Systems Safeguards Testing Requirements Comparison

September 13, 2016

On September 8, the Commodity Futures Trading Commission (CFTC or Commission) unanimously approved two final rules to amend existing regulations addressing cybersecurity testing and system safeguard requirements for the automated systems used by designated contract markets (DCMs), swap execution facilities (SEFs), and swap data repositories (SDRs) (the DMO Final Rule), and those used by derivatives clearing organizations (DCOs) (the DCR Final Rule) (collectively, the System Safeguard Rules).  Specifically, the System Safeguard Rules enhance and clarify existing CFTC rule provisions related to cyber testing and system safeguards risk analysis and oversight.

In many respects, the System Safeguard Rules mirror the December 2015 proposed rules (DMO proposal; DCR proposal), requiring DCMs, SEFs, SDRs, and DCOs to conduct five essential types of cyber testing: (1) vulnerability testing; (2) penetration testing; (3) controls testing; (4) security incident response plan testing; and (5) enterprise technological risk assessment testing.  Additionally, as a general matter, for DCMs, SEFs, SDRs, and DCOs, each type of testing would be required at a frequency determined by an appropriate risk analysis.  The rule, however, does establish minimum testing frequencies and independent contractor testing requirements for DCOs, SDRs, and covered DCMs (i.e., those whose total annual trading volume is five percent or more of the total annual trading volume of DCMs regulated by the CFTC).  These requirements are lower than those contemplated by the proposed rules.

The following chart explains how the frequency and independent contractor requirements changed in the System Safeguard Rules between the December 2015 proposals and the final rules adopted in September 2016.

Application of the System Safeguards Testing Requirements to DCOs, SDRs, and Covered DCMs

| Testing Type | Frequency (Proposed) | Frequency (Final) | Independent Contractor & Internal Resources (Proposed) | Independent Contractor & Internal Resources (Final) |
|---|---|---|---|---|
| Controls Testing | The entity would be required to conduct testing on a rolling basis every two years or for the period determined by an appropriate risk analysis (whichever is shorter). This would apply to each control included in the entity’s program of risk analysis and oversight. | The entity would be required to conduct testing on a rolling basis for non-key controls. The entity would be required to conduct testing on “key controls”¹ every three years. | Independent contractors would be required to test the entity’s “key controls.” The entity would have the choice of having non-key controls testing conducted by either independent contractors or employees of the entity not responsible for development or operation of the systems or capabilities involved in the test. | Independent contractors would be required to test the entity’s “key controls.” The Commission clarified, however, that the independent contractors may consult with independent employees of the entity when conducting the testing so long as they produce an independent report. The entity would have the choice of having non-key controls testing conducted by either independent contractors or employees of the entity not responsible for development or operation of the systems or capabilities involved in the test. |
| Enterprise Technology Risk Assessments (ETRA) | Annually | Annually. The Commission clarified that an entity that has conducted an ETRA that complies with the requirements set forth in the Final Rules may conduct subsequent assessments by updating the previous assessment. | The entity would have the choice of having ETRAs conducted by either independent contractors or by employees not responsible for development or operation of the systems or capabilities being assessed. | The entity would have the choice of having ETRAs conducted by either independent contractors or by employees not responsible for development or operation of the systems or capabilities being assessed. |
| Penetration Testing | Annually | Annually | Independent contractors would be required to conduct the external penetration testing. Internal penetration testing (and any additional external penetration testing) may be conducted by either independent contractors or entity employees who are not responsible for the development or operation of the systems or capabilities being tested. | Independent contractors would be required to conduct the external penetration testing. Internal penetration testing (and any additional external penetration testing) may be conducted by either independent contractors or entity employees who are not responsible for the development or operation of the systems or capabilities being tested. |
| Security Incident Response Plan Testing (SIRP) | Annually | Annually | The entity would have the choice of having SIRP testing conducted by either independent contractors or by employees not responsible for development or operation of the systems or capabilities being tested. | The entity would have the choice of having SIRP testing conducted by either independent contractors or by employees not responsible for development or operation of the systems or capabilities being tested. |
| Vulnerability Testing | Quarterly | Quarterly | Independent contractors would be required to conduct at least two of the quarterly tests each year. Other vulnerability testing may be conducted by employees not responsible for the development or operation of the systems or capabilities being tested. | The entity would have the choice of having vulnerability testing conducted by either independent contractors or by employees of the entity who are not responsible for the development or operation of the systems or capabilities being tested. |

¹ “Key controls” are defined as controls that an appropriate risk analysis determines are either critically important for effective system safeguards or intended to address risks that evolve or change more frequently and therefore require more frequent review to ensure their continuing effectiveness in addressing such risks.