
CFTC Increases Cyber Security Oversight for Market Structure Entities

Timothy Massad, the new CFTC chairman, tells derivatives exchanges and clearinghouses they need to strengthen cyber security planning and procedures.

Even at an event that usually focuses on financial market structure, regulation, and intricate derivatives products, cyber security was at the top of the agenda during the morning keynotes and panels at the Futures Industry Association Expo in Chicago.

Timothy Massad, the new chairman of the US Commodity Futures Trading Commission (CFTC), didn't begin his speech by focusing on cybertopics, but they did make up a substantial portion of his comments. Likewise, CEOs from the four largest derivatives exchanges -- CME Group, Eurex, Intercontinental Exchange (ICE), and the CBOE -- also spent time discussing how the increase in cyberattacks is changing the focus of senior leaders across their respective organizations.

"An increasingly important aspect of our oversight of CCPs [central counterparty clearinghouses], as well as exchanges and other key institutions that we regulate, is cyber security and business continuity disaster recovery generally," Massad said during this morning's keynote address. "The need to strengthen the security and resilience of our financial markets against cyberattacks is clear."

Highlighting some of the more recent attacks, including those against JPMorgan Chase, Home Depot, and Target, Massad said the frequency of attacks is increasing, and the industry and regulators need to keep pace.

    We are all aware of the risk. Some of our nation's exchanges have also been hit or suffered other technological problems that caused outages or serious concerns. And because of the interconnectedness of financial institutions and markets, a failure in one institution can have significant repercussions in the system.

Jeffrey Sprecher, founder, chairman, and CEO of ICE, called cyber security an important topic for senior leaders at his organization. "Our company has really stepped up" to address the topic. "Every board meeting has hours of cyber discussion." Security experts from across the financial services industry share threat information. "There is a lot of dialogue between staff members across the industry," which is necessary to help prevent attacks.

Massad said the CFTC is increasing its oversight of cyber preparedness in the industry. Its updated cybersecurity safeguards require that exchanges, clearinghouses, and other market infrastructure entities have four things.

  • Risk analysis: "a program of risk analysis and oversight to identify and minimize sources of cyber and operational risk"
  • Automation: "automated systems that are reliable, secure, and have adequate scalable capacity"
  • A plan: "emergency procedures, backup facilities, and a business continuity-disaster recovery plan"
  • Regular testing: "regular, objective, independent testing to verify that the system safeguards program is sufficient to fulfill its regulatory responsibilities"

Market infrastructure providers also need the ability to recover from attacks quickly. "Clearinghouses, exchanges, and these other institutions must also notify the commission promptly of certain incidents and must have recovery procedures in place," Massad said. "Systemically important clearinghouses, for example, must be able to resume operations within two hours."

However, the CFTC cannot test and review all of the market's players.

    We conduct system safeguard examinations to determine compliance with these requirements, but we must remember the limitations of our oversight. Keep in mind that some of our major financial institutions are spending more on cybersecurity each year than our agency's entire budget. We do not engage in independent testing.

Instead of testing each institution separately, the CFTC will look for evidence that an entity is taking cyber security seriously, he said. The commission will look at four key areas:

  • Governance: "Is the board paying sufficient attention to cyber security and taking appropriate steps? Does the board have the expertise, and does it devote the time, to do so? Is it setting the right tone as to the importance of these issues? The same questions apply, needless to say, to top management."
  • Resources: "Are sufficient resources and capabilities being devoted to monitor and control cyber-related risks across all levels of the organization?"
  • Policies and procedures: "Are adequate plans and policies in place to address information security, physical security, system operations, and other critical areas? And is the regulated entity actually following its plans and policies, and considering how plans and policies may need to be amended from time to time in light of technological, market or other security developments?"
  • Vigilance and responsiveness: "If a weakness or deficiency is identified, does the regulated entity take prompt and thorough action to address it? Does it not only fix the immediate problem, but also examine the root causes of the deficiency?"

Greg MacSweeney is editorial director of InformationWeek Financial Services, whose brands include Wall Street & Technology, Bank Systems & Technology, Advanced Trading, and Insurance & Technology.

Comments
IvySchmerken,
User Rank: Author
11/11/2014 | 5:50:50 PM
Re: Cyber Security World Conference 2014 New York City
I agree. The CEO should be conversant in cybersecurity and be able to discuss it with employees and customers. I keep attending market structure conferences where regulators and panelists say that cybersecurity is going to be important but they don't discuss it. They make reference to the threats but that's the end of the conversation.
Byurcan,
User Rank: Author
11/11/2014 | 5:45:05 PM
Re: Cyber Security World Conference 2014 New York City
I agree, cybersecurity must be a board-level issue and handled from the top down. The days when the CEO and other executives could just leave it all to the CISO and forget about it are over.
IvySchmerken,
User Rank: Author
11/10/2014 | 10:17:20 AM
Re: Cyber Security World Conference 2014 New York City
This sounds like a good opportunity to get educated on cybersecurity. There are many conferences offering cybersecurity tracks as this is a hot topic. [Our own Interop event (this past September in New York) and coming to Las Vegas in April, offers conference tracks on cyber security.]

Typically the security staff and IT staff attend these conferences. Does the CIO really go? It would be nice if the CEO and board members went too. A study recently reported that board members are leaving confidential documents in unsecure places. We could all benefit from more savvy information security practices.
DorisG987,
User Rank: Apprentice
11/9/2014 | 4:11:47 AM
Cyber Security World Conference 2014 New York City
How to improve security is a top concern for CIOs, CTOs, CISOs and, ultimately, regulators such as the CFTC. That's why renowned information security gurus and providers will bring their latest thinking to hundreds of senior executives focused on protecting enterprise and government assets at Cyber Security World Conference 2014 New York City on November 21.