2015-32143

[Federal Register Volume 80, Number 246 (Wednesday, December 23, 2015)]

[Proposed Rules]

[Pages 80139-80191]

From the Federal Register Online via the Government Publishing Office [www.gpo.gov]

[FR Doc No: 2015-32143]

[[Page 80139]]

Vol. 80

Wednesday,

No. 246

December 23, 2015

Part V

Commodity Futures Trading Commission

-----------------------------------------------------------------------

17 CFR Part 37, 38 and 49

System Safeguards Testing Requirements; Proposed Rules

Federal Register / Vol. 80, No. 246 / Wednesday, December 23, 2015 /

Proposed Rules

[[Page 80140]]

-----------------------------------------------------------------------

COMMODITY FUTURES TRADING COMMISSION

17 CFR Parts 37, 38, and 49

RIN 3038-AE30

System Safeguards Testing Requirements

AGENCY: Commodity Futures Trading Commission.

ACTION: Proposed rulemaking; advanced notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Commodity Futures Trading Commission (``Commission'' or

``CFTC'') is amending its system safeguards rules for designated

contract markets, swap execution facilities, and swap data

repositories, by enhancing and clarifying existing provisions relating

to system safeguards risk analysis and oversight and cybersecurity

testing, and adding new provisions concerning certain aspects of

cybersecurity testing. The Commission is clarifying the existing system

safeguards rules for all designated contract markets, swap execution

facilities, and swap data repositories by specifying and defining the

types of cybersecurity testing essential to fulfilling system

safeguards testing obligations, including vulnerability testing,

penetration testing, controls testing, security incident response plan

testing, and enterprise technology risk assessment. The Commission is

also clarifying rule provisions respecting the categories of risk

analysis and oversight that statutorily-required programs of system

safeguards-related risk analysis and oversight must address; system

safeguards-related books and records obligations; the scope of system

safeguards testing; internal reporting and review of testing results;

and remediation of vulnerabilities and deficiencies. The new provisions

concerning certain aspects of cybersecurity testing, applicable to

covered designated markets (as defined) and all swap data repositories,

include minimum frequency requirements for conducting the essential

types of cybersecurity testing, and requirements for performance of

certain tests by independent contractors. In this release, the

Commission is also issuing an Advance Notice of Proposed Rulemaking

requesting public comment concerning whether the minimum testing

frequency and independent contractor testing requirements should be

applied, via a future Notice of Proposed Rulemaking, to covered swap

execution facilities (to be defined).

DATES: Comments must be received on or before February 22, 2016.

ADDRESSES: You may submit comments, identified by RIN number 3038-AE30,

by any of the following methods:

CFTC Web site: http://comments.cftc.gov. Follow the

instructions for submitting comments through the Comments Online

process on the Web site.

Mail: Send to Christopher Kirkpatrick, Secretary of the

Commission, Commodity Futures Trading Commission, Three Lafayette

Centre, 1155 21st Street NW., Washington, DC 20581.

Hand Delivery/Courier: Same as Mail, above.

Federal eRulemaking Portal: http://www.regulations.gov.

Follow the instructions for submitting comments.

Please submit your comments using only one method. All comments

must be submitted in English, or must be accompanied by an English

translation. Contents will be posted as received to http://www.cftc.gov. You should submit only information that you wish to make

available publicly. If you wish the Commission to consider information

that may be exempt from disclosure under the Freedom of Information

Act, a petition for confidential treatment of the exempt information

may be submitted according to the established procedures in CFTC

Regulation 145.9.

FOR FURTHER INFORMATION CONTACT: Rachel Berdansky, Deputy Director,

Division of Market Oversight, 202-418-5429, [email protected]; David

Taylor, Associate Director, Division of Market Oversight, 202-418-5488,

[email protected], or David Steinberg, Associate Director, Division of

Market Oversight, 202-418-5102, [email protected]; Commodity Futures

Trading Commission, Three Lafayette Centre, 1155 21st Street NW.,

Washington, DC 20851.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Preamble

A. Background: The Current Cybersecurity Threat Environment and

the Need for Cybersecurity Testing

B. Categories of Risk Analysis and Oversight Applicable to All

DCMs, SEFs, and SDRs

C. Requirements To Follow Best Practices, Ensure Testing

Independence, and Coordinate BC-DR Plans

D. Updating of Business Continuity-Disaster Recovery Plans and

Emergency Procedures

E. System Safeguards-Related Books and Records Obligations

F. Cybersecurity Testing Requirements for DCMs, SEFs, and SDRs

G. Additional Testing-Related Risk Analysis and Oversight

Program Requirements Applicable to All DCMs, SEFs, and SDRs

H. Required Production of Annual Total Trading Volume

I. Advance Notice of Proposed Rulemaking Regarding Minimum

Testing Frequency and Independent Contractor Testing Requirements

for Covered SEFs

II. Related Matters

A. Regulatory Flexibility Act

B. Paperwork Reduction Act

C. Consideration of Costs and Benefits

III. Requests for Comment

A. Comments Regarding Notice of Proposed Rulemaking

B. Comments Regarding Advance Notice of Proposed Rulemaking

Concerning Covered SEFs

I. Preamble

A. Background: The Current Cybersecurity Threat Environment and the

Need for Cybersecurity Testing

1. Current Cybersecurity Landscape

Cyber threats to the financial sector continue to expand. As the

Commission was informed by cybersecurity experts participating in its

2015 Staff Roundtable on Cybersecurity and System Safeguards Testing,

these threats have a number of noteworthy aspects.\1\

---------------------------------------------------------------------------

\1\ See generally CFTC Staff Roundtable on Cybersecurity and

System Safeguards Testing (March 18, 2015) (``CFTC Roundtable''), at

11-91, transcript available at http://www.cftc.gov/ucm/groups/public/@newsroom/documents/file/transcript031815.pdf. The Commission

held the CFTC Roundtable due to its concern about the growing

cybersecurity threat discussed in the following paragraphs, and in

order to, among other things, discuss the issue and identify

critical areas of concern. Similarly, a June 2015 Market Risk

Advisory Committee (``MRAC'') meeting focused on cybersecurity. See

generally MRAC Meeting (June 2, 2015), at 6, transcript available at

http://www.cftc.gov/ucm/groups/public/@aboutcftc/documents/file/mrac_060215_transcript.pdf.

---------------------------------------------------------------------------

First, the financial sector faces an escalating volume of cyber

attacks. According to the Committee on Payments and Market

Infrastructures (``CPMI'') of the Bank for International Settlements

(``BIS''), ``Cyber attacks against the financial system are becoming

more frequent, more sophisticated and more widespread.'' \2\ A survey

of 46 global securities exchanges conducted by the International

Organization of Securities Commissions (``IOSCO'') and the World

Federation of Exchanges (``WFE'') found that as of July 2013, over half

of exchanges world-wide had experienced a cyber attack during the

previous year.\3\ Cybersecurity now ranks as the number

[[Page 80141]]

one concern for nearly half of financial institutions in the U.S.

according to a 2015 study by the Depository Trust & Clearing

Corporation (``DTCC'').\4\ The annual Price Waterhouse Coopers Global

State of Information Security Survey for 2015, which included 9,700

participants, found that the total number of security incidents

detected in 2014 increased by 48 percent over 2013, for a total of 42.8

million incoming attacks, the equivalent of more than 117,000 attacks

per day, every day.\5\ As the PWC Survey pointed out, these numbers do

not include undetected attacks. Verizon's 2015 Data Breach

Investigations Report noted that during 2014 the financial services

sector experienced an average of 350 malware attacks per week.\6\

---------------------------------------------------------------------------

\2\ Committee on Payments and Market Infrastructures of the Bank

for International Settlements, Cyber resilience in financial market

infrastructures (November 2014), at 1, available at http://www.bis.org/cpmi/publ/d122.pdf.

\3\ IOSCO and WFE, Cyber-crime, securities markets and systemic

risk, Staff Working Paper (SWP2/2013) (July 16, 2013) (``IOSCO-WFE

Staff Report''), at 3, available at http://www.iosco.org/research/pdf/swp/Cyber-Crime-Securities-Markets-and-Systemic-Risk.pdf.

\4\ DTCC, Systemic Risk Barometer Study (Q1 2015), at 1,

available at http://dtcc.com/~/media/Files/pdfs/Systemic-Risk-

Report-2015-Q1.pdf.

\5\ PricewaterhouseCoopers, Managing Cyber Risks in an

Interconnected World: Key Findings from the Global State of

Information Security Survey 2015 (September 30, 2014), at 7,

available at www.pwc.com/gsiss2015 (``PWC Survey'').

\6\ Id.

---------------------------------------------------------------------------

Second, financial sector entities also face increasing numbers of

more dangerous cyber adversaries with expanding and worsening

motivations and goals. Until recently, most cyber attacks on financial

sector institutions were conducted by criminals whose aim was monetary

theft or fraud.\7\ As noted at the CFTC Roundtable, while such attacks

continue, there has also been a rise in attacks by politically

motivated hacktivists or terrorists, and by nation state actors, aimed

at disruption of their targets' operations, at theft of data or

intellectual property, at extortion, at cyber espionage, at corruption

or destruction of data, or at degradation or destruction of automated

systems.\8\ IOSCO and the WFE note that attacks on securities exchanges

now tend to be disruptive in nature, and note that ``[t]his suggests a

shift in motive for cyber-crime in securities markets, away from

financial gain and towards more destabilizing aims.'' \9\

---------------------------------------------------------------------------

\7\ CFTC Roundtable, at 41-42.

\8\ See CFTC Roundtable, at 12, 14-15, 17-24, 42-44, 47.

\9\ IOSCO-WFE Staff Report, at 3-4, available at http://www.iosco.org/research/pdf/swp/Cyber-Crime-Securities-Markets-and-Systemic-Risk.pdf.

---------------------------------------------------------------------------

Third, financial institutions may now encounter increasing cyber

threat capabilities. According to a CFTC Roundtable participant, one

current trend heightening cyber risk for the financial sector is the

emergence of cyber intrusion capability--typically highest when

supported by nation state resources--as a key tool of statecraft for

most states.\10\ Another trend noted by Roundtable participants is an

increase in sophistication on the part of most actors in the cyber

arena, both in terms of technical capability and of capacity to

organize and carry out attacks.\11\

---------------------------------------------------------------------------

\10\ CFTC Roundtable, at 20-21.

\11\ Id. at 21-22.

---------------------------------------------------------------------------

Fourth, the cyber threat environment includes an increase in cyber

attack duration.\12\ While attacks aimed at monetary theft or fraud

tend to manifest themselves quickly, more sophisticated attacks may

involve cyber adversaries having a cyber presence inside a target's

automated systems for an extended period of time, and avoiding

detection.\13\ IOSCO and the WFE noted in 2013 that:

---------------------------------------------------------------------------

\12\ Id. at 74-76, 81-82.

\13\ Id.

The rise of a relatively new class of cyber-attack is especially

troubling. This new class is referred to as an `Advanced Persistent

Threat.' Advanced Persistent Threats (APTs) are usually directed at

business and political targets for political ends. APTs involve

stealth to persistently infiltrate a system over a long period of

time, without the system displaying any unusual symptoms.\14\

---------------------------------------------------------------------------

\14\ IOSCO-WFE Staff Report, at 3, available at http://www.iosco.org/research/pdf/swp/Cyber-Crime-Securities-Markets-and-Systemic-Risk.pdf.

Fifth, there is now a broadening cyber threat field. Financial

institutions should consider cyber vulnerabilities not only with

respect to their desktop computers, but also with respect to mobile

devices used by their employees.\15\ In some cases, their risk analysis

should address not only protecting the integrity of data in their own

automated systems, but also protecting data in the cloud.\16\ Adequate

risk analysis should also address both the vulnerabilities of the

entity's automated systems and human vulnerabilities such as those

posed by social engineering or by disgruntled or coerced employees.\17\

The cyber threat field includes automated systems that are not directly

internet-facing, which can be vulnerable to cyber attacks despite their

isolation behind firewalls.\18\ In practice, there is interconnectivity

between internet-facing and corporate information technology (``IT'')

and operations technology, since the two can be and often are connected

for maintenance purposes or in error.\19\ Non-internet-facing systems

are also vulnerable to insertion of malware-infected removable media,

phishing attacks, and other social engineering techniques, and to

supply-chain risk involving both hardware and software.\20\

---------------------------------------------------------------------------

\15\ CFTC Roundtable, at 22-23.

\16\ Id.

\17\ Id. at 14, 79-80.

\18\ Id. at 60-69.

\19\ Id. at 72-74. As Roundtable panelists also noted,

experienced penetration testers are finding that when they are able

to penetrate a financial institution, they often are able to move

between internet-facing and non-internet-facing systems by

harvesting passwords and credentials and exploiting access

privileges associated with them. Id.

\20\ Id. at 62-64, 77-79.

---------------------------------------------------------------------------

Finally, financial institutions cannot achieve cyber resilience by

addressing threats to themselves alone: They also face threats relating

to the increasing interconnectedness of financial services firms.\21\

In today's environment, a financial entity's risk assessments should

consider cybersecurity across the financial sector, from exchanges and

clearinghouses to counterparties and customers, technology providers,

other third party service providers, and the businesses and products in

the entity's supply chain.\22\

---------------------------------------------------------------------------

\21\ Id. at 24-25.

\22\ Id. at 47-55.

---------------------------------------------------------------------------

2. Need for Cybersecurity Testing

Cybersecurity testing by designated contract markets (``DCMs''),

swap execution facilities (``SEFs''), derivatives clearing

organizations (``DCOs''), swap data repositories (``SDRs''), and other

entities in the financial sector can harden cyber defenses, mitigate

operations, reputation, and financial risk, and maintain cyber

resilience and ability to recover from cyber attack.\23\ To ensure the

effectiveness of cybersecurity controls, a financial sector entity must

test in order to find and fix its vulnerabilities before an attacker

exploits them. A financial sector entity's testing should assess, on

the basis of information with respect to current threats, how the

entity's controls and countermeasures stack up against the techniques,

tactics, and procedures used by its potential adversaries.\24\ Testing

should include periodic risk assessments made in light of changing

business conditions, the changing threat landscape, and changes to

automated systems. It should also include recurring tests of controls

and automated system components to verify their effectiveness and

operability, as well as continuous monitoring and scanning of system

operation and vulnerabilities.\25\ Testing should focus on the entity's

ability to detect, contain, respond to, and recover from cyber attacks,

not just on its perimeter defenses designed to prevent

[[Page 80142]]

intrusions.\26\ It should address detection, containment, and recovery

from compromise of data integrity--perhaps the greatest threat with

respect to financial sector data--in addition to compromise of data

availability or confidentiality, which tend to be the main focus of

many best practices.\27\ Both internal testing by the entity itself and

independent testing by third party service providers are essential

components of an adequate testing regime.\28\

---------------------------------------------------------------------------

\23\ Id. at 24.

\24\ Id. at 44.

\25\ Id. at 46.

\26\ Id. at 80-84. As one cybersecurity expert has remarked,

``Organizations are too focused on firewalls, spam filters, and

other Maginot Line-type defenses that have lost their effectiveness.

That's a misguided philosophy. There's no such thing as a perimeter

anymore.'' Associated Press, Cyber theft of personnel info rips hole

in espionage defenses (June 15, 2015), available at http://bigstory.ap.org/article/93077d547f074bed8ce9eb292a3bbd47/cybertheft-personnel-info-rips-hole-espionage-defenses.

\27\ CFTC Roundtable, at 15-16, 65, 71-73, 80-83.

\28\ Id. at 87-88.

---------------------------------------------------------------------------

Cybersecurity testing is a well-established best practice generally

and for financial sector entities. The Federal Information Security

Management Act (``FISMA''), which is a source of cybersecurity best

practices and also establishes legal requirements for federal

government agencies, calls for ``periodic testing and evaluation of the

effectiveness of information security policies, procedures, and

practices, to be performed with a frequency depending on risk, but no

less than annually.'' \29\ The National Institute of Standards and

Technology (``NIST'') Framework for Improving Critical Infrastructure

Cybersecurity (``NIST Framework'') calls for testing of cybersecurity

response and recovery plans and cybersecurity detection processes and

procedures.\30\ The Financial Industry Regulatory Authority (``FINRA'')

2015 Report on Cybersecurity Practices notes that ``Risk assessments

serve as foundational tools for firms to understand the cybersecurity

risks they face across the range of the firm's activities and assets,''

and calls for firms to develop, implement and test cybersecurity

incident response plans.\31\ FINRA notes that one common deficiency

with respect to cybersecurity is ``failure to conduct adequate periodic

cybersecurity assessments.'' \32\ The critical security controls

established by the Council on CyberSecurity (``the Council'') call for

entities to ``[c]ontinuously acquire, assess, and take action on new

information in order to identify vulnerabilities, remediate, and

minimize the window of opportunity for attackers.'' \33\ The Council

notes that ``[o]rganizations that do not scan for vulnerabilities and

proactively address discovered flaws face a significant likelihood of

having their computer systems compromised.'' \34\ The Council's

critical security controls also call for entities to ``test the overall

strength of an organization's defenses (the technology, the processes,

and the people) by simulating the objectives and actions of an

attacker.'' \35\ The Council calls for implementation of this control

by conducting ``regular external and internal penetration tests to

identify vulnerabilities and attack vectors that can be used to exploit

enterprise systems successfully,'' from both outside and inside the

boundaries of the organization's network perimeter,\36\ and also calls

for use of vulnerability scanning and penetration testing in

concert.\37\

---------------------------------------------------------------------------

\29\ FISMA section 3544(b)(5), available at http://csrc.nist.gov/drivers/documents/FISMA-final.pdf.

\30\ NIST Framework, Subcategory PR.IP-10, at 28, and Category

DE.DP, at 31, available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.

\31\ FINRA, Report on Cybersecurity Practices (February 2015),

at 1-2, available at https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf.

\32\ Id. at 8.

\33\ Council on CyberSecurity, The Critical Security Controls

for Effective Cyber Defense Version 5.1, Critical Security Control

(``CSC'') 4, at 27, available at http://www.counciloncybersecurity.org/critical-controls/.

\34\ Id.

\35\ Id., CSC 20, at 102.

\36\ Id., CSC 20-1, at 102.

\37\ Id., CSC 20-6, at 103.

---------------------------------------------------------------------------

The Federal Financial Institutions Examination Council

(``FFIEC''),\38\ another important source of cybersecurity best

practices for financial sector entities, effectively summarized the

need for cybersecurity testing in today's cyber threat environment:

---------------------------------------------------------------------------

\38\ The FFIEC includes the Board of Governors of the Federal

Reserve System, the Federal Deposit Insurance Corporation, the

Office of the Comptroller of the Currency, the Consumer Financial

Protection Bureau, the National Credit Union Administration, and the

State Liaison Committee of the Conference of State Bank Supervision.

Financial institutions should have a testing plan that

identifies control objectives; schedules tests of the controls used

to meet those objectives; ensures prompt corrective action where

deficiencies are identified; and provides independent assurance for

compliance with security policies. Security tests are necessary to

identify control deficiencies. An effective testing plan identifies

the key controls, then tests those controls at a frequency based on

the risk that the control is not functioning. Security testing

should include independent tests conducted by personnel without

direct responsibility for security administration. Adverse test

results indicate a control is not functioning and cannot be relied

upon. Follow-up can include correction of the specific control, as

well as a search for, and correction of, a root cause. Types of

tests include audits, security assessments, vulnerability scans, and

penetration tests.\39\

---------------------------------------------------------------------------

\39\ FFIEC, E-Banking IT Examination Handbook, at 30, available

at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_E-Banking.pdf.

Some experts note that cybersecurity testing may become a

requirement for obtaining cyber insurance. Under such an approach,

coverage might be conditioned on cybersecurity testing and assessment

followed by implementation of appropriate prevention and detection

procedures.\40\

---------------------------------------------------------------------------

\40\ PriceWaterhouseCoopers, Insurance 2020 and Beyond: Reaping

the Dividends of Cyber Resilience, 2015, available at http://www.pwc.com/gx/en/insurance/publications/assets/reaping-dividends-cyber-resilience.pdf.

---------------------------------------------------------------------------

Cybersecurity testing is also supported internationally. IOSCO has

emphasized the importance of testing to ensure effective controls, in

light of risks posed by the complexity of markets caused by

technological advances.\41\ IOSCO has stated that trading venues should

``appropriately monitor critical systems and have appropriate control

mechanisms in place.'' \42\ The European Securities and Markets

Authority (``ESMA'') Guidelines for automated trading systems call for

trading platforms to test trading systems and system updates to ensure

that the system meets regulatory requirements, that risk management

controls work as intended, and that the system can function effectively

in stressed market conditions.\43\ Further, the Principles for

Financial Market Infrastructures (``PFMIs'') published by the Bank for

International Settlements' Committee on Payments and Market

Infrastructures (``CPMI'') and IOSCO's Technical Committee (together,

``CPMI-IOSCO'') note that with respect to operational risks, which

include cyber risk, ``[a financial market infrastructure]'s

arrangements with participants, operational policies, and operational

procedures should be periodically, and whenever necessary, tested and

reviewed, especially after significant changes occur to the system or a

major incident occurs. . . .'' \44\

---------------------------------------------------------------------------

\41\ IOSCO Consultation Report, Mechanisms for Trading Venues to

Effectively Manage Electronic Trading Risks and Plans for Business

Continuity (April 2015) (``IOSCO 2015 Consultation Report''), at 3,

available at http://www.iosco.org/library/pubdocs/pdf/IOSCOPD483.pdf.

\42\ Id. at 9.

\43\ European Securities and Markets Authority (``ESMA''),

Guidelines: Systems and controls in an automated trading environment

for trading platforms, investment firms and competent authorities

(February 24, 2012), at 7, available at http://www.esma.europa.eu/system/files/esma_2012_122_en.pdf.

\44\ CPMI-IOSCO, Principles for Financial Market

Infrastructures, (Apr. 2012), at 96, available at http://www.iosco.org/library/pubdocs/pdf/IOSCOPD377.pdf. See also CPMI,

Cyber resilience in financial market infrastructures, (Nov. 2014),

available at http://www.bis.org/cpmi/publ/d122.pdf.

---------------------------------------------------------------------------

[[Page 80143]]

B. Categories of Risk Analysis and Oversight Applicable to All DCMs,

SEFs, and SDRs

The system safeguards provisions of the Commodity Exchange Act

(``Act'' or ``CEA'') and Commission regulations applicable to all DCMs,

SEFs, and SDRs require each DCM, SEF, and SDR to maintain a program of

risk analysis and oversight to identify and minimize sources of

operational risk.\45\ The Act provides that each such entity must have

appropriate controls and procedures for this purpose, and must have

automated systems that are reliable, secure, and have adequate scalable

capacity.\46\ Commission regulations concerning system safeguards for

DCMs, SEFs, and SDRs provide that the program of risk analysis and

oversight required of each such entity must address specified

categories of risk analysis and oversight, and applicable regulations

and guidance provide that such entities should follow generally

accepted standards and best practices for development, operation,

reliability, security, and capacity of automated systems.\47\

---------------------------------------------------------------------------

\45\ 7 U.S.C. 7(d)(20); 7 U.S.C. 5h(f)(14); 7 U.S.C. 24a(c)(8);

17 CFR 38.1050; 17 CFR 37.1400; 17 CFR 49.24(a)(1).

\46\ Id.

\47\ 17 CFR 38.1051(a) and (b); 17 CFR 37.1401(a); Appendix A to

Part 37, Core Principle 14 of Section 5h of the Act--System

Safeguards (a) Guidance (1) Risk analysis and oversight program; 17

CFR 49.24(b) and (c).

---------------------------------------------------------------------------

Six categories of risk analysis and oversight are specified in the

Commission's current regulations for DCMs, SEFs, and SDRs: Information

security; business continuity-disaster recovery (``BC-DR'') planning

and resources; capacity and performance planning; systems operations;

systems development and quality assurance; and physical security and

environmental controls.\48\ The current DCM, SEF, and SDR system

safeguards regulations address specific requirements concerning BC-DR,

but do not provide any further guidance respecting the other five

required categories.\49\ In this Notice of Proposed Rulemaking

(``NPRM''), the Commission proposes to clarify what is already required

of all DCMs, SEFs, and SDRs regarding the other five specified

categories, by defining each of them. The proposed definitions are

grounded in generally accepted best practices regarding appropriate

risk analysis and oversight with respect to system safeguards, which

all DCMs, SEFs, and SDRs should follow as provided in the current

regulations. As the proposed definitions explicitly state, they are not

intended to be all-inclusive; rather, they highlight important aspects

of the required risk analysis and oversight categories.

---------------------------------------------------------------------------

\48\ See 17 CFR 38.1051(a); 17 CFR 37.1401(a); and 17 CFR

49.24(b).

\49\ See 17 CFR 38.1051(c) and 38.1051(i) (for DCMs); 17 CFR

37.1401(b) and Appendix A to Part 37, Core Principle 14 of Section

5h of the Act--System Safeguards (a) Guidance (3) Coordination (for

SEFs); 17 CFR 49.24(d) and 49.24(k) (for SDRs).

---------------------------------------------------------------------------

The Commission is also proposing to add and define another

enumerated category, enterprise risk management and governance, to the

list of required categories of system safeguards-related risk analysis

and oversight. As explained below, generally accepted best practices

regarding appropriate risk analysis and oversight with respect to

system safeguards--which form the basis for the proposed definition of

this added category--also establish enterprise risk management and

governance as an important category of system safeguards-related risk

analysis and oversight. This category is therefore implicit in the

Commission's existing system safeguard regulations, which already

require each DCM, SEF, and SDR to maintain a program of risk analysis

and oversight with respect to system safeguards.\50\ The proposed rule

would make it an explicitly listed category for the sake of clarity. As

with the other proposed category definitions, the definition of the

proposed additional category of enterprise risk management and

governance clarifies what is already required and will continue to be

required of all DCMs, SEFs, and SDRs with regard to their system

safeguards-related risk analysis and oversight programs under the

existing rules. As such, addition of this category does not impose

additional obligations on such entities. The Commission sets forth

below the best practices surrounding enterprise risk management and

governance. In connection with its further definition of five of the

other six categories of risk analysis and oversight already enumerated

in the existing regulations, the Commission will also cite some

examples of the best practices underlying those categories.

---------------------------------------------------------------------------

\50\ 17 CFR 38.1050(a) (for DCMs); 17 CFR 37.1400(a) (for SEFs);

17 CFR 49.24(a)(1) (for SDRs).

---------------------------------------------------------------------------

1. Enterprise Risk Management and Governance

As stated in the proposed rules, this category of risk analysis and

oversight includes the following five areas:

Assessment, mitigation, and monitoring of security and

technology risk.

Capital planning and investment with respect to security

and technology.

Board of directors and management oversight of system

safeguards.

Information technology audit and controls assessments.

Remediation of deficiencies.

The category also includes any other enterprise risk management and

governance elements included in generally accepted best practices. As

noted above, this category of risk analysis and oversight is already

implicit in the Commission's existing system safeguards rules for all

DCMs, SEFs, and SDRs, as an essential part of an adequate program of

risk analysis and oversight according to generally accepted standards

and best practices. The Commission sets out below the best practices

basis for its proposed definition of this category, which like the

other proposed definitions is provided for purposes of clarity.

a. Assessment, Mitigation, and Monitoring of Security and

Technology Risk

In the area of assessment, mitigation, and monitoring of security

and technology risk, NIST calls for organizations to develop

appropriate and documented risk assessment policies, to make effective

risk assessments, and to develop and implement a comprehensive risk

management strategy relating to the operation and use of information

systems.\51\ NIST notes that risk assessment is a fundamental component

of an organization's risk management process, which should include

framing, assessing, responding to, and monitoring risks associated with

operation of information systems or with any compromise of data

confidentiality, integrity, or availability.\52\ According to NIST:

---------------------------------------------------------------------------

\51\ See NIST Special Publication (``SP'') 800-53 Rev. 4,

Security and Privacy Controls for Federal Information Systems and

Organizations Controls (``NIST SP 800-53 Rev. 4''), RA-1, RA-2, and

RA-3, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

\52\ NIST SP 800-39, Managing Information Security Risk:

Organization, Mission, and Information System View (March 2011)

(``NIST SP 800-39''), available at http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf.

Leaders must recognize that explicit, well-informed risk-based

decisions are necessary in order to balance the benefits gained from

the operation and use of these information systems with the risk of

the same systems being vehicles through which purposeful attacks,

environmental disruptions, or human errors cause mission or business

failure.\53\

---------------------------------------------------------------------------

\53\ Id. at 1.

NIST standards further provide that an organization's risk

management strategy regarding system safeguards

[[Page 80144]]

should include risk mitigation strategies, processes for evaluating

risk across the organization, and approaches for monitoring risk over

time.\54\ ISACA's Control Objectives for Information and Related

Technology (``COBIT'') 5 calls for organizations to continually

identify, assess, and reduce IT-related risk in light of levels of

system safeguards risk tolerance set by the organization's executive

management.\55\ As part of such assessment, COBIT 5 calls for

maintaining an updated risk profile that includes known risks and risk

attributes as well as an inventory of the organization's related

resources, capabilities, and controls.\56\

---------------------------------------------------------------------------

\54\ NIST SP 800-53 Rev. 4, control PM-9 Risk Management

Strategy, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

\55\ ISACA, Control Objectives for Information and Related

Technology (``COBIT'') 5, Align, Plan and Organize (``APO'') APO12,

available at https://cobitonline.isaca.org/.

\56\ Id. at APO12.03.

---------------------------------------------------------------------------

b. Capital Planning and Investment Respecting Security and Technology

Security and technology capital planning and investment are also

recognized as best practices for enterprise risk management and

governance. NIST standards call for entities to determine, as part of

their capital planning and investment control process, both the

information security requirements of their information systems and the

resources required to protect those systems.\57\ NIST standards further

provide that entities should ensure that their capital planning and

investment includes the resources needed to implement their information

security programs, and should document all exceptions to this

requirement.\58\ ISACA's COBIT 5 also addresses capital planning,

budgeting, and investment with respect to information technology and

system safeguards.\59\

---------------------------------------------------------------------------

\57\ NIST 800-53 Rev. 4, SA-2, Allocation of Resources,

available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

\58\ Id. at PM-3, Information Security Resources.

\59\ COBIT 5, APO06, available at https://cobitonline.isaca.org/

.

---------------------------------------------------------------------------

c. Board of Directors and Management Oversight of System Safeguards

Board of directors and management oversight of system safeguards is

another recognized best practice for enterprise risk management and

governance. NIST defines requirements for board of directors and

management oversight of cybersecurity.\60\ The FFIEC calls for

financial sector organizations to review the system safeguards-related

credentials of the board of directors or the board committee

responsible for oversight of technology and security, and to determine

whether the directors responsible for such oversight have the

appropriate level of experience and knowledge of information technology

and related risks to enable them to provide adequate oversight.\61\ If

directors lack the needed level of experience and knowledge, the FFIEC

calls for the organization to consider bringing in outside independent

consultants to support board oversight.\62\ ISACA's COBIT 5 calls for

entities to maintain effective governance of the enterprise's IT

mission and vision, and to maintain mechanisms and authorities for

managing the enterprise's use of IT in support of its governance

objectives, in light of the criticality of IT to its enterprise

strategy and its level of operational dependence on IT.\63\ In a three-

lines-of-defense model for cybersecurity, the important third line of

defense consists of having an independent audit function report to the

board of directors concerning independent tests, conducted with

sufficient frequency and depth, that determine whether the organization

has appropriate and adequate cybersecurity controls in place which

function as they should.\64\

---------------------------------------------------------------------------

\60\ See, e.g., NIST 800-53 Rev. 4, Program Management Controls

PM-1, Information Security Program Plan, PM-2, Senior Information

Security Officer, and PM 9, Risk Management Strategy, available at

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

\61\ FFIEC, Audit IT Examination Handbook, Objective 3, at A-2,

available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Audit.pdf.

\62\ Id.

\63\ COBIT 5, APO01, available at https://cobitonline.isaca.org/

.

\64\ CFTC Roundtable, at 242-243. In addition, boards of

directors can now face litigation alleging breach of fiduciary duty

based on failure to monitor cybersecurity risk and ensure

maintenance of proper cybersecurity controls. See, e.g., Kulla v.

Steinhafel, D. Minn. No. 14-CV-00203, (U.S. Dist. 2014) (shareholder

derivative suit against Target board of directors), and Palkon v.

Holmes, D. NJ No. 2:14-CV-01234 (U.S. Dist. 2014) (shareholder

derivative suit against Wyndham Worldwide Corporation board

members).

---------------------------------------------------------------------------

d. Information Technology Audit and Controls Assessment

Information technology audit and controls assessments are an

additional major aspect of best practices regarding enterprise risk

management and governance. As the FFIEC has stated:

A well-planned, properly structured audit program is essential

to evaluate risk management practices, internal control systems, and

compliance with corporate policies concerning IT-related risks at

institutions of every size and complexity. Effective audit programs

are risk-focused, promote sound IT controls, ensure the timely

resolution of audit deficiencies, and inform the board of directors

of the effectiveness of risk management practices.\65\

---------------------------------------------------------------------------

\65\ FFIEC, Audit IT Examination Handbook, at 1, available at

http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Audit.pdf.

The FFIEC has also noted that today's rapid rate of change with

respect to information technology and cybersecurity make IT audits

essential to the effectiveness of an overall audit program.\66\

Further:

---------------------------------------------------------------------------

\66\ Id.

The audit program should address IT risk exposures throughout

the institution, including the areas of IT management and strategic

planning, data center operations, client/server architecture, local

and wide-area networks, telecommunications, physical and information

security . . . systems development, and business continuity

planning. IT audit should also focus on how management determines

the risk exposure from its operations and controls or mitigates that

risk.\67\

---------------------------------------------------------------------------

\67\ Id.

e. Remediation of Deficiencies

Finally, remediation of deficiencies is another important part of

enterprise risk management and governance best practices. NIST calls

for organizations to ensure that plans of action and milestones for IT

systems and security are developed, maintained, and documented, and for

organizations to review such plans for consistency with organization-

wide risk management strategy and priorities for risk response

actions.\68\ As noted above, ISACA's COBIT 5 establishes best practices

calling for entities to reduce IT-related risk within levels of

tolerance set by enterprise executive management.\69\ The FFIEC calls

for management to take appropriate and timely action to address

identified IT problems and weaknesses, and to report such actions to

the board of directors.\70\ FFIEC further calls for the internal audit

function to determine whether management sufficiently corrects the root

causes of all significant system safeguards deficiencies.\71\

---------------------------------------------------------------------------

\68\ NIST 800-53 Rev. 4, control PM-4, Plan of Action and

Milestones Process, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

\69\ COBIT 5, APO12, available at https://cobitonline.isaca.org/

.

\70\ FFIEC, Audit IT Examination Handbook, Objective 6, at A-4,

available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Audit.pdf.

\71\ Id.

---------------------------------------------------------------------------

2. Information Security

As stated in the proposed rules, this category of risk analysis and

oversight includes, without limitation, controls relating to each of

the following:

[[Page 80145]]

Access to systems and data (e.g., least privilege,

separation of duties, account monitoring and control).\72\

---------------------------------------------------------------------------

\72\ NIST SP 800-53 Rev. 4, Access Controls (``AC'') control

family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf; Council on CyberSecurity,

CSC 7, 12, 15, available at http://www.counciloncybersecurity.org/critical-controls/.

---------------------------------------------------------------------------

User and device identification and authentication.\73\

---------------------------------------------------------------------------

\73\ NIST SP 800-53 Rev. 4, Identification and Authentication

(``IA'') control family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf; Council on

CyberSecurity, CSC 1, 2, available at http://www.counciloncybersecurity.org/critical-controls/.

---------------------------------------------------------------------------

Security awareness training.\74\

---------------------------------------------------------------------------

\74\ NIST SP 800-53 Rev. 4, Awareness and Training (``AT'')

control family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf; Council on CyberSecurity,

CSC 9, available at http://www.counciloncybersecurity.org/critical-controls/.

---------------------------------------------------------------------------

Audit log maintenance, monitoring, and analysis.\75\

---------------------------------------------------------------------------

\75\ NIST SP 800-53 Rev. 4, Audit and Accountability (``AU'')

control family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf; Council on CyberSecurity,

CSC 14, available at http://www.counciloncybersecurity.org/critical-controls/.

---------------------------------------------------------------------------

Media protection.\76\

---------------------------------------------------------------------------

\76\ NIST SP 800-53 Rev. 4, Media Protection (``MP'') control

family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

---------------------------------------------------------------------------

Personnel security and screening.\77\

---------------------------------------------------------------------------

\77\ NIST SP 800-53 Rev. 4, Personnel Security (``PS'') control

family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

---------------------------------------------------------------------------

Automated system and communications protection (e.g.,

malware defenses, software integrity monitoring).\78\

---------------------------------------------------------------------------

\78\ NIST SP 800-53 Rev. 4, System and Communication Protection

(``SC'') control family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf; Council on

CyberSecurity, CSC 7, 10, 11, 13, available at http://www.counciloncybersecurity.org/critical-controls/.

---------------------------------------------------------------------------

Automated system and information integrity (e.g., network

port control, boundary defenses, encryption).\79\

---------------------------------------------------------------------------

\79\ NIST SP 800-53 Rev. 4, System and Information Integrity

(``SI'') control family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf; Council on

CyberSecurity, CSC 3, 5, 17, available at http://www.counciloncybersecurity.org/critical-controls/.

---------------------------------------------------------------------------

Vulnerability management.\80\

---------------------------------------------------------------------------

\80\ NIST SP 800-53 Rev. 4, control RA-5, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf;

Council on CyberSecurity, CSC 4, 5, available at http://www.counciloncybersecurity.org/critical-controls/.

---------------------------------------------------------------------------

Penetration testing.\81\

---------------------------------------------------------------------------

\81\ NIST SP 800-53 Rev. 4, control CA-8, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf;

Council on CyberSecurity, CSC 20, available at http://www.counciloncybersecurity.org/critical-controls/.

---------------------------------------------------------------------------

Security incident response and management.\82\

---------------------------------------------------------------------------

\82\ NIST SP 800-53 Rev. 4, Incident Response (``IR'') control

family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf; NIST SP 800-61 Rev. 2,

Computer Security Incident Handling Guide (``NIST SP 800-61 Rev.

2''), available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.

---------------------------------------------------------------------------

The category also includes any other elements of information

security included in generally accepted best practices. All of these

important aspects of information security are grounded in generally

accepted standards and best practices, such as the examples cited in

the footnotes for each aspect given above. The Commission believes that

information security programs that address each of these aspects

continue to be essential to maintaining effective system safeguards in

today's cybersecurity threat environment.

3. Business Continuity-Disaster Recovery Planning and Resources

The Commission's current system safeguards regulations for DCMs,

SEFs, and SDRs already contain detailed description of various aspects

of this category of risk analysis and oversight. The regulations

require DCMs, SEFs, and SDRs to maintain a BC-DR plan and BC-DR

resources, emergency procedures, and backup facilities sufficient to

enable timely resumption of the DCM's, SEF's, or SDR's operations, and

resumption of its fulfillment of its responsibilities and obligations

as a CFTC registrant following any such disruption.\83\ In this

connection, the regulations address applicable recovery time objectives

for resumption of operations.\84\ The regulations also require regular,

periodic, objective testing and review of DCM, SEF, and SDR BC-DR

capabilities.\85\ Applicable regulations and guidance provide that the

DCM, SEF, or SDR, to the extent practicable, should coordinate its BC-

DR plan with those of other relevant parties as specified, initiate and

coordinate periodic, synchronized testing of such coordinated

plans.\86\ They further provide that the DCM, SEF, or SDR should ensure

that its BC-DR plan takes into account the BC-DR plans of its

telecommunications, power, water, and other essential service

providers.\87\ In addition, the regulations and guidance call for DCMs,

SEFs, and SDRs to follow generally accepted best practices and

standards with respect to BC-DR planning and resources, as similarly

provided for the other specified categories of system safeguards risk

analysis and oversight.\88\

---------------------------------------------------------------------------

\83\ 17 CFR 38.1051(c) (for DCMs); 17 CFR 37.1401(b) (for SEFs);

17 CFR 49.24(a)(2) (for SDRs).

\84\ 17 CFR 38.1051(c) and (d) (for DCMs); 17 CFR 37.1401(b) and

(c) (for SEFs); 17 CFR 49.24(d), (e), and (f) (for SDRs).

\85\ 17 CFR 38.1051(h) (for DCMs); 17 CFR 37.1401(g) (for SEFs);

17 CFR 49.24(j) (for SDRs).

\86\ 17 CFR 38.1051(i)(1) and (2) (for DCMs); Appendix A to Part

37, Core Principle 14 of Section 5h of the Act--System Safeguards

(a) Guidance (3)(i) and (ii) (for SEFs); 17 CFR 49.24(k)(1) and (2)

(for SDRs).

\87\ 17 CFR 38.1051(i)(3) (for DCMs); Appendix A to Part 37,

Core Principle 14 of Section 5h of the Act--System Safeguards (a)

Guidance (3)(iii) (for SEFs); 17 CFR 49.24(k)(3) (for SDRs).

