

In addition, NIST states that organizations should test their

security incident response capabilities, at appropriate frequencies, to

determine their effectiveness, and to document test results.102

—————————————————————————

102 NIST SP 800-53, supra note 47, app. F-IR at F-104.

—————————————————————————

FINRA’s best practices also call for firms to have security

incident response plans. FINRA’s 2015 Report on Cybersecurity Practices

states: “Firms should establish policies and procedures, as well as

roles and responsibilities for escalating and responding to

cybersecurity incidents. Effective practices for incident response

include . . . involvement in industry-wide and firm-specific simulation

exercises as appropriate to the role and scale of a firm’s business.”

103 Similarly, the FFIEC also calls for security incident response

plan testing, stating that “[f]inancial institutions should assess the

adequacy of their preparation by testing incident response guidelines

to ensure that the procedures correspond with business continuity

strategies.” 104 Moreover, the Controls argue that organizations

should protect their information, as well as their reputations, by

developing and implementing a security incident response plan,105 and

“conduct[ing] periodic incident scenario sessions for personnel

associated with the incident handling team, to ensure that they

understand current threats and risks, as well as their responsibilities

in supporting the incident handling teams.” 106

—————————————————————————

103 FINRA Report, supra note 31, at 23.

104 FFIEC, Business Continuity Planning Booklet: IT

Examination Handbook, Feb. 2015 (“FFIEC BCP Booklet”), p. 26,

available at: http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_BusinessContinuityPlanning.pdf.

105 Council on Cybersecurity, supra note 33, at 96.

106 Id. at 97.

—————————————————————————

The Commission believes that industry best practices require the

development, implementation, and testing of a security incident

response plan.107 Proposed Sec. 39.18(e)(6) would require that DCOs

have a security incident response plan that is tested at a frequency

determined by an appropriate risk analysis, but no less frequently than

annually. Because Sec. 39.18 already calls for a DCO’s risk analysis

and oversight program to follow best practices, this requirement should

not impose any additional burdens or costs on DCOs. In addition, the

Commission notes that having such plans regularly tested will help DCOs

address security incidents more quickly and effectively when they

actually happen. Moreover, the Commission notes that annual testing is

consistent with industry best practices and an important part of a

DCO’s business continuity and disaster recovery plan.

—————————————————————————

107 See, e.g., FINRA Report, supra note 31, at 23; and FFIEC

BCP Booklet, supra note 104, at 25 (noting that “[e]very financial

institution should develop an incident response policy that is

properly integrated into the business continuity planning

process”).

—————————————————————————

The proposed rule would define a “security incident” as a

cybersecurity or physical security event that actually or potentially

jeopardizes automated system operation, reliability, security, or

capacity, or the availability, confidentiality, or integrity of

data.108 The Commission further proposes defining a “security

incident response plan” as a written plan documenting the DCO’s

policies, controls, procedures, and resources for identifying,

responding to, mitigating, and recovering from security incidents, and

the roles and responsibilities of its management, staff, and

independent contractors in responding to security incidents. Under the

proposed definition, a security incident response plan may be a

separate document or a business continuity-disaster recovery plan

section or appendix dedicated to security incident response. However,

the Commission proposes requiring the DCO’s security incident response

plan to include the DCO’s definition and classification of security

incidents; its policies and procedures for reporting security incidents

and for internal and external communication and information sharing

regarding security incidents; and the hand-off and escalation points in

its security incident response process.

—————————————————————————

108 NIST defines an “incident” as “[a]n occurrence that

actually or potentially jeopardizes the confidentiality, integrity,

or availability of an information system or the information the

system processes, stores, or transmits, or that constitutes a

violation or imminent threat of violation of security policies,

security procedures, or acceptable use policies.” NIST SP 800-53,

supra note 47, at B-9. NIST further defines a “computer security

incident” as “a violation or imminent threat of violation of

computer security policies, acceptable use policies, or standard

security practices.” NIST SP 800-61, supra note 101, at 6. The

FFIEC notes that a security incident represents “the attempted or

successful unauthorized access, use, modification, or destruction of

information systems or customer data. If unauthorized access occurs,

the financial institution’s computer systems could potentially fail

and confidential information could be compromised.” FFIEC BCP

Booklet, supra note 104, at 25.

—————————————————————————

The Commission proposes to define “security incident response plan

testing” in Sec. 39.18(a) as the testing of a DCO’s security incident

response plan to determine the plan’s effectiveness, identify potential

weaknesses or deficiencies, enable regular plan updating and

improvement, and maintain organizational preparedness and resiliency

with respect to security incidents. Methods of conducting security

incident response plan testing may include, but would not be limited

to, checklist completion, walk-through or table-top exercises,

simulations, and comprehensive exercises.109 Pursuant to

[[Page 80122]]

proposed Sec. 39.18(e)(6), a DCO would also be permitted to coordinate

its security incident response plan testing with other testing required

by proposed Sec. 39.18(e),110 or with the testing of its other

business continuity-disaster recovery and crisis management plans. In

addition, a DCO would be permitted to conduct security incident

response plan testing by engaging independent contractors or by using

employees of the DCO who are not responsible for development or

operation of the systems or capabilities being tested. The Commission

notes that discussion at the CFTC Roundtable included concerns about

performing tests in a production environment, as the tests could have

the unintended consequence of disrupting business as usual and

potentially cause an event.111 Accordingly, the Commission proposes

to give DCOs discretion to decide whether the testing is completed in a

production or non-production environment.

—————————————————————————

109 See NIST SP 800-53, supra note 47, app. F-IR at F-104

(stating that “[i]ncident response testing includes, for example,

the use of checklists, walk-through or tabletop exercises,

simulations (parallel/full interrupt), and comprehensive exercises.

Incident response testing can also include a determination of the

effects on organizational operations (e.g., reduction in mission

capabilities), organizational assets, and individuals due to

incident response”).

110 In addition to the changes proposed herein, the Commission

is proposing to renumber Sec. 39.18(j) as Sec. 39.18(e).

111 CFTC Roundtable, supra note 8, at 87-88, 118, 321-326,

345-346.

—————————————————————————

5. Enterprise Technology Risk Assessment (“ETRA”)

ETRA is an important part of a DCO’s risk assessment program

because it helps the DCO produce a broad determination of its system

safeguards-related risks.112 In a sense, ETRA can be seen as a

strategic approach through which a DCO identifies risks and aligns its

systems goals accordingly. A well-conducted ETRA, and the knowledge and

prioritization of risks that it provides, can also inform and guide the

ongoing testing process and result in more effective cybersecurity risk

management.

—————————————————————————

112 NIST SP 800-39, supra note 59, at 1.

—————————————————————————

The Commission notes that with respect to ETRA, best practices

provide a number of sources for such risk assessment frameworks,113

and a DCO would generally be free to choose the assessment framework it

believes most appropriate to its particular circumstances, provided

that its choice is congruent with best practices and is consistent with

the DCO’s risk profile. For example, FINRA notes that approaches to

integrating threats and vulnerabilities in an overall risk assessment

report often differ, with some organizations following proprietary risk

assessment methodologies and other using vendor products tailored to

their particular needs, and with firms using a variety of cyber

incident and threat intelligence inputs for their risk

assessments.114

—————————————————————————

113 See, e.g., FFIEC Handbook, supra note 57; NIST SP 800-39,

supra note 59.

114 FINRA Report, supra note 31, at 14.

—————————————————————————

The Commission proposes to define “ETRA” in Sec. 39.18(a) as a

written assessment that includes, but is not limited to, an analysis of

threats and vulnerabilities in the context of mitigating controls. An

ETRA identifies, estimates, and prioritizes risks to a DCO’s operations

or assets (which include, for example, mission, functions, image, and

reputation risks), or to market participants, individuals, and other

entities, resulting from impairment of the confidentiality, integrity,

or availability of data and information or the reliability, security,

or capacity of automated systems.115 Proposed Sec. 39.18(e)(7) would

provide DCOs flexibility by permitting the ETRA to be completed by

independent contractors or employees of the DCO not responsible for

development or operation of the systems or capabilities being assessed.

The proposal would, however, require an ETRA to be completed at a

frequency determined by an appropriate risk analysis by the DCO, but no

less frequently than annually.116 As noted in the PCI-DSS standards,

“[p]erforming risk assessments at least annually and upon significant

changes allows the organization to keep up to date with organizational

changes and evolving threats, trends, and technologies.” 117

However, the Commission emphasizes that the proposed requirement to

prepare a written assessment on at least an annual basis is not

intended to substitute for the DCO’s obligation to conduct risk

assessment and monitoring on an ongoing basis; rather, its purpose is

to formalize the risk assessment process and ensure that it is

documented at a minimum frequency. As noted in the FFIEC Handbook:

“Monitoring and updating the security program is an important part of

the ongoing cyclical security process. Financial institutions should

treat security as dynamic with active monitoring; prompt, ongoing risk

assessment; and appropriate updates to controls.” 118

—————————————————————————

115 NIST SP 800-53, supra note 47, app. B at B-19.

116 See, e.g., FINRA Report, supra note 31, at 14 (stating

that firms conducting defined risk assessment processes do so either

annually or on an ongoing basis throughout the year, in either case

culminating in an annual risk assessment report).

117 See, e.g., PCI-DSS, supra note 54, at 100.

118 FFIEC Handbook, supra note 57, at 86.

—————————————————————————

B. Scope of Testing and Assessment

The Commission believes that the scope of a DCO’s testing should be

based on a proper risk analysis that takes into account the DCO’s

particular automated systems and networks and vulnerabilities,

including any recent changes to them, as well as the nature of the

DCO’s possible adversaries and their capabilities as revealed by

current cybersecurity threat analysis.119 The Commission recognizes

that, however, the scope set for particular instances of the various

types of cybersecurity testing can vary appropriately.120 Thus,

proposed Sec. 39.18(e)(8) would give a DCO flexibility in setting the

scope of particular cybersecurity tests, so long as its overall testing

program is sufficient to provide adequate assurance of the overall

effectiveness of its cybersecurity controls with respect to its system

safeguards-related risks. The Commission believes that such flexibility

should reduce costs and burdens associated with the proposed scope

while still effectively measuring the resilience of the DCO system

safeguards.

—————————————————————————

119 CFTC Roundtable, supra note 8, at 98, 101-103, 108-113,

128-130, 140-142, 173-180.

120 Id.

—————————————————————————

Accordingly, the Commission is proposing that the scope of all

testing and assessment required by its system safeguards regulations

for DCOs should be broad enough to include all testing of automated

systems and controls necessary to identify any vulnerability which, if

exploited or accidentally triggered, could enable an intruder or

unauthorized user or insider to: Interfere with the DCO’s operations or

with fulfillment of its statutory and regulatory responsibilities;

impair or degrade the reliability, security, or capacity of the DCO’s

automated systems; add to, delete, modify, exfiltrate, or compromise

the integrity of any data related to the DCO’s regulated activities; or

undertake any other unauthorized action affecting the DCO’s regulated

activities or the hardware or software used in connection with those

activities. The Commission believes that this proposed scope is broad

enough to address all significant threats to the DCO, while still

providing sufficient guidance regarding the elements of the DCO’s

program.

C. Internal Reporting, Review, and Remediation

Under current Sec. 39.18(j)(3) 121 reports on testing protocols

and results must be communicated to, and reviewed by,

[[Page 80123]]

senior management of the DCO. However, consistent with industry best

practices, in Sec. 39.18(e)(9) the Commission is proposing to expand

this reporting requirement to include communication to, and review by,

the DCO’s board of directors. The Commission notes that active

management with board level involvement “is an essential effective

practice to address cybersecurity threats[, because] [w]ithout that

involvement and commitment, a firm is unlikely to achieve its

cybersecurity goals.” 122 Further, the Commission notes that FINRA

observes that “[b]oards should play a leadership role in overseeing

firms’ cybersecurity efforts,” and states that the board of directors

should understand and approach cybersecurity as an enterprise-wide risk

management issue rather than merely an information technology

issue.123 The Commission also notes that FFIEC states that regular

reports to the board of directors should address the results of the

organization’s risk assessment process and of its security monitoring

and testing, including both internal and external audits and

reviews.124 In addition, FFIEC calls for boards to review

recommendations for changes to the information security program

resulting from testing and assessment, and to review the overall

effectiveness of the program.125

—————————————————————————

121 The Commission is further proposing to renumber Sec.

39.18(j)(3) as Sec. 39.18(e)(9).

122 FINRA Report, supra note 31, at 7.

123 Id.

124 FFIEC Handbook, supra note 57, at 5.

125 Id.

—————————————————————————

Accordingly, proposed Sec. 39.18(e)(10) would also require DCOs to

establish and follow appropriate procedures for the remediation of

issues identified through such review, and for evaluation of the

effectiveness of testing and assessment protocols. The proposed rule

would also add a provision requiring a DCO to analyze the results of

the testing and assessment required by the applicable system safeguards

rules, in order to identify all vulnerabilities and deficiencies in its

systems, and to remediate those vulnerabilities and deficiencies to the

extent necessary to enable the DCO to fulfill the requirements of part

39 and meet its statutory and regulatory obligations. The proposed rule

would require such remediation to be timely in light of appropriate

risk analysis with respect to the risks presented.

