On November 5, 2014, the Chairman of the Commodity Futures Trading Commission, Timothy G. Massad, gave keynote remarks at the Futures Industry Association Expo 2014.
Part of Chairman Massad’s remarks focused on the importance and oversight of cybersecurity and business continuity disaster recovery for the financial institutions, exchanges, and markets that the Commission regulates. Specifically, Chairman Massad discussed the fact that the Commission’s system safeguards require that the entities the Commission regulates have four important components:
1. A program of risk analysis and oversight to identify and minimize sources of cyber and operational risk;
2. Automated systems that are reliable, secure, and have adequate scalable capacity;
3. Emergency procedures, backup facilities, and a business continuity disaster recovery plan; and
4. Regular, objective, independent testing to verify that the system safeguards program is sufficient to fulfill its regulatory responsibilities.
In addition, Chairman Massad explained that the entities the Commission regulates must have a risk management program that addresses the following key elements: information security, systems development, quality assurance, and governance. Clearinghouses and exchanges must notify the Commission promptly of certain incidents and must have recovery procedures in place. For example, systematically important clearinghouses must be able to resume operations in two hours.
Finally, Chairman Massad provided guidance on the key areas that the Commission is focused on:
• Governance – Is the board paying sufficient attention to cybersecurity and taking appropriate steps? Does the board have the expertise — and does it devote the time — to do so? Is it setting the right tone as to the importance of these issues? The same questions apply, needless to say, to top management.
• Resources – Are sufficient resources and capabilities being devoted to monitor and control cyber-related risks across all levels of the organization?
• Policies and Procedures – Are adequate plans and policies in place to address information security, physical security, system operations, and other critical areas? And is the regulated entity actually following its plans and policies and considering how plans and policies may need to be amended from time to time in light of technological, market, or other security developments?
• Vigilance and Responsiveness to Identified Weaknesses and Problems – If a weakness or deficiency is identified, does the regulated entity take prompt and thorough action to address it? Does it not only fix the immediate problem but also examine the root causes of the deficiency?
Chairman Massad concluded his remarks by noting that enforcement and compliance are a priority for the Commission.
Regulators are continuing to increase their focus on whether directors and executive officers are appropriately engaged in overseeing cybersecurity preparedness. While the board or CEO is not expected to configure the firewall, they should be able to ask appropriate questions to ensure that the right people, processes, and technology are in place and that the company is continuously analyzing threats and risks and adjusting accordingly. Further, they should ensure that the company is preparing to respond in the event of an incident and evaluating ways to appropriately shift liability for financial consequences through insurance products and contracts.