\88\ 17 CFR 38.1051(b) (for DCMs); Appendix A to Part 37, Core

Principle 14 of Section 5h of the Act--System Safeguards (a)

Guidance (1) Risk analysis and oversight program (for SEFs); 17 CFR

49.24(c) (for SDRs). For such best practices, see generally, e.g.,

NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal

Information Systems, available at http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf.

---------------------------------------------------------------------------

Because the current system safeguards regulations already address

these various aspects of the category of BC-DR planning and resources,

the Commission is not proposing to further define this category at this

time. The Commission notes that participants in the CFTC Roundtable

discussed whether BC-DR planning and testing is at an inflection point:

while such planning and testing has traditionally focused on kinetic

events such as storms or physical attacks by terrorists, today

cybersecurity threats may also result in loss of data integrity or

long-term cyber intrusion. Future development of different types of BC-

DR testing focused on cyber resiliency, and of new standards for

recovery and resumption of operations may be warranted.\89\

---------------------------------------------------------------------------

\89\ CFTC Roundtable, at 277-363.

---------------------------------------------------------------------------

4. Capacity and Performance Planning

As provided in the proposed rule, this category of risk analysis

and oversight includes (without limitation): Controls for monitoring

DCM, SEF, or SDR systems to ensure adequate scalable capacity (e.g.,

testing, monitoring, and analysis of current and projected future

capacity and performance, and of possible capacity degradation due to

planned automated system changes); \90\ and any other elements of

capacity and performance planning included in generally accepted best

practices. All of these important aspects of capacity and performance

planning are grounded in generally accepted standards and best

practices, such as the examples cited in the footnote above. The

Commission believes that capacity and performance planning programs

that address these aspects are essential to maintaining

[[Page 80146]]

effective system safeguards in today's cybersecurity threat

environment.

---------------------------------------------------------------------------

\90\ ISACA, COBIT 5, Build, Acquire and Implement (``BAI'')

BAI04, available at https://cobitonline.isaca.org/; FFIEC,

Operations IT Examination Handbook, at 33-34, 35, 40-41, available

at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Operations.pdf.

---------------------------------------------------------------------------

5. Systems Operations

As set out in the proposed rule, this category of risk analysis and

oversight includes (without limitation) each of the following elements:

System maintenance.\91\

---------------------------------------------------------------------------

\91\ NIST SP 800-53 Rev. 4, Maintenance (``MA'') control family,

available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

---------------------------------------------------------------------------

Configuration management (e.g., baseline configuration,

configuration change and patch management, least functionality,

inventory of authorized and unauthorized devices and software).\92\

---------------------------------------------------------------------------

\92\ NIST SP 800-53 Rev. 4, Configuration Management (``CM'')

control family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf; Council on CyberSecurity,

CSC 1, 2, 3, 10, 11, 12, available at http://www.counciloncybersecurity.org/critical-controls/.

---------------------------------------------------------------------------

Event and problem response and management.\93\

---------------------------------------------------------------------------

\93\ FFIEC, Operations IT Examination Handbook, at 28, and

Objective 10, at A-8 to A-9, available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Operations.pdf;

ISACA, COBIT 5, Deliver, Service and Support (``DSS'') process

DSS03, available at https://cobitonline.isaca.org/.

---------------------------------------------------------------------------

It also includes any other elements of system operations included

in generally accepted best practices. All of these important aspects of

systems operations are grounded in generally accepted standards and

best practices, for example those cited in the footnotes for each

aspect given above. The Commission believes that systems operations

programs that address each of these aspects are essential to

maintaining effective system safeguards in today's cybersecurity threat

environment.

6. Systems Development and Quality Assurance

As set out in the proposed rule, this category of risk analysis and

oversight includes (without limitation) each of the following elements:

Requirements development.\94\

---------------------------------------------------------------------------

\94\ NIST SP 800-53 Rev. 4, control SA-4, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf;

FFIEC Development and Acquisition IT Examination Handbook, at 2-3,

available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_DevelopmentandAcquisition.pdf.

---------------------------------------------------------------------------

Pre-production and regression testing.\95\

---------------------------------------------------------------------------

\95\ NIST SP 800-53 Rev. 4, controls SA-8, SA-10, SA-11,

available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf; NIST SP 800-64 Rev. 2, Security Considerations

in the System Development Life Cycle (``NIST SP 800-64 Rev. 2''), at

26-27, available at http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf; FFIEC, Development and Acquisition

IT Examination Handbook, at 8-9, and Objective 9, at A-6 to A-7,

available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_DevelopmentandAcquisition.pdf.

---------------------------------------------------------------------------

Change management procedures and approvals.\96\

---------------------------------------------------------------------------

\96\ Id. at 47-48.

---------------------------------------------------------------------------

Outsourcing and vendor management.\97\

---------------------------------------------------------------------------

\97\ NIST SP 800-53 Rev. 4, controls SA-9, SA-12, available at

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf; FFIEC, Outsourcing Technology Services IT Examination

Handbook, at 2, available at http://ithandbook.ffiec.gov/ITBooklets/

FFIEC_ITBooklet_OutsourcingTechnologyServices.pdf.

---------------------------------------------------------------------------

Training in secure coding practices.\98\

---------------------------------------------------------------------------

\98\ NIST SP 800-53 Rev. 4, controls AT-3, SA-11, available at

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

---------------------------------------------------------------------------

It also includes any other elements of systems development and

quality assurance included in generally accepted best practices. All of

these important aspects of systems development and quality assurance

are grounded in generally accepted standards and best practices, such

as the examples cited in the footnotes for each aspect given above. The

Commission believes that systems development and quality assurance

programs that address each of these aspects are essential to

maintaining effective system safeguards in today's cybersecurity threat

environment.

7. Physical Security and Environmental Controls.

As stated in the proposed rule, this category of risk analysis and

oversight includes (without limitation) each of the following elements:

\99\

---------------------------------------------------------------------------

\99\ NIST SP 800-53 Rev. 4, Physical and Environmental

Protection (PE) control family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf;

FFIEC, Operations IT Examination Handbook, at 15-18, available at

http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Operations.pdf.

---------------------------------------------------------------------------

Physical access and monitoring.

Power, telecommunication, environmental controls.

Fire protection.

It also includes any other elements of physical security and

environmental controls included in generally accepted best practices.

All of these important aspects of physical security and environmental

controls are grounded in generally accepted standards and best

practices, such as the examples cited in the footnote given above. The

Commission believes that physical security and environmental controls

programs that address each of these aspects are essential to

maintaining effective system safeguards in today's cybersecurity threat

environment.

C. Requirements To Follow Best Practices, Ensure Testing Independence,

and Coordinate BC-DR Plans

The Commission's current regulations for DCMs and SDRs and its

guidance for SEFs provide that such entities should follow best

practices in addressing the categories which their programs of risk

analysis and oversight are required to include.\100\ They provide that

such entities should ensure that their system safeguards testing,

whether conducted by contractors or employees, is conducted by

independent professionals (i.e., persons not responsible for

development or operation of the systems or capabilities being

tested).\101\ They further provide that such entities should coordinate

their BC-DR plans with the BC-DR plans of market participants and

essential service providers.\102\

---------------------------------------------------------------------------

\100\ See Sec. 38.1051(b) (for DCMs); Appendix A to Part 37,

Core Principle 14 of Section 5h of the Act--System Safeguards (a)

Guidance (1) Risk analysis and oversight program (for SEFs); Sec.

49.24(c) (for SDRs).

\101\ See Sec. 38.1051(h) (for DCMs); Appendix A to Part 37,

Core Principle 14 of Section 5h of the Act--System Safeguards (a)

Guidance (2) Testing (for SEFs); Sec. 49.24(j) (for SDRs).

\102\ See Sec. 38.1051(i) (for DCMs); Appendix A to Part 37,

Core Principle 14 of Section 5h of the Act--System Safeguards (a)

Guidance (3) Coordination (for SEFs); Sec. 49.24(k) (for SDRs).

---------------------------------------------------------------------------

In this NPRM, the Commission is proposing to make these three

provisions mandatory for all DCMs, SEFs, and SDRs. The proposed rule

provisions reflect this at appropriate points.\103\ Making these

provisions mandatory will align the system safeguards rules for DCMs,

SEFs, and SDRs with the Commission's system safeguards rules for DCOs,

which already contain mandatory provisions in these respects. The

Commission believes that in today's cybersecurity threat environment

(discussed above), following generally accepted standards and best

practices, ensuring tester independence, and coordinating BC-DR plans

appropriately are essential to adequate system safeguards and cyber

resiliency for DCMs, SEFs, and SDRs, as well as for DCOs. For this

reason, the Commission believes that making these provisions mandatory

will benefit DCMs, SEFs, and SDRs, their market participants and

customers, and the public interest. The Commission

[[Page 80147]]

understands that most DCMs, SEFs, and SDRs have been following the

provisions of the current regulations and guidance in these respects,

and thus already meet these proposed requirements.

---------------------------------------------------------------------------

\103\ Regarding following best practices, see proposed rule

Sec. 38.1051(b) (for DCMs); Sec. 37.1401(b) (for SEFs); and Sec.

49.24(c) (for SDRs). Regarding tester independence, see proposed

rules Sec. Sec. 38.1051(h)(2)(iv), (3)(i)(C), (3)(ii)(B), (4)(iii),

(5)(iv), and (6)(ii) (for DCMs); Sec. Sec. 37.1401(h)(2)(i),

(3)(i)(A), (4)(i), (5)(iii), and (6)(i) (for SEFs); and Sec. Sec.

49.24(j)(2)(iii), (3)(i)(B), (4)(ii), (5)(iv), and (6)(ii) (for

SDRs). Regarding BC-DR plan and plan testing coordination, see

proposed rule Sec. 38.1051(i) (for DCMs); Sec. 37.1401(i) (for

SEFs); and Sec. 49.24(k) (for SDRs).

---------------------------------------------------------------------------

D. Updating of Business Continuity-Disaster Recovery Plans and

Emergency Procedures

The Commission is proposing amendment of the current system

safeguards rules requiring DCMs, SEFs, and SDRs to maintain a business

continuity-disaster recovery plan and emergency procedures, by adding a

requirement for such plans and procedures to be updated as frequently

as required by appropriate risk analysis, but at a minimum at least

annually. Updating such plans and procedures at least annually is a

best practice. NIST standards provide that once an organization has

developed a BC-DR plan, ``the organization should implement the plan

and review it at least annually to ensure the organization is following

the roadmap for maturing the capability and fulfilling their [sic]

goals for incident response.'' \104\ NIST also states that information

systems contingency plans (``ISCPs'') ``should be reviewed for accuracy

and completeness at least annually, as well as upon significant changes

to any element of the ISCP, system, mission/business processes

supported by the system, or resources used for recovery procedures.''

\105\

---------------------------------------------------------------------------

\104\ NIST SP 800-61 Rev. 2, at 8, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.

\105\ NIST SP 800-34 Rev. 1, at 8, available at http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf.

---------------------------------------------------------------------------

As noted previously, current Commission system safeguards

regulations and guidance provide that all DCMs, SEFs, and SDRs should

follow best practices in their required programs of risk analysis and

oversight. The Commission understands that many DCMs, SEFs, and SDRs

currently update their BC-DR plans and emergency procedures at least

annually. In light of these facts, the Commission believes that the

proposed requirement for updating such plans and procedures as often as

indicated by appropriate risk analysis, and at a minimum at least

annually, may not impose substantial additional burdens or costs on

DCMs, SEFs, or SDRs.

E. System Safeguards-Related Books and Records Obligations

The Commission's current system safeguards rules for all DCMs,

SEFs, and SDRs contain a provision addressing required production of

system safeguards-related documents to the Commission on request.\106\

The proposed rule includes a provision amending these document

production provisions, to further clarify requirements for document

production by all DCMs, SEFs, and SDRs relating to system safeguards.

The proposed provision would require each DCM, SEF, and SDR to provide

to the Commission, promptly on the request of Commission staff: Current

copies of its BC-DR plans and other emergency procedures, updated at a

frequency determined by appropriate risk analysis but at a minimum no

less than annually; all assessments of its operational risks or system

safeguards-related controls; all reports concerning system safeguards

testing and assessment required by the Act or Commission regulations;

and all other documents requested by Commission staff in connection

with Commission oversight of system safeguards.

---------------------------------------------------------------------------

\106\ 17 CFR 38.1051(g) and (h) (for DCMs); 17 CFR 37.1401(f)

and (g) (for SEFs); 17 CFR 49.24(i) and (j) (for SDRs).

---------------------------------------------------------------------------

As noted in the text of the proposed rule, production of all such

books and records is already required by the Act and Commission

regulations, notably by Commission regulation Sec. 1.31.\107\ No

additional cost or burden is created by this provision. This section is

included in the proposed rule solely to provide additional clarity to

DCMs, SEFs, and SDRs concerning their statutory and regulatory

obligation to produce all such system safeguards-related documents

promptly upon request by Commission staff.

---------------------------------------------------------------------------

\107\ 17 CFR 1.31; see also 17 CFR 38.1051(g) and (h); 17 CFR

37.1401(f) and (g); 17 CFR 49.24(i) and (j).

---------------------------------------------------------------------------

F. Cybersecurity Testing Requirements for DCMs, SEFs, and SDRs

1. Clarification of Existing Testing Requirements for All DCMs, SEFs,

and SDRs

The Act requires each DCM, SEF, and SDR to develop and maintain a

program of system safeguards-related risk analysis and oversight to

identify and minimize sources of operational risk.\108\ The Act

mandates that in this connection each DCM, SEF and SDR must develop and

maintain automated systems that are reliable, secure, and have adequate

scalable capacity, and must ensure system reliability, security, and

capacity through appropriate controls and procedures.\109\

---------------------------------------------------------------------------

\108\ CEA section 5(d)(20) (for DCMs); CEA section 5h(f)(14)

(for SEFs); CEA section 21(f)(4)(A) and 17 CFR 49.24(a) (for SDRs).

\109\ Id.

---------------------------------------------------------------------------

The Commission's existing system safeguards rules for DCMs, SEFs,

and SDRs mandate that, in order to achieve these statutory

requirements, each DCM, SEF, and SDR must conduct testing and review

sufficient to ensure that its automated systems are reliable, secure,

and have adequate scalable capacity.\110\ In this NPRM, as discussed in

detail below, the Commission proposes to clarify this system safeguards

and cybersecurity testing requirement, by specifying and defining five

types of system safeguards testing that a DCM, SEF, or SDR necessarily

must perform to fulfill the requirement. The Commission believes, as

the generally accepted standards and best practices noted in this NPRM

make clear, that it would be essentially impossible for a DCM, SEF, or

SDR to fulfill its existing obligation to conduct testing sufficient to

ensure the reliability, security, and capacity of its automated systems

without conducting each type of testing addressed by the proposed rule.

Each of these types of testing is a generally recognized best practice

for system safeguards.\111\ For these reasons, the

[[Page 80148]]

provisions of the proposed rule calling for each DCM, SEF, and SDR to

conduct each of these types of testing and assessment clarify the

testing requirements of the existing system safeguards rules for DCMs,

SEFs, and SDRs; they do not impose new requirements. Providing this

clarification of the testing provisions of the existing system

safeguards rules is a primary purpose of this proposed rule.

---------------------------------------------------------------------------

\110\ 17 CFR 38.1051(h) (for DCMs); 17 CFR 37.1401(g) (for

SEFs); 17 CFR 49.24(j) (for SDRs).

\111\ The Commission's existing rules and guidance provide that

a DCM's, SEF's, or SDR's entire program of risk analysis and

oversight, which includes testing, should be based on generally

accepted standards and best practices with respect to the

development, operation, reliability, security, and capacity of

automated systems. See 17 CFR 38.1051(h) (for DCMs); Appendix A to

Part 37, Core Principle 14 of Section 5h of the Act--System

Safeguards (a) Guidance (1) Risk analysis and oversight program (for

SEFs); 17 CFR 49.24(j) (for SDRs). Each of the types of testing

addressed in this NPRM--vulnerability testing, penetration testing,

controls testing, security incident response plan testing, and

enterprise technology risk assessment--has been a generally

recognized best practice for system safeguards since before the

testing requirements of the Act and the current regulations were

adopted. The current system safeguards provisions of the CEA and the

Commission's regulations became effective in August 2012. Generally

accepted best practices called for each type of testing specified in

the proposed rule well before that date, as shown in the following

examples. Regarding all five types of testing, see, e.g., NIST SP

800-53A, Rev. 1, Guide for Assessing the Security Controls in

Federal Information Systems and Organizations (``NIST 800-53A

Rev.1''), at E1, F67, F230, F148, and F226, June 2010, available at

http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf. Regarding vulnerability testing, see, e.g., NIST SP

800-53A Rev. 1, at F67, June 2010, available at http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf; and NIST SP 800-115, Technical Guide to Information

Security Testing and Assessment, at 5-2, September 2008, available

at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf.

Regarding penetration testing, see, e.g., NIST Special Publication

(``SP'') 800-53A, Rev. 1, at E1, June 2010, available at: http://csc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf; and NIST 800-115, at 4-4, September 2008, available at:

http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf.

Regarding controls testing, see, e.g., NIST 800-53A, Rev. 1, at 13

and Appendix F1, June 2010, available at http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf.

Regarding security incident response plan testing, see, e.g., NIST

800-53A, Rev. 1, at F148, June 2010, available at http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf. Regarding enterprise technology risk assessment, see,

e.g., NIST 800-53A, Rev.1, at F226, June 2010, available at http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf.

---------------------------------------------------------------------------

The Commission's clarification of existing testing requirements for

DCMs, SEFs, and SDRs by specifying and defining five types of

cybersecurity testing essential to fulfilling those testing

requirements is designed to set out high-level, minimum requirements

for these types of testing, with the expectation that the particular

ways in which DCMs, SEFs, and SDRs conduct such testing may change as

accepted standards and industry best practices develop over time and

are reflected in the DCM's, SEF's, or SDR's risk analysis. This

parallels the inclusion in the Commission's existing system safeguards

rules and guidance for DCMs, SEFs, and SDRs of provisions that call for

those entities to follow generally accepted standards and best

practices in their programs of risk analysis and oversight with respect

to system safeguards. Those similarly high-level provisions were also

designed to allow DCMs, SEFs, and SDRs flexibility in adapting their

programs to current industry best practices, which the Commission

recognized and continues to recognize will evolve over time.

2. New Minimum Testing Frequency and Independent Contractor Testing

Requirements for Covered DCMs and All SDRs

In this NPRM, as discussed in detail below, the Commission is also

proposing that covered DCMs (as defined) and all SDRs would be subject

to new minimum testing frequency requirements with respect to each type

of system safeguards testing included in the clarification of the

system safeguards testing requirement in the Commission's existing

system safeguards rules. To strengthen the objectivity and reliability

of the testing, assessment, and information available to the Commission

regarding covered DCM and SDR system safeguards, the Commission is also

proposing that for certain types of testing, covered DCMs and SDRs

would be subject to new independent contractor testing requirements.

The Commission believes that in light of the current cyber threat

environment described above, the minimum frequency requirements being

proposed are necessary and appropriate, and will give additional

clarity concerning what is required in this respect. As discussed

above, and discussed in detail below, the proposed minimum frequency

requirements are all grounded in generally accepted standards and best

practices.\112\ Best practices also call for testing by both entity

employees and independent contractors as a necessary means of ensuring

the effectiveness of cybersecurity testing and of the entity's program

of risk analysis and oversight.\113\

---------------------------------------------------------------------------

\112\ See discussion above concerning the need for cybersecurity

testing.

\113\ Id.

---------------------------------------------------------------------------

The Commission believes that the minimum testing frequency and

independent contractor testing requirements in the proposed rule should

be applied to DCMs whose annual total trading volume is five percent or

more of the annual total trading volume of all DCMs regulated by the

Commission, as well as to all SDRs. This would give DCMs that have less

than five percent of the annual total trading volume of all DCMs more

flexibility regarding the testing they must conduct. As a matter of

policy, the Commission believes it is appropriate to reduce possible

costs and burdens for smaller entities when it is possible to do so

consistent with achieving the fundamental goals of the Act and

Commission rules. Accordingly, the Commission believes that applying

the minimum frequency and independent contractor requirements in this

proposed rule only to DCMs whose annual volume is five percent or more

of the total annual volume of all regulated DCMs, and to SDRs, would be

appropriate, in light of the fact that smaller DCMs will still be

required to conduct testing of all the types clarified in the proposed

rule as essential to fulfilling the testing requirements of the

existing DCM system safeguards rules.\114\

---------------------------------------------------------------------------

\114\ These considerations do not apply to SDRs. Each SDR

contains reported swap data that constitutes a unique part of the

total picture of the entire swap market that the Dodd-Frank Wall

Street Reform and Consumer Protection Act, Pub. L. 111-203, 124

Stat. 1376 (2010) (``Dodd-Frank Act'') requires the Commission to

have. Therefore, the highest level of system safeguards protection

must be required for all SDRs. The Commission also notes that,

because the Commission is proposing a parallel cybersecurity testing

rule that would cover all DCOs, a non-covered DCM that shares common

ownership and automated systems with a DCO would in practice fulfill

the testing frequency and independent contractor testing

requirements proposed for covered DCMs, by virtue of sharing

automated systems and system safeguards with the DCO.

---------------------------------------------------------------------------

To give effect to this concept, the proposed rule would make this

five percent volume threshold the basis for its definition of a

``covered designated contract market,'' and would require all DCMs to

report their annual total trading volume to the Commission each year,

as discussed below in section H. The proposed rule defines ``annual

total trading volume'' as the total number of all contracts traded on

or pursuant to the rules of a designated contract market. Under the

proposed rule, a DCM would become a covered DCM, and thus become

subject to the proposed testing frequency and independent contractor

testing requirements, if it meets the five percent volume threshold

with respect to calendar year 2015 or any calendar year thereafter.

It is possible that a DCM which has previously become a covered DCM

subject to these requirements by meeting the five percent volume

threshold could cease to meet the definition of a covered DCM if its

annual total trading volume later fell below the five percent volume

threshold. The proposed rule's frequency requirements for controls

testing and for independent contractor testing of key controls specify

that such testing must be performed no less frequently than every two

years, the longest minimum frequency requirement included in the

proposed rule. The Commission believes that a DCM which has become a

covered DCM should complete an entire cycle of the testing required of

covered DCMs before it ceases to be subject to those requirements by

virtue of its annual total trading volume falling below the five

percent threshold. Accordingly, the proposed rule's definition of

``covered designated contract market'' also specifies that such a DCM

would cease to be a covered DCM when it has fallen below the five

percent volume threshold for two consecutive years.

3. Vulnerability Testing

a. Need for Vulnerability Testing

Testing to identify cyber and automated system vulnerabilities is a

significant component of a DCM's, SEF's, or SDR's program of risk

analysis

[[Page 80149]]

and oversight to identify and minimize sources of operational risk, and

a necessary prerequisite for remediating vulnerabilities, minimizing

exposure to attackers, and enhancing automated system resilience in the

face of cyber threats. The Council on Cybersecurity explains the need

for ongoing vulnerability testing as follows:

Cyber defenders must operate in a constant stream of new

information: Software updates, patches, security advisories, threat

bulletins, etc. Understanding and managing vulnerabilities has

become a continuous activity, requiring significant time, attention,

and resources.

Attackers have access to the same information, and can take

advantage of gaps between the appearance of new knowledge and

remediation. For example, when new vulnerabilities are reported by

researchers, a race starts among all parties, including: Attackers

(to ``weaponize'', deploy an attack, exploit); vendors (to develop,

deploy patches or signatures and updates), and defenders (to assess

risk, regression-test patches, install).

Organizations that do not scan for vulnerabilities and

proactively address discovered flaws face a significant likelihood

of having their computer systems compromised. Defenders face

particular challenges in scaling remediation across an entire

enterprise, and prioritizing actions with conflicting priorities,

and sometimes-uncertain side effects.\115\

---------------------------------------------------------------------------

\115\ Council on Cybersecurity, CSC 4, Continuous Vulnerability

Assessment and Remediation: Why Is This Control Critical? (emphasis

added), available at http://www.counciloncybersecurity.org/critical-controls/.

Vulnerability testing is essential to cyber resilience.\116\ CFTC

Roundtable participants noted that for a financial sector institution,

vulnerability testing will scan and assess the security controls of the

entity's automated systems, on an ongoing basis, to ensure that they

are in place and operating properly.\117\ In the automated system

context, such testing will include ongoing review that includes

automated scanning, to ensure that timely software updates and patches

have been made for operating systems and applications, that network

components are configured properly, and that no known vulnerabilities

are present in operating systems and application software.\118\

---------------------------------------------------------------------------

\116\ CFTC Roundtable, at 95-96.

\117\ Id.

\118\ Id.

---------------------------------------------------------------------------

b. Best Practices Call for Vulnerability Testing

Conducting ongoing vulnerability testing, including automated

scanning, is a best practice with respect to cybersecurity. NIST

standards call for organizations to scan for automated system

vulnerabilities both on a regular and ongoing basis and when new

vulnerabilities potentially affecting their systems are identified and

reported.\119\ NIST adds that organizations should employ vulnerability

scanning tools and techniques that automate parts of the vulnerability

management process, with respect to enumerating platforms, software

flaws, and improper configurations; formatting checklists and test

procedures, and measuring vulnerability impacts.\120\ NIST states that

vulnerability scans should address, for example: Patch levels;

functions, ports, protocols, and services that should not be accessible

to users or devices; and improperly configured or incorrectly operating

information flow controls.\121\ NIST also calls for the organization to

remediate vulnerabilities identified by vulnerability testing, in

accordance with its assessments of risk.\122\

---------------------------------------------------------------------------

\119\ NIST SP 800-53 Rev. 4, control RA-5 Vulnerability

Scanning, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

\120\ Id.

\121\ Id.

\122\ Id.

---------------------------------------------------------------------------

The Council on CyberSecurity's Critical Security Controls call for

organizations to ``continuously acquire, assess, and take action on new

information in order to identify vulnerabilities, remediate, and

minimize the window of opportunity for attackers.'' \123\ The Council

states that organizations should use vulnerability scanning tools that

look for both code-based and configuration-based vulnerabilities, run

automated vulnerability scans against all systems on the network at a

minimum on a weekly basis, and deliver to management prioritized lists

of the most critical vulnerabilities found.\124\

---------------------------------------------------------------------------

\123\ Council on Cybersecurity, CSC 4, Continuous Vulnerability

Assessment and Remediation, available at http://www.counciloncybersecurity.org/critical-controls/.

\124\ Id. at CSC 4-1.

---------------------------------------------------------------------------

The Data Security Standards (``DSS'') of the Payment Card Industry

(``PCI'') Security Standards Council note that ``[v]ulnerabilities are

being discovered continually by malicious individuals and researchers,

and being introduced by new software,'' and accordingly provide that

``[s]ystem components, processes, and custom software should be tested

frequently to ensure security controls continue to reflect a changing

environment.'' \125\ These standards call for running internal and

external network vulnerability scans both regularly and after any

significant change in the network.\126\

---------------------------------------------------------------------------

\125\ Security Standards Council, Payment Card Industry Data

Security Standards (v.3.1, 2015) (``PCI DSS''), Requirement 11:

Regularly test security systems and processes, available at https://www.pcisecuritystandards.org/security_standards/index.php.

\126\ Id., Requirement 11.2.

---------------------------------------------------------------------------

c. Proposed Vulnerability Testing Definitions and Related Provisions

The Commission is proposing to clarify the existing testing

requirements for all DCMs, all SEFs, and all SDRs by specifying

vulnerability testing as an essential means of fulfilling those

requirements, and defining it as testing of a DCM's, SEF's, or SDR's

automated systems to determine what information may be discoverable

through a reconnaissance analysis of those systems and what

vulnerabilities may be present on those systems. This definition is

consistent with NIST standards for such testing.\127\ For purposes of

this definition, the term ``reconnaissance analysis'' is used to

combine various aspects of vulnerability testing.\128\ The proposed

definition deliberately refers broadly to vulnerability testing in

order to avoid prescribing use of any particular technology or tools,

because vulnerability assessments may not always be automated, and

technology may change.\129\

---------------------------------------------------------------------------

\127\ See NIST SP 800-53 Rev. 4, control RA-5, available at

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

\128\ See, e.g., NIST SP 800-115, Technical Guide to Information

Security Testing and Assessment (2008) (``NIST 800-115''), at 2-4,

available at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf, noting that ``[e]xternal testing often begins with

reconnaissance techniques that search public registration data,

Domain Name System (DNS) server information, newsgroup postings, and

other publicly available information to collect information (e.g.,

system names, Internet Protocol [IP] addresses, operating systems,

technical points of contact) that may help the assessor to identify

vulnerabilities.''

\129\ See, e.g., SANS Institute, Penetration Testing: Assessing

Your Overall Security Before Attackers Do (June 2006), at 7,

available at https://www.sans.org/reading-room/whitepapers/analyst/penetration-testing-assessing-security-attackers-34635, noting: ``A

wide variety of tools may be used in penetration testing. These

tools are of two main types; reconnaissance or vulnerability testing

tools and exploitation tools. While penetration testing is more

directly tied to the exploitation tools, the initial scanning and

reconnaissance is often done using less intrusive tools.''

---------------------------------------------------------------------------

The proposed rule would require that vulnerability testing include

automated vulnerability scanning, as well as an analysis of the test

results to identify and prioritize all vulnerabilities that require

remediation.\130\ Best practices

[[Page 80150]]

note that in most situations, vulnerability monitoring is most

efficient and cost-effective when automation is used.\131\ Participants

in the CFTC Roundtable agreed that automated vulnerability scanning

provides important benefits.\132\ Where indicated by appropriate risk

analysis, automated scanning would be required to be conducted on an

authenticated basis (i.e., using log-in credentials).\133\ Where

automated scans are unauthenticated (i.e., conducted without using

usernames or passwords), effective compensating controls would be

required.\134\

---------------------------------------------------------------------------

\130\ See, PCI DSS, at 94, available at https://www.pcisecuritystandards.org/security_standards/index.php, defining

a vulnerability scan as ``a combination of automated or manual

tools, techniques, and/or methods run against external and internal

network devices and servers, designed to expose potential

vulnerabilities that could be found and exploited by malicious

individuals.'' See also NIST SP 800-115, supra note 111, available

at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf;

noting that testing techniques that include vulnerability scanning

``. . . can identify systems, ports, services, and potential

vulnerabilities, and may be performed manually but are generally

performed using automated tools.''

\131\ NIST SP 800-39, at 47-48, available at http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf.

\132\ CFTC Roundtable, at 170-171.

\133\ The PCI Monitor, published by the PCI Security Standards

Council, explains the differences between unauthenticated and

authenticated vulnerability scanning, and the benefits of each type,

as follows: [U]nauthenticated web application scan tests are

conducted with no usernames and/or passwords as part of the test.

Authenticated web application scan tests use usernames and passwords

to simulate user activity on the Web site or system being tested.

Essentially, unauthenticated scan testing is ``logged-out testing''

and authenticated scanning is ``logged-in testing.'' . . .

Unauthenticated scan testing is typically much easier than

authenticated testing; it can be performed with basic tools and

doesn't require a great deal of technical expertise or understanding

of the systems, Web pages or workflows being tested. Unauthenticated

tests are also much quicker and can be effective in detecting

recognizable vulnerabilities without investing a great deal of time

and resources. However, unauthenticated testing alone is not an

effective method of simulating targeted attacks. The results may be

limited, producing a false sense of assurance that the systems have

been thoroughly assessed. . . . [A]uthenticated testing is more

thorough since user interaction and functionality . . . can be more

accurately simulated. Performing authenticated testing does require

a broader and deeper skill set and should only be performed by

qualified, experienced professionals. . . . Additionally, since

authenticated testing often includes manual techniques, the amount

of time required to perform such tests can increase significantly. .

. . As a general guideline, if the desire is to simulate what users

on the system are able to do, then authenticated testing is the most

effective approach. If the intent is to quickly identify the highest

risks that any user or tool could exploit, then unauthenticated

testing may suffice. Once the unauthenticated vulnerabilities are

identified and remediated, then authenticated testing should be

considered to achieve a more comprehensive assessment.

PCI Monitor, Vol. 2, Issue 26 (June 25, 2014), available at

http://training.pcisecuritystandards.org/the-pci-monitor-weekly-news-updates-and-insights-from-pci-ssc2?ecid=ACsprvuuirRbrU3vDlk76s_ngGKJKEYlvaBJzvvUMldZv4KKh6V1guIKOR5VLTNfAqPQ_Gmox3zO&utm_campaign=Monitor&utm_source=hs_email&utm_medium=email&utm_content=13292865&_hsenc=p2ANqtz_LIkkHURyUmyq1p2OxB39R5nOpRh1XHE_jW6wCC6EEUAow15E7AuExcIGwdYxyh_6YNxVvKorcurk6r90E3d7dG71fbw&_hsmi=13292865%20-%20web.

\134\ See PCI DSS, supra note 125, App. B at 112, available at

https://www.pcisecuritystandards.org/security_standards/index.php:

``Compensating controls may be considered . . . when an entity

cannot meet a requirement explicitly as stated, due to legitimate

technical or documented business constraints, but has sufficiently

mitigated the risk associated with the requirement through

implementation of other, or compensating, controls.''

---------------------------------------------------------------------------

The proposed rule would require all DCMs, SEFs, and SDRs to conduct

vulnerability testing at a frequency determined by an appropriate risk

analysis. Testing as often as indicated by appropriate risk analysis is

a best practice. For example, the FFIEC states that ``[t]he frequency

of testing should be determined by the institution's risk assessment.''

\135\ Best practices call for risk assessments to include consideration

of a number of important factors in this regard, including, for

example, the frequency and extent of changes in the organization's

automated systems and operating environment; the potential impact if

risks revealed by testing are not addressed appropriately; the degree

to which the relevant threat environment or potential attacker profiles

and techniques are changing; and the results of other testing.\136\

Frequency appropriate to risk analysis can also vary depending on the

type of monitoring involved; for example, with whether automated

monitoring or procedural testing is being conducted.\137\

---------------------------------------------------------------------------

\135\ FFIEC, Information Security IT Examination Handbook, at

82, available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf.

\136\ See NIST SP 800-39, at 47-48, available at http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf;

FFIEC, Information Security IT Examination Handbook, at 82,

available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf.

\137\ Id.

---------------------------------------------------------------------------

d. Minimum Vulnerability Testing Frequency Requirements for Covered

DCMs and SDRs

The proposed rule would require covered DCMs and SDRs to conduct

vulnerability testing no less frequently than quarterly. Best practices

support this requirement. For example, PCI DSS standards provide that

entities should run internal and external network vulnerability scans

``at least quarterly,'' as well as after any significant network

changes, new system component installations, firewall modifications, or

product upgrades.\138\ The Council on CyberSecurity calls for entities

to ``continuously acquire, assess, and take action on new information

in order to identify vulnerabilities.'' \139\ In light of these best

practices and the current level of cyber threat to the financial sector

discussed above, the Commission believes that the proposed rule

provisions regarding vulnerability testing frequency are appropriate in

today's cybersecurity environment.\140\

---------------------------------------------------------------------------

\138\ PCI DSS, Requirement 11.2, available at https://www.pcisecuritystandards.org/security_standards/index.php.

\139\ Council on CyberSecurity, CSC 4, Continuous Vulnerability

Assessment and Remediation, available at http://www.counciloncybersecurity.org/critical-controls/.

\140\ The Commission understands that most covered DCMs and SDRs

currently conduct vulnerability testing on at least a quarterly

basis and in many cases on a continuous basis.

---------------------------------------------------------------------------

e. Independent Contractor Vulnerability Testing Requirements for

Covered DCMs and All SDRs

The proposed rule would require covered DCMs and SDRs to engage

independent contractors to conduct two of the required quarterly

vulnerability tests each year, while permitting covered DCMs and SDRs

to conduct other vulnerability testing using employees not responsible

for development or operation of the systems or capabilities being

tested.

Participants in the CFTC Roundtable agreed that important benefits

are provided when a testing program includes both testing by

independent contractors and testing by entity employees not responsible

for building or operating the system being tested. As one participant

noted, ``[t]here are advantages to both, but neither can stand alone.''

\141\ Much testing needs to happen internally, but much also needs to

be conducted from the viewpoint of an outsider, particularly where

testing against the possible tactics or techniques of a particular

threat actor is concerned.\142\ Third-party vendors offer specialized

expertise concerning the latest threat intelligence, the latest attack

vectors against the financial sector, and the recent experience of

other entities with similar systems and similar vulnerabilities.\143\

One benefit offered by testing conducted by entity employees is that

internal vulnerability testing and scanning can utilize viewpoints that

the outside world would not have, based on intimate knowledge of the

entity's network and systems.\144\ Conversely, an additional benefit

provided by independent contractor testing comes from the outsider's

different perspective, and his or her ability to look for things that

entity employees may not have contemplated during the design or

[[Page 80151]]

operation of the system involved.\145\ One Roundtable participant

observed that the vulnerability assessments which are the goal of

vulnerability testing done by entity employees need to themselves be

tested and validated by independent, external parties.\146\ In short,

an overall testing program that includes both testing by independent

contractors and testing by entity employee can offer complementary

benefits.

---------------------------------------------------------------------------

\141\ CFTC Roundtable, at 88.

\142\ Id. at 88-89.

\143\ Id. at 103-104.

\144\ Id. at 177.

\145\ Id. at 171.

\146\ Id.

---------------------------------------------------------------------------

Regarding the benefits provided by independent contractor testing,

NIST notes that:

[E]ngaging third parties (e.g., auditors, contractor support

staff) to conduct the assessment offers an independent view and

approach that internal assessors may not be able to provide.

Organizations may also use third parties to provide specific subject

matter expertise that is not available internally.\147\

---------------------------------------------------------------------------

\147\ NIST SP 800-115, at 6-6, available at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf. NIST also

notes that giving outsiders access to an organization's systems can

introduce additional risk, and recommends proper vetting and

attention to contractual responsibility in this regard.

FFIEC states that testing by independent contractors provides

credibility to test results.\148\ Where testing is conducted by entity

employees, FFIEC calls for tests performed ``by individuals who are

also independent of the design, installation, maintenance, and

operation of the tested system.'' \149\ In its COBIT 5 framework, ISACA

states that those performing system safeguards testing and assurance

should be independent from the functions, groups, or organizational

components being tested.\150\ With respect to system safeguards testing

by internal auditors, FFIEC states that the auditors should have both

independence and authority from the Board of Directors to access all

records and staff necessary for their audits.\151\ It also states that

they should not participate in activities that may compromise or appear

to compromise their independence, such as preparing or developing the

types of reports, procedures, or operational duties normally reviewed

by auditors.\152\ The data security standards of the Payment Card

Industry Security Standards Council call for conducting both internal

and external vulnerability scans, with external scans performed by an

approved vendor.\153\

---------------------------------------------------------------------------

\148\ FFIEC, Information Security IT Examination Handbook, at

81, available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf.

\149\ Id.

\150\ ISACA, COBIT 5, Monitor, Evaluate and Assess (``MEA'')

MEA02.05, Ensure that assurance providers are independent and

qualified, available at https://cobitonline.isaca.org.

\151\ Id. at 6.

\152\ Id.

\153\ PCI DSS, Requirement 11, Regularly test security systems

and processes, at 94-96, available at https://www.pcisecuritystandards.org/security_standards/index.php.

---------------------------------------------------------------------------

Current Commission system safeguards rules leave to a DCM or SDR

the choice of whether vulnerability testing or other system safeguards

testing is conducted by independent contractors or entity employees not

responsible for building or operating the systems being tested. The

proposed requirement for some vulnerability testing to be performed by

independent contractors is intended to ensure that covered DCM and SDR

programs of risk analysis and oversight with respect to system

safeguards include the benefits coming from a combination of testing by

both entity employees and independent contractors, as discussed above.

In light of the best practices and the current level of cyber threat to

the financial sector discussed above, the Commission believes that the

proposed rule provisions regarding vulnerability testing by independent

contractors are appropriate in today's cybersecurity environment.

4. Penetration Testing

a. Need for Penetration Testing

Penetration testing to exploit cyber and automated system

vulnerabilities, a testing type which complements vulnerability

testing, is also a significant component of a DCM's, SEF's, or SDR's

program of risk analysis and oversight to identify and minimize sources

of operational risk. Penetration tests go beyond the uncovering of an

organization's automated system vulnerabilities that vulnerability

testing aims to achieve: They subject the system to real-world attacks

by testing personnel, in order to identify both the extent to which an

attacker could compromise the system before the organization detects

and counters the attack, and the effectiveness of the organization's

response mechanisms.\154\ NIST defines penetration testing as ``[a]

test methodology in which assessors, typically working under specific

constraints, attempt to circumvent or defeat the security features of

an information system.'' \155\ NIST describes the benefits of

penetration testing as follows:

---------------------------------------------------------------------------

\154\ See FFIEC, Information Security IT Examination Handbook,

at 81, available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf.

\155\ NIST SP 800-53 Rev. 4, App. B at B-17, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

Penetration testing is a specialized type of assessment

conducted on information systems or individual system components to

identify vulnerabilities that could be exploited by adversaries.