D. Additional Amendments

In addition to the changes discussed above, the Commission is

proposing to reorder and renumber certain paragraphs in Sec. 39.18 to

make certain technical corrections to improve the clarity of the rule

text.

1. Definitions

The Commission is proposing to amend the introductory text of Sec.

39.18(a) to make clear that the definitions therein are also applicable

to Sec. 39.34, which sets forth additional system safeguards

requirements for SIDCOs and Subpart C DCOs.

The Commission also is proposing to revise the definitions of

“relevant area” and “recovery time objective” to make the language

consistent with that used elsewhere in Sec. 39.18.

Finally, the Commission is proposing to change references to “the

clearing and settlement of existing and new products” to “the

processing, clearing, and settlement of transactions” and a single

reference to “an entity” to “a [DCO].”

2. Program of Risk Analysis and Oversight

Regulation 39.18(b) requires a DCO to have a program of risk

analysis and oversight with respect to its operation and systems that

addresses the following elements, set forth in Sec. 39.18(c): (1)

Information security; (2) business continuity and disaster recovery

planning and resources; (3) capacity and performance planning; (4)

systems operations; (5) systems development and quality assurance; and

(6) physical security and environmental controls. Specific requirements

concerning business continuity and disaster recovery are addressed in

Sec. 39.18(e), but the regulation does not provide any further

guidance on the other five elements. Therefore, the Commission is

proposing to amend Sec. 39.18(c) (renumbered as Sec. 39.18(b)(2))

126 to provide more detail for each of those other five

elements.127

—————————————————————————

126 The Commission is further proposing to renumber Sec.

39.18(d) as Sec. 39.18(b)(3); renumber Sec. 39.18(e)(2) as Sec.

39.18(b)(4); and delete Sec. 39.18(e)(3) and fold its requirements

into Sec. 39.18(c)(2). The Commission is also proposing conforming

changes to the text of the renumbered provisions.

127 Although the Commission is proposing, in a concurrent

notice of proposed rulemaking, to require that the program of risk

analysis and oversight for designated contract markets (“DCMs”)

include enterprise risk management and governance applicable

specifically to security and technology, at this time the Commission

is not proposing such a requirement for DCOs. The Commission

believes that DCOs face a wider array of risks than DCMs, and

therefore any enterprise risk management requirements for DCOs would

not be limited to the system safeguards context but rather would

need to be addressed in a more comprehensive fashion. The Commission

is considering this issue and may address it in a future rulemaking.

—————————————————————————

3. Business Continuity and Disaster Recovery Plan

Regulation 39.18(e)(1) requires that a DCO maintain a business

continuity and disaster recovery plan, emergency procedures, and

physical, technological, and personnel resources sufficient to enable

the timely recovery and resumption of operations and the fulfillment of

each obligation and responsibility of the DCO following any disruption

of its operations. Regulation 39.18(e)(2) explains that the

“responsibilities and obligations” described in Sec. 39.18(e)(1)

include the daily processing, clearing, and settlement of transactions.

Because these provisions are so closely linked, the Commission is

proposing to combine them into a new Sec. 39.18(c)(1).128

—————————————————————————

128 The Commission is further proposing to renumber Sec.

39.18(e)(3) as Sec. 39.18(c)(2), and Sec. 39.18(k) as Sec.

39.18(c)(3). The Commission is also proposing conforming changes to

the text of the renumbered provisions.

—————————————————————————

4. Location of Resources; Outsourcing

Regulation 39.18(f) allows a DCO to satisfy the resource

requirement in Sec. 39.18(e)(1) (renumbered as Sec. 39.18(c)(1))

using its own employees and property or through written contractual

arrangements with another DCO or other service provider (i.e.,

outsourcing). The Commission is proposing to amend this provision (and

renumber it as Sec. 39.18(d)) to clarify that a DCO is also permitted

to use outsourcing to satisfy Sec. 39.18(b)(2) (renumbered as Sec.

39.18(b)(4)), which requires a DCO to establish and maintain resources

that allow for the fulfillment of each obligation and responsibility of

the DCO in light of the risks identified by the DCO’s program of risk

analysis and oversight.

In addition, the Commission is proposing to amend Sec.

39.18(f)(2)(i) (renumbered as Sec. 39.18(d)(2)), which states that, if

a DCO chooses to use outsourced resources, the DCO retains liability

for any failure to meet the responsibilities specified in Sec.

39.18(e)(1) (renumbered as Sec. 39.18(c)(1)), “although it is free to

seek indemnification from the service provider.” Regulation 39.18

contains no restrictions that would prevent a DCO from seeking

indemnification from its service provider; therefore, the Commission is

proposing to delete this unnecessary language.

5. Recordkeeping

Under current Sec. 39.18(i), a DCO is required to maintain, and

provide to Commission staff upon request, current

[[Page 80124]]

copies of its business continuity plan and other emergency procedures,

its assessments of its operational risks, and records of testing

protocols and results. The Commission is proposing to renumber Sec.

39.18(i) as Sec. 39.18(f), and to amend the language to conform with

the testing requirements proposed herein.

6. Notice of Exceptional Events

Under current Sec. 39.18(g)(1), a DCO is required to promptly

notify Commission staff of any cybersecurity incident that materially

impairs, or creates a significant likelihood of material impairment of,

automated system operation, reliability, security, or capacity. The

Commission is proposing a conforming amendment to Sec. 39.18(g)(1), to

replace the term “cybersecurity incident” with “security incident,”

as the proposed definition of “security incident” would include a

cybersecurity incident.

7. System Safeguards for SIDCOs and Subpart C DCOs

The Commission is proposing to amend Sec. 39.34 to update several

cross-references to various provisions of Sec. 39.18.

III. Request for Comment

The Commission requests comment on all aspects of the proposed

amendments to Sec. Sec. 39.18 and 39.34. With respect to testing, the

Commission is particularly interested in the following:

Are the testing requirements being proposed in Sec. 39.18

consistent with the DCO core principles set forth in the CEA,

particularly the goals of Core Principle I? If so, in what ways? If

not, why not?

Are the proposed testing frequencies sufficient to safeguard DCOs

against cyber attacks? In particular, should the proposed control

testing be done more frequently, or less frequently? In each case,

please provide any data you may have that supports an alternate

frequency for such testing.

Should the Commission define the term “independent contractor”?

If so, how should such term be defined? If not, why not?

What alternatives, if any, would be more effective in reducing

systemic risk, mitigating the growing cybersecurity threats faced by

DCOs, and achieving compliance with the DCO core principles set forth

in the CEA?

The Commission requests that commenters include a detailed

description of any such alternatives and estimates of the costs and

benefits of such alternatives. Can the proposed changes to Sec. 39.18

be effectively implemented and complied with? If not, what changes

could be made to increase the likelihood of effective implementation

and compliance?

IV. Related Matters

A. Regulatory Flexibility Act

The Regulatory Flexibility Act (“RFA”) requires that agencies

consider whether the regulations they propose will have a significant

economic impact on a substantial number of small entities and, if so,

provide a regulatory flexibility analysis respecting the impact.129

The rules proposed by the Commission will impact DCOs. The Commission

has previously established certain definitions of “small entities” to

be used by the Commission in evaluating the impact of its regulations

on small entities in accordance with the RFA.130 The Commission has

previously determined that DCOs are not small entities for the purpose

of the RFA.131 Accordingly, the Chairman, on behalf of the

Commission, hereby certifies pursuant to 5 U.S.C. 605(b) that the

proposed rules will not have a significant economic impact on a

substantial number of small entities.

—————————————————————————

129 5 U.S.C. 601 et seq.

130 See 47 FR 18618, 18618-21 (Apr. 30, 1982).

131 See New Regulatory Framework for Clearing Organizations,

66 FR 45604, 45609 (Aug. 29, 2001).

—————————————————————————

B. Paperwork Reduction Act

The Paperwork Reduction Act of 1995 (“PRA”) 132 imposes certain

requirements on Federal agencies, including the Commission, in

connection with their conducting or sponsoring any collection of

information, as defined by the PRA. An agency may not conduct or

sponsor, and a person is not required to respond to, a collection of

information unless it displays a currently valid control number. This

proposed rulemaking contains recordkeeping and reporting requirements

that are collections of information within the meaning of the PRA.

—————————————————————————

132 44 U.S.C. 3501 et seq.

—————————————————————————

The proposed rulemaking contains provisions that would qualify as

collections of information, for which the Commission has already sought

and obtained a control number from the Office of Management and Budget

(“OMB”). The title for this collection of information is “Risk

Management Requirements for Derivatives Clearing Organizations” (OMB

Control Number 3038-0076). If adopted, responses to this collection of

information would be mandatory. As discussed below, the Commission

believes the proposal will not impose any new recordkeeping or

reporting requirements that are not already accounted for in collection

3038-0076.133 Accordingly, the Commission invites public comment on

the accuracy of its estimate that no additional recordkeeping or

information collection requirements or changes to existing collection

requirements would result from the proposal.

—————————————————————————

133 See Risk Management Requirements for Derivatives Clearing

Organizations, OMB Control No. 3038-0076, available at: http://www.reginfo.gov/public/do/PRAOMBHistory?ombControlNumber=3038-0076.

—————————————————————————

The Commission will protect proprietary information according to

the Freedom of Information Act (“FOIA”) and 17 CFR part 145,

“Commission Records and Information.” In addition, section 8(a)(1) of

the CEA strictly prohibits the Commission, unless specifically

authorized by the Act, from making public “data and information that

would separately disclose the business transactions or market positions

of any person and trade secrets or names of customers.” The Commission

is also required to protect certain information contained in a

government system of records according to the Privacy Act of 1974.

1. Clarification of Collection 3038-0076

The Commission notes that DCOs are already subject to system

safeguard-related recordkeeping and reporting requirements. As

discussed above in section II, the Commission is proposing to amend and

renumber current Sec. 39.18(i) as Sec. 39.18(f), to clarify the

system safeguard recordkeeping and reporting requirements for DCOs. The

proposed regulation would require DCOs, in accordance with Sec.

1.31,134 to provide the Commission with the following documents

promptly upon request of Commission staff: (1) Current copies of the

DCO’s business continuity and disaster recovery plan and other

emergency procedures; (2) all assessments of the DCO’s operational

risks or system safeguard-related controls; (3) all required reports

concerning system safeguards testing and assessment, whether conducted

by independent contractors or employees of the DCO; and (4) all other

documents requested by staff of the Division of Clearing and Risk, or

any successor division, in connection with Commission oversight of

system

[[Page 80125]]

safeguards pursuant to the CEA or Commission regulations, or in

connection with Commission maintenance of a current profile of the

DCO’s automated systems. The pertinent recordkeeping and reporting

requirements of proposed Sec. 39.18(f) are contained in the provisions

of current Sec. 39.18(i), which was adopted on November 8, 2011.135

Accordingly, the Commission believes that proposed Sec. 39.18(f) would

not impact the burden estimates currently provided for in collection

3038-0076.

—————————————————————————

134 Regulation 1.31(a)(1) specifically provides that “all

books and records required to be kept by the CEA or by these

regulations shall be kept for a period of five years from the date

thereof and shall be readily accessible during the first 2 years of

the 5-year period. The rule further provides that “all such books

and records shall be open to inspection by any representative of the

Commission or the United States Department of Justice.” See 17 CFR

1.31(a)(1).

135 76 FR 69334.

—————————————————————————

2. Information Collection Comments

The Commission invites comment on any aspect of the proposed

information collection requirements discussed above. Pursuant to 44

U.S.C. 3506(c)(2)(B), the Commission will consider public comments on

such proposed requirements in: (1) Evaluating whether the proposed

collection of information is necessary for the proper performance of

the functions of the Commission, including whether the information will

have a practical use; (2) evaluating the accuracy of the Commission’s

estimate of the burden of the proposed collection of information,

including the validity of the methodology and assumptions used; (3)

enhancing the quality, utility, and clarity of the information proposed

to be collected; and (4) minimizing the burden of collection of

information on those who are to respond, including through the use of

appropriate automated, electronic, mechanical, or other technological

information collection techniques.

Copies of the submission from the Commission to OMB are available

from the CFTC Clearance Officer, 1155 21st Street NW., Washington, DC

20581, (202) 418-5160 or from http://RegInfo.gov. Persons desiring to

submit comments on the proposed information collection requirements

should send those comments to: The Office of Information and Regulatory

Affairs, Office of Management and Budget, Room 10235, New Executive

Office Building, Washington, DC 20503, Attention: Desk Officer of the

Commodity Futures Trading Commission; (202) 395-6566 (fax); or

[email protected] (email). Please provide the Commission with

a copy of submitted comments so that all comments can be summarized and

addressed in the final rulemaking, and please refer to the ADDRESSES

section of this rulemaking for instructions on submitting comments to

the Commission. OMB is required to make a decision concerning the

proposed information collection requirements between thirty (30) and

sixty (60) days after publication of the proposal in the Federal

Register. Therefore, a comment to OMB is best assured of receiving full

consideration if OMB (as well as the Commission) receives it within

thirty (30) days of publication of the proposal.

