Advancing from Incident Response to Cyber Resilience: Remarks of Commissioner Christy Goldsmith Romero at FIA International Derivatives Expo Conference
June 20, 2023
Remarks as prepared for delivery
Standard disclaimer
Thank you to FIA for inviting me to speak. Today, I will talk about the cyber threat, and how the collective “we” can advance from a mentality of incident response to one of cyber resilience. I will also share with you five pillars of cyber resilience.
The Cyber Threat
Global financial markets and economies are at an inflection point for cyber security. Cyber criminals have become more coordinated, innovative, and resourced. They take safe haven in nation states like Russia, China, Iran and North Korea, and in some cases are state sponsored, like the Lazarus Group.
In November at FIA Asia, I talked about the top three cyber threats: ransomware, zero day vulnerability, and third party servicer vulnerability.[1] As one example, this month, all three threats were combined in the MOVEit hack, for which the Russian-linked ransomware gang CL0P has claimed credit.[2] The hack was made through a zero-day vulnerability in MOVEit software that companies use to move files.[3] It allowed the hackers to gain access and download massive amounts of data.[4] Reportedly, CL0P has contacted companies with ransom demands.[5] According to a statement from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), some U.S. government agencies are victims, although CISA said, “This is not a campaign like SolarWinds that poses a systemic risk.”[6] Given that we are in London, I can share that the BBC reported last week that it was itself a victim, along with other British companies.[7] Reportedly, these companies all used the same payroll service provider who was targeted.[8] Other victims reportedly include U.S. financial institutions, U.S. universities, a major oil company, and cities, and states.[9]
What I just described is any company’s worst nightmare. But these top three cyber threats, along with the emergence of artificial intelligence-enabled cyber attacks, means that we face ever-evolving threat vectors.[10] When I spoke to FIA in February, I quoted then-FBI Director Robert Mueller, who said in 2012, “There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”[11] I learned that my wife, who was the Chief Speechwriter for the last three FBI Directors, wrote that for Director Mueller. And, this is important to get on the record, as anyone who is married will appreciate—she was right. Director Mueller’s predictions have proven true more than a decade later.
Advancing to Cyber Resilience
If avoiding a hack is off the table, then governments and industry should collectively work to prepare for hacks by increasing cyber resilience. The U.S. Government, including the CFTC, is moving from an incident response mentality to one of cyber resilience—to prepare us for future threats.
That is why many companies are moving to Zero Trust Architecture, a framework that assumes a breach, and then limits access, and requires multifactor and other authentication. As one part of the advancement to cyber resilience, the U.S. Government, including the CFTC, is advancing to Zero Trust under a White House Executive Order.[12]
As this is my fourth cyber remarks to FIA, many of you are aware that I have made cyber resilience a top priority. When at Treasury, I was part of a cyber task force. Since I arrived at the CFTC, I have regular meetings with our CISO, receive regular threat information, and am briefed on our move to the cloud and advancing to Zero Trust Architecture.
Cyber resilience is equally important for our registrants. At the CFTC, we didn’t wait for the February ION Markets attack that compromised a number of brokers in the derivatives market to start working on cyber issues. Since November 2022, I have been leading the Commission’s work on the first cyber resilience rule for banks (swap dealers) and brokers (futures commission merchants).
It has been a busy seven months. The issues in promoting operational resilience are complex, challenging, and reach far beyond the CFTC into other parts of the administration, and the private sector.
When I spoke at the FIA/SIFMA conference one week after LockBit’s ransomware attack on ION Markets, and with markets still shaken, I said “[t]here are lessons to be learned from last week’s cyber attack. If we all can discuss those and how to implement those lessons, we can adapt and take steps to build a more resilient market.”[13] As I lead the CFTC’s efforts to advance to a cyber resilience framework through this rulemaking, I have taken this to heart.
We have met with the top cyber officials at each of the banking regulators to discuss in detail how to move to cyber resilience, their guidance on third party risks that was released this month, and their previously released Sound Practices to Strengthen Operational Resilience. We met with the White House and The National Institute of Standards and Technology’s (“NIST”). And yes, we also talked with FIA, as well as ISDA.
I also sponsor the CFTC’s Technology Advisory Committee (TAC), which I have stacked with cybersecurity experts, and I have benefitted from their experience.[14] In our first meeting, we had cyber presentations from NIST and TAC member Treasury Deputy Assistant Secretary Todd Conklin who reported on the cyber threat in the financial sector and lessons learned from the ION attack.[15] I have also been neck deep in international and U.S. regulations, guidelines, and papers on cyber resilience.