Such testing can be used to either validate vulnerabilities or

determine the degree of resistance organizational information

systems have to adversaries within a set of specified constraints

(e.g., time, resources, and/or skills). Penetration testing attempts

to duplicate the actions of adversaries in carrying out hostile

cyber attacks against organizations and provides a more in-depth

---------------------------------------------------------------------------

analysis of security-related weaknesses/deficiencies.\156\

\156\ Id. at F-62, CA-8 Penetration Testing.

---------------------------------------------------------------------------

The Council on CyberSecurity explains the need for penetration

testing as follows:

Attackers often exploit the gap between good defensive designs

and intentions and implementation or maintenance. . . . In addition,

successful defense requires a comprehensive program of technical

defenses, good policy and governance, and appropriate action by

people. In a complex environment where technology is constantly

evolving, and new attacker tradecraft appears regularly,

organizations should periodically test their defenses to identify

gaps and to assess their readiness.

Penetration testing starts from the identification and

assessment of vulnerabilities that can be identified in the

enterprise. It complements this by designing and executing tests

that demonstrate specifically how an adversary can either subvert

the organization's security goals (e.g., the protection of specific

Intellectual Property) or achieve specific adversarial objectives

(e.g., establishment of a covert Command and Control

infrastructure). The result provides deeper insight, through

demonstration, into the business risks of various vulnerabilities.

[Penetration testing] exercises take a comprehensive approach at

the full spectrum of organization policies, processes, and defenses

in order to improve organizational readiness, improve training for

defensive practitioners, and inspect current performance levels.

Independent Red Teams can provide valuable and objective insights

about the existence of vulnerabilities and the efficacy of defenses

and mitigating controls already in place and even of those planned

for future implementation.\157\

---------------------------------------------------------------------------

\157\ Council on Cybersecurity, CSC 20, Penetration Tests and

Red Team Exercises: Why Is This Control Critical? available at

http://www.counciloncybersecurity.org/critical-controls/.

Anecdotally, one CFTC Roundtable participant characterized the need

for penetration testing by stating that, ``you will never know how

strong your security is until you try to break it yourself and try to

bypass it,'' adding that ``if you're not testing to see how strong it

is, I guarantee you, somebody

[[Page 80152]]

else is.'' \158\ Another Roundtable participant described the essential

function of penetration testing as intruding into a network as

stealthily as possible, mimicking the methodologies used by attackers,

seeing whether and at what point the entity can detect the intrusion,

and identifying gaps between the entity's current defenses and attacker

capabilities, with the goal of reducing the time needed to detect an

intrusion from multiple days to milliseconds, and closing the gaps

between attacker and defender capabilities.\159\

---------------------------------------------------------------------------

\158\ Id. at 96.

\159\ Id. at 58-60.

---------------------------------------------------------------------------

b. Best Practices Call for Both External and Internal Penetration

Testing

Best practices and standards provide that organizations should

conduct two types of penetration testing: External and internal. Many

best practices sources also describe the benefits of both types of

penetration testing. The Council on CyberSecurity states that

organizations should:

Conduct regular external and internal penetration tests to

identify vulnerabilities and attack vectors that can be used to

exploit enterprise systems successfully. Penetration testing should

occur from outside the network perimeter (i.e., the Internet or

wireless frequencies around an organization) as well as from within

its boundaries (i.e., on the internal network) to simulate both

outsider and insider attacks.\160\

---------------------------------------------------------------------------

\160\ Council on CyberSecurity, CSC 20-1, available at http://www.counciloncybersecurity.org/critical-controls/.

FINRA's recent Report on Cybersecurity Practices provides a useful

---------------------------------------------------------------------------

description of the benefits of penetration testing:

Penetration Testing (also known as ``Pen Testing'') is an

effective practice that simulates a real-world attack against a

firm's computer systems. The goal of a third-party penetration test

is to get an attacker's perspective on security weaknesses that a

firm's technology systems may exhibit.

Penetration Tests are valuable for several reasons:

Determining the feasibility of a particular set of

attack vectors;

identifying higher-risk vulnerabilities that result

from a combination of lower-risk vulnerabilities exploited in a

particular sequence;

identifying vulnerabilities that may be difficult or

impossible to detect with automated network or application

vulnerability scanning software;

assessing the magnitude of potential business and

operational impacts of successful attacks;

testing the ability of network defenders to

successfully detect and respond to the attack; and

providing evidence to support increased investments in

security personnel and technology.

Penetration Tests can take different forms depending on a firm's

specific objectives for the test. Each of these contributes in its

own way to an overall defense-in-depth strategy.\161\

---------------------------------------------------------------------------

\161\ FINRA, Report on Cybersecurity Practices (February 2015),

at 22, available at https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf.

FINRA also describes the different benefits of external and

---------------------------------------------------------------------------

internal penetration testing, and emphasizes the need for both types:

External penetration testing is designed to test a firm's

systems as they are exposed to the outside world (typically via the

Internet), while internal penetration testing is designed to test a

firm's systems' resilience to the insider threat. An advanced

persistent attack may involve an outsider gaining a progressively

greater foothold in a firm's environment, effectively becoming an

insider in the process. For this reason, it is important to perform

penetration testing against both external and internal interfaces

and systems.\162\

---------------------------------------------------------------------------

\162\ Id.

NIST standards for system safeguards call for organizations to

conduct penetration testing, and reference both external and internal

testing.\163\ NIST describes the benefits of external penetration tests

as follows:

---------------------------------------------------------------------------

\163\ NIST SP 800-53 Rev. 4, control CA-8 Penetration Testing,

available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

External security testing is conducted from outside the

organization's security perimeter. This offers the ability to view

the environment's security posture as it appears outside the

security perimeter--usually as seen from the Internet--with the goal

of revealing vulnerabilities that could be exploited by an external

attacker.\164\

---------------------------------------------------------------------------

\164\ NIST SP 800-115, at 2-4 to 2-5, available at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf.

NIST notes that internal penetration tests offer different

---------------------------------------------------------------------------

benefits, as follows:

For internal security testing, assessors work from the internal

network and assume the identity of a trusted insider or an attacker

who has penetrated the perimeter defenses. This kind of testing can

reveal vulnerabilities that could be exploited, and demonstrates the

potential damage this type of attacker could cause. Internal

security testing also focuses on system-level security and

configuration--including application and service configuration,

authentication, access control, and system hardening.\165\

---------------------------------------------------------------------------

\165\ Id. See also, e.g., System Administration, Networking, and

Security Institute (``SANS''), Penetration Testing in the Financial

Services Industry (2010), at 17, available at https://www.sans.org/reading-room/whitepapers/testing/penetration-testing-financial-services-industry-33314 (``Penetration testing is essential given

the context of high operational risk in the financial services

industry.'')

---------------------------------------------------------------------------

c. Proposed Penetration Testing Definitions and Related Provisions

The Commission is proposing to clarify the existing testing

requirements for all DCMs, all SEFs, and all SDRs by specifying both

external and internal penetration testing as essential to fulfilling

those requirements, and defining both. External penetration testing

would be defined as attempts to penetrate a DCM's, SEF's, or SDR's

automated systems or networks from outside their boundaries to identify

and exploit vulnerabilities (including, but not limited to, methods for

circumventing the security features of an application, system, or

network). Internal penetration testing would be defined as attempts to

penetrate a DCM's, SEF's, or SDR's automated systems or networks from

inside their boundaries to identify and exploit vulnerabilities

(including, but not limited to, methods for circumventing the security

features of an application, system, or network). These definitions are

consistent with the standards and best practices discussed above. In

light of the best practices, and the external and internal penetration

testing benefits noted above, the Commission believes that such testing

is important in the context of today's cybersecurity threat

environment.

The proposed rule would require all DCMs, SEFs, and SDRs to conduct

both external and internal penetration testing at a frequency

determined by an appropriate risk analysis. As discussed above, testing

as often as indicated by appropriate risk analysis is a best

practice.\166\

---------------------------------------------------------------------------

\166\ See discussion above concerning vulnerability testing.

---------------------------------------------------------------------------

d. Minimum Penetration Testing Frequency Requirements for Covered Dcms

and Sdrs

The proposed rule would require covered DCMs and SDRs to conduct

both external and internal penetration testing no less frequently than

annually.\167\ Best practices support this

[[Page 80153]]

requirement.\168\ NIST calls for at least annual penetration testing of

an organization's network and systems.\169\ The FFIEC calls for

independent penetration testing of high risk systems at least annually,

and for quarterly testing and verification of the efficacy of firewall

and access control defenses.\170\ Data security standards for the

payment card industry provide that entities should perform both

external and internal penetration testing ``at least annually,'' as

well as after any significant network changes, new system component

installations, firewall modifications, or product upgrades.\171\

---------------------------------------------------------------------------

\167\ The SEC's Regulation System Compliance and Integrity

(``Regulation SCI''), issued in final form in December 2014, also

requires penetration testing by SCI entities, defined as including,

among other things, national securities exchanges, alternative

trading systems, and registered clearing agencies. It requires each

SCI entity to conduct SCI reviews that include penetration testing

at least every three years. The Commission's proposed rule would

require covered DCMs and SDRs to conduct penetration testing at a

frequency determined by an appropriate risk analysis, but no less

frequently than annually. In light of the multiple best practices

cited above, and the importance of covered DCMs and SDRs to the

national economy, the Commission believes that conducting

penetration testing at least annually is appropriate.

\168\ The Commission understands that most covered DCMs (as

defined) and most SDRs currently conduct external and internal

penetration testing at least annually.

\169\ NIST, SP 800-115, Technical Guide to Information Security

Testing and Assessment, Section 5.2.2, at 5-5, available at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf.

\170\ FFIEC, Information Security IT Examination Handbook, at

82, available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf.

\171\ PCI DSS, Requirements 11.3.1 and 11.3.2. available at

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf.

---------------------------------------------------------------------------

e. Independent Contractor Penetration Testing Requirements for Covered

DCMS and All SDRS

The proposed rule would require covered DCMs and SDRs to engage

independent contractors to conduct the required minimum of an annual

external penetration test. It would allow covered DCMs and SDRs to have

internal penetration testing, and any additional external penetration

testing needed in light of appropriate risk analysis, conducted either

by independent contractors or by entity employees who are not

responsible for development or operation of the systems or capabilities

being tested.

As noted above, best practices support having some testing

conducted by independent contractors.\172\ NIST notes that:

---------------------------------------------------------------------------

\172\ See discussion above concerning vulnerability testing.

[E]ngaging third parties (e.g., auditors, contractor support

staff) to conduct the assessment offers an independent view and

approach that internal assessors may not be able to provide.

Organizations may also use third parties to provide specific subject

matter expertise that is not available internally.\173\

---------------------------------------------------------------------------

\173\ NIST SP 800-115, at 6-6, available at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf. NIST also

notes that giving outsiders access to an organization's systems can

introduce additional risk, and recommends proper vetting and

attention to contractual responsibility in this regard.

The data security standards of the Payment Card Industry Security

Standards Council call for external testing to be performed by an

approved vendor.\174\ Participants in the CFTC Roundtable agreed that

important benefits are provided when a testing program includes testing

by independent contractors, noting that vendor testing has particular

value with respect to what external penetration does, namely test from

the viewpoint of an outsider and against the current tactics,

techniques, and threat vectors of current threat actors as revealed by

current threat intelligence.\175\

---------------------------------------------------------------------------

\174\ PCI DSS, Requirement 11, Regularly test security systems

and processes, at 94-96, available at https://www.pcisecuritystandards.org/security_standards/index.php.

\175\ CFTC Roundtable, at 88-89, 103-104, 171.

---------------------------------------------------------------------------

Current Commission system safeguards rules leave to a DCM or SDR

the choice of whether penetration testing or other system safeguards

testing is conducted by independent contractors or entity employees not

responsible for building or operation of the systems being tested. The

proposed requirement for the required minimum annual external

penetration testing to be performed by independent contractors is

intended to ensure that covered DCM and SDR programs of risk analysis

and oversight with respect to system safeguards include the benefits

provided when independent contractors perform such testing. In light of

the best practices and the current level of cyber threat to the

financial sector discussed above, the Commission believes that the

proposed rule provisions regarding external penetration testing by

independent contractors are appropriate in today's cybersecurity

environment.\176\

---------------------------------------------------------------------------

\176\ The Commission understands that most DCMs that would be

covered by the proposed covered DCM definition, and most SDRs,

currently have external penetration testing conducted by independent

contractors at least annually.

---------------------------------------------------------------------------

5. Controls Testing

a. Need for Controls Testing

As defined in the proposed rule, controls are the safeguards or

countermeasures used by a DCM, SEF, or SDR to protect the reliability,

security, or capacity of its automated systems or the confidentiality,

integrity, and availability of its data and information, so as to

fulfill its statutory and regulatory responsibilities. Controls testing

is defined as assessment of all of the DCM's, SEF's, or SDR's system

safeguards-related controls, to determine whether they are implemented

correctly, are operating as intended, and are enabling the organization

to meet system safeguards requirements. Regular, ongoing testing of all

of an organization's system safeguards-related controls for these

purposes is a crucial part of the program of risk analysis and

oversight required of all DCMs, SEFs, and SDRs by the Act and

Commission regulations.\177\ As noted in NIST's standards and best

practices, there are three broad types of system safeguards-related

controls, including technical controls, operational controls, and

management controls.\178\ Some controls provide safeguards against

automated system failures or deficiencies, while others guard against

human error, deficiencies, or malicious action. Controls testing as

addressed by the proposed rule includes all of these types of system

safeguards controls.

---------------------------------------------------------------------------

\177\ 17 CFR 38.1050(a) (for DCMs); 17 CFR 37.1400(a) (for

SEFs); 17 CFR 49.24(a)(1) (for SDRs).

\178\ NIST SP 800-53 Rev. 4, at F-3, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf;

See also CFTC Roundtable, at 194-196.

---------------------------------------------------------------------------

Describing some of the important benefits of controls assessment,

NIST notes that ``[u]nderstanding the overall effectiveness of

implemented security and privacy controls is essential in determining

the risk to the organization's operations and assets . . . resulting

from the use of the system,''\179\ and observes that controls

assessment ``is the principal vehicle used to verify that implemented

security controls . . . are meeting their stated goals and

objectives.'' \180\ NIST adds that:

---------------------------------------------------------------------------

\179\ NIST SP 800-53A Rev. 4, Assessing Security and Privacy

Controls to Federal Information Systems and Organizations (``NIST SP

800-53A Rev. 4''), at 1, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf.

\180\ Id. at xi (Foreword).

Security assessments: (i) Ensure that information security is

built into organizational information systems; (ii) identify

weaknesses and deficiencies early in the development process; (iii)

provide essential information needed to make risk-based decisions as

part of security authorization processes; and (iv) ensure compliance

to vulnerability mitigation procedures.\181\

---------------------------------------------------------------------------

\181\ NIST SP 800-53 Rev. 4, control CA-2 Security Assessments,

available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

The Commission believes that in today's rapidly-changing cybersecurity

threat environment, regular, ongoing controls testing that verifies

over time the effectiveness of each system safeguards control used by a

DCM, SEF, or SDR is essential to ensuring the continuing overall

efficacy of the entity's system safeguards and of its program of risk

analysis and oversight.

[[Page 80154]]

b. Best Practices Call for Controls Testing

Best practices and standards call for organizations to conduct

regular, ongoing controls testing that over time includes testing of

all their system safeguards-related controls. NIST calls for

organizations to have a security assessment plan that:

Assesses the security controls in the information system and its

environment of operation to determine the extent to which the

controls are implemented correctly, operating as intended, and

producing the desired outcome with respect to meeting established

security requirements.\182\

---------------------------------------------------------------------------

\182\ Id.

NIST notes that the results of such testing can allow organizations,

among other things to identify potential cybersecurity problems or

shortfalls, identify security-related weaknesses and deficiencies,

prioritize risk mitigation decisions and activities, confirm that

weaknesses and deficiencies have been addressed, and inform related

budgetary decisions and capital investment.\183\ FFIEC calls for

controls testing because ``[c]ontrols should not be assumed to be

completely effective,'' and states that a controls testing program ``is

sound industry practice and should be based on an assessment of the

risk of non-compliance or circumvention of the institution's

controls.'' \184\ ISACA's COBIT standards call for organizations to

``[c]ontinuously monitor and evaluate the control environment,

including self-assessments and independent assurance reviews,'' \185\

and to ``[r]eview the operation of controls . . . to ensure that

controls within business process operate effectively.'' \186\ ISACA

observes that this enables management ``to identify control

deficiencies and inefficiencies and to initiate improvement actions.''

\187\

---------------------------------------------------------------------------

\183\ NIST SP 800-53A Rev. 4, at 3, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf.

\184\ FFIEC, Information Security IT Examination Handbook,

available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf.

\185\ ISACA, COBIT 5, MEA02 Evaluate and Assess the System of

Internal Control, available at https://cobitonline.isaca.org/.

\186\ Id., Section 02.02 Review Business Process Controls

Effectiveness.

\187\ Id., Section 02.

---------------------------------------------------------------------------

c. Controls Testing Definitions and Related Provisions

In this NPRM, the Commission is proposing to clarify the existing

testing requirements for all DCMs, SEFs, and SDRs by specifying

controls testing as essential to fulfilling those requirements, and

defining it. The proposed rule's definitions of controls and controls

testing are discussed above.\188\ The proposed rule also defines ``key

controls'' as those controls that an appropriate risk analysis

determines are either critically important for effective system

safeguards, or intended to address risks that evolve or change more

frequently and therefore require more frequent review to ensure their

continuing effectiveness in addressing such risks.

---------------------------------------------------------------------------

\188\ See discussion above concerning the need for controls

testing.

---------------------------------------------------------------------------

The proposed rule would require each DCM, SEF, and SDR to conduct

controls testing, including testing of each control included in its

program of system safeguards-related risk analysis and oversight, at a

frequency determined by an appropriate risk analysis. As discussed

above, testing at such a frequency is a best practice.\189\

---------------------------------------------------------------------------

\189\ See discussion above concerning vulnerability testing.

---------------------------------------------------------------------------

d. Minimum Controls Testing Frequency Requirements for Covered DCMs and

SDRs

The proposed rule would call for a covered DCM or an SDR to conduct

controls testing, including testing of each control included in its

program of system safeguards-related risk analysis and oversight, no

less frequently than every two years. It would permit such testing to

be conducted on a rolling basis over the course of the two-year period

or the period determined by appropriate risk analysis, whichever is

shorter.\190\

---------------------------------------------------------------------------

\190\ The Commission understands that the proposed rule could

result in some additional controls testing costs for some covered

DCMs or SDRs, because they are not currently conducting testing of

all their system safeguards controls at the minimum frequency

required by the proposed rule. In such cases, the covered DCM or SDR

would need to accelerate the testing of some controls to comply with

the two-year minimum frequency requirement.

---------------------------------------------------------------------------

The proposed rule includes this frequency provision in order to

ensure that in all cases, each control included in the system

safeguards risk analysis and oversight program of a covered DCM or an

SDR is tested at least every two years, or tested more frequently if

that is indicated by appropriate analysis of the entity's system

safeguards-related risks. The Commission believes that it is essential

for each control to be tested at least this often in order to confirm

the continuing adequacy of the entity's system safeguards in today's

cybersecurity threat environment. The Commission also recognizes that

appropriate risk analysis may well determine that more frequent testing

of either certain key controls or all controls is necessary.

The provision permitting such testing to be done on a rolling basis

is included in recognition of the fact that an adequate system

safeguards program for a covered DCM or an SDR must necessarily include

large numbers of controls of all the various types discussed above, and

that therefore it could be impracticable and unduly burdensome to

require testing of all controls in a single test. The rolling basis

provision is designed to give flexibility to a covered DCM or an SDR

concerning which controls are tested when during the applicable minimum

period--either every two years or more often if called for by

appropriate risk analysis--as long as each control is tested within the

applicable minimum period. This flexibility is intended to reduce

burdens associated with testing every control to the extent possible

while still ensuring the needed minimum testing frequency. Testing on a

rolling or recursive basis is also congruent with best practices. NIST

states that a controls test can consist of either complete assessment

of all controls or a partial assessment of controls selected for a

particular assessment purpose.\191\ NIST notes that over time,

organizations can increase cybersecurity situational awareness through

appropriate testing, which provides increased insight into and control

of the processes used to manage the organization's security, which in

turn enhances situational awareness, in a recursive process.\192\

---------------------------------------------------------------------------

\191\ NIST SP 800-53A Rev. 4, at 17-18, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf.

\192\ NIST SP-800-137, Information Security Continuous

Monitoring (ISCM) for Federal Information Systems and Organizations,

at 6, available at http://csrc.nist.gov/publications/nistpubs/800-137/SP800-137-Final.pdf.

---------------------------------------------------------------------------

e. Independent Contractor Controls Testing Requirements for Covered

DCMs and SDRs

The proposed rule would require covered DCMs and SDRs to engage

independent contractors to test and assess each of the entity's key

controls no less frequently than every two years.\193\ It permits the

covered DCM or SDR to conduct any other required controls testing by

using either independent contractors or entity employees not

responsible for development or operation of the systems of capabilities

involved in the test. Independent testing of key controls is consonant

with best practices. ISACA

[[Page 80155]]

standards call for controls testing to include independent assurance

reviews as well as self-assessments, in order to assure control

effectiveness.\194\ NIST calls for controls testing to include

assessment by independent assessors, free from actual or perceived

conflicts of interest, in order to validate the completeness, accuracy,

integrity, and reliability of test results.\195\ The proposed rule's

requirement for testing of key controls by independent contractors at

least every two years is designed to ensure that covered DCM and SDR

programs of risk analysis and oversight with respect to system

safeguards include these benefits with regard to the testing of their

key controls. In light of the best practices and the current level of

cyber threat to the financial sector discussed above, the Commission

believes that having each of a covered DCM's or SDR's key controls

tested by independent contractors at least every two years is

appropriate and important in today's cybersecurity environment. The

rolling basis provision of the proposed rule regarding controls testing

would leave to a covered DCM or SDR the choice of whether to have key

controls testing by independent contractors done in a single test at

least every two years, or in multiple, partial tests by independent

contractors that cover each key control within the two-year minimum

period.\196\

---------------------------------------------------------------------------

\193\ The Commission understands that most DCMs that would be

covered by the proposed covered DCM definition, and most SDRs,

currently retain independent contractors to perform testing of their

key controls.

\194\ ISACA, COBIT 5, MEA02, Monitor, Evaluate and Assess the

System of Internal Control, available at https://cobitonline.isaca.org/.

\195\ NIST SP 800-53 Rev. 4, control CA-2 Security Assessments,

Control Enhancements 1, Security Assessments: Independent Assessors,

available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

\196\ The requirements proposed by the Commission regarding

controls testing are generally consistent with the SEC's Regulation

SCI, issued in final form in December 2014. Regulation SCI applies

to SCI entities, defined as including, among other things, national

securities exchanges, alternative trading systems, and registered

clearing agencies. It requires each SCI entity to conduct SCI

reviews that include assessments of the design and effectiveness of

internal controls, in a manner consistent with industry standards.

SCI reviews must be conducted at least annually.

---------------------------------------------------------------------------

6. Security Incident Response Plan Testing

a. Need for Security Incident Response Plans and Testing

Financial sector entities should maintain and test a security

incident \197\ response plan (``SIRP''). As the Council on

CyberSecurity explains in addressing its Critical Security Control

calling for incident response plans and testing:

---------------------------------------------------------------------------

\197\ NIST defines a ``security incident'' as ``[a]n occurrence

that actually or potentially jeopardizes the confidentiality,

integrity, or availability of an information system or the

information the system processes, stores, or transmits, or that

constitutes a violation or imminent threat of violation of security

policies, security procedures, or acceptable use policies.'' NIST SP

800-53 Rev. 4, at B-9, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. NIST further

defines a ``computer security incident'' as ``a violation or

imminent threat of violation of computer security policies,

acceptable use policies, or standard security practices.'' NIST SP

800-61 Rev. 2, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf. The FFIEC defines a

``security incident'' as ``the attempted or successful unauthorized

access, use, modification, or destruction of information systems or

customer data. If unauthorized access occurs, the financial

institution's computer systems could potentially fail and

confidential information could be compromised.'' FFIEC IT

Examination Handbook, Business Continuity Planning IT Examination

Handbook, at 25, available at http://ithandbook.ffiec.gov/

ITBooklets/FFIEC_ITBooklet_BusinessContinuityPlanning.pdf.

Cyber incidents are now just part of our way of life. Even

large, well-funded, and technically sophisticated enterprises

struggle to keep up with the frequency and complexity of attacks.

The question of a successful cyber-attack against an enterprise is

not ``if'' but ``when''. When an incident occurs, it is too late to

develop the right procedures, reporting, data collection, management

responsibility, legal protocols, and communications strategy that

will allow the enterprise to successfully understand, manage, and

recover. Without an incident response plan, an organization may not

discover an attack in the first place, or, if the attack is

detected, the organization may not follow good procedures to contain

damage, eradicate the attacker's presence, and recover in a secure

fashion. Thus, the attacker may have a far greater impact, causing

more damage, infecting more systems, and possibly exfiltrate more

sensitive data than would otherwise be possible were an effective

incident response plan in place.\198\

---------------------------------------------------------------------------

\198\ Council on CyberSecurity, The Critical Security Controls

for Effective Cyber Defense Version 5.1, CSC 18, at 96, available at

http://www.counciloncybersecurity.org/critical-controls/.

Adequate cyber resilience requires that organizations have the capacity

to detect, contain, eliminate, and recover from a cyber intrusion. The

Commission believes that SIRPs and their testing are essential to such

capabilities.

CFTC Roundtable participants recommended that the Commission

consider SIRP testing in addressing the various types of testing needed

in today's cyber threat environment.\199\ Panelists stated that testing

an organization's ability to recover from cyber attacks, in particular

from attacks aimed at destruction of data or automated systems or at

degradation of data integrity, is very important.\200\ They noted that

when a security incident actually happens, it is helpful to have an

incident response plan, but more helpful to have tested it. Panelists

explained if the organization has practiced its plan or framework for

responding to a security incident, the people who must make decisions--

often with incomplete or conflicting information--will know what

numbers to call, where to go, what is expected, and what the framework

is for making the quick decisions that are needed. They also noted that

failure to practice the response process can delay or paralyze timely

response and cause severe consequences, and that this makes practicing

an incident response plan or framework crucial to effective incident

response.\201\ Panelists also noted that much financial sector business

continuity testing has focused in the past on an entity's ability to

respond to physical security incidents such as storms, transportation

or electric power outages, fire, flood, etc. In addition to physical

security incident response testing, adequate testing today must take

into account the fact that the risk landscape has changed and now

includes increased cyber threat.\202\

---------------------------------------------------------------------------

\199\ CFTC Roundtable, at 82-84.

\200\ Id. at 79-80.

\201\ Id. at 284-287.

\202\ Id. at 283-284, 290-294.

---------------------------------------------------------------------------

b. Best Practices Call for Maintaining and Testing a SIRP

Having and testing a cyber and physical security incident response

plan is a best practice with regard to cybersecurity. NIST urges

organizations to have a cyber incident response plan that:

Establishes procedures to address cyber attacks against an

organization's information system(s). These procedures are designed

to enable security personnel to identify, mitigate, and recover from

malicious computer incidents, such as unauthorized access to a

system or data, denial of service, or unauthorized changes to system

hardware, software, or data (e.g., malicious logic, such as a virus,

worm, or Trojan horse).\203\

---------------------------------------------------------------------------

\203\ NIST SP 800-34 Rev. 1, Contingency Planning Guide for

Federal Information Systems (``NIST SP 800-34 Rev. 1''), Sec. 2.2.5

Cyber Incident Response Plan, at 11, available at http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf.

NIST notes that such plans may be included as an appendix to the

organization's business continuity plan.\204\

---------------------------------------------------------------------------

\204\ Id.

---------------------------------------------------------------------------

NIST best practices for cybersecurity also call for organizations

to test their incident response capabilities with respect to their

information systems, at appropriate frequencies, to determine their

effectiveness, and to document test results.\205\ They provide that

organizations should:

---------------------------------------------------------------------------

\205\ NIST SP 800-53 Rev. 4, control IR-3 Incident Response

Testing, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

[[Page 80156]]

---------------------------------------------------------------------------

[H]ave information technology (IT) plans in place, such as

contingency and computer security incident response plans, so that

they can respond to and manage adverse situations involving IT.

These plans should be maintained in a state of readiness, which

should include having personnel trained to fulfill their roles and

responsibilities within a plan, having plans exercised to validate

their content, and having systems and system components tested to

ensure their operability in an operational environment specified in

a plan. These three types of events can be carried out efficiently

and effectively through the development and implementation of a

test, training, and exercise (TT&E) program. Organizations should

consider having such a program in place because tests, training, and

exercises are so closely related. For example, exercises and tests

offer different ways of identifying deficiencies in IT plans,

procedures, and training.\206\

---------------------------------------------------------------------------

\206\ NIST SP 800-84, Guide to Test, Training, and Exercise

Programs for IT Plans and Capabilities (``NIST SP 800-84''), at ES-

1, available at http://csrc.nist.gov/publications/nistpubs/800-84/SP800-84.pdf.

---------------------------------------------------------------------------

NIST adds that:

Organizations should conduct TT&E events periodically; following

organizational changes, updates to an IT plan, or the issuance of

new TT&E guidance; or as otherwise needed. This assists

organizations in ensuring that their IT plans are reasonable,

effective, and complete, and that all personnel know what their

roles are in the conduct of each IT plan. TT&E event schedules are

often dictated in part by organizational requirements. For example,

NIST Special Publication 800-53 requires Federal agencies to conduct

exercises or tests for their systems' contingency plans and incident

response capabilities at least annually.\207\

---------------------------------------------------------------------------

\207\ Id. at ES-2.

---------------------------------------------------------------------------

In addition, NIST states that an organization following best practices:

Coordinates contingency planning activities with incident

handling activities. By closely coordinating contingency planning

with incident handling activities, organizations can ensure that the

necessary contingency planning activities are in place and activated

in the event of a security incident.\208\

---------------------------------------------------------------------------

\208\ NIST SP 800-53 Rev. 4, control CP-2 Contingency Plan,

available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-3r4.pdf.

According to NIST, an organization following best practices tests the

contingency plan for an information system at an appropriate frequency,

using organization-defined tests, to determine the effectiveness of the

plan and the organizational readiness to execute the plan. It then

reviews the test results, and initiates corrective actions if

needed.\209\

---------------------------------------------------------------------------

\209\ NIST SP 800-53 Rev. 4, control CP-4 Contingency Plan

Testing, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

---------------------------------------------------------------------------

FINRA's best practices also call for SIRPs. FINRA's 2015 Report on

Cybersecurity Practices states that:

Firms should establish policies and procedures, as well as roles

and responsibilities for escalating and responding to cybersecurity

incidents. Effective practices for incident response include

involvement in industry-wide and firm-specific simulation exercises

as appropriate to the role and scale of a firm's business.\210\

---------------------------------------------------------------------------

\210\ FINRA, Report on Cybersecurity Practices (February 2015),

at 23, available at https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf.

The FFIEC has said that ``[e]very financial institution should

develop an incident response policy that is properly integrated into

the business continuity planning process.'' \211\ The FFIEC also calls

for incident response plan testing, stating that ``[f]inancial

institutions should assess the adequacy of their preparation by testing

incident response guidelines to ensure that the procedures correspond

with business continuity strategies.\212\

---------------------------------------------------------------------------

\211\ FFIEC, Business Continuity Planning IT Examination

Handbook, at 25, available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_BusinessContinuityPlanning.pdf.

\212\ Id. at 25-26.

---------------------------------------------------------------------------

The Council on CyberSecurity's Critical Security Controls provide

that organizations should protect their information, as well as their

reputations, by developing and implementing an incident response plan

and infrastructure ``for quickly discovering an attack and then

effectively containing the damage, eradicating the attacker's presence,

and restoring the integrity of the network and systems.'' \213\ The

Critical Security Controls also call for organizations to ``conduct

periodic incident scenario sessions for personnel associated with the

incident handling team, to ensure that they understand current threats

and risks, as well as their responsibilities in supporting the incident

handling teams.'' \214\

---------------------------------------------------------------------------

\213\ Council on CyberSecurity, The Critical Security Controls

for Effective Cyber Defense Version 5.1, CSC 18, at 96, available at

http://www.counciloncybersecurity.org/critical-controls/.

\214\ Id. at 97.

---------------------------------------------------------------------------

c. Flexibility Regarding Forms of SIRP Testing

SIRP testing can take a number of possible forms, consistent with

generally accepted standards and best practices, and accordingly, the

proposed rule would apply the general requirement that the forms of

testing addressed in an entity's security incident response plan should

be aligned with an entity's appropriate analysis of its system

safeguards-related risks. As noted in NIST's best practices regarding

security incident response testing:

Organizations test incident response capabilities to determine

overall effectiveness of the capabilities and to identify potential

weaknesses or deficiencies. Incident response testing includes, for

example, the use of checklists, walk-through or tabletop exercises,

simulations (parallel/full interrupt), and comprehensive exercises.

Incident response testing can also include a determination of the

effects on organizational operations (e.g., reduction in mission

capabilities), organizational assets, and individuals due to

incident response.\215\

---------------------------------------------------------------------------

\215\ NIST SP 800-53 Rev. 4, control IR-3 Incident Response

Testing, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

As provided in the proposed rule, the scope of the plan and its testing

should be broad enough to support entity resilience with respect to

security incidents that is sufficient to enable the entity to fulfill

its statutory and regulatory responsibilities. Such resilience should

include the ability to detect, contain, respond to, and recover from

both cyber and physical security incidents in a timely fashion.

d. Best Practices Provide Guidance Regarding Appropriate SIRP Contents

The Commission notes that its existing system safeguards rules and

guidance for DCMs, SEFs, and SDRs provide that those entities should

follow generally accepted standards and best practices in meeting the

testing requirements applicable to their required program of risk

analysis and oversight with respect to system safeguards, and that this

applies with respect to SIRPs and their testing.\216\ Best practices

provide useful guidance concerning the contents of an adequate SIRP.

---------------------------------------------------------------------------

\216\ 17 CFR 38.1050; 17 CFR 38.1051(a) and (b) (for DCMs);

Appendix A to Part 37, Core Principle 14 of Section 5h of the Act--

System Safeguards (a) Guidance (1) Risk analysis and oversight

program (for SEFs); 17 CFR 49.24(a) through (c) (for SDRs).

---------------------------------------------------------------------------

For example, NIST calls for an organization to develop, document,

and distribute to the appropriate personnel ``an incident response

policy that addresses purpose, scope, roles, responsibilities,

management commitment, coordination among organizational entities, and

compliance,'' as well as ``procedures to facilitate the implementation

of the incident response policy and associated incident response

controls.'' \217\ NIST further recommends that an

[[Page 80157]]

organization should develop and maintain an incident response plan

that:

---------------------------------------------------------------------------

\217\ NIST SP 800-53 Rev. 4, control IR-1 Incident Response

Policy and Procedures, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

1. Provides the organization with a roadmap for implementing its

incident response capability;

2. Describes the structure and organization of the incident

response capability;

3. Provides a high-level approach for how the incident response

capability fits into the overall organization;

4. Meets the unique requirements of the organization, which

relate to mission, size, structure, and functions;

5. Defines reportable incidents;

6. Provides metrics for measuring the incident response

capability within the organization;

7. Defines the resources and management support needed to

effectively maintain and mature an incident response capability; and

8. Is reviewed and approved by [appropriate organization-defined

personnel or roles].\218\

---------------------------------------------------------------------------

\218\ NIST SP 800-53 Rev. 4, control IR-8 Incident Response

Plan, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

NIST also calls for the organization to distribute copies of the plan

to appropriate personnel; review the plan at an appropriate frequency;

update the plan ``to address system/organizational changes or problems

encountered during plan implementation, execution, or testing;''

communicate plan changes to appropriate personnel; and protect the plan

from unauthorized disclosure and modification.\219\ NIST notes that

while incident response policies are individualized to the

---------------------------------------------------------------------------

organization, most policies include the same key elements:

\219\ Id.

Statement of management commitment.

Purpose and objectives of policy.

Scope of the policy (to whom and what it applies and

under what circumstances).

Definition of computer security incidents and related

terms.

Organizational structure and definition of roles,

responsibilities, and levels of authority; should include the

authority of the incident response team to confiscate or disconnect

equipment and to monitor suspicious activity, the requirements for

reporting certain types of incidents, the requirements and

guidelines for external communications and information sharing

(e.g., what can be shared with whom, when, and over what channels),

and the handoff and escalation points in the incident management

process.

Prioritization or severity ratings of incidents.

Performance measures.

Reporting and contact forms.\220\

---------------------------------------------------------------------------

\220\ NIST SP 800-61 Rev. 2, section 2.3.1 Policy Elements,

available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.

---------------------------------------------------------------------------

e. Proposed SIRP Definitions and Related Provisions

In this NPRM, the Commission is proposing to clarify the existing

testing requirements for all DCMs, SEFs, and SDRs by specifying SIRP

testing as essential to fulfilling those requirements, and defining it.

The proposed rule would define ``security incident'' as a cyber or

physical security event that actually or potentially jeopardizes

automated system operation, reliability, security, or capacity, or the

availability, confidentiality, or integrity of data. The proposed rule

would define ``security incident response plan'' as a written plan that

documents the DCM's, SEF's, or SDR's policies, controls, procedures,

and resources for identifying, responding to, mitigating, and

recovering from security incidents, as well as the roles and

responsibilities of management, staff, and independent contractors in

responding to security incidents. This definition notes that a SIRP may

be a separate document or a BC-DR plan section or appendix dedicated to

security incident response. The proposed rule would define ``security

incident response plan testing'' as testing of a DCM's, SEF's, or SDR's

SIRP to determine its effectiveness, identify its potential weaknesses

or deficiencies, enable regular updating and improvement, and maintain

the entity's preparedness and resiliency with respect to security

incidents. This definition adds that methods of conducting SIRP testing

may include (without limitation) checklist completion, walk-through or

table-top exercises, simulations, and comprehensive exercises.

The proposed rule would require all DCMs, SEFs, and SDRs to conduct

SIRP testing at a frequency determined by an appropriate risk analysis.

As discussed above, testing as often as indicated by appropriate risk

analysis is a best practice.\221\ The Commission believes that in

today's cybersecurity threat environment, appropriate risk analysis may

well call for conducting frequent SIRP tests of various types. The

flexibility regarding forms of SIRP testing provided by the proposed

rule is designed in part to encourage appropriately frequent SIRP

testing.

---------------------------------------------------------------------------

\221\ See discussion above concerning vulnerability testing.

---------------------------------------------------------------------------

f. Minimum SIRP Testing Frequency Requirements for Covered DCMs and

SDRs

The proposed rule would call for a covered DCM or an SDR to conduct

SIRP testing no less frequently than annually.\222\ Best practices

support this requirement. For example, NIST calls for organizations to

test their systems-related contingency plans and incident response

capabilities at least annually.\223\

---------------------------------------------------------------------------

\222\ The Commission understands that many covered DCMs (as

defined) and many SDRs currently conduct SIRP testing at least

annually.

\223\ NIST SP 800-84, Guide to Test, Training, and Exercise

Programs for IT Plans and Capabilities, at 2-4 (citing NIST SP 800-

53, Rev. 4, Security and Privacy Controls for Federal Information

Systems and Organizations).

---------------------------------------------------------------------------

g. Who Performs Security Incident Response Plan Testing

The proposed rule would leave to covered DCMs and SDRs (as well as

to all other DCMs and to all SEFs) the choice of having security

incident response plan testing conducted by independent contractors or

by employees of the covered DCM or SDR. This provision of the proposed

rule therefore would not impose any additional burdens or costs on DCMs

or SDRs.

7. Enterprise Technology Risk Assessment

a. Enterprise Technology Risk Assessment Definition and Purpose

The proposed rule would clarify the testing requirements of the

Commission's current system safeguards rules for all DCMs, SEFs, and

SDRs by specifying that conducting regular enterprise technology risk

assessments (``ETRAs'') is essential to meeting those testing

requirements. The proposed rule would define ETRAs as written

assessments that include (without limitation) an analysis of threats

and vulnerabilities in the context of mitigating controls. As further

defined, an ETRA identifies, estimates, and prioritizes a DCM's, SEF's

or SDR's risks to operations or assets, or to market participants,

individuals, or other entities, resulting from impairment of the

confidentiality, integrity, or availability of data and information or

the reliability, security, or capacity of automated systems. The

purpose of assessments of enterprise risk is identifying (a) threats

and vulnerabilities, (b) the harm that could occur given the potential

for threats that exploit vulnerabilities, and (c) the likelihood that

such harm will occur, in order to produce a broad determination of the

organization's system safeguards-related risks.\224\ According to NIST,

such risk assessment is necessary for well-informed, risk-based

leadership

[[Page 80158]]

decisions that ``balance the benefits gained from the operation and use

of . . . information systems with the risk of the same systems being

vehicles through which purposeful attacks, environmental disruptions,

or human errors cause mission or business failure.'' \225\

---------------------------------------------------------------------------

\224\ NIST SP 800-39, at 1, available at http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf.