C. Consideration of Costs and Benefits

1. Introduction

Section 15(a) of the CEA requires the Commission to consider the

costs and benefits of its actions before promulgating a regulation

under the CEA or issuing certain orders.136 Section 15(a) further

specifies that the costs and benefits shall be evaluated in light of

five broad areas of market and public concern: (1) Protection of market

participants and the public; (2) efficiency, competitiveness and

financial integrity of futures markets; (3) price discovery; (4) sound

risk management practices; and (5) other public interest

considerations. The Commission’s cost and benefit considerations in

accordance with section 15(a) are discussed below.

—————————————————————————

136 7 U.S.C. 19(a).

—————————————————————————

As an initial matter, the Commission considers the incremental

costs and benefits of these regulations, that is the costs and benefits

that are above the current system safeguard practices and requirements

under the CEA and the Commission’s regulations for DCOs. Where

reasonably feasible, the Commission has endeavored to estimate

quantifiable costs and benefits. Where quantification is not feasible,

the Commission identifies and describes costs and benefits

qualitatively.137

—————————————————————————

137 For example, to quantify benefits such as enhanced

protections for market participants and the public and financial

integrity of the futures and swaps markets would require

information, data and/or metrics that either do not exist, or to

which the Commission generally does not have access.

—————————————————————————

The Commission requests comment on the costs and benefits

associated with the proposed regulations. As discussed below, the

Commission has identified certain costs and benefits associated with

the proposed regulations and requests comment on all aspects of its

proposed consideration of costs and benefits, including identification

and assessment of any costs and benefits not discussed herein. In

addition, the Commission requests that commenters provide data and any

other information or statistics that the commenters relied on to reach

any conclusions regarding the Commission’s proposed consideration of

costs and benefits, including the series of questions in section 3(f).

2. Background and Baseline for the Proposal

As discussed above, the Commission believes that the current cyber

threats to the financial sector have expanded dramatically over recent

years.138 Accordingly, the current cyber threat environment

highlights the need to consider an updated regulatory framework with

respect to cybersecurity testing for DCOs. Although the Commission

acknowledges that the proposed amendments would likely result in some

additional costs for DCOs, the proposal would also bring several

overarching benefits to the futures and swaps industry. As discussed

more fully below, a comprehensive cybersecurity testing program is

crucial to efforts by DCOs to strengthen cyber defenses, to mitigate

operational, reputational, and financial risk, and to maintain cyber

resilience and ability to recover from cyber attack.139

Significantly, to ensure the effectiveness of cybersecurity controls, a

DCO must test in order to find and fix its vulnerabilities before an

attacker exploits them.140

—————————————————————————

138 See supra section I.B.

139 See also supra section I.C.

140 See supra section II.A.

—————————————————————————

The Commission recognizes that any economic effects, including

costs and benefits, should be compared to a baseline that accounts for

current regulatory requirements. The baseline for this cost and benefit

consideration is the set of requirements under the CEA and the

Commission’s regulations for DCOs. Currently, Sec. 39.18(j)(1)(i)

requires a DCO to conduct regular, periodic, and objective testing and

review of its automated systems to ensure that they are reliable,

secure, and have adequate scalable capacity.141 This requirement,

which forms part of the DCO risk analysis program required under Sec.

39.18(b), must be satisfied by following, at a minimum, “generally

accepted standards and industry best practices.” 142 In addition to

the generally accepted standards and industry best practices discussed

in section II above, this cost and benefit discussion uses information

provided by DCOs in connection with a recent survey of DCO system

safeguard costs and practices conducted by Commission staff (“February

2015 DCR Survey”).143

—————————————————————————

141 17 CFR 39.18(j).

142 See 17 CFR 39.18(d).

143 On February 19, 2015, the Division of Clearing and Risk

requested, pursuant to Sec. 39.19(c)(5)(i), information from each

registered DCO regarding the scope and costs of its current system

safeguard testing. Of the 14 DCOs contacted, 13 responded. ICE Clear

Credit, ICE Clear Europe, Ice Clear US, and the Clearing

Corporation, each subsidiaries of Intercontinental Exchange, Inc.,

provided a single response, indicating that their testing costs are

shared. LCH.Clearnet Ltd, LCH.Clearnet LLC, and LCH.Clearnet SA,

each subsidiaries of LCH.Clearnet Group Ltd., also provided a single

response, indicating that their testing costs are shared.

—————————————————————————

[[Page 80126]]

The Commission notes, however, that in certain instances the cost

estimates provided by the DCOs included estimates at the parent company

level of the DCO. Where parent level estimates were provided, the DCOs

explained that they generally share the same automated systems and

system safeguard programs with other entities within the corporate

structure and were therefore unable to apportion the actual costs to

particular entities. The Commission further notes that some of the DCOs

that supplied cost information are also registered with the Commission

in other capacities (as DCMs and/or swap data repositories). These DCOs

provided cost estimates that cover all of their Commission-regulated

functions because they generally share the same automated systems and

system safeguard programs. Therefore, the Commission has attempted to

account for these distinctions, where appropriate.

The Commission believes that certain entities that would be subject

to the proposal already comply with most of the testing requirements

while others may need some modest enhancements to their system

safeguard program to achieve compliance. In this same regard, the

Commission notes that some DCOs are larger or more complex than others,

and the proposed requirements may impact DCOs differently depending on

their size and the complexity of their systems. Thus, the Commission

expects that the costs and benefits may vary somewhat among DCOs. The

Commission also believes that to the extent the new requirements impose

additional costs, the primary costs will be in the form of more

frequent testing, including some testing that would have to be carried

out by independent contractors on behalf of the DCO. As a result, the

proposed rules may increase operational costs for DCOs by requiring

additional resources. The Commission is sensitive to the economic

effects of the proposed regulations, including costs and benefits.

Accordingly, the Commission seeks comment on the costs and benefits of

the proposed regulations, including where possible, quantitative data.

While certain costs are amenable to quantification, other costs are

not easily estimated, such as the costs to the public or market

participants in the event of a cybersecurity incident at a DCO. The

Commission’s proposed regulations are intended to further mitigate the

frequency and severity of system security breaches or functional

failures, and therefore, serve an important, if unquantifiable, public

benefit. Although the benefits of effective regulation are difficult to

value in dollar terms, the Commission believes that they are no less

important to consider given the Commission’s mission to protect market

participants and the public and to promote market integrity.

The discussion of costs and benefits that follows begins with a

summary of the current testing requirements and sources for industry

best practices as well as a summary of each proposed regulation and a

consideration of the corresponding costs and benefits. At the

conclusion of this discussion, the Commission considers the costs and

benefits of the proposed regulations collectively in light of the five

factors set forth in section 15(a) of the CEA.

3. Consideration of Costs and Benefits Related to the Proposed Rules

a. Regulation 39.18(a)–Definitions

(i) Summary of Proposed Regulations

As discussed above in section II, proposed Sec. 39.18(a) would add

to the existing list of definitions, definitions for the following

terms: (1) Controls; (2) controls testing; (3) enterprise technology

risk assessment; (4) external penetration testing; (5) internal

penetration testing; (6) key controls; (7) security incident; (8)

security incident response plan; (9) security incident response plan

testing; and (10) vulnerability testing.

(ii) Costs and Benefits

The proposed definitions simply provide context to the specific

system safeguard tests and assessments that a DCO would be required to

conduct on an ongoing basis. Accordingly, the costs and benefits of

these terms are attributable to the substantive testing requirements

and, therefore, are discussed in the cost and benefit considerations

related to the rules describing the requirements for each test.

b. Regulation 39.18(e)(2)–Vulnerability Testing

(i) Summary of Proposed Regulations

As discussed above in section II(A)(1), proposed Sec. 39.18(a)

defines “vulnerability testing” as testing of a DCO’s automated

systems to determine what information may be discoverable through a

reconnaissance analysis of those systems and what vulnerabilities may

be present on those systems. Regulation 39.18(e)(2) requires such

testing to be of a scope sufficient to satisfy the testing scope

requirements of proposed Sec. 39.18(e)(8). Regulation 39.18(e)(2)(i)

requires a DCO to conduct vulnerability testing at a frequency

determined by an appropriate risk analysis, but at a minimum no less

frequently than quarterly. Among the four vulnerability tests conducted

annually, the proposed regulations would require a DCO to engage

independent contractors to perform two of the required quarterly tests

each year for the DCO, although other vulnerability testing may be

conducted by employees of the DCO who are not responsible for

development or operation of the systems or capabilities being tested.

The vulnerability test would also require automated vulnerability

scanning, which may be authenticated or unauthenticated.

(ii) Costs

The Commission believes that the scope requirement of proposed

Sec. 39.18(e)(2) will not impose new costs on DCOs. Comprehensive

vulnerability testing is an industry best practice,144 and therefore

required to be conducted under current Commission regulations.

Moreover, the Commission believes, based on the representations made by

DCOs to Commission staff in administering the Commission’s examination

program and DCO responses to the February 2015 DCR Survey, that most

DCOs are currently conducting vulnerability testing sufficient to meet

the scope requirements of proposed Sec. 39.18(e)(2). The Commission

also believes that the frequency requirement of proposed Sec.

39.18(e)(2)(i) will not impose new costs on DCOs. The Commission notes

that industry best practices state that vulnerability testing should be

conducted “at least quarterly.” 145 Accordingly, current Sec.

39.18 requires DCOs to conduct vulnerability testing on a quarterly

basis. In addition, the Commission notes that all 13 DCOs responding to

the February 2015 DCR Survey conduct vulnerability testing on a

quarterly basis at a minimum.146

—————————————————————————

144 See, e.g., NIST SP-800-53, supra note 47, at F-153; FFIEC

Handbook, supra note 57, at 10 (“Financial institutions should

assess potential threats and vulnerabilities of their information

systems.”); PCI-DSS, supra note 54, at 94.

145 See supra section II.A.1.; see also supra note 57 and

accompanying text.

146 The frequency of vulnerability testing ranged from 5 to

200 tests per year.

—————————————————————————

Proposed Sec. 39.18(e)(2)(ii) would require a DCO to conduct

vulnerability tests that include automated vulnerability scanning on an

[[Page 80127]]

authenticated basis, or, where not conducted on an authenticated basis,

to implement compensating controls.147 The Commission notes that

industry best practices specifically recommend authenticated

scanning.148 Likewise, current Sec. 39.18 requires DCOs to conduct

authenticated scanning and Commission staff has examined DCOs for

compliance with such requirement. Accordingly, the Commission does not

believe that DCOs will incur additional costs as a result of the

adoption of proposed Sec. 39.18(e)(2)(ii).

—————————————————————————

147 See supra notes 55 and 56 and accompanying text.

148 See, e.g., NIST SP 800-53, supra note 47, at F-154

(“Privileged access authorization to selected system components

facilitates more thorough vulnerability scanning and also protects

the sensitive nature of such scanning.”).

—————————————————————————

Under proposed Sec. 39.18(e)(2)(iii), for at least two of the

required quarterly vulnerability tests each year, vulnerability testing

must be conducted by an independent contractor. However, the remaining

two vulnerability tests may be conducted by a DCO’s employees so long

as those employees are not responsible for development or operation of

the systems or capabilities being tested.149 The Commission notes

that at least 9 of the 13 DCOs responding to the February 2015 DCR

Survey currently conduct at least some of their vulnerability testing

using independent contractors. The Commission does not, however, have

quantification or estimation of the costs associated with proposed

Sec. 39.18(e)(2)(iii). Nonetheless, in qualitative terms, the

Commission recognizes that, compared to the status quo, this proposed

requirement may impose some costs on DCOs equal to the difference

between conducting vulnerability testing in-house and hiring an

independent contractor. In particular, these proposed regulations may

require DCOs to establish and implement internal policies and

procedures that are reasonably designed to address the workflow

associated with the test, which may include the communication and

cooperation between the entity and independent contractor,

communication and cooperation between the entity’s legal, business,

technology, and compliance departments, appropriate authorization to

remediate vulnerabilities identified by the independent contractor,

implementation of the measures to address such vulnerabilities, and

verification that these measures are effective and appropriate. The

Commission requests comment on the potential costs of proposed Sec.

39.18(e)(2)(iii) on DCOs, including, where possible, quantitative data.

—————————————————————————

149 See supra section II.A.1.

—————————————————————————

(iii) Benefits

Vulnerability testing identifies, ranks, and reports

vulnerabilities that, if exploited, may result in an intentional or

unintentional compromise of a system.150 The complex analysis and

plan preparation that a DCO undertakes to complete vulnerability

testing, including designing and implementing changes to existing

plans, are likely to contribute to a better ex ante understanding by

the DCO’s management of the challenges the DCO would face in a cyber

threat scenario, and thus better preparation to meet those challenges.

