In a recent public speech, CFTC Chairman Timothy Massad described cybersecurity as “perhaps the single most important new risk to market integrity and financial stability.” On March 18, 2015, CFTC staff conducted a roundtable regarding this topic, during which CFTC suggested possible proposed rulemaking. CFTC staff said that CFTC is considering a rule imposing cybersecurity requirements on exchanges and clearing organizations, but one that at least initially would not apply to other market participants. Chairman Massad indicated that a proposed rule would focus on setting standards for testing: (a) system safeguards; (b) vulnerability and penetration; (c) key controls; and (d) business recovery and disaster recovery.
Staff suggested that proposed regulations may be based on existing “best practices” in the industry and address the frequency of systems testing. For example, staff is considering whether to define “key control testing” as an assessment of operational and automated system controls based on the potential risks associated with such systems.
In light of the specificity of some of the staff comments, and the clear suggestion that rules will be forthcoming, it would be prudent for firms to start addressing the risks noted by the CFTC staff now. Aside from avoiding criticism by the regulator, if a cyber-penetration were to hit a firm that had failed to implement the best practices already known to the industry, the liability incurred by the firm to its customers and to other industry participants could prove devastating. This is not a topic on which procrastination is prudent!