Statement of Commissioner J. Christopher Giancarlo Regarding System Safeguards Testing Requirements for Derivatives Clearing Organizations
September 8, 2016
Good regulation should be balanced. It should have a positive impact on the marketplace while mitigating costs to the extent possible. I believe today’s system safeguards final rule for derivatives clearing organizations (DCOs) generally achieves such balance although I have concerns about the cost impact on smaller DCOs.
As I have said, cyber and system security is one of the most important issues facing markets today in terms of integrity and financial stability.1 Given its importance, it is right that the Commission implements rules requiring DCOs and other registrants to conduct regular testing of their systems. I am pleased that the final rule requires DCOs to follow industry-adopted standards and best practices. I believe this approach recognizes the rapid evolution of cyber threats and will allow DCOs the flexibility to continually update their cyber defenses in response to these threats. I also recognize that the final rule addresses my concern that being hacked by itself cannot be considered a rule violation subject to enforcement. The final rule clarifies that the Commission is not seeking to hold DCOs strictly liable for being attacked.
While the final rule generally takes the right approach, I am concerned about its cost on smaller DCOs. I have expressed my concern about the cost of regulation on smaller market participants on numerous past occasions.2 One commenter to this rulemaking noted that its costs will likely increase two to three times if these rules are finalized as proposed.3 The independent contractor and employee testing requirement is especially costly for these small DCOs. While the parallel designated contract market (DCM) system safeguards rulemaking addresses this cost concern through the “covered-DCM” concept, the DCO rule does not. Although the DCO rule does not have such a concept, I understand from our Division of Clearing and Risk that they are willing to discuss the concerns of smaller DCOs. I encourage those DCOs to raise their concerns with the Division and encourage the Division to act with appropriate practicality.
I note approvingly that the Commission has alleviated some burdens from the proposed rulemaking such as increasing the frequency of key controls testing from two years to three years, removing the requirement for independent contractors to conduct vulnerability testing and removing the explicit requirement for authenticated scanning, among other requirements.
I support the final DCO system safeguards rule despite concerns about its costs. Although I would have preferred that the rule take a less one-size-fits-all approach, I am a firm supporter of effective cyber and system security policies and procedures given the serious threat that cyber belligerents pose. I commend staff for their hard work and generally practical approach to system safeguards for DCOs. I also appreciate that they responded to many comments in an effort to reduce some of the burdens of the final rule. I therefore vote to adopt this rule.
1 System Safeguards Testing Requirements, 80 Fed. Reg. 80140, 80190-191 (Dec. 23, 2015).
2 See, e.g., Regulation Automated Trading, 80 Fed. Reg. 78824, 78946 (Dec. 17, 2015); Guest Lecture of Commissioner J. Christopher Giancarlo, Harvard Law School, Fidelity Guest Lecture Series on International Finance, Dec. 1, 2015.
3 Minneapolis Grain Exchange, Inc. Comment Letter at 13, Feb. 22, 2016.
Last Updated: September 8, 2016