This improved preparation helps reduce the possibility of market

disruptions and financial losses to clearing members and their

customers. Regularly conducting vulnerability tests enables a DCO to

mitigate the impact that a cyber threat to, or a disruption of, a DCO’s

operations would have on customers, clearing members, and, more

broadly, the stability of the U.S. financial markets. Accordingly, the

Commission believes that such testing strengthens DCOs’ systems,

thereby protecting clearing members and their customers from a

disruption in clearing services.

—————————————————————————

150 PCI-DSS Penetration Testing, supra note 70, at 3.

—————————————————————————

The Commission acknowledges, as described above, that some DCOs may

incur additional costs as a result of the new requirement in proposed

Sec. 39.18(e)(2)(iii) that independent contractors complete the

vulnerability testing. Nevertheless, the Commission believes that the

use of independent contractions for vulnerability testing–a practice

that many DCOs report already doing–will strengthen this important

system safeguard, significantly benefitting the DCO, financial markets,

and the public by mitigating systemic risk.

The Commission requests comments on the potential benefits to a DCO

in complying with all aspects of proposed Sec. 39.18(e)(2), and any

benefits that would be realized by members of DCOs and their customers,

as well as other market participants or the financial system more

broadly. The Commission specifically requests comment on alternative

means to address these issues, and the benefits associated with such

alternatives.

c. Regulation 39.18(e)(3)–External Penetration Testing

(i) Summary of Proposed Regulations

As discussed above in section II(A)(2), proposed Sec. 39.18(a)

defines “external penetration testing” as “attempts to penetrate a

[DCO’s] automated systems from outside the systems’ boundaries to

identify and exploit vulnerabilities,” and proposed Sec. 39.18(e)(3)

requires such testing to be of a scope sufficient to satisfy the

testing scope requirements of proposed Sec. 39.18(e)(8). Proposed

Sec. 39.18(e)(3)(i) would require a DCO to conduct external

penetration testing at a frequency determined by an appropriate risk

analysis, but at a minimum no less frequently than annually. The

proposed rule also provides that independent contractors must perform

the required annual external penetration test on behalf of the DCO.

However, other external penetration testing may be performed by

appropriately qualified DCO employees not responsible for development

or operation of the systems or capabilities being tested.

(ii) Costs

The Commission believes that the scope requirement of proposed

Sec. 39.18(e)(3) will not impose new costs on DCOs. Comprehensive

external penetration testing is an industry best practice 151 and,

based on the representations made by DCOs to Commission staff in

administering the Commission’s examination program and DCO responses to

the February 2015 DCR Survey, the Commission believes that most DCOs

are currently conducting external penetration testing sufficient to

meet the scope requirements of proposed Sec. 39.18(e)(3).

—————————————————————————

151 See, e.g., NIST SP 800-53, supra note 47, app. F-CA at F-

62; FFIEC Handbook, supra note 57, at 81; PCI-DSS, supra note 54, at

96-97; see also section II.A.2.

—————————————————————————

In addition, the Commission believes that the frequency requirement

of proposed Sec. 39.18(e)(3)(i) will not impose new costs on DCOs. The

Commission notes that industry best practices specifically state that

external penetration testing should be conducted “at least annually.”

152 Therefore current Commission regulations require annual

penetration testing. Moreover, the Commission notes that at least 11 of

the 13 DCOs responding to the February 2015 DCR Survey conduct, at a

minimum, annual external penetration testing, with two DCOs responding

that they conduct periodic external penetration testing.

—————————————————————————

152 See, e.g., PCI-DSS, supra note 54, at 96-97; see also

section II.A.2.

—————————————————————————

[[Page 80128]]

The Commission believes that the requirement of proposed Sec.

39.18(e)(3)(ii) to use an independent contractor will not impose new

costs on DCOs. Current Sec. 39.18(j)(2) requires external penetration

testing to be conducted by a qualified, independent professional, who

can be employed by the DCO so long as he or she is not responsible for

development or operation of the systems or capabilities being tested.

However, as discussed above,153 the Commission notes that it is

industry best practice for DCOs to employ independent contractors to

conduct their external penetration testing, and therefore it is

currently required under Sec. 39.18. The Commission notes that at

least 11 of the 13 DCOs responding to the February 2015 DCR Survey

already employ independent contractors to conduct their external

penetration testing. The Commission is proposing Sec. 39.18(e)(3)(ii)

to make clear that independent contractors must conduct the required

annual external penetration test.

—————————————————————————

153 See supra section II.A.2.

—————————————————————————

The Commission requests comment on the potential costs of proposed

Sec. 39.18(e)(3) on DCOs, including, where possible, quantitative

data.

(iii) Benefits

External penetration testing benefits DCOs by identifying the

extent to which its systems can be compromised before an attack is

identified.154 Such testing is conducted outside a DCO’s security

perimeter to help reveal vulnerabilities that could be exploited by an

external attacker. Accordingly, the Commission believes that the

external penetration testing strengthens DCOs’ systems, thereby

protecting clearing members and their customers from a disruption in

clearing services, which could potentially disrupt the functioning of

the broader financial markets.

—————————————————————————

154 FFIEC Handbook, supra note 57, at 81; see also supra

section II.A.2.

—————————————————————————

As stated above, industry best practices require DCOs to engage

independent contractors to conduct annual external penetration testing.

Further, to the extent there is a lack of clarity regarding the

applicability of certain industry best practices in light of the

language in current Sec. 39.18(j)(2), proposed Sec. 39.18(e)(3)(ii)

would provide additional clarity. Moreover, the Commission believes

that testing by an independent contractor has particular value with

respect to external penetration testing because the test comes from the

viewpoint of an outsider, which may differ from the views of current

tactics, techniques, and threat vectors of current threat actors held

by DCO employees. The Commission believes that external penetration

testing helps DCOs, which constitute critical infrastructures important

to the national economy, to be adequately protected against the level

of cybersecurity threat now affecting the financial sector.

The Commission requests comments on the potential benefits to a DCO

in complying with all aspects of proposed Sec. 39.18(e)(3), and any

benefits that would be realized by members of DCOs and their customers,

as well as other market participants or the financial system more

broadly. The Commission specifically requests comment on alternative

means to address these issues, and the benefits associated with such

alternatives.

d. Regulation 39.18(e)(4)–Internal Penetration Testing

(i) Summary of Proposed Regulations

As discussed above in section II(A)(2), proposed Sec. 39.18(a)

defines “internal penetration testing” as “attempts to penetrate a

[DCO’s] automated systems from inside the systems’ boundaries to

identify and exploit vulnerabilities.” Proposed Sec. 39.18(e)(4)

requires such testing to be of a scope sufficient to satisfy the

testing scope requirements of proposed Sec. 39.18(e)(8). Proposed

Sec. 39.18(e)(4)(i) requires a DCO to conduct internal penetration

testing at a frequency determined by an appropriate risk analysis, but

no less frequently than annually. The test may be conducted by

independent contractors, or by appropriately qualified DCO employees

not responsible for development or operation of the systems or

capabilities being tested.

(ii) Costs

The Commission believes that the scope requirement of proposed

Sec. 39.18(e)(4) will not impose new costs on DCOs. Comprehensive

internal penetration testing is an industry best practice,155 and is

therefore required under current regulations. In addition, based on the

representations made by DCOs to Commission staff in administering the

Commission’s examination program and responses to the February 2015 DCR

Survey, the Commission believes that most DCOs are currently conducting

internal penetration testing sufficient to meet the scope requirements

of proposed Sec. 39.18(e)(4).

—————————————————————————

155 See, e.g., NIST SP 800-53, supra note 47, at F-62; FFIEC

Handbook, supra note 57, at 81; PCI-DSS, supra note 54, at 96-97;

see also supra section II.A.2.

—————————————————————————

Proposed Sec. 39.18(e)(4)(i) would require a DCO to conduct

internal penetration testing at a frequency determined by an

appropriate risk analysis, but no less frequently than annually. As

discussed above, industry best practices require annual internal

penetration testing, as well as after any significant infrastructure or

application upgrade or modification.” 156 Moreover, the Commission

notes that the February 2015 DCR Survey indicated that most DCOs

conduct internal penetration testing at least annually.

—————————————————————————

156 See, e.g., PCI-DSS, supra note 54, at 96-97; see also

supra section II.A.2.

—————————————————————————

The Commission also believes that proposed Sec. 39.18(e)(4)(ii)

will not impose new costs on DCOs. Proposed Sec. 39.18(e)(4)(ii)

requires DCOs to conduct internal penetration testing by engaging

independent contractors, or by using employees of the DCO who are not

responsible for development or operation of the systems or capabilities

being tested. Regulation 39.18(j)(2) currently requires testing to be

conducted by a qualified, independent professional, who can be employed

by the DCO so long as he or she is not responsible for development or

operation of the systems or capabilities being tested. Accordingly,

proposed Sec. 39.18(e)(4)(ii) would not change current regulatory

requirements.

The Commission requests comment on the potential costs of proposed

Sec. 39.18(e)(4) on DCOs, including, where possible, quantitative

data.

(iii) Benefits

By attempting to penetrate a DCO’s automated systems from inside

the systems’ boundaries, internal penetration tests allow DCOs to

assess system vulnerabilities from attackers that penetrate the DCO’s

perimeter defenses and from trusted insiders, such as former employees

and contractors. In addition to being an industry best practice, the

Commission believes that an annual internal penetration testing is

important because such potential attacks by trusted insiders generally

pose a unique and substantial threat due to their more sophisticated

understanding of a DCO’s systems. Moreover, “[a]n advanced persistent

attack may involve an outsider gaining a progressively greater foothold

in a firm’s environment, effectively becoming an insider in the

process. For this reason, it is important to perform penetration

testing against both external and internal interfaces and systems.”

157

[[Page 80129]]

The Commission also believes that internal penetration testing

strengthens DCOs’ systems, thereby protecting clearing members and

their customers from a disruption in clearing services, which could

potentially disrupt the functioning of the broader financial markets.

—————————————————————————

157 FINRA Report, supra note 31, at 22.

—————————————————————————

The Commission requests comments on the potential benefits to a DCO

in complying with all aspects of proposed Sec. 39.18(e)(4), and any

benefits that would be realized by members of DCOs and their customers,

as well as other market participants or the financial system more

broadly. The Commission specifically requests comment on alternative

means to address these issues, and the benefits associated with such

alternatives.

e. Regulation 39.18(e)(5)–Controls Testing

(i) Summary of Proposed Regulations

As discussed above in section II(A)(3), proposed Sec. 39.18(a)

defines “controls testing” as an assessment of the DCO’s controls to

determine whether such controls are implemented correctly, are

operating as intended, and are enabling the DCO to meet the

requirements of proposed Sec. 39.18, and proposed Sec. 39.18(e)(5)

requires such testing to be of a scope sufficient to satisfy the

testing scope requirements of proposed Sec. 39.18(e)(8). Proposed

Sec. 39.18(e)(5)(i) would require a DCO to conduct controls testing,

which includes testing of each control included in its program of risk

analysis and oversight, at a frequency determined by an appropriate

risk analysis, but no less frequently than every two years.

Pursuant to proposed Sec. 39.18(e)(5)(ii), a DCO would be required

to engage independent contractors to test and assess its “key

controls,” which are defined in proposed Sec. 39.18(a) as “controls

that an appropriate risk analysis determines are either critically

important for effective system safeguards or intended to address risks

that evolve or change more frequently and therefore require more

frequent review to ensure their continuing effectiveness in addressing

such risks.” DCOs may conduct any other non-key controls testing by

using independent contractors or employees of the DCO who are not

responsible for development or operation of the systems or capabilities

being tested.

(ii) Costs

The Commission does not believe that the scope requirement of

proposed Sec. 39.18(e)(5) will impose new costs on DCOs. Comprehensive

controls testing is an industry best practice.158 Accordingly,

current Sec. 39.18 requires DCOs to conduct comprehensive controls

testing. In addition, based on the representations made by DCOs to

Commission staff in administering the Commission’s examination program

and responses to the February 2015 DCR Survey, the Commission believes

that most DCOs are currently conducting controls testing sufficient to

meet the scope requirements of proposed Sec. 39.18(e)(5).

—————————————————————————

158 See, e.g., NIST SP 800-137, supra note 81, at vi; PCI-DSS,

supra note 54, at 13; see also supra section II.A.3.

—————————————————————————

Proposed Sec. 39.18(e)(5)(i) would require control testing to be

conducted at a frequency determined by an appropriate risk analysis,

but no less frequently than every two years. The Commission recognizes,

however, that appropriate risk analysis may well determine that more

frequent testing of either certain key controls or all controls is

necessary. For example, the Commission notes that the February 2015 DCR

Survey indicated that most DCOs conduct controls testing at least

annually.159

—————————————————————————

159 Seven of the responding DCOs conduct controls testing

annually, three DCOs conduct controls testing biannually, two DCOs

conduct controls testing triennially, and one DCO does not conduct

controls testing.

—————————————————————————

Proposed Sec. 39.18(e)(5)(ii) would require DCOs to engage

independent contractors to test and assess its key controls. Regulation

39.18(j)(2) currently requires testing to be conducted by a qualified,

independent professional, who can be employed by the DCO so long as he

or she is not responsible for development or operation of the systems

or capabilities being tested. The Commission notes that at least 11 of

the 13 DCOs responding to the February 2015 DCR Survey already employ

independent contractors to conduct key controls testing.