\225\ Id.

---------------------------------------------------------------------------

An ETRA may be used as the overarching vehicle through which a DCM,

SEF, or SDR draws together and uses the results and lessons learned

from each of the types of cybersecurity and system safeguards testing

addressed in the proposed rule, in order to identify and mitigate its

system safeguards-related risks. As NIST observes, ``[s]ince no one

technique can provide a complete picture of the security of a system or

network, organizations should combine appropriate techniques to ensure

robust security assessments.'' \226\

---------------------------------------------------------------------------

\226\ NIST SP 800-115, available at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf.

---------------------------------------------------------------------------

The proposed rule's testing scope provisions would require that

DCMs, SEFs, and SDRs conduct ETRAs of a scope broad enough to identify

any vulnerability that, if exploited or accidentally triggered, could

enable: (1) Interference with the organization's operations or the

fulfillment of its statutory and regulatory responsibilities, (2)

impairment or degradation of the reliability, security, or capacity of

the organization's automated systems, (3) addition, deletion,

modification, exfiltration, or compromise of any data relating to the

organization's regulated activities, or (4) any other unauthorized

action affecting the organization's regulated activities or the

hardware or software used in connection with them. The proposed rule

would not, however, specify particular methods, structures, or

frameworks for ETRAs. Best practices provide a number of sources for

such risk assessment frameworks,\227\ and a DCM, SEF, or SDR would have

flexibility to choose the assessment framework it believes most

appropriate to its particular circumstances. FINRA notes that

approaches to integrating threats and vulnerabilities in an overall

risk assessment report often differ, with some organizations following

proprietary risk assessment methodologies and others using vendor

products tailored to their particular needs, and with firms using a

variety of cyber incident and threat intelligence inputs for their risk

assessments.\228\ The flexibility provided by the proposed rule in this

respect is intended to reduce the costs of performing an ETRA to the

extent practicable while still ensuring the sufficiency of the

important assessment process.

---------------------------------------------------------------------------

\227\ See, e.g., ISACA, COBIT 5; International Organisation for

Standardisation and International Electrotechnical Commission

(``ISO/IEC'') 27001; FFIEC.

\228\ FINRA, Report on Cybersecurity Practices (February 2015),

at 14, available at https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf.

---------------------------------------------------------------------------

The proposed rule would require all DCMs, SEFs, and SDRs to conduct

ETRAs at a frequency determined by an appropriate risk analysis. As

noted above, conducting testing and assessment as often as indicated by

such risk analysis is a best practice.\229\

---------------------------------------------------------------------------

\229\ See discussion of vulnerability testing frequency.

---------------------------------------------------------------------------

b. Best Practices Call for ETRAs

Regular performance of ETRAs is a best practice. In describing such

assessments and emphasizing their importance, FFIEC states that:

Financial institutions must maintain an ongoing information

security risk assessment program that effectively:

Gathers data regarding the information and technology

assets of the organization, threats to those assets,

vulnerabilities, existing security controls and processes, and the

current security standards and requirements;

Analyzes the probability and impact associated with the

known threats and vulnerabilities to their assets; and

Prioritizes the risks present due to threats and

vulnerabilities to determine the appropriate level of training,

controls, and assurance necessary for effective mitigation.\230\

---------------------------------------------------------------------------

\230\ FFIEC, Information Security IT Examination Handbook, at 7-

8, available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf.

FINRA calls for firms to conduct regular risk assessments to identify

cybersecurity risks, and for such assessments to include ``an

assessment of external and internal threats and asset vulnerabilities,

and prioritized and time-bound recommendations to remediate identified

risks.'' \231\ FINRA calls such risk assessments ``a key driver in a

firm's risk management-based cybersecurity program.'' \232\ ISACA

standards contain similar provisions.\233\

---------------------------------------------------------------------------

\231\ FINRA, Report on Cybersecurity Practices (February 2015),

at 12, available at https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf.

\232\ Id. at 13.

\233\ ISACA, COBIT 5, APO12, Manage Risk, available at https://cobitonline.isaca.org.

---------------------------------------------------------------------------

c. Minimum ETRA Frequency Requirements for Covered DCMs and SDRs

The proposed rule would call for covered DCMs and SDRs to conduct

an ETRA no less frequently than annually.\234\ Either annual or more

frequent assessment of technology and cybersecurity risk is a best

practice. For example, FINRA states that firms conducting appropriate

risk assessment do so either annually or on an ongoing basis throughout

the year, in either case culminating in an annual risk assessment

report.\235\ As noted above, FFIEC calls for financial institutions to

maintain ongoing information security risk assessment programs.\236\

---------------------------------------------------------------------------

\234\ The Commission understands that most covered DCMs and most

SDRs currently perform cybersecurity and system safeguards risk

assessments on at least an annual basis.

\235\ FINRA, Report on Cybersecurity Practices (February 2015),

at 14, available at https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf.

\236\ FFIEC, Information Security IT Examination Handbook, at 7-

8, available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf.

---------------------------------------------------------------------------

The proposed requirement to prepare a written assessment on at

least an annual basis would not eliminate the need for a covered DCM or

SDR to conduct risk assessment and monitoring on an ongoing basis, as

best practices require. Rather, the proposed requirement is intended to

formalize the risk assessment process and ensure that it is documented

at a minimum frequency. As noted in the FFIEC Handbook: ``Monitoring

and updating the security program is an important part of the ongoing

cyclical security process. Financial institutions should treat security

as dynamic with active monitoring; prompt, ongoing risk assessment; and

appropriate updates to controls.'' \237\

---------------------------------------------------------------------------

\237\ Id. at 86.

---------------------------------------------------------------------------

d. Who Conducts ETRAs

The proposed rule would permit covered DCMs and SDRs (as well as

all other DCMs and all SEFs) to conduct ETRAs using either independent

contractors or employees not responsible for development or operation

of the systems or capabilities being assessed. Assessment by

independent contractors is congruent with best practices. NIST and

FFIEC note that assessment by independent contractors offers the

benefit of an independent view and approach that might not be provided

by internal assessors, and can lend credibility to assessment

results.\238\ Best practices

[[Page 80159]]

also support assessment by entity employees, provided that they are

suitably independent of the design, installation, maintenance, and

operation of systems being assessed.\239\ A dedicated risk department,

an internal audit department, or a Chief Compliance Officer would be

examples of entity employees who could appropriately conduct an ETRA.

Because the proposed rule gives flexibility to covered DCMs and SDRs

regarding who conducts ETRAs, this provision will not impose additional

costs.\240\

---------------------------------------------------------------------------

\238\ See NIST SP 800-115, at 6-6, available at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf; and

FFIEC, Information Security IT Examination Handbook, at 81,

available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf.

\239\ Id. See also, e.g., ISACA, COBIT 5, MEA02.05, Ensure that

assurance providers are independent and qualified, available at

https://cobitonline.isaca.org/.

\240\ The requirements proposed by the Commission regarding

enterprise technology risk assessment are generally consistent with

the SEC's Regulation SCI, issued in final form in December 2014.

Regulation SCI applies to SCI entities, defined as including, among

other things, national securities exchanges, alternative trading

systems, and registered clearing agencies. It requires each SCI

entity to conduct SCI reviews that include automated system risk

assessments, in a manner consistent with industry standards. SCI

reviews must be conducted at least annually.

---------------------------------------------------------------------------

G. Additional Testing-Related Risk Analysis and Oversight Program

Requirements Applicable To All DCMs, SEFs, and SDRs

As noted above, the Act requires each DCM, SEF, and SDR to develop

and maintain a program of system safeguards-related risk analysis and

oversight to identify and minimize sources of operational risk.\241\

The Act mandates that in this connection each DCM, SEF, and SDR must

develop and maintain automated systems that are reliable, secure, and

have adequate scalable capacity, and must ensure system reliability,

security, and capacity through appropriate controls and

procedures.\242\ The Commission's existing system safeguards rules for

DCMs, SEFs, and SDRs mandate that, in order to achieve these statutory

requirements, each DCM, SEF, and SDR must conduct testing and review

sufficient to ensure that its automated systems are reliable, secure,

and have adequate scalable capacity.\243\ The existing rules and

guidance also provide that a DCM's, SEF's, or SDR's entire program of

risk analysis and oversight, which includes such testing, should be

based on generally accepted standards and best practices with respect

to the development, operation, reliability, security, and capacity of

automated systems.\244\

---------------------------------------------------------------------------

\241\ CEA section 5(d)(20) (for DCMs); CEA section 5h(f)(14)

(for SEFs); CEA section 21(f)(4)(A) and 17 CFR 49.24(a) (for SDRs).

\242\ Id.

\243\ 17 CFR 38.1051(h) (for DCMs); 17 CFR 37.1401(g) (for

SEFs); 17 CFR 49.24(j) (for SDRs).

\244\ See 17 CFR 38.1051(b) (for DCMs); Appendix A to Part 37,

Core Principle 14 of Section 5h of the Act--System Safeguards (a)

Guidance (1) Risk analysis and oversight program (for SEFs); 17 CFR

49.24(c) (for SDRs).

---------------------------------------------------------------------------

In this NPRM, in addition to clarifying the existing testing

requirements for DCMs, SEFs, and SDRs by specifying and defining the

five types of testing that these entities necessarily must perform to

fulfill those requirements, the Commission also proposes to clarify the

testing requirements by specifying and defining three other aspects of

DCM, SEF, and SDR risk analysis and oversight programs that are

necessary to fulfillment of the testing requirements and achievement of

their purposes. These three aspects are: (1) The scope of testing and

assessment, (2) internal reporting and review of test results, and (3)

remediation of vulnerabilities and deficiencies revealed by testing.

These risk analysis and oversight program aspects are generally

recognized best practice for system safeguards. As best practices and

also the Act and the regulations themselves make clear, it would be

essentially impossible for a DCM, SEF, or SDR to fulfill its obligation

to conduct testing sufficient to ensure the reliability, security, and

capacity of its automated systems without conducting testing of

appropriate scope; without performing appropriate internal reporting

and review of test results; or without remediating vulnerabilities and

deficiencies disclosed by testing, in line with appropriate risk

analysis.\245\ This has been true since before the testing requirements

of the Act and the current regulations were adopted.\246\ Accordingly,

the provisions of the proposed rule addressing testing scope, internal

reporting and review, and remediation clarify the testing requirements

of the existing system safeguards rules for DCMs, SEFs, and SDRs; they

do not impose new requirements.

---------------------------------------------------------------------------

\245\ See e.g., NIST SP 800-115, Technical Guide to Information

Security Testing and Assessment, at 6-10--6-12, September 2008,

available at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf; NIST SP 800-53A Rev. 4, at 10, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf;

FFIEC, Information Security IT Examination Handbook, at 5, available

at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf; NIST SP 800-53 Rev. 4,

Program Management (``PM'') control family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf;

FINRA, Report on Cybersecurity Practices, February 2015, at 8,

available at https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf; FFIEC,

Audit IT Examination Handbook, Objective 6, at A-4, available at

http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Audit.pdf;

ISACA, COBIT 5, APO12, available at https://cobitonline.isaca.org/.

\246\ The current system safeguards provisions of the CEA and

the Commission's regulations became effective in August 2012.

Generally accepted best practices called for appropriate testing

scope, internal reporting and review of test results, and

remediation of vulnerabilities and deficiencies disclosed by testing

well before that date, as shown in the following examples. Regarding

scope of testing and assessment, see, e.g., NIST SP 800-115,

Technical Guide to Information Security Testing and Assessment, at

6-10 to 6-12, September 2008, available at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf. Regarding internal

reporting and review, see, e.g., FFIEC, Information Security IT

Examination Handbook, at 5, available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf. Regarding remediation, see,

e.g., FFIEC, Audit IT Examination Handbook, Objective 6, at A-4,

available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Audit.pdf.

---------------------------------------------------------------------------

1. Scope of Testing and Assessment

The Commission is proposing that the scope of all testing and

assessment required by its system safeguards regulations for DCMs,

SEFs, and SDRs should be broad enough to include all testing of

automated systems and controls necessary to identify any vulnerability

which, if exploited or accidentally triggered, could enable an intruder

or unauthorized user or insider to interfere with the entity's

operations or with fulfillment of its statutory and regulatory

responsibilities; to impair or degrade the reliability, security, or

capacity of the entity's automated systems; to add to, delete, modify,

exfiltrate, or compromise the integrity of any data related to the

entity's regulated activities; or to undertake any other unauthorized

action affecting the entity's regulated activities or the hardware or

software used in connection with those activities.

Testing scope should take into account not only an organization's

particular automated systems and networks and vulnerabilities,

including any recent changes to them, but also the nature of the

organization's possible adversaries and their capabilities as revealed

by current cybersecurity threat analysis: iI short, it should be based

on proper risk analysis.\247\ The Commission recognizes that, as

Roundtable panelists noted, the scope set for particular instances of

the various types of cybersecurity testing can vary appropriately.\248\

The scope provisions

[[Page 80160]]

of the proposed rule are designed to give a DCM, SEF, or SDR

flexibility with regard to setting the scope of particular

cybersecurity tests, so long as its overall program of testing is

sufficient to provide adequate assurance of the overall effectiveness

of its cybersecurity controls with respect to its system safeguards-

related risks. The Commission believes that the scope of testing and

assessment set out in the proposed rule is broad enough to provide the

needed flexibility, while still providing sufficient guidance regarding

the testing scope necessary for an adequate program of system

safeguards-related risk analysis and oversight. Such flexibility should

reduce costs and burdens associated with the proposed scope

requirements to the extent possible while still ensuring the system

safeguards resilience necessary in today's cybersecurity threat

environment.

---------------------------------------------------------------------------

\247\ CFTC Roundtable, at 97, 100-101, 107-111, 127-130, 139-

141, 172-180.

\248\ Id.

---------------------------------------------------------------------------

2. Internal Reporting and Review

The proposed rule would require that a DCM's, SEF's, or SDR's

senior management and its Board of Directors receive and review reports

of the results of all testing and assessment required by Commission

rules. It also would require DCMs, SEFs, and SDRs to establish and

follow appropriate procedures for remediation of issues identified

through such review, and for evaluation of the effectiveness of the

organization's testing and assessment protocols.

Oversight of an organization's cybersecurity and system safeguards

program by both senior management and the Board of Directors is a best

practice. According to FINRA:

Active executive management--and as appropriate to the firm,

board-level involvement--is an essential effective practice to

address cybersecurity threats. Without that involvement and

commitment, a firm is unlikely to achieve its cybersecurity

goals.\249\

---------------------------------------------------------------------------

\249\ FINRA, Report on Cybersecurity Practices, February 2015,

at 7, available at https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf.

FINRA observes that ``[b]oards should play a leadership role in

overseeing firms' cybersecurity efforts,'' and states that they should

understand and approach cybersecurity as an enterprise-wide risk

management issue rather than merely an information technology

issue.\250\ As noted by FINRA, the absence of proactive senior

management and board involvement in cybersecurity can make firms more

vulnerable to successful cybersecurity attacks.\251\ The FFIEC states

that regular reports to the board should address the results of the

organization's risk assessment process and of its security monitoring

and testing, including both internal and external audits and

reviews.\252\ In addition, FFIEC calls for boards to review

recommendations for changes to the information security program

resulting from testing and assessment, and to review the overall

effectiveness of the program.\253\

---------------------------------------------------------------------------

\250\ Id.

\251\ Id. at 8.

\252\ FFIEC, Information Security IT Examination Handbook, at 5,

available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf.

\253\ Id. See also, e.g., NIST SP 800-53 Rev. 4, Program

Management (``PM'') control family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

---------------------------------------------------------------------------

3. Remediation

The proposed rule would require each DCM, SEF, and SDR to analyze

the results of the testing and assessment required by the applicable

system safeguards rules, in order to identify all vulnerabilities and

deficiencies in its systems, and to remediate those vulnerabilities and

deficiencies to the extent necessary to enable it to fulfill the

applicable system safeguards requirements and meet its statutory and

regulatory obligations. The proposed rule would require such

remediation to be timely in light of appropriate risk analysis with

respect to the risks presented.

Remediation of vulnerabilities and deficiencies revealed by

cybersecurity testing is a best practice and a fundamental purpose of

such testing. FFIEC calls for management of financial sector

organizations to take appropriate and timely action to address

identified cybersecurity and system safeguards problems and

weaknesses.\254\ ISACA's COBIT 5 standards call for organizations to

continually identify, assess, and reduce IT-related risk within levels

of tolerance set by executive management.\255\

---------------------------------------------------------------------------

\254\ FFIEC, Audit IT Examination Handbook, Objective 6, at A-4,

available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Audit.pdf.

\255\ ISACA, COBIT 5, APO12, available at https://cobitonline.isaca.org/.

---------------------------------------------------------------------------

Best practices recognize that risk mitigation decisions and

activities need to be prioritized in light of appropriate risk

analysis, and that prompt and sufficient corrective action should

target not only significant deficiencies noted in testing and

assessment reports but also the root causes of such deficiencies.\256\

The minimum basis for system safeguards remediation decisions,

priorities, and actions by DCMs, SEFs, and SDRs is set out in the

proposed rule: DCMs, SEFs, and SDRs must remediate system safeguards

vulnerabilities and deficiencies sufficiently to enable them to meet

applicable system safeguards requirements and fulfill their statutory

and regulatory obligations. Remediation that failed to meet this

standard would not provide adequate system safeguards protection in

today's cybersecurity threat environment, and could result in

unacceptable harm to the public or the national economy.

---------------------------------------------------------------------------

\256\ See, e.g., NIST SP 800-53A Rev. 4, at 3, available at

http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf; FFIEC, Audit IT Examination Handbook, Objective 6,

at A-4, available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Audit.pdf.

---------------------------------------------------------------------------

H. Required Production of Annual Total Trading Volume

As discussed above in preamble section F, the proposed rule would

create requirements applicable to covered DCMs, as defined, as well as

to SDRs, concerning system safeguards testing frequency and testing by

independent contractors. As also discussed above, the Commission

believes that the minimum testing frequency and independent contractor

testing requirements in the proposed rule should be applied to DCMs

whose annual total trading volume is five percent or more of the annual

total trading volume of all DCMs regulated by the Commission. This

would give DCMs that have less than five percent of the annual total

trading volume of all DCMs more flexibility regarding the testing they

must conduct. With respect to DCMs, the Commission believes that

applying the proposed frequency and independent contractor requirements

only to DCMs whose annual total trading volume is five percent or more

of the annual total trading volume of all regulated DCMs may be

appropriate, in light of the fact that smaller DCMs will still be

required to conduct testing of all the types addressed in the proposed

rule pursuant to the existing DCM system safeguards rules.

In order to provide certainty to all DCMs concerning whether the

testing frequency and independent contractor provisions of the propose

rule would apply to them, it is necessary for the Commission to receive

annually from each DCM, beginning in 2016, its annual total trading

volume for the preceding year, and to notify each DCM annually,

beginning in 2016, of the percentage of the annual total trading volume

of all DCMs which is constituted by that DCM's annual total trading

volume for the preceding year. The proposed rule therefore would

require each DCM to report its annual total trading volume for 2015 to

the Commission within 30 calendar days of the effective date of the

[[Page 80161]]

final rule, and to report its annual total volume for 2016 and each

subsequent year thereafter to the Commission by January 31 of 2017 and

of each calendar year thereafter.\257\

---------------------------------------------------------------------------

\257\ The SEC's Regulation SCI, issued in final form in December

2014, employs similar methodology to distinguish in some cases which

entities are subject to SCI review requirements. Regulation SCI uses

percentages of average daily dollar volume of stock trading to

determine whether alternative trading systems are subject to

Regulation SCI as SCI entities.

---------------------------------------------------------------------------

I. Advance Notice of Proposed Rulemaking Regarding Minimum Testing

Frequency and Independent Contractor Testing Requirements for Covered

SEFs

The Commission is considering proposing, by means of a future NPRM,

that the most systemically important SEFs should be subject to the same

new minimum testing frequency requirements proposed in this NPRM for

covered DCMs and SDRs. It is also considering proposing, by means of a

future NPRM, that the most systemically important SEFs should be

subject to the same independent contractor testing requirements

proposed in this NPRM for covered DCMs and SDRs. Accordingly, by means

of this concluding section of the preamble and the related set of

questions and requests for comment at the conclusion of the Requests

for Comment section, the Commission is issuing an Advance Notice of

Proposed Rulemaking (``ANPRM'') with respect to these subjects.

As discussed above, the Commission believes that, in light of the

current cyber threat environment, the minimum frequency requirements

and independent contractor testing requirements proposed in this NPRM

for covered DCMs and SDRs are necessary and appropriate for ensuring

the cybersecurity and resiliency of such entities, and are essential to

the effectiveness of their cybersecurity testing and the adequacy of

their programs of system safeguards risk analysis and oversight. As

noted above, these requirements are grounded in generally accepted

standards and best practices.\258\ The Commission also believes, as

discussed above, that the independent contractor testing requirements

proposed in this NPRM for covered DCMs and SDRs will appropriately

strengthen the objectivity and reliability of the testing, assessment,

and information available to the Commission regarding covered DCM and

SDR system safeguards.

---------------------------------------------------------------------------

\258\ See discussion above concerning the need for cybersecurity

testing.

---------------------------------------------------------------------------

For the same reasons, the Commission believes that it is

appropriate and necessary to consider applying these same minimum

testing frequency and independent contractor testing requirements to

the most systemically important SEFs. The Commission is aware that at

this time SEFs are new CFTC-regulated entities still awaiting final

registration by the Commission, and that the SEF market is still in an

early stage of development. Nevertheless, the Commission believes that

SEFs that trade swaps with significant notional value or that trade

significant numbers of swaps may have become systemically important

enough that such requirements for them may now have become essential,

in light of today's cybersecurity threat environment (discussed above),

the importance of the swap market to the U.S. economy, as recognized by

the Dodd-Frank Act, and the notional value and volume of swaps traded

on larger SEFs or pursuant to their rules.

Preliminarily, the Commission believes it is appropriate to

consider defining the ``covered SEFs'' to which these requirements

would be applied as those SEFs for which the annual total notional

value of all swaps traded on or pursuant to the rules of the SEF is ten

percent (10%) or more of the annual total notional value of all swaps

traded on or pursuant to the rules of all SEFs regulated by the

Commission. This threshold would give SEFs that have less than ten

percent of the annual total notional value of all swaps traded more

flexibility regarding the testing they must conduct. As a matter of

policy, the Commission believes it is appropriate to reduce possible

costs and burdens for smaller entities when it is possible to do so

consistent with achieving the fundamental goals of the Act and

Commission rules. Accordingly, the Commission believes, preliminarily,

that applying the minimum frequency and independent contractor

requirements in this proposed rule only to SEFs that have ten percent

or more of the annual total notional value of all swap traded would be

appropriate, in light of the fact that smaller SEFs will still be

required, pursuant to this current NPRM, to conduct testing of all the

types clarified in the NPRM as essential to fulfilling the testing

requirements of the existing SEF system safeguards rules. The

Commission also notes that, under this current NPRM and the parallel

NPRM being issued with respect to DCOs, a non-covered SEF that shares

common ownership and automated systems with a DCO, a covered DCM, or an

SDR would in practice fulfill the testing frequency and independent

contractor testing requirements by virtue of sharing automated systems

and system safeguards with the DCO, covered DCM, or SDR.

However, the Commission will also consider whether it would be more

appropriate to define ``covered SEF'' in terms of annual total notional

value of swaps traded, or in terms of annual total number of swaps

traded, and how notional value would best be defined in this context.

It will also consider what percentage share of the annual total

notional value of all swaps traded on all SEFs regulated by the

Commission, or of the annual total number of swaps traded, should be

used to define ``covered SEF.'' It will further consider whether it

would be more appropriate for the definition to be applied with respect

to the notional value or the number of swaps in each asset class

separately, or to be applied with respect to the notional value or the

number of all swaps combined regardless of asset class.

Accordingly, in the final part of the Request for Comment section

below, the Commission is seeking comments regarding each of these

considerations. The Commission will consider all such comments in

determining what definition of ``covered SEF'' it should propose in a

future NPRM on this subject, if such a proposal is made. The Commission

is also seeking information relating to the possible costs and benefits

of applying the minimum testing frequency and independent contractor

testing requirements to covered SEFs, and how such benefits or costs

could be quantified or estimated. In addition, the Commission seeks

additional information regarding the extent to which SEFs are currently

meeting these requirements. Finally, the Commission seeks additional

information concerning the most appropriate method for SEFs to report

annually to the Commission their annual total notional value of swaps

traded or their annual total number of swaps traded.

II. Related Matters

A. Regulatory Flexibility Act

The Regulatory Flexibility Act (``RFA'') requires that agencies

consider whether the regulations they propose will have a significant

economic impact on a substantial number of small entities and, if so,

provide a regulatory flexibility analysis respecting the impact.\259\

The rules proposed by the Commission will impact DCMs, SEFs, and SDRs.

The Commission has

[[Page 80162]]

previously established certain definitions of ``small entities'' to be

used by the Commission in evaluating the impact of its regulations on

small entities in accordance with the RFA.\260\ The Commission has

previously determined that DCMs, SEFs, and SDRs are not small entities

for the purpose of the RFA.\261\ Therefore, the Chairman, on behalf of

the Commission pursuant to 5 U.S.C. 605(b), certifies that the proposed

rules will not have a significant economic impact on a substantial

number of small entities.

---------------------------------------------------------------------------

\259\ 5 U.S.C. 601 et seq.

\260\ See 47 FR 18618-21 (Apr. 30, 1982).

\261\ See 47 FR 18618, 18619 (Apr. 30, 1982) discussing DCMs; 78

FR 33548 (June 4, 2013) discussing SEFs; 76 FR 54575 (Sept. 1, 2011)

discussing SDRs.

---------------------------------------------------------------------------

B. Paperwork Reduction Act

1. Introduction

The Paperwork Reduction Act of 1995 (``PRA'') \262\ imposes certain

requirements on Federal agencies, including the Commission, in

connection with their conducting or sponsoring any collection of

information, as defined by the PRA. An agency may not conduct or

sponsor, and a person is not required to respond to, a collection of

information unless it displays a currently valid control number. This

proposed rulemaking contains recordkeeping and reporting requirements

that are collections of information within the meaning of the PRA.

---------------------------------------------------------------------------

\262\ 44 U.S.C. 3501 et seq.

---------------------------------------------------------------------------

The proposed rulemaking contains provisions that would qualify as

collections of information, for which the Commission has already sought

and obtained control numbers from the Office of Management and Budget

(``OMB''). The titles for these collections of information are ``Part

38-Designated Contract Markets'' (OMB Control Number 3038-0052), ``Part

37-Swap Execution Facilities'' (OMB Control Number 3038-0074), and

``Part 49-Swap Data Repositories; Registration and Regulatory

Requirements'' (OMB Control Number 3038-0086). If adopted, responses to

these collections of information would be mandatory. As discussed

below, with the exception of proposed Sec. 38.1051(n) that would

require all DCMs to submit annual trading volume information to the

Commission, the Commission believes the proposal will not impose any

new recordkeeping or reporting requirements that are not already

accounted for in existing collections 3038-0052,\263\ 3038-0074,\264\

and 3038-0086.\265\ Accordingly, the Commission invites public comment

on the accuracy of its estimate regarding the impact of proposed Sec.

38.1051(n) on collection 3038-0052 and its determination that no

additional recordkeeping or information collection requirements or

changes to existing collection requirements would result from the

proposal.

---------------------------------------------------------------------------

\263\ See OMB Control No. 3038-0052, available at http://www.reginfo.gov/public/do/ PRAOMBHistory?ombControlNumber=3038-0052.

\264\ See OMB Control No. 3038-0074, available at http://www.reginfo.gov/public/do/PRAOMBHistory?ombControlNumber=3038-0074.

\265\ See OMB Control No. 3038-0086, available at http://www.reginfo.gov/public/do/ PRAOMBHistory?ombControlNumber=3038-0086.

---------------------------------------------------------------------------

The Commission will protect proprietary information according to

the Freedom of Information Act (``FOIA'') and 17 CFR part 145,

``Commission Records and Information.'' In addition, section 8(a)(1) of

the Act strictly prohibits the Commission, unless specifically

authorized by the Act, from making public ``data and information that

would separately disclose the business transactions or market positions

of any person and trade secrets or names of customers.'' The Commission

is also required to protect certain information contained in a

government system of records according to the Privacy Act of 1974.

2. Clarification of Collections 3038-0052, 3038-0074, and 3038-0086

The Commission notes that all DCMs, SEFs, and SDRs are already

subject to system safeguard-related books and records obligations.

However, with the exception of business continuity-disaster recovery

testing, the records relating to a particular system safeguard test or

assessment are not explicitly addressed in the current rules.

Therefore, as discussed above in Section I.E., the Commission is

proposing to amend Sec. Sec. 38.1051(g), 37.1041(g), and 49.24(i) to

clarify the system safeguard-related books and records obligations for

all DCMs, SEFs, and SDRs. The proposed regulations would require these

entities, in accordance with Commission regulation Sec. 1.31,\266\ to

provide the Commission with the following system safeguards-related

books and records promptly upon request of any Commission

representative: (1) current copies of the BC-DR plans and other

emergency procedures; (2) all assessments of the entity's operational

risks or system safeguard-related controls; (3) all reports concerning

system safeguards testing and assessment required by this chapter,

whether performed by independent contractors or employees of the DCM,

SEF, or SDR; and (4) all other books and records requested by

Commission staff in connection with Commission oversight of system

safeguards pursuant to the Act or Commission regulations, or in

connection with Commission maintenance of a current profile of the

entity's automated systems. The pertinent recordkeeping and reporting

requirements of proposed Sec. 38.1051(g) are contained in the

provisions of current Commission regulations Sec. Sec. 38.1051(g)

\267\ and (h),\268\ which were adopted on June 19, 2012 (``DCM Final

Rules'').\269\ In the DCM Final Rules, the Commission estimated that

each respondent subject to the part 38 requirements would experience a

10 percent increase, or 30 additional hours, in the information

collection burden as a result of the regulations implementing certain

core principles, including Core Principle 20 (System Safeguards).\270\

The pertinent recordkeeping and reporting burdens of proposed Sec.

37.1401(g) are contained in the provisions of current Commission

regulations Sec. Sec. 37.1041(f) \271\ and (g),\272\

[[Page 80163]]

which were adopted on June 4, 2103 (``SEF Final Rules'').\273\ In the

SEF Final Rules, the Commission estimated that each respondent subject

to the part 37 requirements would incur a collection burden of 308

hours annually as a result of the regulations implementing certain core

principles, including Core Principle 14 (System Safeguards).\274\

Additionally, the pertinent recordkeeping and reporting requirements of

proposed Sec. 49.24(i) are contained in the provisions of current

Commission regulations Sec. Sec. 49.24(i) \275\ and (j),\276\ which

were adopted on September 1, 2011 (``SDR Final Rules'').\277\ In the

SDR Final Rules, the Commission determined that the collection burdens

created by the Commission's proposed rules, which were discussed in

detail in the proposing release, are identical to the collective

burdens of the final rules.\278\ The Commission estimated in the

proposing release that the total ongoing annual burden for all of the

Sec. 49.24 requirements is 15,000 burden hours per respondent.\279\

The Commission believes that proposed Sec. Sec. 38.1051(g) and

49.24(i) would not impact the burden estimates currently provided for

in OMB Control Numbers 3038-0052, 3038-0074, and 3038-0086.

---------------------------------------------------------------------------

\266\ Commission regulation Sec. 1.31(a)(1) specifically

provides that ``all books and records required to be kept by the Act

or by these regulations shall be kept for a period of five years

from the date thereof and shall be readily accessible during the

first 2 years of the 5-year period.'' The rule further provides that

``all such books and records shall be open to inspection by any

representative of the Commission or the United States Department of

Justice.'' See 17 CFR 1.31(a)(1).

\267\ Commission regulation Sec. 38.1051(g) specifically

provides that ``a designated contract market must provide to the

Commission upon request current copies of the business-continuity

disaster recovery plan and other emergency procedures, its

assessments of its operational risks, and other documents requested

by Commission staff for the purpose of maintaining a current profile

of the designated contract market's systems.'' See 17 CFR

38.1051(g).

\268\ Commission regulation Sec. 38.1051(h) specifically

provides that ``a designated contract market must conduct regular,

periodic, objective testing and review of its automated systems to

ensure that they are reliable, secure, and have adequate scalable

capacity. It must also conduct regular, periodic testing and review

of its business continuity-disaster recovery capabilities.'' The

regulation further provides that ``pursuant to Core Principle 18

(Recordkeeping) and Sec. Sec. 38.950 and 38.951, the designated

contract market must keep records of all such tests, and make all

test results available to the Commission upon request.'' See 17 CFR

38.1051(h).

\269\ 77 FR 36612 (June 19, 2012).

\270\ 77 FR 36664-65 (June 19, 2012).

\271\ Commission regulation Sec. 37.1401(f) specifically

provides that a swap execution facility shall provide to the

Commission, upon request, current copies of its business continuity-

disaster recovery plan and other emergency procedures, its

assessments of its operational risks, and other documents requested

by Commission staff for the purpose of maintaining a current profile

of the swap execution facility's automated systems. See 17 CFR

37.1401(f).

\272\ Commission regulation Sec. 37.1401(g) specifically

provides that a swap execution facility shall conduct regular,

periodic, objective testing and review of its automated systems to

ensure that they are reliable, secure, and have adequate scalable

capacity. A swap execution facility shall also conduct regular,

periodic testing and review of its business continuity-disaster

recovery capabilities. The rule further provides that pursuant to

Core Principle 10 under section 5h of the Act (Recordkeeping and

Reporting) and Sec. Sec. 37.1000 through 37.1001, the swap

execution facility shall keep records of all such tests, and make

all test results available to the Commission upon request. See 17

CFR 37.1401(g).

\273\ 78 FR 33476 (June 4, 2013).

\274\ 78 FR 33551 (June 4, 2013).

\275\ Commission regulation Sec. 49.24(i) specifically provides

that a registered swap data repository shall provide to the

Commission upon request current copies of its business continuity

and disaster recovery plan and other emergency procedures, its

assessments of its operational risks, and other documents requested

by Commission staff for the purpose of maintaining a current profile

of the swap data repository's automated systems. See 17 CFR

49.24(i).

\276\ Commission regulation Sec. 49.24(j) specifically provides

that a registered swap data repository shall conduct regular,

periodic, objective testing and review of its automated systems to

ensure that they are reliable, secure, and have adequate scalable

capacity. It shall also conduct regular, periodic testing and review

of its business continuity-disaster recovery capabilities. The rule

further provides that pursuant to Sec. Sec. 1.31, 49.12 and 45.2 of

the Commission's Regulations, the swap data repository shall keep

records of all such tests, and make all test results available to

the Commission upon request. See 17 CFR 49.24(j).

\277\ 76 FR 54538 (Sept. 1, 2011).

\278\ 76 FR 54572 (Sept. 1, 2011).

\279\ 75 FR 80924 (Dec. 23, 2010).

---------------------------------------------------------------------------

3. Proposed Revision to Collection 3038-0052

Proposed Sec. 38.1051(n) would require all DCMs to provide to the

Commission for calendar year 2015, and each calendar year thereafter,

its annual total trading volume. This information would be required

within 30 calendar days of the effective date of the final version of

this rule, and for 2016 and subsequent years by January 31 of the

following calendar year. The Commission believes that all DCMs

generally calculate their annual trading volume in the usual course of

business and many of the DCMs already publish this information on their

Web site. Consequently, the Commission believes that any burden

incurred by the DCMs as a result of proposed Sec. 38.1051(n) would be

minimal. Presently, there are 15 registered DCMs that would be required

to comply with proposed Sec. 38.1051(n) and the burden hours for this

collection have been estimated as follows:

Estimated number of respondents: 15.

Annual responses by each respondent: 1.

Total annual responses: 15.

Estimated average hours per response: 0.5.

Aggregate annual reporting burden: 7.5.

With the respondent burden for this collection estimated to average 0.5

hours per response, the total annual cost burden per respondent is

estimated to be $22.015. The Commission based its calculation on an

hourly wage rate of $44.03 for a Compliance Officer.\280\

---------------------------------------------------------------------------

\280\ In arriving at a wage rate for the hourly costs imposed,

Commission staff used the National Industry-Specific Occupational

Employment and Wage Estimates, published in May (2014 Report). The

hourly rate for a Compliance Officer in the Securities and Commodity

Exchanges as published in the 2014 Report was $44.03 per hour.

---------------------------------------------------------------------------

4. Information Collection Comments

The Commission invites comment on any aspect of the proposed

information collection requirements discussed above. Pursuant to 44

U.S.C. 3506(c)(2)(B), the Commission will consider public comments on

such proposed requirements in: (1) Evaluating whether the proposed

collection of information is necessary for the proper performance of

the functions of the Commission, including whether the information will

have a practical use; (2) Evaluating the accuracy of the Commission's

estimate of the burden of the proposed collection of information,

including the validity of the methodology and assumptions used; (3)

Enhancing the quality, utility, and clarity of the information proposed

to be collected; and (4) Minimizing the burden of collection of

information on those who are to respond, including through the use of

appropriate automated, electronic, mechanical, or other technological

information collection techniques.

Copies of the submission from the Commission to OMB are available

from the CFTC Clearance Officer, 1155 21st Street NW., Washington, DC

20581, (202) 418-5160 or from http://RegInfo.gov. Persons desiring to

submit comments on the proposed information collection requirements

should send those comments to: The Office of Information and Regulatory

Affairs, Office of Management and Budget, Room 10235, New Executive

Office Building, Washington, DC 20503, Attention: Desk Officer of the

Commodity Futures Trading Commission; (202) 395-6566 (fax); or

[email protected] (email). Please provide the Commission with

a copy of submitted comments so that all comments can be summarized and

addressed in the final rulemaking, and please refer to the ADDRESSES

section of this rulemaking for instructions on submitting comments to

the Commission. OMB is required to make a decision concerning the

proposed information collection requirements between thirty (30) and

sixty (60) days after publication of the Proposal in the Federal

Register. Therefore, a comment to OMB is best assured of receiving full

consideration if OMB (as well as the Commission) receives it within

thirty (30) days of publication of the Proposal.

C. Consideration of Costs and Benefits

1. Introduction

Section 15(a) of the CEA requires the Commission to consider the

costs and benefits of its actions before promulgating a regulation

under the CEA or issuing certain orders.\281\ Section 15(a) further

specifies that the costs and benefits shall be evaluated in light of

five broad areas of market and public concern: (1) Protection of market

participants and the public; (2) efficiency, competitiveness, and

financial integrity of futures markets; (3) price discovery; (4) sound

risk management practices; and (5) other public interest

considerations. The Commission considers below the costs and benefits

resulting from its discretionary determinations with respect to the

section 15(a) factors.

---------------------------------------------------------------------------

\281\ 7 U.S.C. 19(a).

---------------------------------------------------------------------------

As an initial matter, the Commission considers the incremental

costs and benefits of these regulations, that is the

[[Page 80164]]

costs and benefits that are not already present in the current system

safeguard practices and requirements under the Act and the Commission's

regulations for DCMs, SEFs, and SDRs. Where reasonably feasible, the

Commission has endeavored to estimate quantifiable costs and benefits.

Where quantification is not feasible, the Commission identifies and

describes costs and benefits qualitatively.\282\

---------------------------------------------------------------------------

\282\ For example, to quantify benefits such as enhanced

protections for market participants and the public and financial

integrity of the futures and swaps markets would require

information, data and/or metrics that either do not exist, or to

which the Commission generally does not have access.

---------------------------------------------------------------------------

As discussed below, the Commission has identified certain costs and

benefits associated with some of the proposed regulations and requests

comment on all aspects of its proposed consideration of costs and

benefits, including identification and assessment of any costs and

benefits not discussed herein. In particular, the Commission requests

that commenters provide data and any other information or statistics

that the commenters relied on to reach any conclusions regarding the

Commission's proposed consideration of costs and benefits, including

the series of questions at the end of this section.

2. Background and Baseline for the Proposal

As discussed above in Section I.A., the Commission believes that

the current cyber threats to the financial sector, including DCMs,

SEFs, and SDRs regulated by the Commission, have expanded over the

course of recent years. According to the Committee on Payments and

Market Infrastructures of the Bank for International Settlements,

``Cyber attacks against the financial system are becoming more

frequent, more sophisticated and more widespread.'' \283\ A survey of

46 global securities exchanges conducted by IOSCO and the WFE found

that as of July 2013, over half of exchanges world-wide had experienced

a cyber attack during the previous year.\284\ The Ponemon Institute

2015 Cost of Data Breach Study, which included 350 companies, found

that the average cost of a data breach is $3.79 million, which

represents a 23 percent increase from the 2014 study.\285\ Moreover,

the study concluded that the consequences of lost business are having a

greater impact on the cost of a data breach with the average cost

increasing from $1.33 million last year to $1.57 million this

year.\286\ Accordingly, the current cyber threat environment highlights

the need to consider an updated regulatory framework with respect to

cybersecurity testing for DCMs, SEFs, and SDRs. Although the Commission

acknowledges that the proposal would likely result in some additional

costs, particularly for some covered DCMs and SDRs, the proposal would

also bring several overarching benefits to the futures and swaps

industry. A comprehensive cybersecurity testing program is important to

efforts by the regulated entities to harden cyber defenses, to mitigate

operations, reputation, and financial risk, and to maintain cyber

resilience and ability to recover from cyber attack.\287\

Significantly, to ensure the effectiveness of cybersecurity controls, a

financial sector entity must test in order to find and fix its

vulnerabilities before an attacker exploits them.

