The US Commodity Futures Trading Commission (CFTC) has voted unanimously to approve two proposals for amendments to existing regulations addressing cybersecurity testing and safeguards for the automated systems used by critical infrastructures the CFTC regulates.
The proposals will be open for public comment during a 60-day comment period after their publication in the Federal Register.
The proposals, to be published in separate Federal Register Notices, identify five types of cybersecurity testing as essential to a sound system safeguards program: (1) vulnerability testing, (2) penetration testing, (3) controls testing, (4) security incident response plan testing, and (5) enterprise technology risk assessments.
The two proposals would require all derivatives clearing organisations, designated contract markets, swap execution facilities, and swap data repositories to conduct each of the five types of cybersecurity testing, as frequently as indicated by appropriate risk analysis. In addition, the proposals would specify minimum testing frequency requirements for all derivatives clearing organisations and swap data repositories and specified designated contract markets, and require them to have certain tests performed by independent contractors.