The Commission does not have quantification or estimation of the

costs associated with proposed Sec. 39.18(e)(5)(i) or proposed Sec.

39.18(e)(5)(ii). Nonetheless, in qualitative terms, the Commission

recognizes that, compared to the status quo, this proposed requirement

may impose some costs on DCOs equal to the difference between

conducting controls testing every two years in-house and hiring an

independent contractor to do so. In addition, with respect to the

frequency requirement in the proposed rule, a DCO would be required to

test each control included in its program of system safeguards-related

risk analysis oversight, at a frequency determined by appropriate risk

analysis, but no less frequently than every two years. The Commission

further recognizes that actual costs may vary as a result of numerous

factors, including the size of the DCO and the complexity of the

automated systems. Moreover, these proposed regulations may require

DCOs to establish and implement internal policies and procedures that

are reasonably designed to address the workflow associated with the

controls test, which may include the communication and cooperation

between the DCO and independent contractor, communication and

cooperation between the DCO’s legal, business, technology, and

compliance departments, appropriate authorization to remediate

vulnerabilities identified by the independent contractor,

implementation of the measures to address such vulnerabilities, and

verification that these measures are effective and appropriate.

The Commission requests comment on the potential costs of proposed

Sec. 39.18(e)(5) on DCOs, including, where possible, quantitative

data.

(iii) Benefits

Controls testing is essential in determining risk to an

organization’s operations and assets, to individuals, and to other

organizations, and to the Nation resulting from the use of the

organization’s systems.160 In other words, controls testing is vital

because it allows firms to be nimble in preventing, detecting, or

recovering from an attack.161 The Commission believes that the

complex analysis and plan preparation that a DCO undertakes with

respect to controls testing, including designing and implementing

changes to existing plans, likely contributes to a better ex ante

understanding by the DCO’s management of the challenges the DCO would

face in a cyber threat scenario, and thus better preparation to meet

those challenges. This improved preparation would help reduce the

possibility of market disruptions and financial losses to clearing

members and their customers. Moreover, regularly conducting controls

testing enables a DCO to mitigate the impact that a cyber threat to, or

a disruption of, a DCO’s operations would have on customers, clearing

members, and, more broadly, the stability of the U.S. financial

markets. Accordingly, the Commission believes that such testing

strengthens a DCO’s systems, thereby protecting

[[Page 80130]]

clearing members and their customers from a disruption in clearing

services

—————————————————————————

160 See NIST SP 800-53A, supra note 92, at 1; see also supra

section II.A.3.

161 Statement of Mr. Mark Clancy, Chief Executive Officer,

Soltra, CFTC Roundtable, supra note 8.

—————————————————————————

In addition, the Commission acknowledges that, as described above,

some DCOs may incur some additional costs as a result of the need to

conduct testing by an independent contractor. However, the Commission

believes that testing by an independent contractor has particular value

because the test comes from the viewpoint of an outsider, which may

differ from the views of current tactics, techniques, and threat

vectors of current threat actors held by DCO employees. The Commission

also acknowledges that, as described above, some DCOs may incur some

additional costs as a result of the need to accelerate the testing of

some controls in order to comply with the two-year cycle requirement.

Nevertheless, the Commission believes that it is essential for each

control to be tested within the two-year cycle requirement in order to

confirm the continuing adequacy of the DCO’s system safeguards and

maintain market stability. Additionally, the Commission notes that the

proposed rule would permit such testing to be conducted on a rolling

basis over the course of a two year period or period determined by

appropriate risk analysis. The rolling basis provision in the proposed

rule is designed to give a DCO flexibility concerning when controls are

tested during the required minimum frequency period. This flexibility

is intended to reduce burdens associated with testing every control

while still ensuring the needed minimum testing frequency. The

Commission also notes that testing on a rolling basis is consistent

with best practices.

The Commission requests comments on the potential benefits to a DCO

in complying with all aspects of proposed Sec. 39.18(e)(5), and any

benefits that would be realized by members of DCOs and their customers,

as well as other market participants or the financial system more

broadly. The Commission specifically requests comment on alternative

means to address these issues, and the benefits associated with such

alternatives.

f. Regulation 39.18(e)(6)–Security Incident Response Plan Testing

(i) Summary of Proposed Regulations

As discussed above in section II(A)(4), proposed Sec. 39.18(a)

defines security incident response plan testing as testing of a DCO’s

security incident response plan to determine the plan’s effectiveness,

identifying its potential weaknesses or deficiencies, enabling regular

plan updating and improvement, and maintaining organizational

preparedness and resiliency with respect to security incidents. Methods

of conducting security incident response plan testing would include,

but not be limited to, checklist completion, walk-through or table-top

exercises, simulations, and comprehensive exercises.

Proposed Sec. 39.18(e)(6)(i) would require DCOs to conduct such

testing at a frequency determined by an appropriate risk analysis, but

at a minimum no less frequently than annually. Proposed Sec.

39.18(e)(6)(ii) would require the DCO’s security incident response plan

to include, without limitation, the entity’s definition and

classification of security incidents, its policies and procedures for

reporting security incidents and for internal and external

communication and information sharing regarding security incidents, and

the hand-off and escalation points in its security incident response

process. Under proposed Sec. 39.18(e)(6)(iii), the DCO may coordinate

its security incident response plan testing with other testing required

by this section or with testing of its other business continuity-

disaster recovery and crisis management plans. Moreover, proposed Sec.

39.18(e)(6)(iv) would permit the DCO to conduct security incident

response plan testing by engaging independent contractors or by using

its own employees.

(ii) Costs

The Commission believes that proposed Sec. 39.18(e)(6)(i) will not

impose new costs on DCOs. Security incident response plan testing is an

industry best practice and therefore is required to be conducted under

current Commission regulations.162 Moreover, the Commission notes

that industry best practices state that security incident response plan

testing should be conducted annually.163 Accordingly, proposed Sec.

39.18(e)(6)(ii) will not impose new costs on DCOs because current Sec.

39.18 requires DCOs to conduct security incident response plan testing

on an annual basis. Finally, as stated above, Sec. 39.18(e)(6)(iii)

and (iv) do not contain explicit requirements, but rather provide a DCO

with flexibility to: (1) Coordinate its security incident response plan

testing with other testing required by Sec. 39.18 or with testing of

its other business continuity-disaster recovery and crisis management

plans; and (2) consistent with current Sec. 39.18(j)(2), engage

independent contractors or use employees of the DCO who are not

responsible for development or operation of the systems or capabilities

being tested. Accordingly, these provisions will not impose new costs

on DCOs.

—————————————————————————

162 See e.g., NIST SP 800-34, supra note 101, at 11; FINRA

Report, supra note 31, at 23; FFIEC BCP Booklet, supra note 104, at

25; and Council on Cybersecurity, supra note 33, at CSC 18; see also

supra section II.A.4. Similarly, the Commission proposes to

expressly require DCOs to update their business continuity and

disaster recovery plans and other emergency plans at least annually.

The Commission notes that updating such plans and procedures at

least annually is an industry best practice. See NIST SP 800-61,

supra note 101, at 8. Thus, annual updates are required under

current Commission regulations. Therefore, the Commission does not

believe that this proposal would impose new costs on DCOs. The

Commission acknowledges that this proposal could impose additional

burdens or costs on DCOs. The Commission believes, however, that

DCOs must be adequately protected in today’s environment.

163 See, e.g., NIST Special Publication 800-84, Guide to Test,

Training, and Exercise Programs for IT Plans and Capabilities, Sept.

2006, p. ES-2, available at: http://csrc.nist.gov/publications/nistpubs/800-84/SP800-84.pdf; PCI-DSS, supra note 54, at 108; see

also supra section II.A.4.

—————————————————————————

The Commission requests comment on the potential costs of proposed

Sec. 39.18(e)(6) on DCOs, including, where possible, quantitative

data.

(iii) Benefits

Security incident response plans, and adequate testing of such

plans, reduce the damage caused by breaches of a DCO’s network

security. Network security breaches are highly likely to have a

substantial negative impact on a DCO’s operations. They can increase

costs through lost productivity, lost current and future market

participation or swap data reporting, compliance penalties, and damage

to the DCO’s reputation and brand. Moreover, the longer a cyber

intrusion continues, the more its impact may be compounded.

As noted above, and consistent with industry best practices, the

Commission believes that annual security incident response testing

increases the ability of a DCO to mitigate the duration and impact in

the event of a security incident.164 Thus, a DCO may be better

positioned to minimize any potential impacts to automated system

operations, reliability, security, or capacity, or the availability,

confidentiality, or integrity of its derivatives data.

—————————————————————————

164 As noted above, the proposed provision that would require

DCOs to update their business continuity and disaster recovery plans

and other emergency plans at least annually reflects what is already

considered an industry best practice. Further, annual updates are

important because once an organization has developed a business

continuity and disaster recovery plan, “the organization should

implement the plan and review it at least annually to ensure the

organization is following the roadmap for maturing the capability

and fulfilling their [sic] goals for incident response.” NIST SP

800-61, supra note 101, at 8.

—————————————————————————

[[Page 80131]]

The Commission requests comments on the potential benefits to a DCO

in complying with all aspects of proposed Sec. 39.18(e)(6), and any

benefits that would be realized by members of DCOs and their customers,

as well as other market participants or the financial system more

broadly. The Commission specifically requests comment on alternative

means to address these issues, and the benefits associated with such

alternatives.

g. Regulation 39.18(e)(7)–Enterprise Technology Risk Assessment

(i) Summary of Proposed Regulations

Proposed Sec. 39.18(a) defines an “enterprise technology risk

assessment” as a written assessment that includes, but is not limited

to, an analysis of threats and vulnerabilities in the context of

mitigating controls. Proposed Sec. 39.18(a) also provides that an

enterprise technology risk assessment identifies, estimates, and

prioritizes risks to a DCO’s operations or assets, or to market

participants, individuals, or other entities, resulting from impairment

of the confidentiality, integrity, or availability of data and

information or the reliability, security, or capacity of automated

systems. Proposed Sec. 39.18(e)(7) requires such assessment to be of a

scope sufficient to satisfy the requirements of proposed Sec.

39.18(e)(8). Proposed Sec. 39.18(e)(7)(i) requires DCOs to conduct an

enterprise technology risk assessment at a frequency determined by an

appropriate risk analysis, but no less frequently than annually.

Proposed Sec. 39.18(e)(7)(ii) provides that DCOs may use independent

contractors or employees of the DCO not responsible for development or

operation of the systems or capabilities being assessed to conduct an

enterprise technology risk assessment.

(ii) Costs

The Commission does not believe that the scope requirement of

proposed Sec. 39.18(e)(7) will impose new costs on DCOs. Comprehensive

enterprise technology risk assessments are an industry best

practice.165 Accordingly, current Sec. 39.18 requires DCOs to

conduct enterprise technology risk assessments. In addition, based on

the representations made by DCOs to Commission staff in administering

the Commission’s examination program and responses to the February 2015

DCR Survey, the Commission believes that most DCOs are currently

conducting enterprise technology risk assessments sufficient to meet

the scope requirements of proposed Sec. 39.18(e)(7).

—————————————————————————

165 See, e.g., NIST SP 800-39, supra note 59; FFIEC Handbook,

supra note 57, at 86; PCI-DSS, supra note 54, at 100; see also supra

section II.A.5.

—————————————————————————

Proposed Sec. 39.18(e)(7)(i) would require a DCO to conduct an

enterprise technology risk assessment at a frequency determined by an

appropriate risk analysis, but no less frequently than annually. As

discussed above,166 industry best practices require enterprise

technology risk assessments at least annually and upon significant

changes to the environment.167 Thus, current regulations require DCOs

to conduct enterprise technology risk assessments on an annual basis.

Accordingly, the Commission does not believe that proposed Sec.

39.18(e)(7)(i) will impose new costs on DCOs. Moreover, the Commission

notes that responses to the February 2015 DCR Survey indicated that

most DCOs conduct an enterprise technology risk assessment at least

annually.

—————————————————————————

166 See supra section II.A.5.

167 PCI-DSS, supra note 54, at 100.

—————————————————————————

Proposed Sec. 39.18(e)(7)(ii) requires DCOs to conduct enterprise

technology risk assessments by using independent contractors or

employees of the DCO not responsible for development or operation of

the systems or capabilities being assessed. Regulation 39.18(j)(2)

currently requires testing to be conducted by a qualified, independent

professional, who can be employed by the DCO so long as he or she is

not responsible for development or operation of the systems or

capabilities being tested. Accordingly, the Commission does not believe

that DCOs will incur additional costs as a result of the adoption of

proposed Sec. 39.18(e)(7)(ii).

(iii) Benefits

The Commission believes that enterprise technology risk assessments

are essential components of a comprehensive system safeguard program.

