Statement of Chairman Timothy Massad on the System Safeguards Testing Final Rules

September 8, 2016

I strongly support the two rules the Commission has finalized today.

The risk of cyberattack probably represents the single greatest threat to the stability and integrity of our markets today. Instances of cyberattacks are all too familiar both inside and outside the financial sector. Today, they often are motivated not just by those with a desire to profit, but by those with a desire deliberately to disrupt or destabilize orderly operations.

That is why these system safeguard rules are so important. The rules we have finalized today will apply to the core infrastructure in our markets—the exchanges, clearinghouses, trading platforms, and trade repositories. And they will ensure that those private companies are regularly evaluating cyber risks and testing their cybersecurity and operational risk defenses. While our rules already require this generally, the measures we approved today add greater definition—not by being overly prescriptive, but by setting some principles-based standards, and requiring specific types of testing, all rooted in industry best practices.

I’ve said many times that as regulators, we must not just look backwards to address the causes of past failures or crises. We also must look ahead—ahead to the new opportunities and challenges facing our markets. Financial markets constantly evolve, and we must ensure our regulatory framework is adapting to these changes.

These new rules are one good example of how we are looking ahead and addressing these new challenges. They will serve as a strong and important complement to the many other steps being taken by regulators and market participants to address cybersecurity. For example, government agencies and market participants are already working together to share information about potential threats and risks – and learn from one another.

I want to thank all those who provided feedback on the proposed rules the Commission approved last December. We received a number of thoughtful comments from market participants, most of which expressed broad support for the proposals. Commenters also highlighted some areas of concern, and we made adjustments based on that feedback. For example, we have reduced the frequency of controls testing and narrowed the instances where independent contractor testing is required. We have also clarified definitions of key terms, and made clear that the scope of required testing will be based on appropriate risk and threat analysis.

I also thank Commission staff for their hard work on these measures, particularly our staff in the Division of Market Oversight and Division of Clearing and Risk, as well as the support that is always provided by staff in the Office of General Counsel, the Office of Chief Economist and other staff who comment on the rules. I also thank my fellow Commissioners Bowen and Giancarlo for their support of and suggestions regarding these final rules.

Last Updated: September 8, 2016