[Federal Register Volume 89, Number 16 (Wednesday, January 24, 2024)]
[Proposed Rules]
[Pages 4706-4768]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-28745]




Vol. 89

Wednesday,

No. 16

January 24, 2024

Part III





 Commodity Futures Trading Commission





-----------------------------------------------------------------------





17 CFR Parts 1 and 23





Operational Resilience Framework for Futures Commission Merchants, Swap 
Dealers, and Major Swap Participants; Proposed Rule


-----------------------------------------------------------------------

COMMODITY FUTURES TRADING COMMISSION

17 CFR Parts 1 and 23

RIN 3038-AF23


Operational Resilience Framework for Futures Commission 
Merchants, Swap Dealers, and Major Swap Participants

AGENCY: Commodity Futures Trading Commission.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The Commodity Futures Trading Commission (CFTC or Commission) 
is proposing to require that futures commission merchants, swap 
dealers, and major swap participants establish, document, implement, 
and maintain an Operational Resilience Framework reasonably designed to 
identify, monitor, manage, and assess risks relating to information and 
technology security, third-party relationships, and emergencies or 
other significant disruptions to normal business operations. The 
framework would include three components--an information and technology 
security program, a third-party relationship program, and a business 
continuity and disaster recovery plan--supported by broad requirements 
relating to governance, training, testing, and recordkeeping. The 
proposed rule would also require certain notifications to the 
Commission and customers or counterparties. The Commission is further 
proposing guidance relating to the management of risks stemming from 
third-party relationships.

DATES: Comments must be received on or before March 2, 2024.

ADDRESSES: You may submit comments, identified by RIN number 3038-AF23, 
by any of the following methods:
     CFTC Comments Portal: https://comments.cftc.gov. Select 
the ``Submit Comments'' link for this rulemaking and follow the 
instructions on the Public Comment Form.
     Mail: Christopher Kirkpatrick, Secretary of the 
Commission, Commodity Futures Trading Commission, Three Lafayette 
Centre, 1155 21st Street NW, Washington, DC 20581.
     Hand Delivery/Courier: Follow the same instructions as for 
Mail, above.
    Please submit your comments using only one of these methods. 
Submissions through the CFTC Comments Portal are encouraged.
    All comments must be submitted in English, or if not, accompanied 
by an English translation. Comments will be posted as received to 
https://comments.cftc.gov. You should submit only information that you 
wish to make available publicly. If you wish the Commission to consider 
information that you believe is exempt from disclosure under the 
Freedom of Information Act (FOIA), a petition for confidential 
treatment of the exempt information may be submitted according to the 
procedures established in Commission regulation 145.9.\1\
---------------------------------------------------------------------------

    \1\ 17 CFR 145.9. The Commission's regulations are found at 17 
CFR chapter I (2022).
---------------------------------------------------------------------------

    The Commission reserves the right, but shall have no obligation, to 
review, pre-screen, filter, redact, refuse or remove any or all of your 
submission from https://comments.cftc.gov that it may deem to be 
inappropriate for publication, such as obscene language. All 
submissions that have been redacted or removed that contain comments on 
the merits of the rulemaking will be retained in the public comment 
file and will be considered as required under the Administrative 
Procedure Act and other applicable laws, and may be accessible under 
the FOIA.

