CFTC Finalizes Rules on Cybersecurity Testing for Futures Industry

Under new rules adopted by the Commodity Futures Trading Commission (CFTC), various entities in the futures industry must undertake cybersecurity testing. At its open meeting on Sept. 8, 2016, the CFTC amended its system safeguards rules for exchanges, clearinghouses, and data repositories to require cybersecurity testing and system safeguards risk analysis. Under the amended rules, specified entities must undertake five types of testing: (1) vulnerability testing, (2) penetration testing, (3) controls testing, (4) security incident response plan testing, and (5) enterprise technology risk assessment. The rules provide for minimum testing intervals, and require the use of independent contractors in certain circumstances.
