Even at an event that usually focuses on financial market structure, regulation, and intricate derivatives products, cyber security was at the top of the agenda during the morning keynotes and panels at the Futures Industry Association Expo in Chicago.
Timothy Massad, the new chairman of the US Commodity Futures Trading Commission (CFTC), didn't begin his speech by focusing on cybertopics, but they did make up a substantial portion of his comments. Likewise, CEOs from the four largest derivatives exchanges -- CME Group, Eurex, Intercontinental Exchange (ICE), and the CBOE -- also spent time discussing how the increase in cyberattacks is changing the focus of senior leaders across their respective organizations.
"An increasingly important aspect of our oversight of CCPs [central counterparty clearinghouses], as well as exchanges and other key institutions that we regulate, is cyber security and business continuity disaster recovery generally," Massad said during this morning's keynote address. "The need to strengthen the security and resilience of our financial markets against cyberattacks is clear."
Highlighting some of the more recent attacks, including those against JPMorgan Chase, Home Depot, and Target, Massad said the frequency of attacks is increasing, and the industry and regulators need to keep pace.
- We are all aware of the risk. Some of our nation's exchanges have also been hit or suffered other technological problems that caused outages or serious concerns. And because of the interconnectedness of financial institutions and markets, a failure in one institution can have significant repercussions in the system.
Jeffrey Sprecher, founder, chairman, and CEO of ICE, called cyber security an important topic for senior leaders at his organization. "Our company has really stepped up" to address the topic, he said. "Every board meeting has hours of cyber discussion." Security experts from across the financial services industry also share threat information, he added: "There is a lot of dialogue between staff members across the industry," which is necessary to help prevent attacks.
Massad said the CFTC is increasing its oversight of cyber preparedness in the industry. Its updated cybersecurity safeguards require that exchanges, clearinghouses, and other market infrastructure entities have four things:
- Risk analysis: "a program of risk analysis and oversight to identify and minimize sources of cyber and operational risk"
- Automation: "automated systems that are reliable, secure, and have adequate scalable capacity"
- A plan: "emergency procedures, backup facilities, and a business continuity-disaster recovery plan"
- Regular testing: "regular, objective, independent testing to verify that the system safeguards program is sufficient to fulfill its regulatory responsibilities"
Market infrastructure providers also need the ability to recover from attacks quickly. "Clearinghouses, exchanges, and these other institutions must also notify the commission promptly of certain incidents and must have recovery procedures in place," Massad said. "Systemically important clearinghouses, for example, must be able to resume operations within two hours."
However, the CFTC cannot test and review all of the market's players.
- We conduct system safeguard examinations to determine compliance with these requirements, but we must remember the limitations of our oversight. Keep in mind that some of our major financial institutions are spending more on cybersecurity each year than our agency's entire budget. We do not engage in independent testing.
Instead of testing each institution separately, the CFTC will look for evidence that an entity is taking cyber security seriously, he said. The commission will look at four key areas:
- Governance: "Is the board paying sufficient attention to cyber security and taking appropriate steps? Does the board have the expertise, and does it devote the time, to do so? Is it setting the right tone as to the importance of these issues? The same questions apply, needless to say, to top management."
- Resources: "Are sufficient resources and capabilities being devoted to monitor and control cyber-related risks across all levels of the organization?"
- Policies and procedures: "Are adequate plans and policies in place to address information security, physical security, system operations, and other critical areas? And is the regulated entity actually following its plans and policies, and considering how plans and policies may need to be amended from time to time in light of technological, market or other security developments?"
- Vigilance and responsiveness: "If a weakness or deficiency is identified, does the regulated entity take prompt and thorough action to address it? Does it not only fix the immediate problem, but also examine the root causes of the deficiency?"