What are the new CFTC regulations on cybersecurity testing?

With concerns growing over cyberattacks on the financial services industry, the U.S. Commodity Futures Trading Commission is getting ready to finalize new cybersecurity regulations this year for automated systems and trading platforms. What are these proposed CFTC regulations and what effect might they have on trading firms that rely heavily on IT to do business?

Companies trading in the U.S. commodity futures market will soon have to perform five types of cybersecurity testing at certain minimum frequencies. The U.S. Commodity Futures Trading Commission, or CFTC, aims to finalize new cybersecurity rules in 2016, along with regulations on safeguards for automated trading systems and on trading position limits. Certain types of cybersecurity testing will also have to be performed by independent contractors.

In particular, derivatives clearing organizations, certain contract markets, swap execution facilities and swap data repositories will have to comply with the following five control categories in the CFTC regulations:

  1. Vulnerability testing — Includes the scanning of systems and networks to detect known vulnerabilities and provide a roadmap for fixing them.
  2. Penetration testing — Uses skilled security professionals armed with hacking tools to attempt to break into IT resources as a test of security. Any security holes uncovered are flagged for appropriate remediation.
  3. Controls testing — Verifies that the controls used to meet security objectives are functioning correctly.
  4. Security incident response plan testing — Uses realistic conditions to validate organization, drills, first responder actions and the overall incident response process.
  5. Enterprise technology risk assessments — Identifies and evaluates threats, vulnerabilities and priorities for handling them.

The frequency of cybersecurity testing required will be determined by relevant risk analysis, or by minimum testing frequency requirements specified in the amendments to the existing regulations. Through improved cybersecurity, automated trading and position limits, the aim of the CFTC regulations is to make the commodity futures market a safer place for all concerned.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)