---------------------------------------------------------------------------

\283\ Committee on Payments and Market Infrastructures of the

Bank for International Settlements, Cyber resilience in financial

market infrastructures (November 2014), at 1.

\284\ IOSCO and WFE, Cyber-crime, securities markets and

systemic risk, Staff Working Paper (SWP2/2013) (July 16, 2013), at

3, available at http://www.iosco.org/research/pdf/swp/Cyber-Crime-Securities-Markets-and-Systemic-Risk.pdf.

\285\ Ponemon Institute Research Report sponsored by IBM, 2015

Cost of Data Brach Study: Global Analysis (May 2015), at 1.

\286\ Id. at 2. The cost component includes the abnormal

turnover of customers, increased customer acquisition activities,

reputation losses and diminished goodwill. The growing awareness of

identity theft and customers' concerns about the security of their

personal data following a breach has contributed to the lost

business.

\287\ CFTC Roundtable, at 24.

---------------------------------------------------------------------------

The Commission recognizes that any economic effects, including

costs and benefits, should be compared to a baseline that accounts for

current regulatory requirements. The baseline for this cost and benefit

consideration is the set of existing requirements under the Act and the

Commission's regulations for DCMs, SEFs, and SDRs. As discussed in the

preamble, the Act requires each DCM, SEF, and SDR to develop and

maintain a program of system safeguards-related risk analysis and

oversight to identify and minimize sources of operational risk.\288\

The Act also mandates that each DCM, SEF, and SDR must develop and

maintain automated systems that are reliable, secure, and have adequate

scalable capacity, and must ensure system reliability, security, and

capacity through appropriate controls and procedures.\289\ The

Commission's existing system safeguards rules for DCMs, SEFs, and SDRs

mandate that, in order to achieve these statutory requirements, each

DCM, SEF, and SDR must conduct testing and review sufficient to ensure

that its automated systems are reliable, secure, and have adequate

scalable capacity.\290\

---------------------------------------------------------------------------

\288\ CEA section 5(d)(20) (for DCMs); CEA section 5h(f)(14)

(for SEFs); CEA section 21(f)(4)(A) and 17 CFR 49.24(a) (for SDRs).

\289\ Id.

\290\ 17 CFR 38.1051(h) (for DCMs); 17 CFR 37.1401(g) (for

SEFs); 17 CFR 49.24(j) (for SDRs).

---------------------------------------------------------------------------

As discussed above, the Commission proposes to clarify the system

safeguards and cybersecurity testing requirements of its existing rules

for DCMs, SEFs, and SDRs, by specifying and defining five types of

system safeguards testing that a DCM, SEF, or SDR necessarily must

perform to fulfill the testing requirement. Each of the types of

testing and assessment that would be required under the proposed rule--

vulnerability testing, penetration testing, controls testing, security

incident response plan testing, and enterprise technology risk

assessment--is a generally recognized best practice for system

safeguards, as discussed above and discussed in detail below. Moreover,

the Commission believes, as the generally accepted standards and best

practices noted in this NPRM make it clear, that it would be

essentially impossible for a DCM, SEF, or SDR to fulfill its existing

obligation to conduct testing sufficient to ensure the reliability,

security, and capacity of its automated systems without conducting each

type of testing addressed by the proposed rule. This has been true

since before the testing requirements of the Act and the current

regulations were adopted, and it would be true today even if the

Commission were not issuing this NPRM.\291\ Accordingly, as

[[Page 80165]]

discussed below in this consideration of costs and benefits section,

the Commission believes that, with the exception of the minimum testing

frequency and independent contractor requirements for covered DCMs and

SDRs, the proposed rules calling for each DCM, SEF, and SDR to conduct

each of these types of testing and assessment will not impose any new

costs on DCMs, SEFs, and SDRs. If compliance with the clarified testing

requirements proposed herein results in costs to DCMs, SEFs, and SDRs,

the Commission believes that those are costs associated with compliance

with existing testing requirements and not the proposed rules.

---------------------------------------------------------------------------

\291\ The Commission's existing rules and guidance provide that

a DCM's, SEF's, or SDR's entire program of risk analysis and

oversight, which includes testing, should be based on generally

accepted standards and best practices with respect to the

development, operation, reliability, security, and capacity of

automated systems. See Appendix A to Part 37, Core Principle 14 of

Section 5h of the Act--System Safeguards (a) Guidance (1) Risk

analysis and oversight program (for SEFs); 17 CFR 38.1051(h) (for

DCMs); 17 CFR 49.24(j) (for SDRs). Each of the types of testing

addressed in this NPRM--vulnerability testing, penetration testing,

controls testing, security incident response plan testing, and

enterprise technology risk assessment--has been a generally

recognized best practice for system safeguards since before the

testing requirements of the Act and the current regulations were

adopted. The current system safeguards provisions of the CEA and the

Commission's regulations became effective in August 2012. Generally

accepted best practices called for each type of testing specified in

the proposed rule well before that date, as shown in the following

examples. Regarding all five types of testing, see, e.g., NIST SP

800-53A, Rev. 1, Guide for Assessing the Security Controls in

Federal Information Systems and Organizations (``NIST 800-53A

Rev.1''), at E1, F67, F230, F148, and F226, June 2010, available at

http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf. Regarding vulnerability testing, see, e.g., NIST SP

800-53A Rev. 1, at F67, June 2010, available at http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf; and NIST SP 800-115, Technical Guide to Information

Security Testing and Assessment, at 5-2, September 2008, available

at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

. Regarding penetration testing, see, e.g., NIST Special Publication

(``SP'') 800-53A, Rev. 1, at E1, June 2010, available at: http://csc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf; and NIST 800-115, at 4-4, September 2008, available at:

http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf.

Regarding controls testing, see, e.g., NIST 800-53A, Rev. 1, at 13

and Appendix F1, June 2010, available at http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf.

Regarding security incident response plan testing, see, e.g., NIST

800-53A, Rev. 1, at F148, June 2010, available at http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf. Regarding enterprise technology risk assessment, see,

e.g., NIST 800-53A, Rev.1, at F226, June 2010, available at http://csrc.nist.gov/publications/nistpubs/800-53A-rev1/sp800-53A-rev1-final.pdf.

---------------------------------------------------------------------------

To assist the Commission in its understanding of the current system

safeguard practices at DCMs and SDRs, Commission staff collected some

preliminary information from some DCMs and SDRs regarding their current

costs associated with conducting vulnerability testing, external and

internal penetration testing, controls testing, and enterprise

technology risk assessments (``DMO Preliminary Survey'').\292\ Some of

the cost estimates provided by the DCMs and SDRs included estimates at

the parent company level of the DCM and SDR as the entities were unable

to apportion the actual costs to a particular entity within their

corporate structure, within which entities may share the same automated

systems and system safeguard programs. In some cases, apportioning

costs could be further complicated by sharing of system safeguards

among DCMs, SEFs, SDRs, or DCOs. Therefore, in the data collected for

the DMO Preliminary Survey, it is difficult in some cases to

distinguish between the system safeguard-related costs of DCMs, SEFs,

SDRs, and DCOs. In light of the above factors, the cost estimates

discussed below are simple cost averages of the affected entities'

estimates, without regard to the type of entity.\293\ The data from the

DMO Preliminary Survey, information received by Commission staff in

administering the Commission's system safeguard program,\294\ and

information the Commission received during the CFTC Roundtable on March

18, 2015, are reflected below in the Commission's effort to estimate

the costs and benefits of the proposal.

---------------------------------------------------------------------------

\292\ The Commission notes that the DCMs and SDRs that provided

the information for the DMO Preliminary Survey requested

confidential treatment. Additionally, because the Commission's cost

estimates are only based on preliminary data from some DCMs and

SDRs, the Commission is including questions throughout the

consideration of costs and benefits section for commenters to

provide the Commission with specific cost estimates regarding the

proposed rules.

\293\ By definition, averages are meant to serve only as a

reference point; the Commission understands that due to the nature

of the proposed requirements in relation to the current practices at

a covered DCM or an SDR, some entities may go above the average

while others may stay below.

\294\ Commission staff conduct system safeguard examinations

(``SSEs'') to evaluate DCMs' compliance with Core Principle 20

(System Safeguards) and Commission regulations Sec. Sec. 38.1050

and 38.1051. See 17 CFR 38.1050 and 38.1051. With respect to SDRs,

Commission staff conduct SSEs to evaluate SDRs' compliance with

Commission regulation Sec. 49.24. See 17 CFR 49.24.

---------------------------------------------------------------------------

As noted above, and discussed more fully below, the Commission

believes that to the extent that the proposal will impose additional

costs, such costs will primarily impact covered DCMs (as defined) and

SDRs as a result of the minimum testing frequency and independent

contractor requirements.\295\ The Commission expects that the costs and

benefits may vary somewhat among the covered DCMs and SDRs. In this

same regard, the Commission notes that some covered DCMs and SDRs are

larger or more complex than others, and the proposed requirements may

impact covered DCMs and SDRs differently depending on their size and

the complexity of their systems.\296\ The Commission recognizes that it

is not possible to precisely estimate the additional costs for covered

DCMs and SDRs that may be incurred as a result of this rulemaking, as

the actual costs will be dependent on the operations and staffing of

the particular covered DCM and SDR, and to some degree, the manner in

which they choose to implement compliance with the proposed new

requirements. The Commission is sensitive to the economic effects of

the proposed regulations, including costs and benefits. Accordingly,

the Commission seeks comment on the costs and benefits associated with

the proposed regulations, including, where possible, quantitative data.

---------------------------------------------------------------------------

\295\ The Commission believes that the proposed requirement in

Sec. Sec. 38.1051(c), 37.1041(c), and 49.24(d) that would require

all DCMs (covered and non-covered), SEFs, and SDRs to update BC-DR

plans and emergency procedures no less frequently than annually will

impose new costs relative to the current requirements. Additionally,

the proposed provisions that would make it mandatory for such

entities to follow best practices, ensure tester independence, and

coordinate BC-DR plans will also impose new costs relative to the

current requirements. The Commission also expects that all DCMs will

incur additional costs as a result of proposed requirement in Sec.

38.1051(n) for the reporting of annual trading volume to the

Commission.

\296\ Based on information obtained from the DMO Preliminary

Survey and the Commission's system safeguard compliance program, the

Commission understands that most covered DCMs and SDRs currently

conduct system safeguard testing at the proposed minimum frequency

for most of the five tests in the proposal. Additionally, the

Commission understands that most covered DCMs and SDRs currently

engage independent contractors for the testing required by the

proposal.

---------------------------------------------------------------------------

While certain costs are amenable to quantification, other costs are

not easily estimated, such as the costs to the public or market

participants in the event of a cybersecurity incident at a DCM, SEF, or

SDR. The public interest is served by these critical infrastructures

performing their functions. The Commission's proposed regulations are

intended to mitigate the frequency and severity of system security

breaches or functional failures, and therefore, provide an important if

unquantifiable benefit to the public interest. Although the benefits of

effective regulation are difficult to estimate in dollar terms, the

Commission believes that they are of equal importance in light of the

Commission's mandate to protect market participants and the public and

to promote market integrity.

The discussion of costs and benefits that follows begins with a

summary of each proposed regulation and a consideration, where

appropriate, of the corresponding costs and benefits. At the conclusion

of this discussion, the Commission considers the costs and benefits of

the proposed regulations collectively in light of the five factors set

forth in section 15(a) of the CEA.

3. Categories of Risk Analysis and Oversight: Sections 38.1051(a),

37.1401(a), and 49.24(b)

a. Summary of Proposed Rules

As discussed above in Section I.B., the proposed rules would, among

other things, add enterprise risk management and governance to the list

of required categories of system safeguards-related risk analysis and

oversight.

[[Page 80166]]

b. Costs and Benefits

As discussed in the preamble, the Commission believes that

enterprise risk management and governance is implicit in the

Commission's existing system safeguard regulations, which already

require each DCM, SEF, and SDR to maintain a program of risk analysis

and oversight with respect to system safeguards.\297\ The proposed

rules would make enterprise risk management and governance an

explicitly listed category for the sake of clarity. The Commission

believes that this clarification will not impose any new costs for

DCMs, SEFs, and SDRs.

---------------------------------------------------------------------------

\297\ 17 CFR 38.1050(a) (for DCMs); 17 CFR 37.1400(a) (for

SEFs); and 17 CFR 49.24(a)(1) (for SDRs).

---------------------------------------------------------------------------

4. Requirements to Follow Best Practices, Ensure Testing Independence,

and Coordinate BC-DR Plans: Sections for Best Practices--38.1051(b);

37.1401(b); and Sec. 49.24(c). Sections for Tester Independence--

38.1051(h)(2)(iv), (3)(i)(C), (3)(ii)(B), (4)(iii), (5)(iv), and

(6)(ii); 37.1401(h)(2)(i), (3)(i)(A), (4)(i), (5)(iii), and (6)(i); and

49.24(j)(2)(iii), (3)(i)(B), (4)(ii), (5)(iv), and (6)(ii). Sections

for BC-DR Plans--38.1051(i); Sec. 37.1401(i); and Sec. 49.24(k)

a. Summary of Proposed Rules

As discussed above in Section I.C., the proposed rules would make

the existing provisions with respect to following best practices,

ensuring tester independence, and coordinating BC-DR plans mandatory

for DCMs, SEFs, and SDRs.

b. Costs

As discussed in the preamble, the Commission's existing rules for

DCMs and SDRs and its guidance for SEFs provide that such entities

should follow best practices in addressing the categories which their

programs of risk analysis and oversight are required to include.\298\

They provide that such entities should ensure that their system

safeguards testing, whether conducted by contractors or employees, is

conducted by independent professionals (persons not responsible for

development or operation of the systems or capabilities being

tested).\299\ They further provide that such entities should coordinate

their BC-DR plans with the BC-DR plans of market participants and

essential service providers.\300\ In light of the language in the

proposed rules that would make these provisions mandatory, the proposed

rules will impose new costs relative to the current requirements.

However, the Commission does not have quantification or estimation of

these potential costs.

---------------------------------------------------------------------------

\298\ See Sec. 38.1051(b) (for DCMs); Appendix A to Part 37,

Core Principle 14 of Section 5h of the Act--System Safeguards (a)

Guidance (1) Risk analysis and oversight program (for SEFs); Sec.

49.24(c) (for SDRs).

\299\ See Sec. 38.1051(h) (for DCMs); Appendix A to Part 37,

Core Principle 14 of Section 5h of the Act--System Safeguards (a)

Guidance (2) Testing (for SEFs); Sec. 49.24(j) (for SDRs).

\300\ See Sec. 38.1051(i) (for DCMs); Appendix A to Part 37,

Core Principle 14 of Section 5h of the Act--System Safeguards (a)

Guidance (3) Coordination (for SEFs); Sec. 49.24(k) (for SDRs).

---------------------------------------------------------------------------

c. Benefits

Making the provisions mandatory will align the system safeguards

rules for DCMs, SEFs, and SDRs with the Commission's system safeguards

rules for DCOs, which already contain mandatory provisions in these

respects. The Commission believes that in today's cybersecurity threat

environment, following generally accepted standards and best practices,

ensuring tester independence, and coordinating BC-DR plans

appropriately are essential to adequate system safeguards and cyber

resiliency for DCMs, SEFs, and SDRs. The Commission also believes that

clarity concerning necessary requirements in these respects will

benefit DCMs, SEFs, and SDRs, their market participants and customers,

and the public interest.

d. Request for Comments

The Commission requests comment on the potential costs and benefits

associated with the proposed provisions that would make it mandatory

for DCMs, SEFs, and SDRs to follow best practices, ensure tester

independence, and coordinate BC-DR plans, including, where possible,

quantitative data.

5. Updating of Business Continuity-Disaster Recovery Plans and

Emergency Procedures: Sections 38.1051(c), 37.1401(c), and 49.24(d).

a. Summary of Proposed Rules

As discussed above in Section I.D., the proposed rules would

require a DCM, SEF, or SDR to update its BC-DR plan and emergency

procedures at a frequency determined by an appropriate risk analysis,

but at a minimum no less frequently than annually.

b. Costs

The Commission's existing rules provide that DCMs, SEFs, and SDRs

must maintain BC-DR plans and emergency procedures, but do not specify

a frequency in which such plans and procedures must be updated.\301\

The proposed rules will impose new costs relative to the requirements

of the current rules.\302\ However, the Commission does not have

quantification or estimation of these potential costs.

---------------------------------------------------------------------------

\301\ Commission regulations Sec. Sec. 38.1051(c) (for DCMs),

37.1401(b) (for SEFs), and 49.24(d) (for SDRs); 17 CFR 38.1051(c);

17 CFR 37.1401(b); 17 CFR 49.24(d).

\302\ The Commission understands from conducting its oversight

of DCMs, SEFs, and SDRs that many of these entities currently update

their respective BC-DR plans and emergency procedures at least

annually.

---------------------------------------------------------------------------

c. Benefits

The Commission notes that updating BC-DR plans and emergency

procedures at least annually is a generally accepted best practice, as

it follows NIST and other standards. These standards highlight the

importance of updating such plans and procedures at least annually to

help enable the organization to better prepare for cyber security

incidents. Specifically, the NIST standards provide that once an

organization has developed a BC-DR plan, ``the organization should

implement the plan and review it at least annually to ensure the

organization is following the roadmap for maturing the capability and

fulfilling their [sic] goals for incident response.'' \303\

---------------------------------------------------------------------------

\303\ NIST SP 800-53 Rev. 4, Physical and Environmental

Protection (PE) control family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf;

FFIEC, Operations IT Examination Handbook, at 15-18, available at

http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Operations.pdf.

---------------------------------------------------------------------------

d. Request for Comments

The Commission requests comment on the potential costs and benefits

associated with complying with proposed regulations Sec. Sec.

38.1051(c), 37.1401(c), and 49.24(d), including, where possible,

quantitative data.

6. Required system safeguards-related books and records obligations:

Sections 38.1051(g), 37.1041(g), and 49.24(i)

a. Summary of Proposed Rules

As discussed above in Section I.E., proposed Sec. Sec. 38.1051(g),

37.1401(g), and 49.24(i) would require a DCM, SEF, or SDR, in

accordance with Commission regulation Sec. 1.31,\304\ to provide the

Commission with the following system safeguards-related books and

records promptly upon request of any

[[Page 80167]]

Commission representative: (1) Current copies of the BC-DR plans and

other emergency procedures; (2) all assessments of the entity's

operational risks or system safeguards-related controls; (3) all

reports concerning system safeguards testing and assessment required by

this chapter, whether performed by independent contractors or employees

of the DCM, SEF, or SDR; and (4) all other books and records requested

by Commission staff in connection with Commission oversight of system

safeguards pursuant to the Act or Commission regulations, or in

connection with Commission maintenance of a current profile of the

entity's automated systems.

---------------------------------------------------------------------------

\304\ Commission regulation Sec. 1.31(a)(1) specifically

provides that ``all books and records required to be kept by the Act

or by these regulations shall be kept for a period of five years

from the date thereof and shall be readily accessible during the

first 2 years of the 5-year period.'' The rule further provides that

``all such books and records shall be open to inspection by any

representative of the Commission or the United States Department of

Justice.'' See 17 CFR 1.31(a)(1).

---------------------------------------------------------------------------

b. Costs

As discussed more fully above in the PRA section, all DCMs, SEFs,

and SDRs are already subject to system safeguard-related books and

records requirements. However, with the exception of BC-DR testing, the

records relating to a particular system safeguard test or assessment

are not explicitly addressed in the current rules. Therefore, the

Commission is proposing Sec. Sec. 38.1051(g), 37.1401(g), and 49.24(i)

to clarify the system safeguard recordkeeping and reporting

requirements for these entities. The Commission notes that the

pertinent recordkeeping and reporting requirements of proposed Sec.

38.1051(g) are contained in the provisions of current Commission

regulations Sec. Sec. 38.1051(g) and (h). The pertinent recordkeeping

and reporting requirements of proposed Sec. 37.1041(g) are contained

in the provisions of current Sec. Sec. 37.1041(f) and (g). In

addition, the pertinent recordkeeping and reporting requirements of

proposed Sec. 49.24(i) are contained in the provisions of current

Commission regulations Sec. Sec. 49.24(i) and (j). Because the

production of system-safeguard records is already required by the

current rules, the Commission believes that the proposed rules would

not impose any additional costs on DCMs, SEFs, and SDRs.

c. Benefits

The recordkeeping requirements for DCMs, SEFs, and SDRs allow the

Commission to fulfill its oversight role and effectively monitor a

DCM's, SEF's, or SDR's system safeguards program and compliance with

the Act and the Commission's regulations. In addition, such

requirements enable Commission staff to perform efficient examinations

of DCMs, SEFs, and SDRs, and increase the likelihood that Commission

staff may identify conduct inconsistent with the requirements. Further,

making all system safeguard-related documents available to the

Commission upon request informs the Commission of areas of potential

weaknesses, or persistent or recurring problems, across the DCMs, SEFs,

and SDRs.

7. Definitions: Sections 38.1051(h)(1), 37.1041(h)(1), and 49.24(j)(1)

a. Summary of Proposed Rules

Proposed Sec. Sec. 38.105(h)(1), 37.1041(h)(1), and 49.24(j)(1)

would include definitions for the following terms: (1) Controls; (2)

controls testing; (3) enterprise technology risk assessment; (4)

external penetration testing; (5) internal penetration testing; (6) key

controls; (7) security incident; (8) security incident response plan;

(9) security incident response plan testing; and (10) vulnerability

testing. Additionally, Sec. 38.105(h)(1) would include the definition

for covered designated contract market.

b. Costs and Benefits

The proposed definitions simply provide context to the specific

system safeguard tests and assessments that a DCM, SEF, or SDR would be

required to conduct on an ongoing basis. Accordingly, the costs and

benefits of these terms are attributable to the substantive testing

requirements and, therefore, are discussed in the cost and benefit

considerations related to the rules describing the requirements for

each test.

8. Vulnerability Testing: Sections 38.1051(h)(2), 37.1401(h)(2), and

49.24(j)(2)

a. Summary of Proposed Rules

As discussed above in Section I.F.3., proposed Sec. Sec.

38.1051(h)(1), 37.1401(h)(1), and 49.24(j)(1) would define

vulnerability testing as testing of a DCM's, SEF's, or SDR's automated

systems to determine what information may be discoverable through a

reconnaissance analysis of those systems and what vulnerabilities may

be present on those systems. The proposed rules would require a DCM,

SEF, or SDR to conduct vulnerability testing that is sufficient to

satisfy the testing scope requirements in proposed Sec. Sec.

38.1051(k), 37.1401(k), and 49.24(l), at a frequency determined by an

appropriate risk analysis. Vulnerability testing would include

automated vulnerability scanning, with some such scanning to be

conducted on an authenticated basis (e.g., using log-in credentials).

Where scanning is conducted on an unauthenticated basis, implementation

of effective compensating controls would be required. At a minimum,

covered DCMs and SDRs would be required to conduct vulnerability

testing no less frequently than quarterly. Covered DCMs and SDRs would

be required to engage independent contractors to perform two of the

required quarterly tests each year, although the entity could have

other vulnerability testing conducted by employees not responsible for

development or operation of the systems or capabilities being tested.

b. Costs

1. Vulnerability Testing Requirement for All DCMs, SEFs, and SDRs

As discussed in the preamble, the Act requires each DCM, SEF, and

SDR to develop and maintain a program of system safeguards-related risk

analysis and oversight to identify and minimize sources of operational

risk.\305\ The Act mandates that in this connection each DCM, SEF, and

SDR must develop and maintain automated systems that are reliable,

secure, and have adequate scalable capacity, and must ensure system

reliability, security, and capacity through appropriate controls and

procedures.\306\

---------------------------------------------------------------------------

\305\ CEA section 5(d)(20) (for DCMs); CEA section 5h(f)(14)

(for SEFs); CEA section 21(f)(4)(A) and 17 CFR 49.24(a) (for SDRs).

\306\ Id.

---------------------------------------------------------------------------

The Commission's existing system safeguards rules for DCMs, SEFs,

and SDRs mandate that, in order to achieve these statutory

requirements, each DCM, SEF, and SDR must conduct testing and review

sufficient to ensure that its automated systems are reliable, secure,

and have adequate scalable capacity.\307\ The Commission believes, as

the generally accepted standards and best practices noted in this NPRM

make clear, that it would be essentially impossible for a DCM, SEF, or

SDR to fulfill its existing obligation to conduct testing sufficient to

ensure the reliability, security, and capacity of its automated systems

without conducting vulnerability testing. The proposed rules clarify

the existing testing requirements by specifying vulnerability testing

as a necessary component. The Commission believes that this has always

been the case.\308\ If compliance with the existing testing

requirements as clarified by the proposed rules results in costs to a

DCM, SEF, or SDR beyond those it already incurs in this connection, the

Commission believes that such additional costs would be attributable to

compliance with the

[[Page 80168]]

existing regulations and not to the proposed rules. Accordingly, the

Commission believes that this clarification will not impose any new

costs for DCMs, SEFs, and SDRs.

---------------------------------------------------------------------------

\307\ Commission regulations Sec. Sec. 38.1051(h) (for DCMs),

37.1401(g) (for SEFs), and 49.24(j) (for SDRs). 17 CFR 38.1051(h);

17 CFR 37.1401(g); and 17 CFR 49.24(j).

\308\ See supra note 291.

---------------------------------------------------------------------------

2. Minimum Vulnerability Testing Frequency Requirements for Covered

DCMs and SDRs

As discussed above, the proposed rules would require covered DCMs

and SDRs to conduct vulnerability testing no less frequently than

quarterly.\309\ The current rules require DCMs and SDRs to conduct

regular, periodic, objective testing of their automated systems.\310\

Accordingly, the proposed rules will impose new costs relative to the

requirements of the current rules.\311\ The Commission notes that the

proposed frequency comports with industry best practices.\312\

---------------------------------------------------------------------------

\309\ While the existing system safeguards rules provide that

all DCMs must conduct testing to ensure the reliability, security,

and capacity of their automated systems, and thus to conduct

vulnerability testing, external and internal penetration testing,

controls testing, enterprise technology risk assessments, and to

have and test security incident response plans in a way governed by

appropriate risk analysis, the proposed rules would avoid applying

the addition minimum frequency requirements to non-covered DCMs in

order to give smaller markets with fewer resources somewhat more

flexibility regarding the testing they must conduct. The Commission

believes that such a reduced burden for smaller DCMs may be

appropriate, in light of the fact that they will still be required

to conduct such testing and assessments, and to have security

incident response plans, pursuant to the existing system safeguards

rules for DCMs.

\310\ See Commission regulations Sec. Sec. 38.1051(h) (for

DCMs) and 49.24(j) (for SDRs); 17 CFR 38.1051(h); 17 CFR 49.24(j).

\311\ Based on the information collected in the DMO Preliminary

Survey, the Commission understands that most covered DCMs and SDRs

currently conduct vulnerability testing at the proposed frequency.

\312\ PCI DSS standards, 11.2, at 94, available at https://www.pcisecuritystandards.org/security_standards/index.php.

---------------------------------------------------------------------------

3. Independent Contractor Requirement for Covered DCMs and SDRs

As discussed above, the proposed rules would require at least two

of the required quarterly vulnerability tests each year to be conducted

by an independent contractor. Current regulations Sec. Sec. 38.1051(h)

and 49.24(j) provide that testing of automated systems should be

conducted by qualified, independent professionals.\313\ The qualified

independent professionals may be independent contractors or employees

of a DCM or SDR as long as they are not responsible for development or

operation of the systems or capabilities being tested. Accordingly, the

proposed independent contractor requirement will impose new costs

relative to the requirements of the current rules.\314\ The Commission

notes that best practices also support the use of independent

contractors to conduct vulnerability testing.\315\

---------------------------------------------------------------------------

\313\ Id.

\314\ Based on the information collected in the DMO Preliminary

Survey, the Commission understands that some covered DCMs and SDRs

may not be engaging independent contractors at all, or may not be

engaging such contractors at a frequency that would satisfy proposed

frequency requirement.

\315\ See CFTC Roundtable, at 88-89; NIST SP 800-115, at 6-6,

available at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf; FFIEC, Information Security IT Examination Handbook,

at 81, available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf; PCI-DSS Version 3.1,

Requirement 11, Regularly test security systems and processes, at

94-96, available at https://www.pcisecuritystandards.org/security_standards/index.php.

---------------------------------------------------------------------------

4. Cost Estimates for Covered DCMs and SDRs

The Commission's preliminary cost estimate for vulnerability

testing, based on data collected from the DMO Preliminary Survey,

suggests that on average, a covered DCM or SDR currently spends

approximately $3,495,000 annually.\316\ The data also suggests that

with respect to the entities that currently use independent contractors

to conduct vulnerability testing, a covered DCM or SDR spends

approximately $71,500 to hire an independent contractor to conduct one

vulnerability test annually and $143,000 to conduct two tests annually.

In providing these estimates, the Commission recognizes that the actual

costs may vary widely as a result of many factors, including the size

of the organization, the complexity of the automated systems, and the

scope of the test. Where a covered DCM or SDR does not currently use an

independent contractor to conduct any vulnerability tests, the

Commission expects that such entities may also incur some additional

minor costs as a result of the need to establish and implement internal

policies and procedures that are reasonably designed to address the

workflow associated with the test. For example, the Commission expects

that such policies and procedures may include communication and

cooperation between the entity and independent contractor,

communication and cooperation between the entity's legal, business,

technology, and compliance departments, appropriate authorization to

remediate vulnerabilities identified by the independent contractor,

implementation of the measures to address such vulnerabilities, and

verification that these measures are effective and appropriate.

Moreover, although the Commission believes that all covered DCMs and

SDRs have substantial policies and procedures in place for

vulnerability testing conducted by internal staff, the Commission

acknowledges that affected entities who do not already use independent

contractors for some vulnerability testing may need to dedicate time to

reviewing and revising their existing policies and procedures to ensure

that they are sufficient in the context of the proposed requirements.

The Commission believes that any costs incurred by the entities as

result of such review would be minor.

---------------------------------------------------------------------------

\316\ During the CFTC Roundtable, one of the participants noted

the difficulty in providing cost estimates for vulnerability and

penetration testing, but emphasized that vulnerability testing is

generally automated while penetration testing is usually more

manual. See CFTC Roundtable, at 98.

---------------------------------------------------------------------------

c. Benefits

Vulnerability testing identifies, ranks, and reports

vulnerabilities that, if exploited, may result in an intentional or

unintentional compromise of a system.\317\ The complex analysis and

plan preparation that a DCM, SEF, or SDR undertakes to complete

vulnerability testing, including designing and implementing changes to

existing plans, are likely to contribute to a better ex ante

understanding by the DCM's, SEF's, or SDR's management of the

challenges the entity would face in a cyber threat scenario, and thus

better preparation to meet those challenges. This improved preparation

in turn helps reduce the possibility of market disruptions. Regularly

conducting vulnerability tests enables a DCM, SEF, or SDR to mitigate

the impact that a cyber threat to, or a disruption of, a DCM's, SEF's,

or SDR's operations would have on market participants, parties required

by the Act or Commission regulations to report swaps data to SDRs, and,

more broadly, the stability of the U.S. financial markets. Accordingly,

the Commission believes that such testing strengthens a DCM's, SEF's,

and SDR's automated systems, thereby protecting market participants and

swaps data reporting parties from a disruption in services.

---------------------------------------------------------------------------

\317\ See Security Standards Council, PCI-DSS Information

Supplement: Penetration Testing Guidance, p. 3, available at:

https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf.

---------------------------------------------------------------------------

With respect to the proposed minimum frequency requirement for

covered DCMs and SDRs, the Commission believes that such entities have

a significant incentive to conduct vulnerability testing at least

quarterly in order to identify the latest threats to the

[[Page 80169]]

organization and reduce the likelihood that attackers could exploit

vulnerabilities. Best practices support the requirement that

vulnerability testing be conducted no less frequently than quarterly.

For example, PCI DSS standards provide that entities should run

internal and external network vulnerability scans ``at least

quarterly,'' as well as after any significant network changes, new

system component installations, firewall modifications, or product

upgrades.\318\ Moreover, the Commission believes that the proposed

frequency requirement will give additional clarity to covered DCMs and

SDRs concerning what is required of them in this respect.

---------------------------------------------------------------------------

\318\ PCI DSS, Requirement 11.2 Regularly test security systems

and processes, at 94, available at https://www.pcisecuritystandards.org/security_standards/index.php.

---------------------------------------------------------------------------

As noted above, the proposed rules would also require covered DCMs

and SDRs to engage independent contractors to conduct two of the

required quarterly vulnerability tests each year, while providing

covered DCMs and SDRs with the flexibility to conduct other

vulnerability testing using employees not responsible for development

or operation of the systems or capabilities being tested. Consistent

with the views shared by the panelists at the CFTC Roundtable, the

Commission believes there are important benefits when a testing program

includes both testing by independent contractors and testing by entity

employees not responsible for building or operating the system being

tested. One participant in the CFTC Roundtable noted, ``[t]here are

advantages to both, but neither can stand alone.'' \319\ Much testing

needs to happen internally, but much also needs to be conducted from

the viewpoint of an outsider, particularly where testing against the

possible tactics or techniques of a particular threat actor is

concerned.\320\ With respect to testing conducted by entity employees,

one benefit is that internal vulnerability testing and scanning can

utilize viewpoints that the outside world would not have, based on

intimate knowledge of the entity's network and systems.\321\ An

additional benefit provided by independent contractor testing comes

from the outsider's different perspective, and his or her ability to

look for things that entity employees may not have contemplated during

the design or operation of the system involved.\322\ The Commission

also notes that best practices support having testing conducted by both

independent contractors and entity employees.\323\ Accordingly, the

Commission believes the proposed rules are appropriate and would strike

the appropriate balance between both entity employees and independent

contractors conducting the vulnerability tests.

---------------------------------------------------------------------------

\319\ CFTC Roundtable, at 88.

\320\ Id. at 88-89.

\321\ Id. at 177.

\322\ Id. at 171.

\323\ See NIST SP 800-115, at 6-6, available at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf; FFIEC,

Information Security IT Examination Handbook, at 81, available at

http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf; ISACA, COBIT 5, MEA02.05,

Ensure that assurance providers are independent and qualified,

available at https://cobitonline.isaca.org/.

---------------------------------------------------------------------------

d. Request for Comments

As set out in more detail below in the Request for Comments

section, the Commission seeks additional information regarding the

costs and benefits of vulnerability testing, including the minimum

testing frequency and independent contractor requirement, and the

extent to which the proposed rules clarify the standard. The Commission

particularly solicits comments concerning the need for vulnerability

testing and the associated costs and benefits, from DCMs, SEFs, and

SDRs, from futures and swap market participants, from best practices

and standards organizations, from cybersecurity service providers and

cybersecurity experts in both the private and public sectors, and from

other financial regulators.

9. External Penetration Testing: Sections 38.1051(h)(3)(i),

37.1401(h)(3)(i), and 49.24(j)(3)(i)

a. Summary of Proposed Rules

As discussed above in Section I.F.4., proposed Sec. Sec.

38.1051(h)(1), 37.1401(h)(1), and 49.24(j)(1) would define external

penetration testing as attempts to penetrate a DCM's, SEF's or SDR's

automated systems from outside the systems' boundaries to identify and

exploit vulnerabilities. The proposed rules would require a DCM, SEF,

or SDR to conduct external penetration testing that is sufficient to

satisfy the scope requirements in proposed Sec. Sec. 38.1051(k),

37.1401(k), and 49.24(l), at a frequency determined by an appropriate

risk analysis. At a minimum, covered DCMs and SDRs would be required to

conduct external penetration testing no less frequently than annually.

Covered DCMs and SDRs would also be required to engage independent

contractors to perform the required annual external penetration test,

although the entity could have other external penetration testing

conducted by employees not responsible for development or operation of

the systems or capabilities being tested.

b. Costs

1. External Penetration Testing for All DCMs, SEFs, and SDRs

As discussed in the preamble, the Act requires each DCM, SEF, and

SDR to develop and maintain a program of system safeguards-related risk

analysis and oversight to identify and minimize sources of operational

risk.\324\ The Act mandates that in this connection each DCM, SEF, and

SDR must develop and maintain automated systems that are reliable,

secure, and have adequate scalable capacity, and must ensure system

reliability, security, and capacity through appropriate controls and

procedures.\325\

---------------------------------------------------------------------------

\324\ CEA section 5(d)(20) (for DCMs); CEA section 5h(f)(14)

(for SEFs); CEA section 21(f)(4)(A) and 17 CFR 49.24(a) (for SDRs).

\325\ Id.

---------------------------------------------------------------------------

The Commission's existing system safeguards rules for DCMs, SEFs,

and SDRs mandate that, in order to achieve these statutory

requirements, each DCM, SEF, and SDR must conduct testing and review

sufficient to ensure that its automated systems are reliable, secure,

and have adequate scalable capacity.\326\ The Commission believes, as

the generally accepted standards and best practices noted in this NPRM

make clear, that it would be essentially impossible for a DCM, SEF, or

SDR to fulfill its existing obligation to conduct testing sufficient to

ensure the reliability, security, and capacity of its automated systems

without conducting external penetration testing.

---------------------------------------------------------------------------

\326\ Commission regulations Sec. Sec. 38.1051(h) (for DCMs),

37.1401(g) (for SEFs), and 49.24(j) (for SEFs). 17 CFR 38.1051(h);

17 CFR 37.1401(g); and 17 CFR 49.24(j).

---------------------------------------------------------------------------

The proposed rules clarify the existing testing requirements by

specifying external penetration testing as a necessary component. The

Commission believes it has always been the case.\327\ If compliance

with the existing testing requirements as clarified by the proposed

rules results in costs to a DCM, SEF, or SDR beyond those it already

incurs in this connection, the Commission believes that such additional

costs would be attributable to compliance with the existing regulations

and not to the proposed rules. Accordingly, the Commission believes

that this clarification will not impose any new costs for DCMs, SEFs,

and SDRs.

---------------------------------------------------------------------------

\327\ See supra note 291.

---------------------------------------------------------------------------

[[Page 80170]]

2. Minimum External Penetration Testing Frequency Requirements for

Covered DCMs and SDRs

As discussed above, the proposed rules would require covered DCMs

and SDRs to conduct external penetration testing no less frequently

than annually. The current rules require DCMs and SDRs to conduct

regular, periodic, objective testing of their automated systems.\328\

Therefore, the proposed rules will impose new costs relative to the

requirements of the current rules.\329\ The Commission notes that the

proposed frequency requirement is consistent with industry best

practices.\330\

---------------------------------------------------------------------------

\328\ See Commission regulations Sec. Sec. 38.1051(h) (for

DCMs) and 49.24(j) (for SDRs); 17 CFR 38.1051(h); 17 CFR 49.24(j).

\329\ Based on the information collected in the DMO Preliminary

Survey, the Commission understands that most covered DCMs and SDRs

currently conduct external penetration testing at the proposed

frequency.

\330\ NIST, SP 800-115, Technical Guide to Information Security

Testing and Assessment, Section 5.2.2, at 5-5, available at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf.

---------------------------------------------------------------------------

3. Independent Contractor Requirement for Covered DCMs and SDRs

As discussed above, the proposed rules would require the annual

external penetration test to be conducted by an independent contractor.

Current regulations Sec. Sec. 38.1051(h) and 49.24(j) provide that

testing of automated systems should be conducted by qualified,

independent professionals.\331\ The qualified independent professionals

may be independent contractors or employees of a DCM or SDR as long as

they are not responsible for development or operation of the systems or

capabilities being tested. Therefore, the proposed rules will impose

new costs relative to the requirements of the current rules.\332\ The

Commission notes that best practices support using independent

contractors to conduct external penetration testing.\333\

---------------------------------------------------------------------------

\331\ Id.

\332\ Based on the information collected in the DMO Preliminary

Survey, the Commission understands that most covered DCMs and SDRs

currently engage independent contractors to conduct external

penetration testing.

\333\ Council on CyberSecurity, CSC 20-1, available at http://www.counciloncybersecurity.org/critical-controls/.