Enterprise technology risk assessments can be viewed as a strategic

approach through which a DCO identifies risks and aligns its systems

goals accordingly. The Commission believes that these requirements are

necessary to support a strong risk management framework for DCOs,

thereby helping to protect DCOs, their members, and other market

participants, and helping to mitigate the risk of market disruptions.

The Commission requests comments on the potential benefits to a DCO

in complying with all aspects of proposed Sec. 39.18(e)(7), and any

benefits that would be realized by members of DCOs and their customers,

as well as other market participants or the financial system more

broadly. The Commission specifically requests comment on alternative

means to address these issues, and the benefits associated with such

alternatives.

h. Regulation 39.18(e)(8)–Scope of Testing and Assessment

(i) Summary of Proposed Regulations

As discussed above in section II(B), proposed Sec. 39.18(e)(8)

provides that the scope for all system safeguards testing and

assessment required by proposed Sec. 39.18 must be broad enough to

include all testing of automated systems, networks, and controls

necessary to identify any vulnerability which, if exploited or

accidentally triggered, could enable an intruder or unauthorized user

or insider to: (1) Interfere with the entity’s operations or with

fulfillment of the entity’s statutory and regulatory responsibilities;

(2) impair or degrade the reliability, security, or adequate scalable

capacity of the entity’s automated systems; (3) add to, delete, modify,

exfiltrate, or compromise the integrity of any data related to the

entity’s regulated activities; and (4) undertake any other unauthorized

action affecting the entity’s regulated activities or the hardware or

software used in connection with those activities.

(ii) Costs and Benefits

The Commission believes that the costs and benefits associated with

the scope for testing and assessment are generally attributable to the

substantive testing requirements, and therefore, are discussed above in

the cost and benefit considerations related to the rules describing the

requirements for each test or assessment.

i. Regulation 39.18(e)(9)–Internal Reporting and Review

(i) Summary of Proposed Regulations

As discussed above in section II(C), proposed Sec. 39.18(e)(9)

provides that both the senior management and the board of directors of

the DCO must receive and review reports setting forth the results of

the testing and assessment required by proposed Sec. 39.18. Moreover

the DCO would be required to establish and follow appropriate

procedures for the remediation of issues identified through such

review, as provided in proposed Sec. 39.18(e)(10), and for evaluation

of the effectiveness of testing and assessment protocols.

(ii) Costs

As discussed above, review of system safeguard testing and

assessments by

[[Page 80132]]

senior management and the DCO’s board of directors is an industry best

practice and is therefore required to be conducted under current

Commission regulations.168 Accordingly, the Commission does not

believe that DCOs will incur additional costs as a result of the

adoption of the proposed rules.

—————————————————————————

168 See supra section II.C.

—————————————————————————

Nevertheless, the Commission requests comment on any potential

costs of proposed Sec. 39.18(e)(9) on DCOs, including, where possible,

quantitative data.

(iii) Benefits

The Commission believes that internal reporting and review are an

essential component of a comprehensive and effective system safeguard

program. While senior management and the DCO’s board of directors may

have to devote resources to reviewing testing and assessment reports,

active supervision by these individuals promotes responsibility and

accountability by ensuring they receive and review the results of all

system safeguard testing and assessments, thereby affording them the

opportunity to evaluate the effectiveness of the testing and assessment

protocols. Moreover, the attention by the board of directors and senior

management should help to promote a focus on such reviews and issues,

and enhance communication and coordination regarding such reviews and

issues among the business, technology, legal, and compliance personnel

of the DCO. Such focus could cause a DCO to internalize and/or more

appropriately allocate certain costs that would otherwise be borne by

clearing members, customers of clearing members, and other relevant

stakeholders. Active supervision by senior management and the board of

directors also promotes a more efficient, effective, and reliable DCO

risk management and operating structure. Consequently, the DCO should

be better positioned to strengthen the integrity, resiliency, and

availability of its automated systems.

The Commission requests comments on the potential benefits to a DCO

in complying with all aspects of proposed Sec. 39.18(e)(9), and any

benefits that would be realized by members of DCOs and their customers,

as well as other market participants or the financial system more

broadly. The Commission specifically requests comment on alternative

means to address these issues, and the benefits associated with such

alternatives.

j. Regulation 39.18(e)(10)–Remediation

(i) Summary of Proposed Regulations

As discussed above in section II(C), proposed Sec. 39.18(e)(10)

requires a DCO to analyze the results of the testing and assessment

required by proposed Sec. 39.18 to identify all vulnerabilities and

deficiencies in its systems. The DCO would also be required to

remediate those vulnerabilities and deficiencies to the extent

necessary to enable the DCO to fulfill its statutory and regulatory

obligations. The remediation would have to be timely in light of

appropriate risk analysis with respect to the risks presented by such

vulnerabilities and deficiencies.

(ii) Costs

The Commission believes that, based on a DCO’s risk analysis, the

DCO generally remediates the vulnerabilities and deficiencies revealed

by testing and assessment in the ordinary course of business to

mitigate harm to the DCO and to satisfy current statutory and

regulatory requirements. As discussed above, remediation of

vulnerabilities and deficiencies revealed by cybersecurity testing is

an industry best practice,169 and DCOs are already required to comply

with this requirement. Accordingly, the Commission does not believe

that DCOs will incur additional costs as a result of the adoption of

the proposed rules.

—————————————————————————

169 See, e.g., FFIEC Handbook, supra note 57, at 5; see also

supra section II.C.

—————————————————————————

The Commission requests comment on any potential costs of proposed

Sec. 39.18(e)(10) on DCOs, including, where possible, quantitative

data.

(iii) Benefits

The Commission believes that effective remediation is a critical

component of a comprehensive and effective system safeguard program. As

discussed above, the Commission believes that the remediation of

vulnerabilities and deficiencies revealed by cybersecurity testing is a

current industry best practice and therefore already required under

current regulations. Moreover, remediation may reduce the frequency and

severity of systems disruptions and breaches for DCOs. In addition,

remediation helps ensure that DCOs dedicate appropriate resources to

timely address system safeguard-related deficiencies and would place an

emphasis on mitigating harm to market participants while promoting

market integrity. Without a timely remediation requirement, the impact

of the vulnerabilities or deficiencies identified by the testing or

assessment could persist and have a detrimental effect on the

derivatives markets generally, as well as market participants. The

Commission also believes that remediation could potentially result in

DCOs reviewing and revising their existing policies and procedures to

ensure that they are sufficiently thorough in the context of the new

regulatory requirements, which would also assist their staffs in

responding appropriately to vulnerabilities or deficiencies identified

by the testing and assessments.

The Commission requests comments on the potential benefits to a DCO

in complying with all aspects of proposed Sec. 39.18(e)(10), and any

benefits that would be realized by members of DCOs and their customers,

as well as other market participants or the financial system more

broadly. The Commission specifically requests comment on alternative

means to address these issues, and the benefits associated with such

alternatives.

4. Section 15(a) Factors

a. Protection of Market Participants and the Public

Automated systems are critical to a DCO’s operations, which provide

essential counterparty credit risk protection to market participants

and the investing public. Proposed Sec. 39.18 is designed to further

enhance DCOs’ risk analysis programs in order to ensure that such

automated systems are reliable, secure, and have an adequate scalable

capacity. Accordingly, the Commission believes that the proposed rules

will further help protect the derivatives markets by promoting more

robust automated systems and therefore fewer disruptions and market-

wide closures, systems compliance issues, and systems intrusions.

Additionally, providing the Commission with reports concerning the

system safeguards testing and assessments required by the proposed

regulations will further facilitate the Commission’s oversight of

derivatives markets, augment the Commission’s efforts to monitor

systemic risk, and will further the protection of market participants

and the public by helping to ensure that a DCO’s automated systems are

available, reliable, secure, have adequate scalable capacity, and are

effectively overseen.

The costs of this proposed rulemaking would be mitigated by the

countervailing benefits of improved design, more efficient and

effective processes, and enhanced planning that would lead to increased

safety and soundness of DCOs and the reduction of

[[Page 80133]]

systemic risk, which protect market participants and the public from

the adverse consequences that would result from a DCO’s failure or a

disruption in its functioning.

b. Efficiency, Competitiveness and Financial Integrity

The proposed amendments to Sec. 39.18 would help preserve the

efficiency and financial integrity of the derivatives markets by

promoting comprehensive oversight and testing of a DCO’s operations and

automated systems. Specifically, the proposed amendments will further

reduce the probability of a cyber attack that could lead to a

disruption in clearing services which could, in turn, cause disruptions

to the efficient functioning and financial integrity of the derivatives

markets. Preventing cyber attacks could prevent monetary losses to

DCOs, and thereby help protect their financial integrity.

The Commission does not anticipate the proposed amendments to have

a significant impact on the competitiveness of the derivatives markets.

c. Price Discovery

The Commission does not anticipate the proposed amendments to Sec.

39.18 to have a direct effect on the price discovery process. However,

ensuring that DCOs’ automated systems function properly to clear trades

protects the price discovery process to the extent that a prolonged

disruption or suspension in clearing at a DCO may cause potential

market participants to refrain from trading.

d. Sound Risk Management Practices

The proposed amendments to Sec. 39.18 would strengthen and promote

sound risk management practices across DCOs. Specifically, the proposed

amendments would build upon the current system safeguards requirements

by ensuring that tests of DCOs’ key system safeguards are conducted at

minimum intervals and, where appropriate, by independent professionals.

The applicable tests are each recognized by industry best practices as

essential components of a sound risk management program. Moreover, the

benefits of the proposed rules will be shared by market participants

and the investing public as DCOs, by their nature, serve to provide

such parties with counterparty credit risk protection.

In addition, reliably functioning computer systems and networks are

crucial to comprehensive risk management, and being able to request

reports of the system safeguards testing required by the proposed

regulations will assist the Commission in its oversight of DCOs and

will bolster the Commission’s ability to assess systemic risk levels.

e. Other Public Interest Considerations

The Commission notes the public interest in promoting and

protecting public confidence in the safety and security of the

financial markets. DCOs are essential to risk management in the

financial markets, both systemically and on an individual firm level.

Proposed Sec. 39.18, by explicating current requirements and

identifying several additional key tests and assessments, promotes the

ability of DCOs to perform these functions free from disruption due to

both internal and external threats to its systems.

5. Request for Comment

In addition to the requests for comment specified above, the

Commission requests comment on the following:

What are the potential costs and benefits resulting from, or

arising out of, requiring DCOs to comply with the proposed changes to

Sec. 39.18? In considering costs and benefits, commenters are

requested to address the effect of the proposed regulation not only on

a DCO, but also on the DCO’s clearing members, the customers of

clearing members, and the financial system more broadly. The Commission

requests that, where possible, commenters provide quantitative data in

their comments, particularly with respect to estimates of costs and

benefits.

The Commission has identified the baseline as current regulatory

requirements. Is this baseline correct? If not, what should the

baseline be, and how would the alternative baseline change the costs

and benefits associated with the proposed changes to Sec. 39.18?

Do rules impose costs above those required by current system

safeguards rule and identified by the Commission? Specify and provide

data to support.

Do rules provide benefits above those required by current system

safeguards rule and identified by the Commission? Specify and provide

data to support.

Do the costs or impacts of the proposed rules differ depending on

the size of a DCO? Do they differ depending on the complexity of a

DCO’s systems?

List of Subjects in 17 CFR Part 39

Commodity futures, Reporting and recordkeeping requirements, System

safeguards.

For the reasons stated in the preamble, the Commodity Futures

Trading Commission proposes to amend 17 CFR part 39 as follows:

PART 39–DERIVATIVES CLEARING ORGANIZATIONS

0

1. The authority citation for part 39 continues to read as follows:

Authority: 7 U.S.C. 2, 7a-1, and 12a; 12 U.S.C. 5464; 15 U.S.C.

8325.

0

2. Revise Sec. 39.18 to read as follows:

Sec. 39.18 System safeguards.

(a) Definitions. For purposes of this section and Sec. 39.34:

Controls mean the safeguards or countermeasures employed by the

derivatives clearing organization in order to protect the reliability,

security, or capacity of its automated systems or the confidentiality,

integrity, or availability of its data and information, in order to

enable the derivatives clearing organization to fulfill its statutory

and regulatory responsibilities.

Controls testing means assessment of the derivatives clearing

organization’s controls to determine whether such controls are

implemented correctly, are operating as intended, and are enabling the

derivatives clearing organization to meet the requirements established

by this section.

Enterprise technology risk assessment means a written assessment

that includes, but is not limited to, an analysis of threats and

vulnerabilities in the context of mitigating controls. An enterprise

technology risk assessment identifies, estimates, and prioritizes risks

to a derivatives clearing organization’s operations or assets, or to

market participants, individuals, or other entities, resulting from

impairment of the confidentiality, integrity, or availability of data

and information or the reliability, security, or capacity of automated

systems.

External penetration testing means attempts to penetrate a

derivatives clearing organization’s automated systems from outside the

systems’ boundaries to identify and exploit vulnerabilities. Methods of

conducting external penetration testing include, but are not limited

to, methods for circumventing the security features of an automated

system.