I expect that in the next few months, we will release the first result of all of this work, a proposed rule on operational and cyber resilience (should it be approved by the Commission). Note that I say first result, and not end result. My hope is for this proposal to generate a rich public comment file that aids in the advancement to cyber resilience. Let me say that I am exceptionally proud of the staff’s and my office’s hard work.
Five Pillars of Cyber Resilience
In order to advance from incident response to cyber resilience, I believe that there are five pillars of a cyber resilience framework:
- A proportionate and appropriate approach;
- Following generally accepted standards and best practices;
- Elevating responsibility through governance;
- Building resilience to third-party risk; and
- Avoiding reinventing the wheel—instead leveraging the important work already done in this space.
A bit more about each of these pillars.
1. A proportionate and appropriate approach
Operational resilience is not a one-size-fits-all approach. A small broker with a few staff and a small number of vendors faces very different risks from a large dealer. For a resilience strategy to work, it must fit each organization. It must be tailored, flexible, and commensurate with the risks faced.
2. Follow generally accepted standards and best practices
There are generally accepted standards designed to promote cyber resilience. These include, for example, standards and best practices by NIST’s Cybersecurity Framework, and on an international level, the International Organization for Standards (ISO). Among best practices are training, review of resilience plans, and testing. I look forward to hearing from our panel today about the standards they follow, and the types and frequency of testing.
3. Elevating responsibility through governance
Operational resilience is about people as much as it is about technology. We are not truly secure if just one person can make a mistake, click on the wrong thing, and cause total disruption. Building resilience requires elevating responsibility for resilience to those who make strategic decisions about the business.
With the FBI reporting $10.3 billion in cyber crime losses in 2022,[16] shattering the record from the prior year, it’s a business risk if companies do not have operational resilience plans properly tailored to their risks. That means putting those plans on the executive agenda, where they belong.
4. Building resilience to third-party risk
Cyber hackers will go through any door they can open, whether it’s at your company or your vendor or supply chain. Operational resilience cannot be achieved without ensuring that your third party’s servicer’s door is secured against cyber criminals.
Generally accepted standards discuss heightened scrutiny where the third party is deemed “critical.” At the TAC meeting, Treasury Deputy Assistant Secretary Conklin discussed how “many institutions didn’t even classify [ION Markets] necessarily as a ‘critical’ third-party vendor. So many firms who onboarded ION didn’t use the highest-level scrutiny that they use for their most critical third-party vendors.”[17] I look forward to hearing from our panel today about how third-party relationship management can best be a part of the advance from incident response to resilience.
5. Leveraging the work of others, including prudential regulators and the National Futures Association
The prudential regulators released Sound Practices to Strengthen Operational Resilience that became effective in 2022, and finalized their interagency guidance on third-party risk management this month. They have also issued rules and guidance on information security, including notification of incidents.
We are aware that swap dealers may participate in consolidated operational resilience programs at an enterprise level—programs that already follow prudential regulatory requirements and guidance. I believe that it is important to recognize those consolidated programs, and to harmonize our requirements where we can. The same is true for harmonizing with existing NFA guidance.
Conclusion
Finally, we are stronger together. As the regulator, we want to work with you to help strengthen your operational resilience, especially prior to any disruptive event. We see and can share best practices. A two-way flow of information can be very helpful. Remember that we are part of the U.S. government that has access to threat information. Also remember that there could be multiple firms that are impacted particularly given reliance on third party service providers. We want to work with you. If the public and private sector can work together to build resilience, we can collectively harden our defenses, making it that much harder for cyber criminals to be successful.
[1] See Commissioner Christy Goldsmith Romero, U.S. Commodity Futures Trading Commission, Protecting Against Emerging Global Fintech Threats in Cyberspace and Cryptocurrencies, (Nov. 30, 2022), Keynote Remarks of Commissioner Christy Goldsmith Romero at the Futures Industry Association, Asia Derivatives Conference, Singapore | CFTC.
[2] Cybersecurity and Infrastructure Security Agency, CISA and FBI Release, Advisory on CL0P Ransomware Gang Exploiting MOVEit Vulnerability, (June 7, 2023) CISA and FBI Release Advisory on CL0P Ransomware Gang Exploiting MOVEit Vulnerability | CISA.