---------------------------------------------------------------------------

4. Cost Estimates for Covered DCMs and SDRs

Based on the cost information from the DMO Preliminary Survey, the

Commission estimates that the average cost for a covered DCM or SDR to

conduct external penetration testing annually is approximately

$244,625. The Commission recognizes that the actual costs may vary

widely as a result of many factors, including the size of the

organization, the complexity of the automated systems, and the scope of

the test. Where a covered DCM or SDR does not currently use an

independent contractor to conduct the external penetration test, the

Commission expects that such entities may also incur some additional

minor costs as a result of the need to establish and implement internal

policies and procedures that are reasonably designed to address the

workflow associated with the test. For example, the Commission expects

that such policies and procedures may include communication and

cooperation between the entity and independent contractor,

communication and cooperation between the entity's legal, business,

technology, and compliance departments, appropriate authorization to

remediate vulnerabilities identified by the independent contractor,

implementation of the measures to address such vulnerabilities, and

verification that these measures are effective and appropriate. The

Commission acknowledges that covered DCMs and SDRs that currently do

not use independent contractors for the external penetration test may

need to dedicate time to reviewing and revising their existing policies

and procedures to ensure that they are sufficient in the context of the

proposed requirements. The Commission believes that any costs incurred

by the entities as result of such review would be minor.

c. Benefits

The benefits for external penetration testing, including the

minimum testing frequency and independent contractors, are discussed

below in conjunction with the benefits for internal penetration

testing.

d. Request for Comments

As set out in more detail below in the Request for Comments

section, the Commission seeks additional information regarding the

costs and benefits of external penetration testing, including the

minimum testing frequency and independent contractor requirement. The

Commission particularly solicits comments concerning the need for

external penetration testing and the associated costs and benefits,

from DCMs, SEFs, and SDRs, from futures and swap market participants,

from best practices and standards organizations, from cybersecurity

service providers and cybersecurity experts in both the private and

public sectors, and from other financial regulators.

10. Internal Penetration Testing: Sections 38.1051(h)(3)(ii),

37.1401(h)(3)(ii), and 49.24(j)(3)(ii)

a. Summary of Proposed Rules

As discussed above in Section I.F.4., proposed Sec. Sec.

38.1051(h)(1), 37.1401(h)(1), and 49.24(j)(1) would define internal

penetration testing as attempts to penetrate a DCM's, SEF's, or SDR's

automated systems from inside the systems' boundaries to identify and

exploit vulnerabilities. The proposed rules would require a DCM, SEF,

or SDR to conduct internal penetration testing that is sufficient to

satisfy the scope requirements in proposed Sec. Sec. 38.1051(k),

37.1401(k), and 49.24(l), at a frequency determined by an appropriate

risk analysis. At a minimum, covered DCMs and SDRs would be required to

conduct the internal penetration testing no less frequently than

annually. The DCM or SDR may engage independent contractors to conduct

the test, or the entity may use employees of the DCM or SDR who are not

responsible for development or operation of the systems or capabilities

being tested.

b. Costs

1. Internal Penetration Testing for All DCMs, SEFs, and SDRs

As discussed in the preamble, the Act requires each DCM, SEF, and

SDR to develop and maintain a program of system safeguards-related risk

analysis and oversight to identify and minimize sources of operational

risk.\334\ The Act mandates that in this connection each DCM, SEF, and

SDR must develop and maintain automated systems that are reliable,

secure, and have adequate scalable capacity, and must ensure system

reliability, security, and capacity through appropriate controls and

procedures.\335\

---------------------------------------------------------------------------

\334\ CEA section 5(d)(20) (for DCMs); CEA section 5h(f)(14)

(for SEFs); CEA section 21(f)(4)(A) and 17 CFR 49.24(a) (for SDRs).

\335\ Id.

---------------------------------------------------------------------------

The Commission's existing system safeguards rules for DCMs, SEFs,

and SDRs mandate that, in order to achieve these statutory

requirements, each DCM, SEF, and SDR must conduct testing and review

sufficient to ensure that its automated systems are reliable, secure,

and have adequate scalable capacity.\336\ The Commission believes, as

the generally accepted standards and best practices noted in this NPRM

make clear, that it would be essentially

[[Page 80171]]

impossible for a DCM, SEF, or SDR to fulfill its existing obligation to

conduct testing sufficient to ensure the reliability, security, and

capacity of its automated systems without conducting internal

penetration testing. The proposed rules clarify the existing testing

requirements by specifying internal penetration testing as a necessary

component. The Commission believes that this has always been the

case.\337\ If compliance with the existing testing requirements as

clarified in the proposed rules results in costs to a DCM, SEF, or SDR

beyond those it already incurs in this connection, the Commission

believes that such additional costs would be attributable to compliance

with the existing regulations and not to the proposed rules.

Accordingly, the Commission believes that this clarification will not

impose any new costs on DCMs, SEFs, and SDRs.

---------------------------------------------------------------------------

\336\ Commission regulations Sec. Sec. 38.1051(h) (for DCMs),

37.1401(g) (for SEFs), and 49.24(j) (for SDRs). 17 CFR 38.1051(h);

17 CFR 37.1401(g); and 17 CFR 49.24(j).

\337\ See supra note 291.

---------------------------------------------------------------------------

2. Minimum Internal Penetration Testing Frequency Requirements for

Covered DCMs and SDRs

As discussed above, the proposed rules would require covered DCMs

and SDRs to conduct internal penetration testing no less frequently

than annually. The current rules require DCMs and SDRs to conduct

regular, periodic, objective testing of their automated systems.\338\

Therefore, the proposed rules will impose new costs relative to the

requirements of the current rules.\339\ The Commission notes that the

proposed frequency is consistent with industry best practices.\340\

---------------------------------------------------------------------------

\338\ See Commission regulations Sec. Sec. 38.1051(h) (for

DCMs) and 49.24(j) (for SDRs); 17 CFR 38.1051(h); 17 CFR 49.24(j).

\339\ Based on the information from the DMO Preliminary Survey,

the Commission understands that most covered DCMs and SDRs currently

conduct internal penetration testing at the proposed frequency.

\340\ PCI DSS standards, at 96-97, available at https://www.pcisecuritystandards.org/security_standards/index.php.

---------------------------------------------------------------------------

3. Cost Estimates for Covered DCMs and SDRs

Based on the data from the DMO Preliminary Survey, the Commission

estimates that the current average cost for a covered DCM or SDR

conducting internal penetration testing is approximately $410,625

annually. In providing these estimates, the Commission recognizes that

the actual costs may vary significantly as a result of numerous

factors, including the size of the organization, the complexity of the

automated systems, and the scope of the test. Additionally, the

Commission recognizes that the affected entities may undertake an

evaluation, on an initial and ongoing basis, regarding internal

policies and procedures that may need to be revised. If such an

evaluation is required, the Commission believes that any incremental

costs would be minor.

c. Benefits

External penetration testing benefits DCMs, SEFs, and SDRs by

identifying the extent to which its systems can be compromised before

an attack is identified.\341\ Such testing is conducted outside a

DCM's, SEF's, or SDR's security perimeter to help reveal

vulnerabilities that could be exploited by an external attacker.

Accordingly, the Commission believes that the external penetration

testing strengthens DCMs', SEFs', and SDRs' systems, thereby protecting

not only the DCMs, SEFs, and SDRs, but also market participants and

parties required by the Act or Commission regulations to report swaps

data to the SDRs from a disruption in services, which could potentially

disrupt the functioning of the broader financial markets.

---------------------------------------------------------------------------

\341\ FFIEC, Information Security IT Examination Handbook, at

81, available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf.

---------------------------------------------------------------------------

By attempting to penetrate a DCM's, SEF's or SDR's automated

systems from inside the systems' boundaries, internal penetration tests

allow the respective entities to assess system vulnerabilities from

attackers that penetrate their perimeter defenses and from trusted

insiders, such as former employees and contractors. In addition to

being an industry best practice, the Commission believes that annual

internal penetration testing is important because such potential

attacks by trusted insiders generally pose a unique and substantial

threat due to their more sophisticated understanding of a DCM's, SEF's,

or SDR's systems. Moreover, ``[a]n advanced persistent attack may

involve an outsider gaining a progressively greater foothold in a

firm's environment, effectively becoming an insider in the process. For

this reason, it is important to perform penetration testing against

both external and internal interfaces and systems.'' \342\ As discussed

above in the costs section, the proposed rules would address the

required minimum frequency for covered DCMs and SDRs in performing

external and internal penetration testing. Best practices support

external and internal penetration testing on at least an annual basis.

NIST calls for at least annual penetration testing of an organization's

network and systems.\343\ The FFIEC calls for penetration testing of

high risk systems at least annually, and for quarterly testing and

verification of the efficacy of firewall and access control

defenses.\344\ Data security standards for the payment card industry

provide that entities should perform both external and internal

penetration testing ``at least annually,'' as well as after any

significant network changes, new system component installations,

firewall modifications, or product upgrades.\345\ The Commission

believes the specified frequency levels would increase the likelihood

that the affected entities will be adequately protected against the

level of cybersecurity threat now affecting the financial sector. The

Commission also notes that identifying and fixing vulnerabilities that

could be exploited by adversaries would likely be a more cost effective

alternative to dealing with a successful cyber attack.

---------------------------------------------------------------------------

\342\ FINRA, Report on Cybersecurity Practices (February 2015),

at 22, available at https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf.

\343\ NIST, SP 800-115, Technical Guide to Information Security

Testing and Assessment, Section 5.2.2, at 5-5, available at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf.

\344\ FFIEC, Information Security IT Examination Handbook, at

82, available at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf.

\345\ PCI DSS, Requirements 11.3.1 and 11.3.2., available at

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf.

---------------------------------------------------------------------------

With respect to external penetration testing, the proposed

requirement for annual testing to be performed by independent

contractors is intended to ensure that covered DCM and SDR programs of

risk analysis and oversight with respect to system safeguards include

the benefits provided when independent contractors perform such

testing. The Commission shares the view expressed by participants in

the CFTC Roundtable that vendor testing has particular value with

respect to external penetration testing because the test comes from the

viewpoint of an outsider and against the current tactics, techniques,

and threat vectors of current threat actors as revealed by current

threat intelligence.

d. Request for Comments

As set out in more detail below in the Request for Comments

section, the Commission seeks additional information regarding the

costs and benefits of internal penetration testing, including the

minimum testing frequency requirement. The Commission particularly

solicits comments concerning the need for internal penetration testing

and the associated costs and benefits, from DCMs, SEFs, and SDRs, from

futures and swap market participants, from best

[[Page 80172]]

practices and standards organizations, from cybersecurity service

providers and cybersecurity experts in both the private and public

sectors, and from other financial regulators.

11. Controls Testing: Sections 38.1051(h)(4), 37.1401(h)(4), and

49.24(j)(4)

a. Summary of Proposed Rules

As discussed above in Section I.F.5., proposed Sec. Sec.

38.1051(h)(1), 37.1401(h)(1) and 49.24(j)(1) would define controls

testing as an assessment of the DCM's, SEF's, or SDR's market controls

to determine whether such controls are implemented correctly, are

operating as intended, and are enabling the entity to meet the system

safeguard requirements established by the respective chapters. The

proposed rules would require a DCM, SEF, or an SDR to conduct controls

testing that is sufficient to satisfy the scope requirements in

proposed Sec. Sec. 38.1051(k), 37.1401(k), and 49.24(l), at a

frequency determined by an appropriate risk analysis. At a minimum,

covered DCMs and SDRs would be required to conduct the controls testing

no less frequently than every two years. The testing may be conducted

on a rolling basis over the course of the minimum two-year period or

over a minimum period determined by an appropriate risk analysis. The

covered DCM and SDR must engage independent contractors to test and

assess the key controls in the entity's risk analysis and oversight, no

less frequently than every two years. The entities may conduct any

other controls testing required by Sec. Sec. 38.1051(h)(4) and

49.24(j)(4) by using either independent contractors or employees of the

covered DCM or SDR who are not responsible for the development or

operations of the systems or capabilities being tested.

b. Costs

1. Controls Testing for All DCMs, SEFs, and SDRs

As discussed in the preamble, the Act requires each DCM, SEF, and

SDR to develop and maintain a program of system safeguards-related risk

analysis and oversight to identify and minimize sources of operational

risk.\346\ The Act mandates that in this connection each DCM, SEF, and

SDR must develop and maintain automated systems that are reliable,

secure, and have adequate scalable capacity, and must ensure system

reliability, security, and capacity through appropriate controls and

procedures.\347\

---------------------------------------------------------------------------

\346\ CEA section 5(d)(20) (for DCMs); CEA section 5h(f)(14)

(for SEFs); CEA section 21(f)(4)(A) and 17 CFR 49.24(a) (for SDRs).

\347\ Id.

---------------------------------------------------------------------------

The Commission's existing system safeguards rules for DCMs, SEFs,

and SDRs mandate that, in order to achieve these statutory

requirements, each DCM, SEF, and SDR must conduct testing and review

sufficient to ensure that its automated systems are reliable, secure,

and have adequate scalable capacity.\348\ The Commission believes, as

the generally accepted standards and best practices noted in this NPRM

make clear, that it would be essentially impossible for a DCM, SEF, or

SDR to fulfill its existing obligation to conduct testing sufficient to

ensure the reliability, security, and capacity of its automated systems

without conducting controls testing.

---------------------------------------------------------------------------

\348\ Commission regulations Sec. Sec. 38.1051(h) (for DCMs),

37.1401(g) (for SEFs), and 49.24(j) (for SDRs). 17 CFR 38.1051(h);

17 CFR 37.1401(g); and 17 CFR 49.24(j).

---------------------------------------------------------------------------

The proposed rules clarify the existing testing requirements by

specifying controls testing as a necessary component. The Commission

believes that this has always been the case.\349\ If compliance with

the existing testing requirements as clarified by the proposed rules

imposes costs to a DCM, SEF, or SDR beyond those it already incurs in

this connection, the Commission believes that such additional costs

would be attributable to compliance with the existing regulations and

not to the proposed rules. Accordingly, the Commission believes that

this clarification will not impose any new costs for DCMs, SEFs, or

SDRs.

---------------------------------------------------------------------------

\349\ See supra note 291.

---------------------------------------------------------------------------

2. Minimum Controls Testing Frequency Requirements for Covered DCMs and

SDRs

As discussed above, the proposed rules would require a covered DCM

or SDR to test each control included in its program of system

safeguards-related risk analysis and oversight no less frequently than

every two years. The proposed rules would also permit such testing to

be conducted on a rolling basis over the course of the period

determined by appropriate risk analysis. The current rules require DCMs

and SDRs to conduct regular, periodic, objective testing of their

automated systems.\350\ Therefore, the proposed rules will impose new

costs relative to the requirements of the current rules.\351\ The

Commission notes that testing on a rolling basis is consistent with

generally accepted best practices.\352\

---------------------------------------------------------------------------

\350\ See Commission regulations Sec. Sec. 38.1051(h) (for

DCMs) and 49.24(j) (for SDRs); 17 CFR 38.1051(h); 17 CFR 49.24(j).

\351\ Based on the information collected in the DMO Preliminary

Survey, the Commission understands that some covered DCMs and SDRs

currently conduct controls testing at the proposed frequency level.

\352\ NIST SP 800-53A Rev. 4, at 17-18, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf.

---------------------------------------------------------------------------

3. Independent Contractor Requirement for Covered DCMs and SDRs

As discussed above, the proposed rules would require a DCM or SDR

to engage an independent contractor to test and assess the key controls

no less frequently than every two years. Current regulations Sec. Sec.

38.1051(h) and 49.24(j) provide that testing of automated systems

should be conducted by qualified, independent professionals.\353\ The

qualified independent professionals may be independent contractors or

employees of a DCM or SDR as long as they are not responsible for

development or operation of the systems or capabilities being tested.

Accordingly, the proposed rules will impose new costs relative to the

requirements of the current rules.\354\ The Commission notes that best

practices support independent testing of key controls.\355\

---------------------------------------------------------------------------

\353\ Id.

\354\ Based on the information collected in the DMO Preliminary

Survey, the Commission understands that most covered DCMs and SDRs

currently engage independent contractors to conduct key controls

testing.

\355\ NIST SP 800-53 Rev. 4, control CA-2 Security Assessments,

Control Enhancements 1, Security Assessments: Independent Assessors,

available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

---------------------------------------------------------------------------

4. Cost Estimates for Covered DCMs and SDRs

Based on the information from the DMO Preliminary Survey, the

Commission estimates that the current average cost for a covered DCM or

an SDR conducting controls testing is approximately $2,724,000

annually.\356\ Consistent with all of the system safeguard-related

tests required in the proposal, the Commission recognizes that the

actual costs may vary widely as a result of numerous factors including,

the size of the organization, the complexity of the automated systems,

and the scope of the test. With respect to a covered DCM or SDR that

does not currently use an independent contractor to conduct key

controls testing, the

[[Page 80173]]

Commission expects that these entities may incur some minor costs as a

result of the need to establish and implement internal policies and

procedures that are reasonably designed to address the workflow

associated with the test. For example, the Commission expects that such

policies and procedures may include the communication and cooperation

between the entity and independent contractor, communication and

cooperation between the entity's legal, business, technology, and

compliance departments, appropriate authorization to remediate

deficiencies identified by the independent contractor, implementation

of the measures to address such deficiencies, and verification that

these measures are effective and appropriate. While the Commission

believes that all covered DCMs and SDRs have substantial policies and

procedures in place for controls testing conducted by internal staff,

the Commission acknowledges that the affected entities may dedicate

time in reviewing and revising their existing policies and procedures

to ensure that they are sufficient in the context of the proposed

requirements. The Commission believes that any costs incurred by the

entities as result of such review would be minor.

---------------------------------------------------------------------------

\356\ One of the Cybersecurity Roundtable participants noted

that with respect to the costs for a properly scoped program of

controls testing there is no single answer to this question because

it depends on the number of an organization's applications and the

amount of money spent across the industry varies greatly. See CFTC

Roundtable, at 258-59.

---------------------------------------------------------------------------

c. Benefits

Controls testing is essential in determining risk to an

organization's operations and assets, to individuals, and to other

organizations, and to the nation resulting from the use of the

organization's systems.\357\ In other words, controls testing is vital

because it allows firms to be nimble in preventing, detecting, or

recovering from an attack.\358\ The Commission believes that the

complex analysis and plan preparation that a DCM, SEF, and SDR

undertakes with respect to controls testing, including designing and

implementing changes to existing plans, likely contributes to a better

ex ante understanding by the DCM's, SEF's, and SDR's management of the

challenges the entity would face in a cyber threat scenario, and thus

better preparation to meet those challenges. This improved preparation

would help reduce the possibility of market disruptions and financial

losses to market participants. Moreover, regularly conducting controls

testing enables a DCM, SEF, and SDR to mitigate the impact that a cyber

threat to, or a disruption of, a DCM's, SEF's, or SDR's operations

would have on market participants, entities required by the Act or

Commission regulations to report swaps data to SDRs, and, more broadly,

the stability of the U.S. financial markets. Accordingly, the

Commission believes that such testing strengthens a DCM's, SEF's, and

SDR's automated systems, thereby protecting market participants and

swaps data reporting parties from a disruption in services.

---------------------------------------------------------------------------

\357\ NIST SP 800-53A, Assessing Security and Privacy Controls

in Federal Information Systems and Organizations, rev. 4 (``NIST SP

800-53A''), p. 3, available at: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf.

\358\ CFTC Roundtable, at 43-44.

---------------------------------------------------------------------------

As noted above in the costs section, the proposed rules would

require a covered DCM or SDR to test each control included in its

program of system safeguards-related risk analysis oversight no less

frequently than every two years. The Commission believes that it is

essential for each control to be tested at least this often in order to

confirm the continuing adequacy of the entity's system safeguards in

today's cybersecurity threat environment. Additionally, the frequency

requirement would benefit the affected entities by providing additional

clarity concerning what is required of them in this respect. The

proposed rules would also permit such testing to be conducted on a

rolling basis over the course of the period determined by appropriate

risk analysis. The rolling basis provision is designed to give a

covered DCM or SDR flexibility concerning which controls are tested

during the required minimum frequency period. This flexibility is

intended to reduce burdens associated with testing every control to the

extent possible while still ensuring the needed minimum testing

frequency. The Commission also notes that testing on a rolling basis is

consistent with industry best practices.\359\

---------------------------------------------------------------------------

\359\ NIST SP 800-53A Rev. 4, at 17-18, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf.

---------------------------------------------------------------------------

Additionally, as noted above, the proposed rules would require a

covered DCM or SDR to engage independent contractors to test and assess

each of the entity's key controls no less frequently than every two

years. The entities would have the flexibility to conduct any other

controls testing by either independent contractors or entity employees

not responsible for development or operation of the systems or

capabilities being tested. Independent testing of key controls is

consistent with best practices. Significantly, the NIST Standards note

the important benefits of independent testing and call for controls

testing to include assessment by independent assessors, free from

actual or perceived conflicts of interest, in order to validate the

completeness, accuracy, integrity, and reliability of test

results.\360\ Accordingly, in light of best practices and the current

cyber threat level to the financial sector, the Commission believes the

independent contractor requirement would provide these substantial

benefits.

---------------------------------------------------------------------------

\360\ NIST SP 800-53 Rev. 4, supra note 195.

---------------------------------------------------------------------------

d. Request for Comments

As set out in more detail below in the Request for Comments

section, the Commission seeks additional information regarding the

costs and benefits of controls testing, including the minimum testing

frequency and independent contractor requirement. The Commission

particularly solicits comments concerning the need for controls testing

and the associated costs and benefits, from DCMs, SEFs, and SDRs, from

futures and swap market participants, from best practices and standards

organizations, from cybersecurity service providers and cybersecurity

experts in both the private and public sectors, and from other

financial regulators.

12. Security Incident Response Plan Testing: Sections 38.1051(h)(5),

37.1401(h)(5), and 49.24(j)(5)

a. Summary of Proposed Rules

As discussed above in Section I.F.6., proposed Sec. Sec.

38.1051(h)(1), 37.1401(h)(1), and 49.24(j)(1) would define security

incident response plan testing as testing of a DCM's, SEF's, or SDR's

security incident response plan to determine the plan's effectiveness,

identifying its potential weaknesses or deficiencies, enabling regular

plan updating and improvement, and maintaining organizational

preparedness and resiliency with respect to security incidents. In

addition, methods of conducting security incident response plan testing

may include, but are not limited to, checklist completion, walk-through

or table-top exercises, simulations, and comprehensive exercises. The

DCM's, SEF's, or SDR's security incident response would be required to

include, without limitation, the entity's definition and classification

of security incidents, its policies and procedures for reporting

security incidents and for internal and external communication and

information sharing regarding security incidents, and the hand-off and

escalation points in its security incident response process. The

entities may coordinate its security incident response plan testing

with other testing required by this section or with testing of its

other BC-DR and crisis management plans. The proposed rules would

[[Page 80174]]

require covered DCMs and SDRs to conduct such testing at a frequency

determined by an appropriate risk analysis, but at a minimum no less

frequently than annually.

b. Costs

1. Security Incident Response Plan Testing for All DCMs, SEFs, and SDRs

As discussed in the preamble, the Act requires each DCM, SEF, and

SDR to develop and maintain a program of system safeguards-related risk

analysis and oversight to identify and minimize sources of operational

risk.\361\ The Act mandates that in this connection each DCM, SEF, and

SDR must develop and maintain automated systems that are reliable,

secure, and have adequate scalable capacity, and must ensure system

reliability, security, and capacity through appropriate controls and

procedures.\362\

---------------------------------------------------------------------------

\361\ CEA section 5(d)(20) (for DCMs); CEA section 5h(f)(14)

(for SEFs); CEA section 21(f)(4)(A) and 17 CFR 49.24(a) (for SDRs).

\362\ Id.

---------------------------------------------------------------------------

The Commission's existing system safeguards rules for DCMs, SEFs,

and SDRs mandate that, in order to achieve these statutory

requirements, each DCM, SEF, and SDR must conduct testing and review

sufficient to ensure that its automated systems are reliable, secure,

and have adequate scalable capacity.\363\ The Commission believes, as

the generally accepted standards and best practices noted in this NPRM

make clear, that it would be essentially impossible for a DCM, SEF, or

SDR to fulfill its existing obligation to conduct testing sufficient to

ensure the reliability, security, and capacity of its automated systems

without conducting security incident response plan testing.

---------------------------------------------------------------------------

\363\ Commission regulations Sec. Sec. 38.1051(h) (for DCMs),

37.1401(g) (for SEFs), and 49.24(j) (for SDRs). 17 CFR 38.1051(h);

17 CFR 37.1401(g); and 17 CFR 49.24(j).

---------------------------------------------------------------------------

The proposed rules clarify the existing testing requirements by

specifying security incident response plan testing as a necessary

component. The Commission believes that this has always been the

case.\364\ If compliance with the existing testing requirements as

clarified by the proposed rules results in costs to a DCM, SEF, or SDR

beyond those it already incurs in this connection, the Commission

believes that such additional costs would be attributable to compliance

with the existing regulations and not to the proposed rules.

Accordingly, the Commission believes that this clarification will not

impose any new costs for DCMs, SEFs, and SDRs.

---------------------------------------------------------------------------

\364\ See supra note 291.

---------------------------------------------------------------------------

2. Minimum Security Incident Response Testing Frequency Requirements

for Covered DCMs and SDRs

As discussed above, the proposed rules would require covered DCMs

and SDRs to conduct security incident response plan testing at least

annually. The current rules require DCMs and SDRs to conduct regular,

periodic, objective testing of their automated systems.\365\

Accordingly, the proposed rules will impose new costs relative to the

requirements of the current rules.\366\ The Commission notes that the

proposed frequency requirement is consistent with industry best

practices.\367\

---------------------------------------------------------------------------

\365\ See Commission regulations Sec. Sec. 38.1051(h) (for

DCMs) and 49.24(j) (for SDRs); 17 CFR 38.1051(h); 17 CFR 49.24(j).

\366\ Based on the Commission's experience in administering the

system safeguard compliance program, the Commission believes that

many covered DCMs and SDRs currently conduct security incident

response plan testing at the proposed frequency.

\367\ NIST SP 800-84, Guide to Test, Training, and Exercise

Programs for IT Plans and Capabilities, at 2-4 (citing NIST SP 800-

53, Rev. 4, Security and Privacy Controls for Federal Information

Systems and Organizations).

---------------------------------------------------------------------------

3. Estimated Costs for Covered DCMs and SDRs

At present, the Commission cannot quantify or estimate the current

costs associated with security incident response plan testing at a

covered DCM or SDR. Nevertheless, to the extent that the proposed rules

would impose additional costs on covered DCMs and SDRs, the Commission

believes that such costs may vary widely as result of numerous factors,

including the size of the organization, the complexity of the automated

systems, and the scope of the test. Additional costs incurred by the

affected entities could include time in reviewing and revising existing

policies and procedures, initially and on an ongoing basis, concerning

security incident response testing to ensure that they are sufficient

in the context of the proposed requirements. In such cases, the

Commission believes that any costs would be minimal.

c. Benefits

Security incident response plans, and adequate testing of such

plans, reduce the damage caused by breaches of a DCM's, SEF's, or SDR's

network security. Network security breaches are highly likely to have a

substantial negative impact on a DCM's, SEF's, or SDR's operations.

They can increase costs through lost productivity, lost current and

future market participation or swap data reporting, compliance

penalties, and damage to the DCM's, SEF's, or SDR's reputation and

brand. Moreover, the longer a cyber intrusion continues, the more its

impact may be compounded.

The proposed rules would provide clarity to covered DCMs and SDRs

concerning the minimum testing frequency. The Commission believes the

proposed frequency requirement would increase the likelihood that these

entities could mitigate the duration and impact in the event of a

security incident by making them better prepared for such an incident.

Therefore, a covered DCM or SDR may also be better positioned to reduce

any potential impacts to automated system operation, reliability,

security, or capacity, or the availability, confidentiality, or

integrity of its futures and swaps data.

d. Request for Comments

As set out in more detail below in the Request for Comments

section, the Commission seeks additional information regarding the

costs and benefits of the proposed security incident response plan

testing requirement, including the minimum testing frequency

requirement. The Commission also seeks comments on all aspects of the

proposed security incident response plan testing requirement. The

Commission particularly solicits comments concerning both the need for

security incident response plans and plan testing and the associated

costs and benefits, from DCMs, SEFs, and SDRs, from futures and swap

market participants, from best practices and standards organizations,

from cybersecurity service providers and cybersecurity experts in both

the private and public sectors, and from other financial regulators.

13. Enterprise Technology Risk Assessment: Sections Sec. Sec.

38.1051(h)(6), 37.1401(h)(6), and 49.24(j)(6)

a. Summary of Proposed Rules

As discussed above in Section I.F.7., proposed Sec. Sec.

38.1051(h)(1), 37.1401(h)(1), and 49.24(j)(1) would define ETRA as an

assessment that includes an analysis of threats and vulnerabilities in

the context of mitigating controls. In addition, the assessment

identifies, estimates, and prioritizes risks to the entity's operations

or assets, or to market participants, individuals, or other entities,

resulting from impairment of the confidentiality, integrity, and

availability of data and information or the reliability, security, or

capacity of automated systems. The proposed rules

[[Page 80175]]

would require a covered DCM or SDR to conduct an ETRA at a frequency

determined by an appropriate risk analysis, but at a minimum no less

frequently than annually. The proposed rules would provide that the

assessment may be conducted by independent contractors, or employees of

the DCM or SDR who are not responsible for development or operation of

the systems or capabilities being tested.

b. Costs

1. ETRAs for All DCMs, SEFs, and SDRs

As discussed in the preamble, the Act requires each DCM, SEF, and

SDR to develop and maintain a program of system safeguards-related risk

analysis and oversight to identify and minimize sources of operational

risk.\368\ The Act mandates that in this connection each DCM, SEF, and

SDR must develop and maintain automated systems that are reliable,

secure, and have adequate scalable capacity, and must ensure system

reliability, security, and capacity through appropriate controls and

procedures.\369\

---------------------------------------------------------------------------

\368\ CEA section 5(d)(20) (for DCMs); CEA section 5h(f)(14)

(for SEFs); CEA section 21(f)(4)(A) and 17 CFR 49.24(a) (for SDRs).

\369\ Id.

---------------------------------------------------------------------------

The Commission's existing system safeguards rules for DCMs, SEFs,

and SDRs mandate that, in order to achieve these statutory

requirements, each DCM, SEF, and SDR must conduct testing and review

sufficient to ensure that its automated systems are reliable, secure,

and have adequate scalable capacity.\370\ The Commission believes, as

the generally accepted standards and best practices noted in this NPRM

make clear, that it would be essentially impossible for a DCM, SEF, or

SDR to fulfill its existing obligation to conduct testing sufficient to

ensure the reliability, security, and capacity of its automated systems

without conducting ETRAs.

---------------------------------------------------------------------------

\370\ Commission regulations Sec. Sec. 38.1051(h) (for DCMs),

37.1401(g) (for SEFs), and 49.24(j) (for SDRs). 17 CFR 38.1051(h);

17 CFR 37.1401(g); and 17 CFR 49.24(j).

---------------------------------------------------------------------------

The proposed rules clarify the existing testing requirements by

specifying ETRAs as a necessary component.\371\ The Commission believes

that this has always been the case. If compliance with the existing

testing requirements as clarified by the proposed rules results in

costs to a DCM, SEF, or SDR beyond those it already incurs in this

connection, the Commission believes that such additional costs would be

attributable to compliance with the existing regulations and not to the

proposed rules. Accordingly, the Commission believes that this

clarification will not impose any new costs for DCMs, SEFs, and SDRs.

---------------------------------------------------------------------------

\371\ See supra note 291.

---------------------------------------------------------------------------

2. Minimum ETRA Frequency Requirements for Covered DCMs and SDRs

As discussed above, the proposed rules would require covered DCMs

and SDRs to conduct ETRAs at least annually. The current rules require

DCMs and SDRs to conduct regular, periodic, objective testing of their

automated systems.\372\ Therefore, the proposed rules will impose new

costs relative to the requirements of the current rules.\373\ The

Commission notes that the proposed frequency requirement comports with

industry best practices.\374\

---------------------------------------------------------------------------

\372\ See Commission regulations Sec. Sec. 38.1051(h) (for

DCMs) and 49.24(j) (for SDRs); 17 CFR 38.1051(h); 17 CFR 49.24(j).

\373\ Based on the information from the DMO Preliminary Survey,

the Commission understands that most covered DCMs and SDRs currently

conduct ETRAs at the proposed frequency.

\374\ FINRA, Report on Cybersecurity Practices (February 2015),

at 14, available at https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf.

---------------------------------------------------------------------------

3. Estimated Costs for Covered DCMs and SDRs

Based on the information from the DMO Preliminary Survey, the

Commission estimates that the current average cost for covered DCMs and

SDRs conducting the assessment is approximately $1,347,950 annually.

However, the Commission notes that actual costs may vary widely among

the affected entities due to the size of the organization, the

complexity of the automated systems, and the scope of the assessment.

Additionally, the Commission recognizes that the affected entities may

undertake an evaluation, on an initial and ongoing basis, regarding

internal policies and procedures that may need to be revised. If such

an evaluation is required, the Commission believes that any incremental

costs would be minor.

c. Benefits

The Commission believes that ETRAs are an essential component of a

comprehensive system safeguard program. ETRAs can be viewed as a

strategic approach through which DCMs, SEFs, and SDRs identify risks

and aligns its systems goals accordingly. The Commission believes that

these requirements are necessary to support a strong risk management

framework for DCMs, SEFs, and SDRs, thereby helping to protect DCMs,

SEFs, and SDRs, market participants, parties required by the Act or

Commission regulations to report swaps data to SDRs, and helping to

mitigate the risk of market disruptions.

The proposed rules would provide clarity to covered DCMs and SDRs

concerning the minimum assessment frequency. Best practices support

annual or more frequent assessment of technology and cybersecurity

risk. For example, FINRA states that firms conducting appropriate risk

assessment do so either annually or on an ongoing basis throughout the

year, in either case culminating in an annual risk assessment

report.\375\ The Commission believes the proposed frequency

requirements would better position the entities to identify, estimate,

and prioritize the risks facing them in today's cybersecurity threat

environment.

---------------------------------------------------------------------------

\375\ FINRA, Report on Cybersecurity Practices (February 2015),

at 14, available at https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf.

---------------------------------------------------------------------------

d. Request for Comments

As set out in more detail below in the Request for Comments

section, the Commission seeks additional information regarding the

costs and benefits of the enterprise technology risk assessment

requirement, including the minimum testing frequency requirement. The

Commission particularly solicits comments concerning the need for

enterprise technology risk assessments and the associated costs and

benefits, from DCMs, SEFs, and SDRs, from futures and swap market

participants, from best practices and standards organizations, from

cybersecurity service providers and cybersecurity experts in both the

private and public sectors, and from other financial regulators.

14. Scope for Testing and Assessment: Sections 38.1051(k), 37.1401(k),

and 49.24(l)

a. Summary of Proposed Rules

As discussed above in Section I.G.1., proposed Sec. Sec.

38.1051(k), 37.1401(k), and 49.24(l) would require that the scope for

all system safeguards testing and assessment required by this chapter

must be broad enough to include all testing of automated systems,

networks, and controls necessary to identify any vulnerability which,

if triggered, could enable an intruder or unauthorized user or insider

to: (1) Interfere with the entity's operations or with fulfillment of

the entity's statutory and regulatory responsibilities; (2) impair or

degrade the reliability, security, or adequate

[[Page 80176]]

scalable capacity of the entity's automated systems; (3) add to,

delete, augment, modify, exfiltrate, or compromise the integrity of any

data related to the entity's regulated activities; or (4) undertake any

other unauthorized action affecting the entity's regulated activities

or the hardware or software used in connection with those activities.

b. Costs and Benefits

The Commission believes that the costs and benefits associated with

the scope for testing and assessment are generally attributable to the

substantive testing requirements; therefore they are discussed in the

cost and benefit considerations related to the rules describing the

requirements for each test or assessment.

15. Internal Review of Test and Assessment Reports: Sections

38.1051(l), 37.1401(l), and 49.24(m)

a. Summary of Proposed Rules

As discussed above in Section I.G.2. proposed Sec. Sec.

38.1051(l), 37.1401(l), and 49.24(m) would require the senior

management and the Board of Directors of the DCM, SEF, or SDR to

receive and review reports setting forth the results of all testing and

assessment required by this section. In addition, the proposed rules

would require the DCM, SEF, or SDR to establish and follow appropriate

procedures for the remediation of issues identified through such

review, as provided in sections 38.1051(m), 37.1401(m), and 49.24(n)

(Remediation), and for evaluation of the effectiveness of testing and

assessment protocols.

b. Costs

As discussed in the preamble, the Commission proposes to clarify

the testing requirements by specifying and defining certain aspects of

DCM, SEF, and SDR risk analysis and oversight programs that are

necessary to fulfillment of the testing requirements and achievement of

their purposes. This clarification includes review of system safeguard

testing and assessments by senior management and the DCM's, SEF's, or

SDR's Board of Directors, which is recognized as best practice for

system safeguards.\376\ The Commission believes, as the generally

accepted standards and best practices noted in this NPRM make clear,

that it would be essentially impossible for a DCM, SEF, or SDR to

fulfill its existing obligation to conduct testing sufficient to ensure

the reliability, security, and capacity of its automated systems

without performing appropriate internal reporting and review of test

results.\377\ This has been true since before the testing requirements

of the Act and the current regulations were adopted.\378\ If compliance

with the existing testing requirements as clarified by the proposed

rules results in costs to a DCM, SEF, or SDR beyond those it already

incurs, the Commission believes that such additional costs would be

attributable to compliance with the existing regulations and not to the

proposed rules. Accordingly, the Commission believes that this

clarification will not impose any new costs for DCMs, SEFs, and SDRs.

---------------------------------------------------------------------------

\376\ FINRA, Report on Cybersecurity Practices, February 2015,

at 7, available at https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf; FFIEC,

Information Security IT Examination Handbook, at 5, available at

http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf.; and NIST SP 800-53, Rev.

4, Program Management Control Family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

\377\ See e.g., NIST SP 800-115, Technical Guide to Information

Security Testing and Assessment, at 6-10-6-12, September 2008,

available at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf; NIST SP 800-53A Rev. 4, at 10, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf;

FFIEC, Information Security IT Examination Handbook, at 5, available

at http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf; NIST SP 800-53 Rev. 4,

Program Management control family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf;

FINRA, Report on Cybersecurity Practices, February 2015, at 8,

available at https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf; FFIEC,

Audit IT Examination Handbook, Objective 6, at 5, available at

http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_Audit.pdf;

ISACA, COBIT 5, APO12, available at https://cobitonline.isaca.org/.

\378\ See supra note 246.

---------------------------------------------------------------------------

c. Benefits

The Commission believes that internal reporting and review are an

essential component of a comprehensive and effective system safeguard

program. While senior management and the DCM's, SEF's, or SDR's board

of directors will have to devote resources to reviewing testing and

assessment reports, active supervision by senior management and the

board of directors promotes responsibility and accountability by

affording them greater opportunity to evaluate the effectiveness of the

testing and assessment protocols. Moreover, the attention by the board

of directors and senior management should help to promote a focus on

such reviews and issues, and enhance communication and coordination

regarding such reviews and issues among the business, technology,

legal, and compliance personnel of the DCM, SEF, and SDR. Active

supervision by senior management and the board of directors also

promotes a more efficient, effective, and reliable DCM and SDR risk

management and operating structure. Consequently, DCMs, SEFs, and SDRs

should be better positioned to strengthen the integrity, resiliency,

and availability of its automated systems.

d. Request for Comments

The Commission requests comment on any potential costs of proposed

Sec. Sec. 38.1051(l), 37.1401(l), and 49.24(m) on DCMs, SEFs, and

SDRs, including, where possible, quantitative data.

16. Remediation: Sections 38.1051(m), 37.1401(m), and 49.24(n)

a. Summary of Proposed Rules

As discussed above in Section I.G.3., proposed Sec. Sec.

38.1051(m), 37.1401(m), and 49.24(n) would require a DCM, SEF, or an

SDR to analyze the results of the testing and assessment required by

this section to identify all vulnerabilities and deficiencies in the

entity's systems. The DCM, SEF, or SDR would also be required to

remediate the vulnerabilities and deficiencies revealed by all testing

and assessment, to the full extent necessary to enable the entity to

fulfill the system safeguards requirements of this chapter, and to meet

all statutory and regulatory obligations in connection with its

regulated activities. The remediation must be timely in light of

appropriate risk analysis with respect to the risks presented by such

vulnerabilities and deficiencies.

b. Costs

As discussed in the preamble, the Commission proposes to clarify

the testing requirements by specifying and defining certain aspects of

DCM, SEF, and SDR risk analysis and oversight programs that are

necessary to fulfillment of the testing requirements and achievement of

their purposes. This clarification includes remediation. Remediation of

vulnerabilities and deficiencies revealed by cybersecurity testing is a

best practice and a fundamental purpose of such testing.\379\ The

Commission believes, as the generally accepted standards and best

practices noted in this NPRM make clear, that it would be essentially

impossible for a DCM, SEF, or SDR to

[[Page 80177]]

fulfill its existing obligation to conduct testing sufficient to ensure

the reliability, security, and capacity of its automated systems

without performing remediation.\380\ This has been true since before

the testing requirements of the Act and the current regulations were

adopted.\381\ If compliance with the existing testing requirements as

clarified by the proposed rules results in costs to a DCM, SEF, or SDR

beyond those it already incurs, the Commission believes that such

additional costs would be attributable to compliance with the existing

regulations and not to the proposed rules. Accordingly, the Commission

believes that this clarification will not impose any new costs for

DCMs, SEFs, and SDRs.