Internal penetration testing means attempts to penetrate a

derivatives clearing organization’s automated systems from inside the

systems’ boundaries to identify and exploit vulnerabilities. Methods of

conducting internal penetration testing include, but are not limited

to, methods for circumventing the security features of an automated

system.

[[Page 80134]]

Key controls means those controls that an appropriate risk analysis

determines are either critically important for effective system

safeguards or intended to address risks that evolve or change more

frequently and therefore require more frequent review to ensure their

continuing effectiveness in addressing such risks.

Recovery time objective means the time period within which a

derivatives clearing organization should be able to achieve recovery

and resumption of processing, clearing, and settlement of transactions,

after those capabilities become temporarily inoperable for any reason

up to or including a wide-scale disruption.

Relevant area means the metropolitan or other geographic area

within which a derivatives clearing organization has physical

infrastructure or personnel necessary for it to conduct activities

necessary to the processing, clearing, and settlement of transactions.

The term “relevant area” also includes communities economically

integrated with, adjacent to, or within normal commuting distance of

that metropolitan or other geographic area.

Security incident means a cybersecurity or physical security event

that actually or potentially jeopardizes automated system operation,

reliability, security, or capacity, or the availability,

confidentiality or integrity of data.

Security incident response plan means a written plan documenting

the derivatives clearing organization’s policies, controls, procedures,

and resources for identifying, responding to, mitigating, and

recovering from security incidents, and the roles and responsibilities

of its management, staff, and independent contractors in responding to

security incidents. A security incident response plan may be a separate

document or a business continuity-disaster recovery plan section or

appendix dedicated to security incident response.

Security incident response plan testing means testing of a

derivatives clearing organization’s security incident response plan to

determine the plan’s effectiveness, identify its potential weaknesses

or deficiencies, enable regular plan updating and improvement, and

maintain organizational preparedness and resiliency with respect to

security incidents. Methods of conducting security incident response

plan testing may include, but are not limited to, checklist completion,

walk-through or table-top exercises, simulations, and comprehensive

exercises.

Vulnerability testing means testing of a derivatives clearing

organization’s automated systems to determine what information may be

discoverable through a reconnaissance analysis of those systems and

what vulnerabilities may be present on those systems.

Wide-scale disruption means an event that causes a severe

disruption or destruction of transportation, telecommunications, power,

water, or other critical infrastructure components in a relevant area,

or an event that results in an evacuation or unavailability of the

population in a relevant area.

(b) Program of risk analysis and oversight–(1) General. A

derivatives clearing organization shall establish and maintain a

program of risk analysis and oversight with respect to its operations

and automated systems to identify and minimize sources of operational

risk through:

(i) The development of appropriate controls and procedures; and

(ii) The development of automated systems that are reliable,

secure, and have adequate scalable capacity.

(2) Elements of program. A derivatives clearing organization’s

program of risk analysis and oversight with respect to its operations

and automated systems, as described in paragraph (b)(1) of this

section, shall address each of the following elements:

(i) Information security, including, but not limited to, controls

relating to: Access to systems and data (e.g., least privilege,

separation of duties, account monitoring and control); user and device

identification and authentication; security awareness training; audit

log maintenance, monitoring, and analysis; media protection; personnel

security and screening; automated system and communications protection

(e.g., network port control, boundary defenses, encryption); system and

information integrity (e.g., malware defenses, software integrity

monitoring); vulnerability management; penetration testing; security

incident response and management; and any other elements of information

security included in generally accepted best practices;

(ii) Business continuity and disaster recovery planning and

resources, including, but not limited to, the controls and capabilities

described in paragraph (c) of this section; and any other elements of

business continuity and disaster recovery planning and resources

included in generally accepted best practices;

(iii) Capacity and performance planning, including, but not limited

to, controls for monitoring the derivatives clearing organization’s

systems to ensure adequate scalable capacity (e.g., testing,

monitoring, and analysis of current and projected future capacity and

performance, and of possible capacity degradation due to planned

automated system changes); and any other elements of capacity and

performance planning included in generally accepted best practices;

(iv) Systems operations, including, but not limited to, system

maintenance; configuration management (e.g., baseline configuration,

configuration change and patch management, least functionality,

inventory of authorized and unauthorized devices and software); event

and problem response and management; and any other elements of system

operations included in generally accepted best practices;

(v) Systems development and quality assurance, including, but not

limited to, requirements development; pre-production and regression

testing; change management procedures and approvals; outsourcing and

vendor management; training in secure coding practices; and any other

elements of systems development and quality assurance included in

generally accepted best practices; and

(vi) Physical security and environmental controls, including, but

not limited to, physical access and monitoring; power,

telecommunication, and environmental controls; fire protection; and any

other elements of physical security and environmental controls included

in generally accepted best practices.

(3) Standards for program. In addressing the elements listed under

paragraph (b)(2) of this section, a derivatives clearing organization

shall follow generally accepted standards and industry best practices

with respect to the development, operation, reliability, security, and

capacity of automated systems.

(4) Resources. A derivatives clearing organization shall establish

and maintain resources that allow for the fulfillment of each

obligation and responsibility of the derivatives clearing organization,

including the daily processing, clearing, and settlement of

transactions, in light of any risk to its operations and automated

systems. The derivatives clearing organization shall periodically

verify the adequacy of such resources.

(c) Business continuity and disaster recovery–(1) General. A

derivatives clearing organization shall establish and maintain a

business continuity and disaster recovery plan, emergency procedures,

and physical, technological, and personnel resources sufficient to

enable the timely recovery and resumption of operations and the

[[Page 80135]]

fulfillment of each obligation and responsibility of the derivatives

clearing organization, including, but not limited to, the daily

processing, clearing, and settlement of transactions, following any

disruption of its operations.

(2) Recovery time objective. A derivatives clearing organization’s

business continuity and disaster recovery plan, as described in

paragraph (c)(1) of this section, shall have, and the derivatives

clearing organization shall maintain physical, technological, and

personnel resources sufficient to meet, a recovery time objective of no

later than the next business day following a disruption.

(3) Coordination of plans. A derivatives clearing organization

shall, to the extent practicable:

(i) Coordinate its business continuity and disaster recovery plan

with those of its clearing members, in a manner adequate to enable

effective resumption of daily processing, clearing, and settlement of

transactions following a disruption;

(ii) Initiate and coordinate periodic, synchronized testing of its

business continuity and disaster recovery plan with those of its

clearing members; and

(iii) Ensure that its business continuity and disaster recovery

plan takes into account the plans of its providers of essential

services, including telecommunications, power, and water.

(d) Outsourcing. (1) A derivatives clearing organization shall

maintain the resources required under paragraphs (b)(4) and (c)(1) of

this section either:

(i) Using its own employees as personnel, and property that it

owns, licenses, or leases; or

(ii) Through written contractual arrangements with another

derivatives clearing organization or other service provider.

(2) Retention of responsibility. A derivatives clearing

organization that enters into a contractual outsourcing arrangement

shall retain complete responsibility for any failure to meet the

requirements specified in paragraphs (b) and (c) of this section. The

derivatives clearing organization must employ personnel with the

expertise necessary to enable it to supervise the service provider’s

delivery of the services.

(3) Testing of resources. The testing referred to in paragraph (e)

of this section shall apply to all of the derivatives clearing

organization’s own and outsourced resources, and shall verify that all

such resources will work together effectively. Where testing is

required to be conducted by an independent contractor, the derivatives

clearing organization shall engage a contractor that is independent

from both the derivatives clearing organization and any outside service

provider used to design, develop, or maintain the resources being

tested.

(e) Testing–(1) General. A derivatives clearing organization shall

conduct regular, periodic, and objective testing and review of:

(i) Its automated systems to ensure that they are reliable, secure,

and have adequate scalable capacity; and

(ii) Its business continuity and disaster recovery capabilities,

using testing protocols adequate to ensure that the derivatives

clearing organization’s backup resources are sufficient to meet the

requirements of paragraph (c) of this section.

(2) Vulnerability testing. A derivatives clearing organization

shall conduct vulnerability testing of a scope sufficient to satisfy

the requirements set forth in paragraph (e)(8) of this section.

(i) A derivatives clearing organization shall conduct such

vulnerability testing at a frequency determined by an appropriate risk

analysis, but no less frequently than quarterly.

(ii) Such vulnerability testing shall include automated

vulnerability scanning. Where indicated by appropriate risk analysis,

such scanning shall be conducted on an authenticated basis, e.g., using

log-in credentials. Where scanning is conducted on an unauthenticated

basis, the derivatives clearing organization shall implement effective

compensating controls.

(iii) A derivatives clearing organization shall engage independent

contractors to conduct two of the required quarterly vulnerability

tests each year. A derivatives clearing organization may conduct other

vulnerability testing by using employees of the derivatives clearing

organization who are not responsible for development or operation of

the systems or capabilities being tested.

(3) External penetration testing. A derivatives clearing

organization shall conduct external penetration testing of a scope

sufficient to satisfy the requirements set forth in paragraph (e)(8) of

this section.

(i) A derivatives clearing organization shall conduct such external

penetration testing at a frequency determined by an appropriate risk

analysis, but no less frequently than annually.

(ii) A derivatives clearing organization shall engage independent

contractors to conduct the required annual external penetration test. A

derivatives clearing organization may conduct other external

penetration testing by using employees of the derivatives clearing

organization who are not responsible for development or operation of

the systems or capabilities being tested.

(4) Internal penetration testing. A derivatives clearing

organization shall conduct internal penetration testing of a scope

sufficient to satisfy the requirements set forth in paragraph (e)(8) of

this section.

(i) A derivatives clearing organization shall conduct such internal

penetration testing at a frequency determined by an appropriate risk

analysis, but no less frequently than annually.

(ii) A derivatives clearing organization shall conduct internal

penetration testing by engaging independent contractors, or by using

employees of the derivatives clearing organization who are not

responsible for development or operation of the systems or capabilities

being tested.

(5) Controls testing. A derivatives clearing organization shall

conduct controls testing of a scope sufficient to satisfy the

requirements set forth in paragraph (e)(8) of this section.

(i) A derivatives clearing organization shall conduct controls

testing, which includes testing of each control included in its program

of risk analysis and oversight, at a frequency determined by an

appropriate risk analysis, but no less frequently than every two years.

A derivatives clearing organization may conduct such testing on a

rolling basis over the course of the period determined by such risk

analysis.

(ii) A derivatives clearing organization shall engage independent

contractors to test and assess the key controls, as determined by

appropriate risk analysis, included in the derivatives clearing

organization’s program of risk analysis and oversight no less

frequently than every two years. A derivatives clearing organization

may conduct any other controls testing required by this section by

using independent contractors or employees of the derivatives clearing

organization who are not responsible for development or operation of

the systems or capabilities being tested.

(6) Security incident response plan testing. A derivatives clearing

organization shall conduct security incident response plan testing

sufficient to satisfy the requirements set forth in paragraph (e)(8) of

this section.

(i) The derivatives clearing organization shall conduct such

security incident response plan testing at a frequency determined by an

appropriate risk analysis, but no less frequently than annually.

(ii) The derivatives clearing organization’s security incident

response plan shall include, without limitation, the derivatives

clearing organization’s definition and

[[Page 80136]]

classification of security incidents, its policies and procedures for

reporting security incidents and for internal and external

communication and information sharing regarding security incidents, and

the hand-off and escalation points in its security incident response

process.

(iii) The derivatives clearing organization may coordinate its

security incident response plan testing with other testing required by

this section or with testing of its other business continuity-disaster

recovery and crisis management plans.

(iv) The derivatives clearing organization may conduct security

incident response plan testing by engaging independent contractors or

by using employees of the derivatives clearing organization who are not

responsible for development or operation of the systems or capabilities

being tested.

(7) Enterprise technology risk assessment. A derivatives clearing

organization shall conduct enterprise technology risk assessments of a

scope sufficient to satisfy the requirements set forth in paragraph

(e)(8) of this section.

(i) A derivatives clearing organization shall conduct an enterprise

technology risk assessment at a frequency determined by an appropriate

risk analysis, but no less frequently than annually.

(ii) A derivatives clearing organization may conduct enterprise

technology risk assessments by using independent contractors or

employees of the derivatives clearing organization not responsible for

development or operation of the systems or capabilities being assessed.

(8) Scope of testing and assessment. The scope of all testing and

assessment required by this section shall be broad enough to include

testing of all automated systems and controls necessary to identify any

vulnerability which, if exploited or accidentally triggered, could

enable an intruder or unauthorized user or insider to:

(i) Interfere with the derivatives clearing organization’s

operations or with fulfillment of its statutory and regulatory

responsibilities;

(ii) Impair or degrade the reliability, security, or capacity of

the derivatives clearing organization’s automated systems;

(iii) Add to, delete, modify, exfiltrate, or compromise the

integrity of any data related to the derivatives clearing

organization’s regulated activities; or

(iv) Undertake any other unauthorized action affecting the

derivatives clearing organization’s regulated activities or the

hardware or software used in connection with those activities.

