CFTC proposes new rule on cyber and operational resilience

Rule proposed to protect agriculture, energy, metals, and financial markets.

The US Commodity Futures Trading Commission (CFTC) has proposed a rule to require futures commission merchants (FCMs), swap dealers and major swap participants to establish an “operational resilience framework”.

It is the CFTC’s first proposed cyber and operational resilience rule that would apply to swap dealers (including banks) and FCMs.

The proposal would require firms to “identify, monitor, manage and assess risks” in three areas: 

  • information and technology security;
  • third-party relationships;
  • emergencies and other significant disruptions.

“This rule proposes to help advance our markets from a mentality of incident response to one of cyber resilience.”

Christy Goldsmith Romero, Commissioner, CFTC

The framework would include three components – an information and technology security program, a third-party relationship program, and a business continuity and disaster recovery plan – supported by broad requirements relating to governance, training, testing, and recordkeeping. The proposed rule would also require certain notifications to the CFTC and customers or counterparties.

New rule not “one size fits all”

During the open meeting at which the commissioners discussed the proposed cybersecurity rule last week, CFTC Chairman Rostin Behnam noted that the new rule is not one that has a “one size fits all” approach; instead it is “tailored to accommodate firms that vary in size and complexity”. In other words, the proposed rule would require swap dealers and FCMs to ensure their operational resilience programs are proportionate to the nature and risk profile of their business. 

That includes corporate structures in which operational resilience programs are handled at an enterprise level, rather than by an individual business unit such as a futures brokerage, as well as smaller futures commission merchants that have relatively limited resources, Benham said. 

Behnam explained that although these firms are covered by the CFTC’s existing risk management requirements, those requirements were drafted more than 10 years ago and needed to be updated.

“The Commission must bolster that foundational framework to promote operational resilience in the face of increasingly sophisticated cyberattacks and heightened technological disruptions,” Behnam said. “A strong ORF [operational resilience framework] is especially important as the financial sector increasingly relies on third-party service providers; the disruption of which can lead to major interruptions in – and potential corruption of – FCM and swap dealer operations.”

Rule leverages existing standards

“This is a critical rule for the CFTC,” said Commissioner Christy Goldsmith Romero in a statement on Tuesday. Romero oversees the agency’s Technology Advisory Committee that has a dedicated cybersecurity subcommittee within it.

“This rule proposes to help advance our markets from a mentality of incident response to one of cyber resilience. This would further President Biden’s White House National Cybersecurity Strategy and Executive Order on Improving the Nation’s Cybersecurity,” she said.

Romero pointed out that the CFTC oversees significant swap dealers, such as the ones that are also considered Globally Systemically Important Banks; plus some of its swap dealers and FCMs are involved in US critical infrastructure such as in the energy or agricultural sectors, or in supply chains. “Our nation cannot do without the commercial agriculture, energy, metals, and financial markets, on which derivatives markets are based,” she said, speaking of the need for greater cyber resiliency.

The CFTC is further proposing guidance relating to the management of risks stemming from third-party relationships to be included as appendices to these regulations.

The new cybersecurity proposal includes provisions to allow recognition of equivalent rules in other jurisdictions, which could reduce the compliance burden for firms operating internationally. The agency set a 75-day comment period, which will start after the proposal has been formally published in the Federal Register.