---------------------------------------------------------------------------

\379\ FINRA, Report on Cybersecurity Practices, February 2015,

at 7, available at https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf; FFIEC,

Information Security IT Examination Handbook, at 5, available at

http://ithandbook.ffiec.gov/ITBooklets/FFIEC_ITBooklet_InformationSecurity.pdf.; and NIST SP 800-53, Rev.

4, Program Management Control Family, available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

\380\ See supra note 377.

\381\ See supra note 246.

---------------------------------------------------------------------------

c. Benefits

The Commission believes that effective remediation is a critical

component of a comprehensive and effective system safeguard program. As

discussed above, the Commission believes that the remediation of

vulnerabilities and deficiencies revealed by cybersecurity testing is

an industry best practice. Moreover, remediation may reduce the

frequency and severity of systems disruptions and breaches for the

DCMs, SEFs, and SDRs. In addition, remediation helps to ensure that the

entities dedicate appropriate resources to timely address system

safeguard-related deficiencies and would place an emphasis on

mitigating harm to market participants while promoting market

integrity. Without a timely remediation requirement, the impact of

vulnerabilities or deficiencies identified by the testing or assessment

could persist and have a detrimental effect on the futures and swaps

markets generally as well as market participants.

d. Request for Comments

As set out in more detail below in the Request for Comments

section, the Commission seeks additional information regarding the

costs and benefits of the remediation requirement. The Commission

particularly solicits comments concerning the need for remediation and

the associated costs and benefits, from DCMs, SEFs, and SDRs, from

futures and swap market participants, from best practices and standards

organizations, from cybersecurity service providers and cybersecurity

experts in both the private and public sectors, and from other

financial regulators.

17. Required Production of Annual Trading Volume: Section 38.1051(n)

a. Summary of Proposed Rule

Proposed Sec. 38.1051(n) would require all DCMs to provide to the

Commission for calendar year 2015, and each calendar year thereafter,

its annual total trading volume. This information would be required

within 30 calendar days of the effective date of the final version of

this rule, and for 2016 and subsequent years by January 31 of the

following calendar year.

b. Costs

As discussed above in the PRA section, the Commission believes that

all DCMs generally calculate their annual trading volume in the usual

course of business and many of the DCMs already publish this

information on their Web site. Therefore, the Commission believes that

any costs incurred by the DCMs as a result of proposed Sec. 38.1051(n)

would be minimal. The Commission estimates that each DCM would spend

approximately half an hour to prepare and file the trading volume

information with Commission at a cost of approximately $22.00

annually.\382\

---------------------------------------------------------------------------

\382\ In arriving at a wage rate for the hourly costs imposed,

Commission staff used the National Industry-Specific Occupational

Employment and Wage Estimates, published in May (2014 Report). The

hourly rate for a Compliance Officer in the Securities and Commodity

Exchanges as published in the 2014 Report was $44.03 per hour.

---------------------------------------------------------------------------

c. Benefits

As a result of the Commission's proposal to apply the enhanced

system safeguard requirements to DCMs whose annual trading volume in a

calendar year is five percent or more of the combined annual trading

volume of all DCMs regulated by Commission (i.e., covered DCMs), the

Commission believes that it is necessary to require all DCMs to provide

the Commission with annual trading volume information. Otherwise, the

Commission would be unable to accurately evaluate whether a particular

DCM would be subject to the proposal. As stated in the proposed rule,

the Commission will provide each DCM with its percentage of the

combined annual trading volume of all DCMs regulated by the Commission

for the preceding calendar year. Therefore, all DCMs will receive

certainty from the Commission regarding whether they must comply with

the enhanced system safeguard requirements. This requirement will

support more accurate application of the proposed rules.

18. Section 15(a) Factors

a. Protection of Market Participants and the Public

The Commission believes that the proposed rules should benefit the

futures and swaps markets by promoting more robust automated systems

and therefore fewer disruptions and market-wide closures, systems

compliance issues, and systems intrusions. Because automated systems

play a central and critical role in today's electronic financial market

environment, oversight of DCMs, SEFs, and SDRs with respect to

automated systems is an essential part of effective oversight of both

futures and swaps markets. In addition, providing the Commission with

reports concerning system safeguards testing and assessments required

by the proposed rules will facilitate the Commission's oversight of

futures and swaps markets, augment the Commission's efforts to monitor

systemic risk, and will further the protection of market participants

and the public by helping to ensure that automated systems are

available, reliable, secure, have adequate scalable capacity, and are

effectively overseen. As a result, the Commission also expects fewer

interruptions to the systems that directly support the respective

entities, including matching engines, regulatory and surveillance

systems, and the dissemination of market data, which should help ensure

compliance with the relevant statutory and regulatory obligations.

Moreover, market participants will benefit from systems that are secure

and able to protect their anonymity with respect to positions in the

marketplace and other aspects of their personally-identifiable

information.

b. Efficiency, Competitiveness, and Financial Integrity of the Markets

A DCM or SEF that has system safeguard policies and procedures in

place, including the timely remediation of vulnerabilities and

deficiencies in light of appropriate risk analysis, will promote

overall market confidence and could lead to greater market efficiency,

competitiveness, and perceptions of financial integrity. Safeguarding

the reliability, security, and capacity of DCM, SEF, and SDR computer

systems are essential to mitigation of system risk for the nation's

financial sector as a whole. A comprehensive testing program capable of

identifying operational risks will enhance the efficiency, and

financial integrity of the markets by increasing the likelihood that

trading remains uninterrupted and transactional data and positions are

not

[[Page 80178]]

lost.\383\ A DCM or SEF with such a program also promotes confidence in

the markets, and encourages liquidity and stability. Moreover, the

ability of a DCM or SEF to recover and resume trading promptly in the

event of a disruption of their operations, or an SDR to recover and

resume its swap data recordkeeping and reporting function, is highly

important to the U.S. economy and ensuring the resiliency of the

automated systems is a critical part of the Commission's mission.

Additionally, and because SDRs hold data needed by financial regulators

from multiple jurisdictions, safeguarding such systems will be

essential to mitigation of systemic risk world-wide. Notice to the

Commission concerning the results of system safeguard tests performed

by the DCMs, SEFs, and SDRs will assist the Commission's oversight and

its ability to assess systemic risk levels. It would present

unacceptable risks to the U.S. financial system if futures and swaps

markets that comprise critical components of the world financial

system, and SDRs that hold data concerning swaps, were to become

unavailable for an extended period of time for any reason, and adequate

system safeguards are essential to the mitigation of such risks.

---------------------------------------------------------------------------

\383\ During the CFTC Roundtable, one of the participants noted

that ``if data is disclosed about activity in the markets, that is a

survivable event from a resiliency perspective, but if we don't know

who owns what and what their positions are, then there are no

markets.'' CFTC Roundtable, at 71.

---------------------------------------------------------------------------

c. Price Discovery

Any interruption in trading on a DCM or SEF can distort the price

discovery process. Similarly, any interruption in the operations of an

SDR will hamper the Commission's ability to examine potential price

discrepancies and other trading inconsistencies in the swaps market.

Therefore, reliable functioning computer systems and networks are

essential in protecting the price discovery process. The Commission

believes that the proposed rules will reduce the incidence and severity

of automated system security breaches and functional failures. In

addition, the Commission views the proposed rules as likely to

facilitate the price discovery process by mitigating the risk of

operational market interruptions from disjoining forces of supply and

demand. The presence of thorough system safeguards testing signals to

the market that a DCM or SEF is a financially sound place to trade,

thus attracting greater liquidity which leads to more accurate price

discovery.

d. Sound Risk Management Practices

The proposed rules will benefit the risk management practices of

both the regulated entities and the participants who use the facilities

of those entities. Participants who use DCMs or SEFs to manage

commercial price risks should benefit from markets that behave in an

orderly and controlled fashion. If prices move in an uncontrolled

fashion due to a cybersecurity incident, those who manage risk may be

forced to exit the market as a result of unwarranted margin calls or

deterioration of their capital. In addition, those who want to enter

the market to manage risk may only be able to do so at prices that do

not reflect the actual supply and demand fundamentals due to the

effects of a cybersecurity incident. Relatedly, participants may have

greater confidence in their ability to unwind positions because market

disruptions would be less common. With respect to SDRs, the Commission

believes that the ability of participants in the swaps market to report

swap transactions to an SDR without interruption will serve to improve

regulators' ability to monitor risk management practices through better

knowledge of open positions and SDR services related to various trade,

collateral, and risk management practices. The Commission notes

regulator access (both domestic and foreign) to the data held by an SDR

is essential for regulators to be able to monitor the swap market and

certain participants relating to systemic risk.

e. Other Public Interest Considerations

The American economy and the American public depend upon the

availability of reliable and secure markets for price discovery,

hedging, and speculation. Ensuring the adequate safeguarding and the

reliability, security, and capacity of the systems supporting these

market functions is a core focus in the Commission's role in monitoring

and assessing the level of systemic risk, and is central to its

fulfillment of oversight responsibilities. As one CFTC Roundtable

panelist explained, ``if the futures system doesn't work many other

things don't work, and it's a wholly interconnected system. And the

more we can make all the parts more secure the more resilient it's

going to be overall.'' \384\

---------------------------------------------------------------------------

\384\ CFTC Roundtable, at 28.

---------------------------------------------------------------------------

III. Requests for Comment

A. Comments Regarding Notice of Proposed Rulemaking

The Commission requests comments from the public on all aspects of

this NPRM. This specifically includes comments on all aspects of the

Commission's preliminary consideration of costs and benefits associated

with the Proposal, and all aspects of the Commission's preliminary

consideration of the five factors that the Commission is required to

consider under section 15(a) of the CEA. The Commission particularly

solicits comments concerning all aspects of the Proposal and its

associated costs and benefits from DCMs, SEFs, and SDRs, from futures

and swap market participants, from best practices and standards

organizations, from cybersecurity providers and cybersecurity experts

in both the private and public sectors, and from other financial

regulators.

The questions below relate to areas that the Commission believes

may be relevant. In addressing these questions or any other aspects of

the Proposal and Commission's assessments, commenters are encouraged to

submit any data or other information that they may have quantifying or

qualifying the costs and benefits of the Proposal. Comments may be

submitted directly to the Office of Information and Regulatory Affairs,

by fax at (202) 395-6566 or by email at [email protected].

Please provide the Commission with a copy of submitted comments so that

all comments can be summarized and addressed in the final rule

preamble. Refer to the ADDRESSES section of this NPRM for comment

submission instructions to the Commission. A copy of the supporting

statements for the collections of information discussed above may be

obtained by visiting http://RegInfo.gov. OMB is required to make a

decision concerning the collection of information between 30 and 60

days after publication of this document in the Federal Register.

Therefore, a comment is best assured of having its full effect if OMB

receives it within 30 days of publication.

1. Do commenters agree with the Commission's analysis of the costs

and benefits of each provision in the Proposal? Please explain why or

why not.

2. Do commenters believe that there are additional benefits or

costs that could be quantified or otherwise estimated? If so, please

identify those categories and, if possible, provide specific estimates

or data.

3. Do commenters agree that the definitions of the categories of

risk analysis and oversight to be addressed by DCM, SEF, and SDR

programs of system safeguards-related risk analysis and oversight

included in the Proposal are appropriate, sufficiently clear, and

[[Page 80179]]

reflective of generally accepted best practices and standards? Please

identify any suggested clarifications or changes respecting these

definitions.

4. Do commenters agree that following generally accepted standards

and best practices, ensuring tester independence, and coordinating BC-

DR plans appropriately are essential to adequate system safeguards and

cyber resiliency for DCMs, SEFs, and SDRs, and that the current rule

provisions and guidance providing that DCMs, SEFs, and SDRs should

comply in these regards should be changed to require mandatory

compliance? Please identify, and quantify insofar as possible, any new

costs that DCMs, SEFs, or SDRs would incur due to making such

compliance mandatory.

5. Do commenters agree that the definitions of terms included in

the proposed Sec. Sec. 38.1051(h)(1), 37.1401(h)(1), and 49.24(j)(1)

are appropriate, sufficiently clear, and reflective of generally

accepted best practices and standards? Please identify any suggested

clarifications or changes respecting these definitions.

6. Do commenters agree that the types of system safeguards testing

specified in the Proposal, including vulnerability testing, external

and internal penetration testing, controls testing, security incident

response plan testing, and enterprise technology risk assessment, are

appropriate and necessary in today's cybersecurity environment? Please

explain why or why not. Also, do commenters agree that each testing

type is appropriately and adequately addressed by the Proposal? Please

explain why or why not, and identify any suggested clarifications or

changes in this connection.

7. Are the types of cybersecurity and system safeguards testing

included in the Proposal sufficient in the aggregate to provide the

cybersecurity and system safeguards protections needed by DCMs, SEFs,

and SDRs to enable them to fulfill their statutory and regulatory

requirements in the current cybersecurity environment? Please explain

why or why not. Also, should the Commission consider requiring other

types of cybersecurity and system safeguards testing not included in

the Proposal? If so, please identify the other types of testing that

should be required, and if possible provide information concerning the

costs and benefits that would be involved.

8. The existing system safeguards rules for DCMs, SEFs, and SDRs

require testing sufficient to ensure automated system reliability,

security, and capacity. The Proposal clarifies these testing

requirements by specifying and defining five types of system safeguards

testing essential to fulfilling these existing requirements. Do

commenters agree that this clarification will not impose new costs on

DCMs, SEFs, and SDRs? Commenters who disagree are asked to specify

which types of testing called for in the Proposal DCMs, SEFs, or SDRs

do not currently conduct, and what new costs such entities would incur

as the result of the clarification of required testing types.

9. Do commenters agree that the minimum testing frequency

requirements included in the Proposal for each of the types of system

safeguards testing are appropriate in today's cybersecurity

environment? Please explain why or why not. In your response, please be

specific with respect to the types of testing that you suggest should

be conducted either more or less frequently than specified in the

Proposal, and indicate the potential costs and benefits associated with

each such modification.

10. Do commenters agree with the requirements included in the

Proposal for certain testing to be conducted by independent

contractors? Please explain why or why not. If not, please address what

testing you believe should be conducted by independent contractors, and

the frequency of independent contractor testing that should be

required. Please also indicate the potential costs and benefits

associated with each such modification.

11. What are the benefits of requiring certain tests to be

conducted by independent contractors? In your response, please be

specific with respect to which tests should be conducted by independent

contractors and, if possible, provide specific estimates or data for

the costs of each test.

12. For covered DCMs and SDRs, please identify and explain how any

of the proposed testing requirements respecting minimum testing

frequency and use of independent contractors differ from the current

practice at the entity (e.g., the entity does not currently use

independent contractors for vulnerability testing, whereas the proposed

rule would require the entity to engage independent contractors to

conduct two of the required quarterly tests each year). In cases where

the Proposal differs from current practice, please provide specific

estimates of any additional costs that the entity would incur to comply

with the proposal.

13. Do commenters agree that the testing scope requirements

provided in the Proposal are appropriate, sufficiently clear,

reflective of generally accepted best practices and standards, and

sufficient to enable DCMs, SEFs, and SDRs to fulfill their statutory

and regulatory responsibilities? Please identify any suggested

clarifications or changes respecting these provisions.

14. Do commenters agree that the internal reporting and review

requirements provided in the Proposal are appropriate, sufficiently

clear, reflective of generally accepted best practices and standards,

and sufficient to enable DCMs, SEFs, and SDRs to fulfill their

statutory and regulatory responsibilities? Please identify any

suggested clarifications or changes respecting these provisions.

15. Do commenters agree that the remediation requirements provided

in the Proposal are appropriate, sufficiently clear, reflective of

generally accepted best practices and standards, and sufficient to

enable DCMs, SEFs, and SDRs to fulfill their statutory and regulatory

responsibilities? Please identify any suggested clarifications or

changes respecting these provisions.

16. Do commenters believe that there are any costs or benefits from

the Proposal that could be quantified or monetized that are unique to a

DCM, SEF, or an SDR? If so, please identify those costs or benefits,

and if possible provide specific estimates or data.

17. Are there methods by which the Commission could reduce the

costs imposed by the Proposal, while still maintaining the system

safeguards for DCMs, SEFs, and SDRs that are required by law and are

appropriate to today's cybersecurity threat environment? If so, please

explain.

18. Are there any unintended consequences that would result from

the Proposal? If so, please describe them, and explain how the

unintended consequences would impact any of the costs or benefits

associated with the Proposal, or would impact DCM, SEF, or SDR

operations.

19. Does the Proposal appropriately describe the potential impacts

on the protection of market participants and the public, efficiency and

competition, financial integrity of the futures markets and price

discovery, sound risk management practices, and other public interest

considerations? If not, please provide specific examples.

20. Do commenters believe that there are reasonable alternatives to

any aspect of the Proposal? In the response, please specifically

describe such alternatives and identify their potential costs and

benefits relative to the proposal. Please also describe the potential

impacts of the alternatives on protection of market participants and

the public, efficiency and competition, financial integrity of the

futures markets and price discovery,

[[Page 80180]]

sound risk management practices, and other public interest

considerations.

B. Comments Regarding Advance Notice of Proposed Rulemaking Concerning

Covered SEFs

The Commission requests comments from the public on all aspects of

the ANPRM included herein concerning possible future minimum testing

frequency requirements and independent contractor testing requirements

for covered SEFs. The Commission particularly solicits comments

concerning all aspects of the ANPRM from DCMs, SEFs, and SDRs, from

futures and swap market participants, from best practices and standards

organizations, from cybersecurity providers and cybersecurity experts

in both the private and public sectors, and from other financial

regulators.

The questions below relate to areas that the Commission believes

may be relevant. In addressing these questions or any other aspects of

the ANPRM concerning possible future minimum testing frequency

requirements and independent contractor testing requirements for

covered SEFs, commenters are encouraged to submit any data or other

information that they may have quantifying or qualifying costs and

benefits that could be related to the ANPRM. Comments may be submitted

directly to the Office of Information and Regulatory Affairs, by fax at

(202) 395-6566 or by email at [email protected]. Please

provide the Commission with a copy of submitted comments so that all

comments can be summarized and addressed in the final rule preamble.

Refer to the ADDRESSES section of this NPRM for comment submission

instructions to the Commission.

The Commission is considering whether the minimum testing frequency

and independent contractor testing requirements which this NPRM would

apply to covered DCMs and SDRs should be applied, via a future NPRM, to

the most systemically important SEFs, which such a future NPRM would

define as ``covered SEFs.'' The Commission requests comments on all

aspects of this question, including possible related costs and

benefits. In addition, commenters are asked to address the particular

aspects of this subject included in the questions below.

1. Should the minimum testing frequency and independent contractor

testing requirements be applied, via a future NPRM, to the most

systemically important SEFs, or to all SEFs, or should such

requirements not be applied to SEFs at this time?

2. Given the nature of the swap market, would it be more

appropriate to define ``covered SEF'' in terms of the annual total

notional value of all swaps traded on or pursuant to the rules of a

SEF, as compared with the annual total notional value of all swaps

traded on or pursuant to the rules of all SEFs regulated by the

Commission? Or would it be more appropriate to define ``covered SEF''

in terms of the annual total number of swaps traded on or pursuant to

the rules of a SEF, as compared with the annual total number of swaps

traded on all SEFs regulated by the Commission?

3. If defining ``covered SEF'' in terms of notional value is more

appropriate, how should ``notional value'' be defined?

4. If defining ``covered SEF'' in terms of notional value is more

appropriate, what percentage share of the annual total notional value

of all swaps traded on all SEFs regulated by the Commission should be

used to define ``covered SEF''?

5. If defining ``covered SEF'' in terms of the annual total number

of swaps traded is more appropriate, what percentage share of the

annual total number of all swaps traded on all SEFs regulated by the

Commission should be used to define ``covered SEF''?

6. Would it be more appropriate for the definition to address the

notional value or the number of swaps in each asset class separately,

or to address the notional value or the number of all swaps combined

regardless of asset class?

7. Do commenters agree that overall risk mitigation for the U.S.

swap market as a whole would be enhanced if the minimum testing

frequency and independent contractor testing requirements were applied

to the most systemically important SEFs? Or do commenters believe that

the testing requirements for all SEFs proposed in the current NPRM are

sufficient for appropriate overall risk mitigation? Or do commenters

believe the minimum testing frequency and independent contractor

testing requirements should be applied to all SEFs in order to

appropriately address the risk to the U.S. swap market?

8. The Commission is considering defining ``covered SEF'' as a SEF

for which the annual total notional value of all swaps traded on or

pursuant to the rules of the SEF is ten percent (10%) or more of the

annual total notional value of all swaps traded on or pursuant to the

rules of all SEFs regulated by the Commission. Via a future NPRM, such

SEFs would be subject to the minimum testing frequency and independent

contractor testing requirements proposed in this current NPRM for

covered DCMs and SDRs. Do commenters agree that this percentage share

provides the most appropriate means of determining which SEFs would be

``covered SEFs'' subject to these requirements? Would a different

percentage share be more appropriate, and if so, what other percentage

share should be used? Should the Commission consider a different

methodology for defining covered SEFs? If so, please explain.

9. How should the benefits and costs of applying the minimum

testing frequency and independent contractor testing requirements to

covered SEFs be quantified or estimated? If possible, provide specific

estimates or data.

10. For each of the five types of cybersecurity testing addressed

in this NPRM, what costs would a covered SEF incur to comply with the

minimum testing frequency and independent contractor testing

requirements?

11. To what extent are SEFs currently meeting the minimum testing

frequency and independent contractor testing requirements proposed in

this NPRM? To the extent possible, please provide specific estimates or

data.

12. How could a SEF most appropriately report to the Commission its

annual total notional value of all swaps traded or its annual total

number of swaps traded, in order to enable the Commission to notify it

of whether it is a covered SEF?

13. Are there additional alternatives or factors which commenters

believe the Commission should consider in determining what, if

anything, to propose in connection with the definition of covered SEFs

and minimum testing frequency and independent contractor testing

requirements for covered SEFs?

List of Subjects

17 CFR Part 37

Commodity futures, Reporting and recordkeeping requirements, System

safeguards testing requirements.

17 CFR Part 38

Commodity futures, Reporting and recordkeeping requirements, System

safeguards testing requirements.

17 CFR Part 49

Administrative practice and procedure, Reporting and recordkeeping

requirements, System safeguards testing requirements.

For the reasons set forth in the preamble, the Commodity Futures

Trading Commission proposes to amend 17 CFR chapter I as follows:

[[Page 80181]]

PART 37--SWAP EXECUTION FACILITIES

0

1. The authority citation for part 37 continues to read as follows:

Authority: 7 U.S.C. 1a, 2, 5, 6, 6c, 7, 7a-2, 7b-3, and 12a, as

amended by Titles VII and VIII of the Dodd Frank Wall Street Reform

and Consumer Protection Act, Pub. L. 111-203, 124 Stat. 1376.

0

2. Amend Sec. 37.1401 as follows:

0

a. Revise paragraphs (a) and (b);

0

b. Remove paragraph (f);

0

c. Redesignate paragraphs (c) through (e) as paragraphs (d) through

(f);

0

d. Add new paragraph (c);

0

e. Revise paragraph (g);

0

f. Redesignate paragraph (h) as paragraph (j); and

0

g. Add new paragraphs (h), (i), (k), (l), and (m).

The revisions and additions read as follows:

Sec. 37.1401 Requirements.

(a) A swap execution facility's program of risk analysis and

oversight with respect to its operations and automated systems must

address each of the following categories of risk analysis and

oversight:

(1) Enterprise risk management and governance. This category

includes, but is not limited to: Assessment, mitigation, and monitoring

of security and technology risk; security and technology capital

planning and investment; board of directors and management oversight of

technology and security; information technology audit and controls

assessments; remediation of deficiencies; and any other elements of

enterprise risk management and governance included in generally

accepted best practices.

(2) Information security. This category includes, but is not

limited to, controls relating to: Access to systems and data (e.g.,

least privilege, separation of duties, account monitoring and control);

user and device identification and authentication; security awareness

training; audit log maintenance, monitoring, and analysis; media

protection; personnel security and screening; automated system and

communications protection (e.g., network port control, boundary

defenses, encryption); system and information integrity (e.g., malware

defenses, software integrity monitoring); vulnerability management;

penetration testing; security incident response and management; and any

other elements of information security included in generally accepted

best practices.

(3) Business continuity-disaster recovery planning and resources.

This category includes, but is not limited to: Regular, periodic

testing and review of business continuity-disaster recovery

capabilities, the controls and capabilities described in paragraphs

(c), (d), (j), and (k) of this section; and any other elements of

business continuity-disaster recovery planning and resources included

in generally accepted best practices.

(4) Capacity and performance planning. This category includes, but

is not limited to: Controls for monitoring the swap execution

facility's systems to ensure adequate scalable capacity (e.g., testing,

monitoring, and analysis of current and projected future capacity and

performance, and of possible capacity degradation due to planned

automated system changes); and any other elements of capacity and

performance planning included in generally accepted best practices.

(5) Systems operations. This category includes, but is not limited

to: System maintenance; configuration management (e.g., baseline

configuration, configuration change and patch management, least

functionality, inventory of authorized and unauthorized devices and

software); event and problem response and management; and any other

elements of system operations included in generally accepted best

practices.

(6) Systems development and quality assurance. This category

includes, but is not limited to: Requirements development; pre-

production and regression testing; change management procedures and

approvals; outsourcing and vendor management; training in secure coding

practices; and any other elements of systems development and quality

assurance included in generally accepted best practices.

(7) Physical security and environmental controls. This category

includes, but is not limited to: Physical access and monitoring; power,

telecommunication, and environmental controls; fire protection; and any

other elements of physical security and environmental controls included

in generally accepted best practices.

(b) In addressing the categories of risk analysis and oversight

required under paragraph (a) of this section, a swap execution facility

shall follow generally accepted standards and best practices with

respect to the development, operation, reliability, security, and

capacity of automated systems.

(c) A swap execution facility must maintain a business continuity-

disaster recovery plan and business continuity-disaster recovery

resources, emergency procedures, and backup facilities sufficient to

enable timely recovery and resumption of its operations and resumption

of its ongoing fulfillment of its responsibilities and obligations as a

swap execution facility following any disruption of its operations.

Such responsibilities and obligations include, without limitation:

Order processing and trade matching; transmission of matched orders to

a designated clearing organization for clearing, where appropriate;

price reporting; market surveillance; and maintenance of a

comprehensive audit trail. The swap execution facility's business

continuity-disaster recovery plan and resources generally should enable

resumption of trading and clearing of swaps executed on or pursuant to

the rules of the swap execution facility during the next business day

following the disruption. Swap execution facilities determined by the

Commission to be critical financial markets are subject to more

stringent requirements in this regard, set forth in Sec. 40.9 of this

chapter. A swap execution facility must update its business continuity-

disaster recovery plan and emergency procedures at a frequency

determined by an appropriate risk analysis, but at a minimum no less

frequently than annually.

* * * * *

(g) As part of a swap execution facility's obligation to produce

books and records in accordance with Sec. 1.31 of this chapter, Core

Principle 10 (Recordkeeping and Reporting), and Sec. Sec. 37.1000 and

37.1001, a swap execution facility must provide to the Commission the

following system safeguards-related books and records, promptly upon

the request of any Commission representative:

(1) Current copies of its business continuity-disaster recovery

plans and other emergency procedures;

(2) All assessments of its operational risks or system safeguards-

related controls;

(3) All reports concerning system safeguards testing and assessment

required by this chapter, whether performed by independent contractors

or by employees of the swap execution facility; and

(4) All other books and records requested by Commission staff in

connection with Commission oversight of system safeguards pursuant to

the Act or to part 37 of the Commission's regulations, or in connection

with Commission maintenance of a current profile of the swap execution

facility's automated systems.

(5) Nothing in paragraph (g) of this section shall be interpreted

as reducing or limiting in any way a swap execution facility's

obligation to comply with Core Principle 10 (Recordkeeping and

[[Page 80182]]

Reporting) or with Sec. 1.31 of this chapter, or Sec. Sec. 37.1000 or

37.1001 of the Commission's regulations.

(h) A swap execution facility must conduct regular, periodic,

objective testing and review of its automated systems to ensure that

they are reliable, secure, and have adequate scalable capacity. It must

also conduct regular, periodic testing and review of its business

continuity-disaster recovery capabilities. Such testing and review

shall include, without limitation, all of the types of testing set

forth in paragraph (h) of this section.

(1) Definitions. As used in paragraph (h) of this section:

Controls means the safeguards or countermeasures employed by the

swap execution facility in order to protect the reliability, security,

or capacity of its automated systems or the confidentiality, integrity,

and availability of its data and information, and in order to enable

the swap execution facility to fulfill its statutory and regulatory

responsibilities.

Controls testing means assessment of the swap execution facility's

controls to determine whether such controls are implemented correctly,

are operating as intended, and are enabling the swap execution facility

to meet the system safeguards requirements established by this chapter.

Enterprise technology risk assessment means a written assessment

that includes, but is not limited to, an analysis of threats and

vulnerabilities in the context of mitigating controls. An enterprise

technology risk assessment identifies, estimates, and prioritizes risks

to swap execution facility operations or assets, or to market

participants, individuals, or other entities, resulting from impairment

of the confidentiality, integrity, and availability of data and

information or the reliability, security, or capacity of automated

systems.

External penetration testing means attempts to penetrate the swap

execution facility's automated systems from outside the systems'

boundaries to identify and exploit vulnerabilities. Methods of

conducting external penetration testing include, but are not limited

to, methods for circumventing the security features of an automated

system.

Internal penetration testing means attempts to penetrate the swap

execution facility's automated systems from inside the systems'

boundaries, to identify and exploit vulnerabilities. Methods of

conducting internal penetration testing include, but are not limited

to, methods for circumventing the security features of an automated

system.

Key controls means those controls that an appropriate risk analysis

determines are either critically important for effective system

safeguards or intended to address risks that evolve or change more

frequently and therefore require more frequent review to ensure their

continuing effectiveness in addressing such risks.

Security incident means a cyber security or physical security event

that actually or potentially jeopardizes automated system operation,

reliability, security, or capacity, or the availability,

confidentiality or integrity of data.

Security incident response plan means a written plan documenting

the swap execution facility's policies, controls, procedures, and

resources for identifying, responding to, mitigating, and recovering

from security incidents, and the roles and responsibilities of its

management, staff and independent contractors in responding to security

incidents. A security incident response plan may be a separate document

or a business continuity-disaster recovery plan section or appendix

dedicated to security incident response.

Security incident response plan testing means testing of a swap

execution facility's security incident response plan to determine the

plan's effectiveness, identify its potential weaknesses or

deficiencies, enable regular plan updating and improvement, and

maintain organizational preparedness and resiliency with respect to

security incidents. Methods of conducting security incident response

plan testing may include, but are not limited to, checklist completion,

walk-through or table-top exercises, simulations, and comprehensive

exercises.

Vulnerability testing means testing of a swap execution facility's

automated systems to determine what information may be discoverable

through a reconnaissance analysis of those systems and what

vulnerabilities may be present on those systems.

(2) Vulnerability testing. A swap execution facility shall conduct

vulnerability testing of a scope sufficient to satisfy the requirements

set forth in paragraph (k) of this section, at a frequency determined

by an appropriate risk analysis.

(i) Such vulnerability testing shall include automated

vulnerability scanning. Where indicated by appropriate risk analysis,

such scanning must be conducted on an authenticated basis, e.g., using

log-in credentials. Where scanning is conducted on an unauthenticated

basis, the designated contract market must implement effective

compensating controls.

(ii) Vulnerability testing for a swap execution facility shall be

conducted by qualified, independent professionals. Such qualified

independent professionals may be independent contractors or employees

of the swap execution facility, but shall not be persons responsible

for development or operation of the systems or capabilities being

tested.

(3) Penetration testing--(i) External penetration testing. A swap

execution facility shall conduct external penetration testing of a

scope sufficient to satisfy the requirements set forth in paragraph (k)

of this section, at a frequency determined by an appropriate risk

analysis.

(A) External penetration testing for a swap execution facility

shall be conducted by qualified, independent professionals. Such

qualified independent professionals may be independent contractors or

employees of the swap execution facility, but shall not be persons

responsible for development or operation of the systems or capabilities

being tested.

(B) [Reserved]

(ii) Internal penetration testing. A swap execution facility shall

conduct internal penetration testing of a scope sufficient to satisfy

the requirements set forth in paragraph (k) of this section, at a

frequency determined by an appropriate risk analysis.

(A) A swap execution facility may conduct internal penetration

testing by engaging independent contractors, or by using employees of

the swap execution facility who are not responsible for development or

operation of the systems or capabilities being tested.

(B) [Reserved]

(4) Controls testing. A swap execution facility shall conduct

controls testing of a scope sufficient to satisfy the requirements set

forth in paragraph (k) of this section, at a frequency determined by an

appropriate risk analysis. Such controls testing must include testing

of each control included in the swap execution facility's program of

risk analysis and oversight.

(i) Controls testing for a swap execution facility shall be

conducted by qualified, independent professionals. Such qualified

independent professionals may be independent contractors or employees

of the swap execution facility, but shall not be persons responsible

for development or operation of the systems or capabilities being

tested.

(ii) [Reserved]

(5) Security incident response plan testing. A swap execution

facility shall

[[Page 80183]]

conduct security incident response plan testing sufficient to satisfy

the requirements set forth in paragraph (k) of this section, at a

frequency determined by an appropriate risk analysis.

(i) A swap execution facility's security incident response plan

shall include, without limitation, the swap execution facility's

definition and classification of security incidents, its policies and

procedures for reporting security incidents and for internal and

external communication and information sharing regarding security

incidents, and the hand-off and escalation points in its security

incident response process.

(ii) A swap execution facility may coordinate its security incident

response plan testing with other testing required by this section or

with testing of its other business continuity-disaster recovery and

crisis management plans.

(iii) A swap execution facility may conduct security incident

response plan testing by engaging independent contractors or by using

employees of the swap execution facility who are not responsible for

development or operation of the systems or capabilities being tested.

(6) Enterprise technology risk assessment. A swap execution

facility shall conduct enterprise technology risk assessment of a scope

sufficient to satisfy the requirements set forth in paragraph (k) of

this section, at a frequency determined by an appropriate risk

analysis.

(i) A swap execution facility may conduct enterprise technology

risk assessments by using independent contractors or employees of the

swap execution facility who are not responsible for development or

operation of the systems or capabilities being assessed.

(ii) [Reserved]

(i) To the extent practicable, a swap execution facility shall:

(1) Coordinate its business continuity-disaster recovery plan with

those of the market participants it depends upon to provide liquidity,

in a manner adequate to enable effective resumption of activity in its

markets following a disruption causing activation of the swap execution

facility's business continuity-disaster recovery plan;

(2) Initiate and coordinate periodic, synchronized testing of its

business continuity-disaster recovery plan with those of the market

participants it depends upon to provide liquidity; and

(3) Ensure that its business continuity-disaster recovery plan

takes into account the business continuity-disaster recovery plans of

its telecommunications, power, water, and other essential service

providers.

* * * * *

(k) Scope of testing and assessment. The scope for all system

safeguards testing and assessment required by this part must be broad

enough to include all testing of automated systems and controls

necessary to identify any vulnerability which, if triggered, could

enable an intruder or unauthorized user or insider to:

(1) Interfere with the swap execution facility's operations or with

fulfillment of its statutory and regulatory responsibilities;

(2) Impair or degrade the reliability, security, or adequate

scalable capacity of the swap execution facility's automated systems;

(3) Add to, delete, modify, exfiltrate, or compromise the integrity

of any data related to the swap execution facility's regulated

activities; or

(4) Undertake any other unauthorized action affecting the swap

execution facility's regulated activities or the hardware or software

used in connection with those activities.

(l) Internal reporting and review. Both the senior management and

the Board of Directors of the swap execution facility shall receive and

review reports setting forth the results of all testing and assessment

required by this section. The swap execution facility shall establish

and follow appropriate procedures for the remediation of issues

identified through such review, as provided in paragraph (m) of this

section, and for evaluation of the effectiveness of testing and

assessment protocols.

(m) Remediation. A swap execution facility shall analyze the

results of the testing and assessment required by this section to

identify all vulnerabilities and deficiencies in its systems. The swap

execution facility must remediate those vulnerabilities and

deficiencies to the extent necessary to enable the swap execution

facility to fulfill the system safeguards requirements of this part and

meet its statutory and regulatory obligations. Such remediation must be

timely in light of appropriate risk analysis with respect to the risks

presented by such vulnerabilities and deficiencies.

Appendix B to Part 37--[Removed and Reserved]

0

3. In Appendix B to Part 37, under the centered section heading Core

Principle 14 of Section 5h of the Act--System Safeguards, remove and

reserve the text.

PART 38--DESIGNATED CONTACT MARKETS

0

4. The authority citation for part 38 continues to read as follows:

Authority: 7 U.S.C. 1a, 2, 6, 6a, 6c, 6e, 6d, 6f, 6g, 6i, 6j,

6k, 6l, 6m, 6n, 7, 7a-2, 7b, 7b-1, 7b-3, 8, 9, 15, and 21, as

amended by the Dodd-Frank Wall Street Reform and Consumer Protection

Act, Pub. L. 111-203, 124 Stat. 1376.

0

5. Amend Sec. 38.1051 as follows:

0

a. Revise paragraphs (a), (b), (c), (g), (h), and (i) introductory

text; and

0

b. Add new paragraphs (k), (l), (m), and (n).

The revisions and additions read as follows:

Sec. 38.1051 General requirements.

(a) A designated contract market's program of risk analysis and

oversight with respect to its operations and automated systems must

address each of the following categories of risk analysis and

oversight:

(1) Enterprise risk management and governance. This category

includes, but is not limited to: Assessment, mitigation, and monitoring

of security and technology risk; security and technology capital

planning and investment; board of directors and management oversight of

technology and security; information technology audit and controls

assessments; remediation of deficiencies; and any other elements of

enterprise risk management and governance included in generally

accepted best practices.

(2) Information security. This category includes, but is not

limited to, controls relating to: Access to systems and data (e.g.,

least privilege, separation of duties, account monitoring and control);

user and device identification and authentication; security awareness

training; audit log maintenance, monitoring, and analysis; media

protection; personnel security and screening; automated system and

communications protection (e.g., network port control, boundary

defenses, encryption); system and information integrity (e.g., malware

defenses, software integrity monitoring); vulnerability management;

penetration testing; security incident response and management; and any

other elements of information security included in generally accepted

best practices.

(3) Business continuity-disaster recovery planning and resources.

This category includes, but is not limited to: Regular, periodic

testing and review of business continuity-disaster recovery

capabilities, the controls and capabilities described in paragraphs

(c), (d), (j), and (k) of this section; and any

[[Page 80184]]

other elements of business continuity-disaster recovery planning and

resources included in generally accepted best practices.

(4) Capacity and performance planning. This category includes, but

is not limited to: Controls for monitoring the designated contract

market's systems to ensure adequate scalable capacity (e.g., testing,

monitoring, and analysis of current and projected future capacity and

performance, and of possible capacity degradation due to planned

automated system changes); and any other elements of capacity and

performance planning included in generally accepted best practices.

(5) Systems operations. This category includes, but is not limited

to: System maintenance; configuration management (e.g., baseline

configuration, configuration change and patch management, least

functionality, inventory of authorized and unauthorized devices and

software); event and problem response and management; and any other

elements of system operations included in generally accepted best

practices.

(6) Systems development and quality assurance. This category

includes, but is not limited to: Requirements development; pre-

production and regression testing; change management procedures and

approvals; outsourcing and vendor management; training in secure coding

practices; and any other elements of systems development and quality

assurance included in generally accepted best practices.

(7) Physical security and environmental controls. This category

includes, but is not limited to: Physical access and monitoring; power,

telecommunication, and environmental controls; fire protection; and any

other elements of physical security and environmental controls included

in generally accepted best practices.

(b) In addressing the categories of risk analysis and oversight

required under paragraph (a) of this section, a designated contract

market shall follow generally accepted standards and best practices

with respect to the development, operation, reliability, security, and

capacity of automated systems.

(c) A designated contract market must maintain a business

continuity-disaster recovery plan and business continuity-disaster

recovery resources, emergency procedures, and backup facilities

sufficient to enable timely recovery and resumption of its operations

and resumption of its ongoing fulfillment of its responsibilities and

obligations as a designated contract market following any disruption of

its operations. Such responsibilities and obligations include, without

limitation: Order processing and trade matching; transmission of

matched orders to a designated clearing organization for clearing;

price reporting; market surveillance; and maintenance of a

comprehensive audit trail. The designated contract market's business

continuity-disaster recovery plan and resources generally should enable

resumption of trading and clearing of the designated contract market's

products during the next business day following the disruption.

Designated contract markets determined by the Commission to be critical

financial markets are subject to more stringent requirements in this

regard, set forth in Sec. 40.9 of this chapter. Electronic trading is

an acceptable backup for open outcry trading in the event of a

disruption. A designated contract market must update its business

continuity-disaster recovery plan and emergency procedures at a

frequency determined by an appropriate risk analysis, but at a minimum

no less frequently than annually.