(9) Internal reporting and review. Both the senior management and

the board of directors of the derivatives clearing organization shall

receive and review reports setting forth the results of the testing and

assessment required by this section. The derivatives clearing

organization shall establish and follow appropriate procedures for the

remediation of issues identified through such review, as provided in

paragraph (e)(10) of this section, and for evaluation of the

effectiveness of testing and assessment protocols.

(10) Remediation. A derivatives clearing organization shall analyze

the results of the testing and assessment required by this section to

identify all vulnerabilities and deficiencies in its systems. The

derivatives clearing organization shall remediate those vulnerabilities

and deficiencies to the extent necessary to enable the derivatives

clearing organization to fulfill the requirements of this chapter and

meet its statutory and regulatory obligations. Such remediation must be

timely in light of appropriate risk analysis with respect to the risks

presented by such vulnerabilities and deficiencies.

(f) Recordkeeping. A derivatives clearing organization shall

maintain, and provide to staff of the Division of Clearing and Risk, or

any successor division, promptly upon request, pursuant to Sec. 1.31

of this chapter:

(1) Current copies of the derivatives clearing organization’s

business continuity and disaster recovery plan and other emergency

procedures. Such plan and procedures shall be updated at a frequency

determined by an appropriate risk analysis, but no less frequently than

annually;

(2) All assessments of the derivatives clearing organization’s

operational risks or system safeguards-related controls;

(3) All reports concerning testing and assessment required by this

section, whether conducted by independent contractors or by employees

of the derivatives clearing organization; and

(4) All other documents requested by staff of the Division of

Clearing and Risk, or any successor division, in connection with

Commission oversight of system safeguards pursuant to the Act or

Commission regulations, or in connection with Commission maintenance of

a current profile of the derivatives clearing organization’s automated

systems.

(5) Nothing in this paragraph (f) of this section shall be

interpreted as reducing or limiting in any way a derivatives clearing

organization’s obligation to comply with Sec. 1.31 of this chapter.

(g) Notice of exceptional events. A derivatives clearing

organization shall notify staff of the Division of Clearing and Risk,

or any successor division, promptly of:

(1) Any hardware or software malfunction, security incident, or

targeted threat that materially impairs, or creates a significant

likelihood of material impairment, of automated system operation,

reliability, security, or capacity; or

(2) Any activation of the derivatives clearing organization’s

business continuity and disaster recovery plan.

(h) Notice of planned changes. A derivatives clearing organization

shall provide staff of the Division of Clearing and Risk, or any

successor division, timely advance notice of all material:

(1) Planned changes to the derivatives clearing organization’s

automated systems that may impact the reliability, security, or

capacity of such systems; and

(2) Planned changes to the derivatives clearing organization’s

program of risk analysis and oversight.

0

3. Revise paragraphs (a), (b)(3), and (c) of Sec. 39.34 to read as

follows:

Sec. 39.34 System safeguards for systemically important derivatives

clearing organizations and subpart C derivatives clearing

organizations.

(a) Notwithstanding Sec. 39.18(c)(2), the business continuity and

disaster recovery plan described in Sec. 39.18(c)(1) for each

systemically important derivatives clearing organization and subpart C

derivatives clearing organization shall have the objective of enabling,

and the physical, technological, and personnel resources described in

Sec. 39.18(c)(1) shall be sufficient to enable, the systemically

important derivatives clearing organization or subpart C derivatives

clearing organization to recover its operations and resume daily

processing, clearing, and settlement no later than two hours following

the disruption, for any disruption including a wide-scale disruption.

(b) * * *

(3) The provisions of Sec. 39.18(d) shall apply to these resource

requirements.

(c) Each systemically important derivatives clearing organization

and subpart C derivatives clearing organization must conduct regular,

periodic tests of its business continuity and disaster recovery plans

and resources and its capacity to achieve the required recovery time

objective in the event of a wide-scale disruption. The

[[Page 80137]]

provisions of Sec. 39.18(e) shall apply to such testing.

* * * * *

Issued in Washington, DC, on December 17, 2015, by the

Commission.

Christopher J. Kirkpatrick,

Secretary of the Commission.

Note: The following appendices will not appear in the Code of

Federal Regulations.

Appendices to System Safeguards Testing Requirements for Derivatives

Clearing Organizations–Commission Voting Summary, Chairman’s

Statement, and Commissioner’s Statement

Appendix 1–Commission Voting Summary

On this matter, Chairman Massad and Commissioners Bowen and

Giancarlo voted in the affirmative. No Commissioner voted in the

negative.

Appendix 2–Statement of Chairman Timothy G. Massad

I strongly support this proposed rule.

The risk of cyberattacks is perhaps the most important single

issue we face in terms of financial market stability and integrity.

The examples of cyberattacks or significant technological

disruptions from inside and outside the financial sector are all too

frequent and familiar.

Today, the aims of these attacks can go beyond traditional

financial motives. Today, we must be concerned about the possibility

of attacks intended to destroy information and disrupt or

destabilize our markets.

The risk to American businesses and the economy is dramatic. And

the interconnectedness of our financial institutions and markets

means that a failure in one institution can have significant

repercussions throughout the system.

The proposed rule that we are issuing today is an important step

toward enhancing the protections in our markets. It builds on our

core principles–which already require clearinghouses to focus on

system safeguards–by setting standards consistent with best

practices. It requires robust testing of cyber protections, setting

forth the types of testing that must be conducted, the frequency of

testing and whether tests should be conducted by independent

parties. In addition, it enhances standards for incident response

planning and enterprise technology risk assessments.

Our requirements should come as no surprise–clearinghouses

should already be doing extensive testing. Indeed, we hope that

today’s proposal sets a baseline that is already being met.

The proposal also complements what we as a Commission already

do. We focus on these issues in our examinations to determine

whether an institution is following good practices and paying

adequate attention to these risks at the board level and on down.

This rule is largely in line with another system safeguards

proposal that the Commission also approved today, which applies the

same standards to other critical market infrastructure.

Since the 2009 G-20 agreement and the enactment of Dodd-Frank,

clearinghouses have become increasingly important the financial

system. As a result, I believe we must do all we can to ensure their

strength and stability. This proposed rule is a critical component

of this effort.

I thank the staff for their hard work on this proposal. Of

course, we welcome public comment on both our system safeguards

proposals, which will be carefully taken into account before we take

any final action.

Appendix 3–Statement of Commissioner Sharon Y. Bowen

Today, we are considering two rule proposals that address an

issue which is right at the heart of systemic risk in our markets–

cybersecurity. The question that we face is: with a problem as

immense as cybercrime, and the many measures already being employed

to combat it, what would today’s proposed rules accomplish? In

answer to that question, I want to say a few words about our

cybercrime challenge, what is currently being done to address it,

and what I hope these proposed regulations would add to these

efforts.

The problem is clear–our firms are facing an unrelenting

onslaught of attacks from hackers with a number of motives ranging

from petty fraud to international cyberwarfare. We have all heard of

notable and sizable companies that have been the victim of

cybercrime, including: Sony, eBay, JPMorgan, Target, and Staples–

even the U.S. government has fallen victim.

In recent testimony before the House Committee on Financial

Services, Subcommittee on Oversight and Investigations about

cybercrime, the Director of the Center for Cyber and Homeland

Security noted that the “U.S. financial services sector in

particular is in the crosshairs as a primary target.” 1 He cited

one US bank which stated that it faced 30,000 cyber-attacks in one

week–averaging an attack every 34 seconds.2

—————————————————————————

1 Testimony of Frank J. Cilluffo, Director, Center for Cyber

and Homeland Security, Before the U.S. House of Representatives,

Committee on Financial Services, Subcommittee on Oversight and

Investigations, 1 (June 16, 2015) (noting that “the following

figures which were provided to me recently by a major U.S. bank on a

not-for-attribution basis: just last week, they faced 30,000 cyber-

attacks. This amounts to an attack every 34 seconds, each and every

day. And these are just the attacks that the bank actually knows

about, by virtue of a known malicious signature or IP address. As

for the source of the known attacks, approximately 22,000 came from

criminal organizations; and 400 from nation-states.”), available at

https://cchs.gwu.edu/sites/cchs.gwu.edu/files/downloads/A%20Global%20Perspective%20on%20Cyber%20Threats%20-%2015%20June%202015.pdf.

2 Id.

—————————————————————————

Given the magnitude of the problem, it is not at all surprising

that a lot is already being done to address it. The Department of

Homeland Security and others have been working with private firms to

shore up defenses. Regulators have certainly been active. The

Securities and Exchange Commission (SEC), the Federal Deposit

Insurance Corporation (FDIC), the Federal Reserve Board (FRB), the

Federal Housing Finance Agency (FHFA), and our self-regulatory

organization, the National Futures Association (NFA), have issued

cybersecurity guidance. In Europe, the Bank of England (BOE)

introduced the CBEST program to conduct penetration testing on

firms, based on the latest data on cybercrime. We heard a

presentation from the BOE about CBEST at a meeting of the Market

Risk Advisory Committee this year.

I wanted to hear what market participants were doing to address

the challenge of our cybersecurity landscape so I met with several

of our large registrant dealers and asked them about their

cybersecurity efforts. After these discussions, I was both alarmed

by the immensity of the problem and heartened by efforts of these

larger participants to meet that problem head on. They were

employing best practices such as reviewing the practices of their

third party providers, using third parties to audit systems, sharing

information with other market participants, integrating

cybersecurity risk management into their governance structure, and

staying in communication with their regulators.

We have also been vigilant in our efforts to address

cybersecurity. Under our current rule structure, many of our

registrants have system safeguards requirements. They require, among

other things, that the registrants have policies and resources for

risk analysis and oversight with respect to their operations and

automated systems, as well as reporting, recordkeeping, testing, and

coordination with service providers. These requirements clearly

include appropriate cybersecurity measures. We also regularly

examine registrants for their adherence to the system safeguards

requirements, including effective governance, use of resources,

appropriate policies, and vigilant response to attacks.

So if all of this is happening, what would more regulation

accomplish? In other words, what is the “value add” of the rules

being proposed today? The answer is: A great deal. While some firms

are clearly engaging in best practices, we have no guarantee that

all of them are. And as I have said before, in a system as

electronically interconnected as our financial markets, “we’re

collectively only as strong as our weakest link, and so we need a

high baseline level of protection for everyone . . .” 3 We need

to incentivize all firms under our purview to engage in these

effective practices.

—————————————————————————

3 Commissioner Sharon Y. Bowen, Commodity Futures Trading

Commission, “Remarks of CFTC Commissioner Sharon Y. Bowen Before

the 17th Annual OpRisk North America,” March 25, 2015, available at

http://www.cftc.gov/PressRoom/SpeechesTestimony/opabowen-2.

—————————————————————————

We have to do this carefully though because once a regulator

inserts itself into the cybersecurity landscape at a firm–the firm

now has two concerns: Not just fighting the attackers, but managing

its reputation with its regulator. So, if not done carefully, a

regulator’s attempt to bolster cybersecurity at a firm can instead

undermine it by incentivizing the firm to cover up any weaknesses in

its cybersecurity

[[Page 80138]]

infrastructure, instead of addressing them. Further, we must be

careful not to mandate a one-size-fits-all standard because firms

are different. Thus, we must be thoughtful about how to engage on

this issue. We need to encourage best practices, while not hampering

firms’ ability to customize their risk management plan to address

their cybersecurity threats.

I think these rulemakings are a great first step in

accomplishing that balance. There are many aspects of these

proposals that I like. First, they set up a comprehensive testing

regime by: (a) Defining the types of cybersecurity testing essential

to fulfilling system safeguards testing obligations, including

vulnerability testing, penetration testing, controls testing,

security incident response plan testing, and enterprise technology

risk assessment; (b) requiring internal reporting and review of

testing results; and (c) mandating remediation of vulnerabilities

and deficiencies. Further, for certain significant entities, based

on trading volume, it requires heightened measures such as minimum

frequency requirements for conducting certain testing, and specific

requirements for the use of independent contractors.

Second, there is a focus on governance–requiring, for instance,

that firms’ Board of Directors receive and review all reports

setting forth the results of all testing. And third, these

rulemakings are largely based on well-regarded, accepted best

practices for cybersecurity, including The National Institute of

Standards and Technology Framework for Improving Critical

Infrastructure Cybersecurity (“NIST Framework”).4

—————————————————————————

4 NIST Framework, Subcategory PR.IP-10, at 28, and Category

DE.DP, at 31, available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.

—————————————————————————

In all, I think the staff has put together two thoughtful

proposals. Clearly, however, this is only a first step since all our

registrants, not just exchanges, SEFs, SDRs and DCOs, need to have

clear cybersecurity measures in place. I am also very eager to hear

what the general public has to say about these proposals. Do they go

far enough to incentivize appropriate cybersecurity measures? Are

they too burdensome for firms that do not pose significant risk to

the system? And given that this is a dynamic field with a constantly

evolving set of threats, what next steps should we take to address

cybercrime? Please send in all your thoughts for our consideration.

[FR Doc. 2015-32144 Filed 12-22-15; 8:45 am]

BILLING CODE 6351-01-P

 

Last Updated: December 23, 2015