[3] Tech.co, Hackers Behind MOVEit Ransomware Attacks Issue Their Ultimatum, Hackers Behind MOVEit Ransomware Attacks Issue an Ultimatum (tech.co).
[4] See Id.
[5] See Id.
[6] Wall Street Journal, Energy Department, Other U.S. Government Agencies Hacked in Cyberattack, (June 15, 2023) Energy Department, Other U.S. Government Agencies Hacked in Cyberattack - WSJ; CNN, Exclusive: US government agencies hit in global cyberattack, (June 15, 2023) US government hit in global cyberattack | CNN Politics (“The US Cybersecurity and Infrastructure Security Agency ‘is providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,’ Eric Goldstein, the agency’s executive assistant director for cybersecurity, said in a statement.”)
[7] BBC, MOVEit hack: Media watchdog Ofcom latest victim of mass hack, (June 12, 2023) MOVEit hack: Media watchdog Ofcom latest victim of mass hack - BBC News.
[8] Compliance Week, Shades of SolarWinds in lessons from MOVEit hack, (June 14, 2023) Shades of SolarWinds in lessons from MOVEit hack | Premium | Compliance Week.
[9] CNN, Exclusive: US government agencies hit in global cyberattack, (June 15, 2023) US government hit in global cyberattack | CNN Politics; TechCrunch, Ransomware gang lists first victims of MOVEit mass-hacks, including US banks and universities, (June 15, 2023) https://techcrunch.com/2023/06/15/moveit-clop-mass-hacks-banks-universities/.
[10] At the March 22, 2023 meeting of the CFTC Technology Advisory Committee which I sponsor, we had expert presentations on the cyber threat as well as on AI-enabled cyber threats. See TAC Meeting Agenda That Includes Cybersecurity, Decentralized Finance, and Artificial Intelligence - YouTube (March 22, 2023).
[11] CFTC Commissioner Christy Goldsmith Romero, Adjusting the Sails for Cyber and Climate Resilience, (Feb. 10, 2023) https://www.cftc.gov/PressRoom/SpeechesTestimony/oparomero6, citing Robert S. Mueller, III, Director, Federal Bureau of Investigation, Remarks as Prepared for Delivery to the RSA Cyber Security Conference, Mar. 1, 2012, FBI — Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies.
[12] White House, Executive Order on Improving the Nation's Cybersecurity | The White House (May 12, 2021).
[13] CFTC Commissioner Christy Goldsmith Romero, Adjusting the Sails for Cyber and Climate Resilience, (Feb. 10, 2023) https://www.cftc.gov/PressRoom/SpeechesTestimony/oparomero6.
[14] See TAC Meeting Agenda That Includes Cybersecurity, Decentralized Finance, and Artificial Intelligence - YouTube (March 22, 2023). Members of TAC who are cybersecurity experts include the TAC Chair Carole House who was recently the Director for Cybersecurity and Secure Digital Innovation at the White House National Security Council under President Biden; Todd Conklin, Deputy Assistant Secretary of Treasury’s Office of Cybersecurity and Critical Infrastructure Protection; Tim Gallagher who was a career-long FBI agent and executive, was most recently Managing Director for Cyber Risk at Kroll, and now is Managing Director, Digital Investigations & Cyber Defense and Chief Security Officer at Nardello, both of which are cybersecurity companies; the co-Founder and CEO of Trail of Bits which is a cybersecurity firm; and the co-founder and CEO of Fireblocks which is a cybersecurity firm.
[15] See CFTC, Presentation of Todd Conklin, Deputy Assistant Secretary of Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), The Cyber Threat Landscape for Financial Markets: Lessons Learned from ION Markets, Cloud Use in Financial Services, and Beyond, CFTC Technology Advisory Committee Meeting (March 22, 2023) TAC Meeting Agenda That Includes Cybersecurity, Decentralized Finance, and Artificial Intelligence - YouTube.
[16] FBI, Internet Crime Report 2022, 2022_IC3Report.pdf (March 22, 2023).
[17] See CFTC, Presentation of Todd Conklin, Deputy Assistant Secretary of Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), The Cyber Threat Landscape for Financial Markets: Lessons Learned from ION Markets, Cloud Use in Financial Services, and Beyond, CFTC Technology Advisory Committee Meeting (March 22, 2023) TAC Meeting Agenda That Includes Cybersecurity, Decentralized Finance, and Artificial Intelligence - YouTube.
-CFTC-