* * * * *

(g) As part of a designated contract market's obligation to produce

books and records in accordance with Commission regulation Sec. 1.31

of this chapter, Core Principle 18 (Recordkeeping), and Sec. Sec.

38.950 and 38.951, a designated contract market must provide to the

Commission the following system safeguards-related books and records,

promptly upon the request of any Commission representative:

(1) Current copies of its business continuity-disaster recovery

plans and other emergency procedures;

(2) All assessments of its operational risks or system safeguards-

related controls;

(3) All reports concerning system safeguards testing and assessment

required by this chapter, whether performed by independent contractors

or by employees of the designated contract market; and

(4) All other books and records requested by Commission staff in

connection with Commission oversight of system safeguards pursuant to

the Act or to part 38 of the Commission's regulations, or in connection

with Commission maintenance of a current profile of the designated

contract market's automated systems.

(5) Nothing in paragraph (g) of this section shall be interpreted

as reducing or limiting in any way a designated contract market's

obligation to comply with Core Principle 18 (Recordkeeping) or with

Sec. 1.31 of this chapter, or Sec. Sec. 38.950 or 38.951 of the

Commission's regulations.

(h) A designated contract market must conduct regular, periodic,

objective testing and review of its automated systems to ensure that

they are reliable, secure, and have adequate scalable capacity. It must

also conduct regular, periodic testing and review of its business

continuity-disaster recovery capabilities. Such testing and review

shall include, without limitation, all of the types of testing set

forth in paragraph (h) of this section. A covered designated contract

market, as defined in this section, shall be subject to the additional

requirements regarding minimum testing frequency and independent

contractor testing set forth in paragraph (h) of this section.

(1) Definitions. As used in paragraph (h) of this section:

Controls means the safeguards or countermeasures employed by the

designated contract market in order to protect the reliability,

security, or capacity of its automated systems or the confidentiality,

integrity, and availability of its data and information, and in order

to enable the designated contract market to fulfill its statutory and

regulatory responsibilities.

Controls testing means assessment of the designated contract

market's controls to determine whether such controls are implemented

correctly, are operating as intended, and are enabling the designated

contract market to meet the system safeguards requirements established

by this chapter.

Covered designated contract market means a designated contract

market whose annual total trading volume in calendar year 2015, or in

any subsequent calendar year, is five percent (5%) or more of the

combined annual total trading volume of all designated contract markets

regulated by the Commission for the year in question, based on annual

total trading volume information provided to the Commission by each

designated contract market pursuant to the procedure set forth in this

chapter. A covered designated contract market that has annual total

trading volume of less than five percent (5%) of the combined annual

total trading volume of all designated contract markets regulated by

the Commission for two consecutive calendar years ceases to be a

covered designated contract market as of March 1 of the calendar year

following such two consecutive calendar years.

Enterprise technology risk assessment means a written assessment

that includes, but is not limited to, an analysis of threats and

vulnerabilities in the context of mitigating controls. An

[[Page 80185]]

enterprise technology risk assessment identifies, estimates, and

prioritizes risks to designated contract market operations or assets,

or to market participants, individuals, or other entities, resulting

from impairment of the confidentiality, integrity, and availability of

data and information or the reliability, security, or capacity of

automated systems.

External penetration testing means attempts to penetrate the

designated contract market's automated systems from outside the

systems' boundaries to identify and exploit vulnerabilities. Methods of

conducting external penetration testing include, but are not limited

to, methods for circumventing the security features of an automated

system.

Internal penetration testing means attempts to penetrate the

designated contract market's automated systems from inside the systems'

boundaries, to identify and exploit vulnerabilities. Methods of

conducting internal penetration testing include, but are not limited

to, methods for circumventing the security features of an automated

system.

Key controls means those controls that an appropriate risk analysis

determines are either critically important for effective system

safeguards or intended to address risks that evolve or change more

frequently and therefore require more frequent review to ensure their

continuing effectiveness in addressing such risks.

Security incident means a cyber security or physical security event

that actually or potentially jeopardizes automated system operation,

reliability, security, or capacity, or the availability,

confidentiality or integrity of data.

Security incident response plan means a written plan documenting

the designated contract market's policies, controls, procedures, and

resources for identifying, responding to, mitigating, and recovering

from security incidents, and the roles and responsibilities of its

management, staff and independent contractors in responding to security

incidents. A security incident response plan may be a separate document

or a business continuity-disaster recovery plan section or appendix

dedicated to security incident response.

Security incident response plan testing means testing of a

designated contract market's security incident response plan to

determine the plan's effectiveness, identify its potential weaknesses

or deficiencies, enable regular plan updating and improvement, and

maintain organizational preparedness and resiliency with respect to

security incidents. Methods of conducting security incident response

plan testing may include, but are not limited to, checklist completion,

walk-through or table-top exercises, simulations, and comprehensive

exercises.

Vulnerability testing means testing of a designated contract

market's automated systems to determine what information may be

discoverable through a reconnaissance analysis of those systems and

what vulnerabilities may be present on those systems.

(2) Vulnerability testing. A designated contract market shall

conduct vulnerability testing of a scope sufficient to satisfy the

requirements set forth in in paragraph (k) of this section, at a

frequency determined by an appropriate risk analysis.

(i) Such vulnerability testing shall include automated

vulnerability scanning. Where indicated by appropriate risk analysis,

such scanning must be conducted on an authenticated basis, e.g., using

log-in credentials. Where scanning is conducted on an unauthenticated

basis, the designated contract market must implement effective

compensating controls.

(ii) At a minimum, a covered designated contract market shall

conduct such vulnerability testing no less frequently than quarterly.

(iii) A covered designated contract market shall engage independent

contractors to conduct two of the required quarterly vulnerability

tests each year. The covered designated contract market may conduct

other vulnerability testing by using employees of the covered

designated contract market who are not responsible for development or

operation of the systems or capabilities being tested.

(iv) Vulnerability testing for a designated contract market which

is not a covered designated contract market as defined in this section

shall be conducted by qualified, independent professionals. Such

qualified independent professionals may be independent contractors or

employees of the designated contract market, but shall not be persons

responsible for development or operation of the systems or capabilities

being tested.

(3) Penetration testing--(i) External penetration testing. A

designated contract market shall conduct external penetration testing

of a scope sufficient to satisfy the requirements set forth in

paragraph (k) of this section, at a frequency determined by an

appropriate risk analysis.

(A) At a minimum, a covered designated contract market shall

conduct such external penetration testing no less frequently than

annually.

(B) A covered designated contract market shall engage independent

contractors to conduct the required annual external penetration test.

The covered designated contract market may conduct other external

penetration testing by using employees of the covered designated

contract market who are not responsible for development or operation of

the systems or capabilities being tested.

(C) External penetration testing for a designated contract market

which is not a covered designated contract market as defined in this

section shall be conducted by qualified, independent professionals.

Such qualified independent professionals may be independent contractors

or employees of the designated contract market, but shall not be

persons responsible for development or operation of the systems or

capabilities being tested.

(ii) Internal penetration testing. A designated contract market

shall conduct internal penetration testing of a scope sufficient to

satisfy the requirements set forth in paragraph (k) of this section, at

a frequency determined by an appropriate risk analysis.

(A) At a minimum, a covered designated contract market shall

conduct such internal penetration testing no less frequently than

annually.

(B) A designated contract market may conduct internal penetration

testing by engaging independent contractors, or by using employees of

the designated contract market who are not responsible for development

or operation of the systems or capabilities being tested.

(4) Controls testing. A designated contract market shall conduct

controls testing of a scope sufficient to satisfy the requirements set

forth in paragraph (k) of this section, at a frequency determined by an

appropriate risk analysis. Such controls testing must include testing

of each control included in the designated contract market's program of

risk analysis and oversight.

(i) At a minimum, a covered designated contract market shall such

conduct controls testing no less frequently than every two years. The

covered designated contract market may conduct such testing on a

rolling basis over the course of the minimum two-year period or over a

minimum period determined by an appropriate risk analysis, whichever is

shorter.

(ii) A covered designated contract market shall engage independent

contractors to test and assess the key controls included in its program

of risk analysis and oversight no less frequently than every two years.

The covered designated contract market may conduct

[[Page 80186]]

any other controls testing required by paragraph (h)(4) of this section

by using independent contractors or employees of the covered designated

contract market who are not responsible for development or operation of

the systems or capabilities being tested.

(iii) Controls testing for a designated contract market which is

not a covered designated contract market as defined in this section

shall be conducted by qualified, independent professionals. Such

qualified independent professionals may be independent contractors or

employees of the designated contract market, but shall not be persons

responsible for development or operation of the systems or capabilities

being tested.

(5) Security incident response plan testing. A designated contract

market shall conduct security incident response plan testing sufficient

to satisfy the requirements set forth in paragraph (k) of this section,

at a frequency determined by an appropriate risk analysis.

(i) A designated contract market's security incident response plan

shall include, without limitation, the designated contract market's

definition and classification of security incidents, its policies and

procedures for reporting security incidents and for internal and

external communication and information sharing regarding security

incidents, and the hand-off and escalation points in its security

incident response process.

(ii) A designated contract market may coordinate its security

incident response plan testing with other testing required by this

section or with testing of its other business continuity-disaster

recovery and crisis management plans.

(iii) At a minimum, a covered designated contract market shall

conduct such security incident response plan testing no less frequently

than annually.

(iv) A designated contract market may conduct security incident

response plan testing by engaging independent contractors or by using

employees of the designated contract market who are not responsible for

development or operation of the systems or capabilities being tested.

(6) Enterprise technology risk assessment. A designated contract

market shall conduct enterprise technology risk assessment of a scope

sufficient to satisfy the requirements set forth in paragraph (k) of

this section, at a frequency determined by an appropriate risk

analysis.

(i) A covered designated contract market shall conduct an

enterprise technology risk assessment no less frequently than annually.

(ii) A designated contract market may conduct enterprise technology

risk assessments by using independent contractors or employees of the

designated contract market who are not responsible for development or

operation of the systems or capabilities being assessed.

(i) To the extent practicable, a designated contract market shall:

* * * * *

(k) Scope of testing and assessment. The scope for all system

safeguards testing and assessment required by this part must be broad

enough to include all testing of automated systems and controls

necessary to identify any vulnerability which, if triggered, could

enable an intruder or unauthorized user or insider to:

(1) Interfere with the designated contract market's operations or

with fulfillment of its statutory and regulatory responsibilities;

(2) Impair or degrade the reliability, security, or adequate

scalable capacity of the designated contract market's automated

systems;

(3) Add to, delete, modify, exfiltrate, or compromise the integrity

of any data related to the designated contract market's regulated

activities; or

(4) Undertake any other unauthorized action affecting the

designated contract market's regulated activities or the hardware or

software used in connection with those activities.

(l) Internal reporting and review. Both the senior management and

the Board of Directors of the designated contract market shall receive

and review reports setting forth the results of all testing and

assessment required by this section. The designated contract market

shall establish and follow appropriate procedures for the remediation

of issues identified through such review, as provided in paragraph (m)

this section, and for evaluation of the effectiveness of testing and

assessment protocols.

(m) Remediation. A designated contract market shall analyze the

results of the testing and assessment required by this section to

identify all vulnerabilities and deficiencies in its systems. The

designated contract market must remediate those vulnerabilities and

deficiencies to the extent necessary to enable the designated contract

market to fulfill the system safeguards requirements of this part and

meet its statutory and regulatory obligations. Such remediation must be

timely in light of appropriate risk analysis with respect to the risks

presented by such vulnerabilities and deficiencies.

(n) Required production of annual total trading volume. (1) As used

in paragraph (n) of this section, annual total trading volume means the

total number of all contracts traded on or pursuant to the rules of a

designated contract market during a calendar year.

(2) Each designated contract market shall provide to the Commission

for calendar year 2015 and each calendar year thereafter its annual

total trading volume, providing this information for 2015 within 30

calendar days of the effective date of the final version of this rule,

and for 2016 and subsequent years by January 31 of the following

calendar year. For calendar year 2015 and each calendar year

thereafter, the Commission shall provide to each designated contract

market the percentage of the combined annual total trading volume of

all designated contract markets regulated by the Commission which is

constituted by that designated contract market's annual total trading

volume, providing this information for 2015 within 60 calendar days of

the effective date of the final version of this rule, and for 2016 and

subsequent years by February 28 of the following calendar year.

PART 49--SWAP DATA REPOSITORIES

0

6. The authority citation for part 49 continues to read as follows:

Authority: 7 U.S.C. 12a and 24a, as amended by Title VII of the

Wall Street Reform and Consumer Protection Act, Pub. L. 111-203, 124

Stat. 1376 (2010), unless otherwise noted.

0

7. Amend Sec. 49.24 as follows:

0

a. Revise paragraphs (b), (c), (d), (i), (j), and (k) introductory

text; and

0

b. Add new paragraphs (l), (m), and (n).

The revisions and additions read as follows:

Sec. 49.24 System Safeguards.

* * * * *

(b) A registered swap data repository's program of risk analysis

and oversight with respect to its operations and automated systems must

address each of the following categories of risk analysis and

oversight:

(1) Enterprise risk management and governance. This category

includes, but is not limited to: Assessment, mitigation, and monitoring

of security and technology risk; security and technology capital

planning and investment; board of directors and management oversight of

technology and security; information technology audit and controls

assessments; remediation of deficiencies; and any

[[Page 80187]]

other elements of enterprise risk management and governance included in

generally accepted best practices.

(2) Information security. This category includes, but is not

limited to, controls relating to: Access to systems and data (e.g.

least privilege, separation of duties, account monitoring and control);

user and device identification and authentication; security awareness

training; audit log maintenance, monitoring, and analysis; media

protection; personnel security and screening; automated system and

communications protection (e.g., network port control, boundary

defenses, encryption); system and information integrity (e.g., malware

defenses, software integrity monitoring); vulnerability management;

penetration testing; security incident response and management; and any

other elements of information security included in generally accepted

best practices.

(3) Business continuity-disaster recovery planning and resources.

This category includes, but is not limited to: Regular, periodic

testing and review of business continuity-disaster recovery

capabilities, the controls and capabilities described in paragraphs

(a), (d), (e), (f), and (k) of this section; and any other elements of

business continuity-disaster recovery planning and resources included

in generally accepted best practices.

(4) Capacity and performance planning. This category includes, but

is not limited to: Controls for monitoring the designated contract

market's systems to ensure adequate scalable capacity (e.g., testing,

monitoring, and analysis of current and projected future capacity and

performance, and of possible capacity degradation due to planned

automated system changes); and any other elements of capacity and

performance planning included in generally accepted best practices.

(5) Systems operations. This category includes, but is not limited

to: System maintenance; configuration management (e.g., baseline

configuration, configuration change and patch management, least

functionality, inventory of authorized and unauthorized devices and

software); event and problem response and management; and any other

elements of system operations included in generally accepted best

practices.

(6) Systems development and quality assurance. This category

includes, but is not limited to: Requirements development; pre-

production and regression testing; change management procedures and

approvals; outsourcing and vendor management; training in secure coding

practices; and any other elements of systems development and quality

assurance included in generally accepted best practices.

(7) Physical security and environmental controls. This category

includes, but is not limited to: Physical access and monitoring; power,

telecommunication, and environmental controls; fire protection; and any

other elements of physical security and environmental controls included

in generally accepted best practices.

(c) In addressing the categories of risk analysis and oversight

required under paragraph (b) of this section, a registered swap data

repository shall follow generally accepted standards and best practices

with respect to the development, operation, reliability, security, and

capacity of automated systems.

(d) A registered swap data repository shall maintain a business

continuity-disaster recovery plan and business continuity-disaster

recovery resources, emergency procedures, and backup facilities

sufficient to enable timely recovery and resumption of its operations

and resumption of its ongoing fulfillment of its duties and obligations

as a swap data repository following any disruption of its operations.

Such duties and obligations include, without limitation: The duties set

forth in Sec. 49.19, and maintenance of a comprehensive audit trail.

The swap data repository's business continuity-disaster recovery plan

and resources generally should enable resumption of swap data

repository's operations and resumption of ongoing fulfillment of the

swap data repository's duties and obligations during the next business

day following the disruption. A swap data repository shall update its

business continuity-disaster recovery plan and emergency procedures at

a frequency determined by an appropriate risk analysis, but at a

minimum no less frequently than annually.

* * * * *

(i) As part of a swap data repository's obligation to produce books

and records in accordance with Sec. Sec. 1.31 and 45.2 of this

chapter, and Sec. 49.12, a swap data repository must provide to the

Commission the following system safeguards-related books and records,

promptly upon the request of any Commission representative:

(1) Current copies of its business continuity-disaster recovery

plans and other emergency procedures;

(2) All assessments of its operational risks or system safeguards-

related controls;

(3) All reports concerning system safeguards testing and assessment

required by this chapter, whether performed by independent contractors

or by employees of the swap data repository; and

(4) All other books and records requested by Commission staff in

connection with Commission oversight of system safeguards pursuant to

the Act or Commission regulations, or in connection with Commission

maintenance of a current profile of the swap data repository's

automated systems.

(5) Nothing in paragraph (i) of this section shall be interpreted

as reducing or limiting in any way a swap data repository's obligation

to comply with Sec. Sec. 1.31 or 45.2 of this chapter, or Sec. 49.12

of the Commission's regulations.

(j) A registered swap data repository shall conduct regular,

periodic, objective testing and review of its automated systems to

ensure that they are reliable, secure, and have adequate scalable

capacity. It shall also conduct regular, periodic testing and review of

its business continuity-disaster recovery capabilities. Such testing

and review shall include, without limitation, all of the types of

testing set forth in paragraph (j) of this section.

(1) Definitions. As used in paragraph (j) of this section:

Controls means the safeguards or countermeasures employed by the

swap data repository in order to protect the reliability, security, or

capacity of its automated systems or the confidentiality, integrity,

and availability of its data and information, and in order to enable

the swap data repository to fulfill its statutory and regulatory duties

and responsibilities.

Controls testing means assessment of the swap data repository's

controls to determine whether such controls are implemented correctly,

are operating as intended, and are enabling the swap data repository to

meet the system safeguards requirements established by this chapter.

Enterprise technology risk assessment means a written assessment

that includes, but is not limited to, an analysis of threats and

vulnerabilities in the context of mitigating controls. An enterprise

technology risk assessment identifies, estimates, and prioritizes risks

to swap data repository operations or assets, or to market

participants, individuals, or other entities, resulting from impairment

of the confidentiality, integrity, and availability of data and

information or the reliability, security, or capacity of automated

systems.

External penetration testing means attempts to penetrate the swap

data repository's automated systems from outside the systems'

boundaries to

[[Page 80188]]

identify and exploit vulnerabilities. Methods of conducting external

penetration testing include, but are not limited to, methods for

circumventing the security features of an automated system.

Internal penetration testing means attempts to penetrate the swap

data repository's automated systems from inside the systems'

boundaries, to identify and exploit vulnerabilities. Methods of

conducting internal penetration testing include, but are not limited

to, methods for circumventing the security features of an automated

system.

Key controls means those controls that an appropriate risk analysis

determines are either critically important for effective system

safeguards or intended to address risks that evolve or change more

frequently and therefore require more frequent review to ensure their

continuing effectiveness in addressing such risks.

Security incident means a cyber security or physical security event

that actually or potentially jeopardizes automated system operation,

reliability, security, or capacity, or the availability,

confidentiality or integrity of data.

Security incident response plan means a written plan documenting

the swap data repository's policies, controls, procedures, and

resources for identifying, responding to, mitigating, and recovering

from security incidents, and the roles and responsibilities of its

management, staff and independent contractors in responding to security

incidents. A security incident response plan may be a separate document

or a business continuity-disaster recovery plan section or appendix

dedicated to security incident response.

Security incident response plan testing means testing of a swap

data repository's security incident response plan to determine the

plan's effectiveness, identify its potential weaknesses or

deficiencies, enable regular plan updating and improvement, and

maintain organizational preparedness and resiliency with respect to

security incidents. Methods of conducting security incident response

plan testing may include, but are not limited to, checklist completion,

walk-through or table-top exercises, simulations, and comprehensive

exercises.

Vulnerability testing means testing of a swap data repository's

automated systems to determine what information may be discoverable

through a reconnaissance analysis of those systems and what

vulnerabilities may be present on those systems.

(2) Vulnerability testing. A swap data repository shall conduct

vulnerability testing of a scope sufficient to satisfy the requirements

set forth in paragraph (l) of this section.

(i) Such vulnerability testing shall include automated

vulnerability scanning. Where indicated by appropriate risk analysis,

such scanning must be conducted on an authenticated basis, e.g., using

log-in credentials. Where scanning is conducted on an unauthenticated

basis, the swap data repository must implement effective compensating

controls.

(ii) The swap data repository shall conduct such vulnerability

testing at a frequency determined by an appropriate risk analysis, but

no less frequently than quarterly.

(iii) The swap data repository shall engage independent contractors

to conduct two of the required quarterly vulnerability tests each year.

The swap data repository may conduct other vulnerability testing by

using employees of the swap data repository who are not responsible for

development or operation of the systems or capabilities being tested.

(3) Penetration testing--(i) External penetration testing. A swap

data repository shall conduct external penetration testing of a scope

sufficient to satisfy the requirements set forth in paragraph (l) of

this section.

(A) The swap data repository shall conduct such external

penetration testing at a frequency determined by an appropriate risk

analysis, but no less frequently than annually.

(B) The swap data repository shall engage independent contractors

to conduct the required annual external penetration test. The swap data

repository may conduct other external penetration testing by using

employees of the swap data repository who are not responsible for

development or operation of the systems or capabilities being tested.

(ii) Internal penetration testing. A swap data repository shall

conduct internal penetration testing of a scope sufficient to satisfy

the requirements set forth in paragraph (l) of this section.

(A) The swap data repository shall conduct such internal

penetration testing at a frequency determined by an appropriate risk

analysis, but no less frequently than annually.

(B) The swap data repository may conduct internal penetration

testing by engaging independent contractors, or by using employees of

the swap data repository who are not responsible for development or

operation of the systems or capabilities being tested.

(4) Controls testing. A swap data repository shall conduct controls

testing of a scope sufficient to satisfy the requirements set forth in

paragraph (l) of this section. Such controls testing shall include

testing of each control included in the swap data repository's program

of system safeguards risk analysis and oversight.

(i) The swap data repository shall conduct controls testing at a

frequency determined by an appropriate risk analysis, but no less

frequently than every two years. The swap data repository may conduct

such testing on a rolling basis over the course of the minimum two-year

period or over a minimum period determined by an appropriate risk

analysis, whichever is shorter.

(ii) The swap data repository shall engage independent contractors

to test and assess the key controls, as determined by appropriate risk

analysis, included in the entity's program of risk analysis and

oversight no less frequently than every two years. The swap data

repository may conduct any other controls testing required by this

paragraph (j)(4) of this section by using independent contractors or

employees of the swap data repository who are not responsible for

development or operation of the systems or capabilities being tested.

(5) Security incident response plan testing. A swap data repository

shall conduct security incident response plan testing sufficient to

satisfy the requirements set forth in paragraph (l) of this section.

(i) The swap data repository's security incident response plan

shall include, without limitation, the swap data repository's

definition and classification of security incidents, its policies and

procedures for reporting security incidents and for internal and

external communication and information sharing regarding security

incidents, and the hand-off and escalation points in its security

incident response process.

(ii) The swap data repository may coordinate its security incident

response plan testing with other testing required by this section or

with testing of its other business continuity-disaster recovery and

crisis management plans.

(iii) The swap data repository shall conduct such security incident

response plan testing at a frequency determined by an appropriate risk

analysis, but at a minimum no less frequently than annually.

(iv) The swap data repository may conduct security incident

response plan testing by engaging independent contractors or by using

employees of the swap data repository who are not

[[Page 80189]]

responsible for development or operation of the systems or capabilities

being tested.

(6) Enterprise technology risk assessment. A swap data repository

shall conduct enterprise technology risk assessment of a scope

sufficient to satisfy the requirements set forth in paragraph (l) of

this section.

(i) The swap data repository shall conduct an enterprise technology

risk assessment at a frequency determined by an appropriate risk

analysis, but no less frequently than annually.

(ii) The swap data repository may conduct enterprise technology

risk assessments by using independent contractors or employees of the

swap data repository who are not responsible for development or

operation of the systems or capabilities being assessed.

(k) To the extent practicable, a registered swap data repository

shall:

* * * * *

(l) Scope of testing and assessment. The scope for all system

safeguards testing and assessment required by this section must be

broad enough to include all testing of automated systems and controls

necessary to identify any vulnerability which, if triggered, could

enable an intruder or unauthorized user or insider to:

(1) Interfere with the swap data repository's operations or with

fulfillment of its statutory and regulatory responsibilities;

(2) Impair or degrade the reliability, security, or adequate

scalable capacity of the swap data repository's automated systems;

(3) Add to, delete, modify, exfiltrate, or compromise the integrity

of any data related to the swap data repository's regulated activities;

or

(4) Undertake any other unauthorized action affecting the swap data

repository's regulated activities or the hardware or software used in

connection with those activities.

(m) Internal reporting and review. Both the senior management and

the Board of Directors of the swap data repository shall receive and

review reports setting forth the results of all testing and assessment

required by this section. The swap data repository shall establish and

follow appropriate procedures for the remediation of issues identified

through such review, as provided in paragraph (n) of this section, and

for evaluation of the effectiveness of testing and assessment

protocols.

(n) Remediation. A swap data repository shall analyze the results

of the testing and assessment required by this section to identify all

vulnerabilities and deficiencies in its systems. The swap data

repository must remediate those vulnerabilities and deficiencies to the

extent necessary to enable the swap data repository to fulfill the

system safeguards requirements of this part and meet its statutory and

regulatory obligations. Such remediation must be timely in light of

appropriate risk analysis with respect to the risks presented by such

vulnerabilities and deficiencies.

Issued in Washington, DC, on December 17, 2015, by the

Commission.

Christopher J. Kirkpatrick,

Secretary of the Commission.

Note: The following appendices will not appear in the Code of

Federal Regulations.

Appendices to System Safeguards Testing Requirements--Commission Voting

Summary, Chairman's Statement, and Commissioners' Statements Appendix

1--Commission Voting Summary

On this matter, Chairman Massad and Commissioners Bowen and

Giancarlo voted in the affirmative. No Commissioner voted in the

negative.

Appendix 2--Statement of Chairman Timothy G. Massad

I strongly support this proposed rule, which would enhance and

clarify requirements to protect exchanges, swap execution facilities

and swap data repositories from numerous cybersecurity risks.

This proposal, alongside a companion measure released by the

Commission's Division of Clearing and Risk, ensures that the private

companies that run the core infrastructure under our jurisdiction

are doing adequate evaluation of cybersecurity risks and testing of

their own cybersecurity and operational risk protections.

I believe this proposed rule will help address a number of

concerns, such as information security, physical security, business

continuity and disaster recovery. The proposal sets principles-based

testing standards which are deeply rooted in industry best

practices.

The rule identifies five types of testing as critical to a sound

system safeguards program: Vulnerability testing, penetration

testing, controls testing, security incident response plan testing

and enterprise-wide assessment of technology risk. Such efforts are

vital to mitigate risk and preserve the ability to detect, contain,

respond to, and recover from a cyberattack or other type of

operational problem.

The proposal applies the base standards to swap execution

facilities. It also contains an anticipated notice of proposed

rulemaking, which notes that the Commission is considering whether

to apply minimum testing frequency and independent contractor

testing requirements to the most systemically important swap

execution facilities. I previously stated that I did not expect our

proposal would apply to SEFs--not because cybersecurity isn't just

as important for them--but because many SEFs are still in the very

early stages of operation.

But my fellow commissioners have expressed concerns about

potential vulnerabilities and felt that we should propose that the

requirements apply to SEFs at this time. I appreciate their views

and am committed to working collaboratively to address these issues.

As always, we welcome public comment on this and its companion

proposal, which will be carefully considered before taking any final

action.

Appendix 3--Concurring Statement of Commissioner Sharon Y. Bowen

Today, we are considering two rule proposals that address an

issue which is right at the heart of systemic risk in our markets--

cybersecurity. The question that we face is: With a problem as

immense as cybercrime, and the many measures already being employed

to combat it, what would today's proposed rules accomplish? In

answer to that question, I want to say a few words about our

cybercrime challenge, what is currently being done to address it,

and what I hope these proposed regulations would add to these

efforts.

The problem is clear--our firms are facing an unrelenting

onslaught of attacks from hackers with a number of motives ranging

from petty fraud to international cyberwarfare. We have all heard of

notable and sizable companies that have been the victim of

cybercrime, including: Sony, eBay, JPMorgan, Target, and Staples--

even the U.S. government has fallen victim.

In recent testimony before the House Committee on Financial

Services, Subcommittee on Oversight and Investigations about

cybercrime, the Director of the Center for Cyber and Homeland

Security noted that the ``U.S. financial services sector in

particular is in the crosshairs as a primary target.'' \1\ He cited

one U.S. bank which stated that it faced 30,000 cyber-attacks in one

week--averaging an attack every 34 seconds.\2\

---------------------------------------------------------------------------

\1\ Testimony of Frank J. Cilluffo, Director, Center for Cyber

and Homeland Security, Before the U.S. House of Representatives,

Committee on Financial Services, Subcommittee on Oversight and

Investigations, 1 (June 16, 2015)(noting that ``the following

figures which were provided to me recently by a major U.S. bank on a

not-for-attribution basis: Just last week, they faced 30,000 cyber-

attacks. This amounts to an attack every 34 seconds, each and every

day. And these are just the attacks that the bank actually knows

about, by virtue of a known malicious signature or IP address. As

for the source of the known attacks, approximately 22,000 came from

criminal organizations; and 400 from nation-states.''), available at

https://cchs.gwu.edu/sites/cchs.gwu.edu/files/downloads/A%20Global%20Perspective%20on%20Cyber%20Threats%20-%2015%20June%202015.pdf.

\2\ Id.

---------------------------------------------------------------------------

Given the magnitude of the problem, it is not at all surprising

that a lot is already being done to address it. The Department of

Homeland Security and others have been working with private firms to

shore up defenses. Regulators have certainly been

[[Page 80190]]

active. The Securities and Exchange Commission (``SEC''), the

Federal Deposit Insurance Corporation (``FDIC''), the Federal

Reserve Board (``FRB''), the Federal Housing Finance Agency

(``FHFA''), and our self-regulatory organization, the National

Futures Association (``NFA''), have issued cybersecurity guidance.

In Europe, the Bank of England (``BOE'') introduced the CBEST

program to conduct penetration testing on firms, based on the latest

data on cybercrime. We heard a presentation from the BOE about CBEST

at a meeting of the Market Risk Advisory Committee this year.

I wanted to hear what market participants were doing to address

the challenge of our cybersecurity landscape so I met with several

of our large registrant dealers and asked them about their

cybersecurity efforts. After these discussions, I was both alarmed

by the immensity of the problem and heartened by efforts of these

larger participants to meet that problem head on. They were

employing best practices such as reviewing the practices of their

third party providers, using third parties to audit systems, sharing

information with other market participants, integrating

cybersecurity risk management into their governance structure, and

staying in communication with their regulators.

We have also been vigilant in our efforts to address

cybersecurity. Under our current rule structure, many of our

registrants have system safeguards requirements. They require, among

other things, that the registrants have policies and resources for

risk analysis and oversight with respect to their operations and

automated systems, as well as reporting, recordkeeping, testing, and

coordination with service providers. These requirements clearly

include appropriate cybersecurity measures. We also regularly

examine registrants for their adherence to the system safeguards

requirements, including effective governance, use of resources,

appropriate policies, and vigilant response to attacks.

So if all of this is happening, what would more regulation

accomplish? In other words, what is the ``value add'' of the rules

being proposed today? The answer is: A great deal. While some firms

are clearly engaging in best practices, we have no guarantee that

all of them are. And as I have said before, in a system as

electronically interconnected as our financial markets, ``we're

collectively only as strong as our weakest link, and so we need a

high baseline level of protection for everyone . . .'' \3\ We need

to incentivize all firms under our purview to engage in these

effective practices.

---------------------------------------------------------------------------

\3\ Commissioner Sharon Y. Bowen, Commodity Futures Trading

Commission, ``Remarks of CFTC Commissioner Sharon Y. Bowen Before

the 17th Annual OpRisk North America,'' March 25, 2015, available at

http://www.cftc.gov/PressRoom/SpeechesTestimony/opabowen-2.

---------------------------------------------------------------------------

We have to do this carefully though because once a regulator

inserts itself into the cybersecurity landscape at a firm--the firm

now has two concerns: Not just fighting the attackers, but managing

its reputation with its regulator. So, if not done carefully, a

regulator's attempt to bolster cybersecurity at a firm can instead

undermine it by incentivizing the firm to cover up any weaknesses in

its cybersecurity infrastructure, instead of addressing them.

Further, we must be careful not to mandate a one-size-fits-all

standard because firms are different. Thus, we must be thoughtful

about how to engage on this issue. We need to encourage best

practices, while not hampering firms' ability to customize their

risk management plan to address their cybersecurity threats.

I think these rulemakings are a great first step in

accomplishing that balance. There are many aspects of these

proposals that I like. First, they set up a comprehensive testing

regime by: (a) Defining the types of cybersecurity testing essential

to fulfilling system safeguards testing obligations, including

vulnerability testing, penetration testing, controls testing,

security incident response plan testing, and enterprise technology

risk assessment; (b) requiring internal reporting and review of

testing results; and (c) mandating remediation of vulnerabilities

and deficiencies. Further, for certain significant entities, based

on trading volume, it requires heightened measures such as minimum

frequency requirements for conducting certain testing, and specific

requirements for the use of independent contractors.

Second, there is a focus on governance--requiring, for instance,

that firms' Board of Directors receive and review all reports

setting forth the results of all testing. And third, these

rulemakings are largely based on well-regarded, accepted best

practices for cybersecurity, including The National Institute of

Standards and Technology Framework for Improving Critical

Infrastructure Cybersecurity (``NIST Framework'').\4\

---------------------------------------------------------------------------

\4\ NIST Framework, Subcategory PR.IP-10, at 28, and Category

DE.DP, at 31, available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.

---------------------------------------------------------------------------

In all, I think the staff has put together two thoughtful

proposals. Clearly, however, this is only a first step since all our

registrants, not just exchanges, SEFs, SDRs and DCOs, need to have

clear cybersecurity measures in place. I am also very eager to hear

what the general public has to say about these proposals. Do they go

far enough to incentivize appropriate cybersecurity measures? Are

they too burdensome for firms that do not pose significant risk to

the system? And given that this is a dynamic field with a constantly

evolving set of threats, what next steps should we take to address

cybercrime? Please send in all your thoughts for our consideration.

Appendix 4--Statement of Commissioner J. Christopher Giancarlo

In one of our very first conversations over a year and a half

ago, Chairman Massad and I discussed the many risks that cyber

threats pose to trading markets. We agreed that cyber and overall

system security is one of the most important issues facing markets

today in terms of trading integrity and financial stability.

Earlier this year, I called for a ``bottom-up'' approach to

combating cyber threats.\1\ This approach involves a close and

dynamic relationship between regulators and the marketplace. It also

requires the continuous development of best practices, defensive

strategies and response tactics through the leadership of market

participants, operators and self-regulatory organizations. The job

of the Commodity Futures Trading Commission (``CFTC'') as a

regulator is to encourage, support, inform and empower this

continuous development so that market participants adopt fully

optimized and up-to-date cyber defenses.

---------------------------------------------------------------------------

\1\ See Guest Lecture of Commissioner J. Christopher Giancarlo,

Harvard Law School, Fidelity Guest Lecture Series on International

Finance (Dec. 1, 2015), http://www.cftc.gov/PressRoom/SpeechesTestimony/opagiancarlo-11; see also Keynote Address of CFTC

Commissioner J. Christopher Giancarlo before the 2015 ISDA Annual

Asia Pacific Conference, Top Down Financial Market Regulation:

Disease Mislabeled as Cure (Oct. 26, 2015), http://www.cftc.gov/PressRoom/SpeechesTestimony/opagiancarlo-10.

---------------------------------------------------------------------------

It is appropriate that we are now taking up the subject of

system safeguards. I commend Chairman Massad and CFTC staff for

putting forth today's proposal. I believe it generally reflects the

``bottom-up'' approach I have advocated for market participants to

follow industry adopted standards and best practices. I support its

publication for notice and comment.

I believe it is right that the proposal covers not just

designated contract markets (``DCMs''), but also swap execution

facilities (``SEFs''). From my experience, SEFs are as concerned

with cyber security as are DCMs. Nevertheless, it is true that the

proposed rules will impose additional costs on some SEFs at a time

when they are struggling to implement the myriad new Dodd-Frank

requirements and obligations. Because system and cyber security

should be a priority on our registrants' precious time and

resources, the CFTC must find ways to alleviate unnecessary

regulatory costs.

As I have said many times before, the best way to reduce

unnecessary costs for SEFs is to correct the CFTC's flawed swaps

trading rules that remain fundamentally mismatched to the distinct

liquidity and trading dynamics of global swaps markets.\2\

Attempting to

[[Page 80191]]

accommodate this misbegotten regulatory framework restricts the SEF

industry's ability to deploy adequate resources for cyber defense. I

also believe that the CFTC should provide a sufficient

implementation period for any final rules so that market operators,

especially smaller DCMs and SEFs, have adequate time to meet the new

requirements.

---------------------------------------------------------------------------

\2\ See CFTC Commissioner J. Christopher Giancarlo, Pro-Reform

Reconsideration of the CFTC Swaps Trading Rules: Return to Dodd-

Frank, White Paper (Jan. 29, 2015), available at http://www.cftc.gov/idc/groups/public/@newsroom/documents/file/sefwhitepaper012915.pdf (noting that this mismatch--and the

application of this framework worldwide--has caused numerous harms,

foremost of which is driving global market participants away from

transacting with entities subject to CFTC swaps regulation,

resulting in fragmented global swaps markets); see also Statement of

Commissioner J. Christopher Giancarlo, Six Month Progress Report on

CFTC Swaps Trading Rules: Incomplete Action and Fragmented Markets

(Aug. 4, 2015), http://www.cftc.gov/PressRoom/SpeechesTestimony/giancarlostatement080415. See also International Swaps and

Derivatives Association, Cross-Border Fragmentation of Global

Interest Rate Derivatives: The New Normal? First Half 2015 Update,

ISDA Research Note (Oct. 28, 2015), http://www2.isda.org/functional-areas/research/research-notes/ (concluding that the market for euro

interest rate swaps continues to remain fragmented in U.S. and non-

U.S. liquidity pools ever since the introduction of the U.S. SEF

regime in October 2013).

---------------------------------------------------------------------------

Given the constantly morphing nature of cyber risk, the best

defenses provide no guarantee of protection. Therefore, it would be

a perverse and unfortunate result if any final system safeguards

rule were to have a chilling effect on robust cyber security

efforts. Market participants who abide by the rule should not be

afraid of a ``double whammy'' of a destructive cyber-attack followed

shortly thereafter by a CFTC enforcement action. Being hacked, by

itself, cannot be considered a rule violation subject to

enforcement. The CFTC should offer clear guidance to market

participants regarding their obligations under the rule and

designate safe harbors for compliance with it.\3\ The CFTC should

also indicate how it will measure market operators' compliance

against industry standards given that the exact requirements of best

practices can be open to interpretation.

---------------------------------------------------------------------------

\3\ The proposal requires market operators to follow industry

adopted standards and best practices. Given the many organizations

and U.S. government agencies (such as the U.S. Treasury Department's

Financial Crimes Enforcement Network, the Office of Domestic

Finance's Financial Sector Cyber Intelligence Group and the Office

of Terrorist Financing and Financial Crimes) issuing cyber security

procedures and advisories, there may be some question as to which

procedures and advisories fall within industry best practices for

purposes of complying with this rule proposal. To provide clarity,

the CFTC should offer guidance to market participants regarding

their obligations under the rule and designate safe harbors for

compliance, as needed.

---------------------------------------------------------------------------

In October, I called on the CFTC to add value to ongoing

industry cyber security initiatives by designating a qualified cyber

security information coordinator.\4\ This individual would work with

our registered entities to help them navigate the maze of Federal

national security agencies and access the most up-to-date cyber

security information available. I ask market participants to comment

on the value and utility of such a designation.

---------------------------------------------------------------------------

\4\ See supra note 1.

---------------------------------------------------------------------------

As market regulators, we can have no na[iuml]ve illusions that

cyber belligerents--foreign and domestic--view the world's financial

markets as anything other than 21st century battlefields. Cyber-

attacks on trading markets will not diminish anytime soon. They will

be relentless for years, if not decades, to come. Cyber risk is a

threat for which Dodd-Frank provides no guidance whatsoever.

Together, market regulators and the regulated community must make

cyber and system security our first priority in time and attention.

Today's proposal is a constructive step towards that goal. I look

forward to reviewing thoughtful comments from market participants

and the public.

[FR Doc. 2015-32143 Filed 12-22-15; 8:45 am]

BILLING CODE 6351-01-P

 

Last Updated: December 23, 2015