FOR FURTHER INFORMATION CONTACT: Amanda L. Olear, Director, at 202-418-
5283 or [email protected]; Pamela Geraghty, Deputy Director, at 202-418-
5634 or [email protected]; Fern Simmons, Associate Director, at 202-
418-5901 or [email protected]; Elise Bruntel, Special Counsel, at 202-
418-5577 or [email protected]; Market Participants Division, Commodity 
Futures Trading Commission, Three Lafayette Centre, 1151 21st Street 
NW, Washington, DC 20581.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Introduction
II. Proposal
    A. Generally--Proposed Paragraph (b)
    1. Purpose and Scope; Components--Proposed Paragraphs (b)(1) and 
(b)(2)
    2. Standard--Proposed Paragraph (b)(3)
    3. Request for Comment
    B. Governance--Proposed Paragraph (c)
    1. Approval of Components--Proposed Paragraph (c)(1)
    2. Risk Appetite and Risk Tolerance Limits--Proposed Paragraph 
(c)(2)
    3. Internal Escalations--Proposed Paragraph (c)(3)
    4. Consolidated Program or Plan--Proposed Paragraph (c)(4)
    5. Request for Comment
    C. Information and Technology Security Program--Proposed 
Paragraph (d)
    1. Risk Assessment--Proposed Paragraph (d)(1)
    2. Effective Controls--Proposed Paragraph (d)(2)
    3. Incident Response Plan--Proposed Paragraph (d)(3)
    4. Request for Comment
    D. Third-Party Relationship Program--Proposed Paragraph (e)
    1. Third-Party Relationship Lifecycle Stages--Proposed Paragraph 
(e)(1)
    2. Heightened Requirements for Critical Third-Party Service 
Providers--Proposed Paragraph (e)(2)
    3. Third-Party Service Provider Inventory--Proposed Paragraph 
(e)(3)
    4. Retention of Responsibility--Proposed Paragraph (e)(3)
    5. Application to Existing Third-Party Relationships
    6. Guidance on Third-Party Relationship Programs--Proposed 
Paragraph (e)(4); Appendix A to Part 1; Appendix A to Subpart J of 
Part 23
    7. Request for Comment
    E. Business Continuity and Disaster Recovery Plan--Proposed 
Paragraph (f)
    1. Definition of ``Business Continuity and Disaster Recovery 
Plan''
    2. Purpose--Proposed Paragraph (f)(1)
    3. Minimum Contents--Proposed Paragraph (f)(2)
    4. Accessibility--Proposed Paragraph (f)(3)
    5. Request for Comment
    F. Training and Distribution--Proposed Paragraph (g)
    G. Review and Testing--Proposed Paragraph (h)
    1. Reviews--Proposed Paragraph (h)(1)
    2. Testing--Proposed Paragraph (h)(2)
    3. Independence--Proposed Paragraph (h)(3)
    4. Documentation--Proposed Paragraph (h)(4)
    5. Internal Reporting--Proposed Paragraph (h)(5)
    6. Request for Comment
    H. Required Notifications--Proposed Paragraphs (i) and (j)
    1. Commission Notification of Incidents--Proposed Paragraph 
(i)(1)
    2. Commission Notification of BCDR Plan Activation--Proposed 
Paragraph (i)(2)
    3. Notifications to Customers or Counterparties--Proposed 
Paragraph (j)
    4. Request for Comment
    I. Amendment and Expansion of Other Provisions in Current 
Commission Regulation 23.603
    1. Emergency Contacts--Proposed Paragraph (k)
    2. Recordkeeping--Proposed Paragraph (l)
    3. Request for Comment
    J. Cross-Border Application for Swap Entities
    K. Implementation Period
III. Related Matters
    A. Regulatory Flexibility Act
    B. Paperwork Reduction Act
    C. Cost-Benefit Considerations
    D. Antitrust Laws

I. Introduction

    In 2012 and 2013, the Commission adopted rules requiring that 
futures commission merchants (FCMs),\2\ swap dealers (SDs) \3\ and 
major swap participants (MSPs) \4\ establish risk management programs 
(RMPs).\5\ 
The rules require that SDs and MSPs (together, swap entities) and FCMs 
design their RMPs to monitor and manage the risks associated with their 
activities as swap entities or FCMs.\6\ Such risks include, but are not 
limited to, market, credit, liquidity, segregation, settlement, 
capital, and operational risk.\7\ Taken together, the RMP rules support 
a unified Commission objective: to require FCMs and swap entities 
(collectively, covered entities) to establish comprehensive risk 
management practices to mitigate systemic risk and promote customer 
protection.\8\ Recognizing that covered entities vary in size and 
complexity, the RMP rules identify certain elements that must, at a 
minimum, be included as part of the RMP, and require that certain risks 
must be taken into account; but the rules otherwise allow covered 
entities flexibility to design RMPs tailored to their circumstances and 
organizational structures.\9\
---------------------------------------------------------------------------

    \2\ See 7 U.S.C. 1a(28), 17 CFR 1.3 (defining ``futures 
commission merchant'').
    \3\ See 7 U.S.C. 1a(49), 17 CFR 1.3 (defining ``swap dealer'').
    \4\ See 7 U.S.C. 1a(33), 17 CFR 1.3 (defining ``major swap 
participant'').
    \5\ See 17 CFR 1.11; 17 CFR 23.600; Enhancing Protections 
Afforded Customers and Customer Funds Held by Futures Commission 
Merchants and Derivatives Clearing Organizations, 78 FR 68506 (Nov. 
14, 2013) (Final FCM RMP Rule); Swap Dealer and Major Swap 
Participant Recordkeeping, Reporting, and Duties Rules; Futures 
Commission Merchant and Introducing Broker Conflicts of Interest 
Rules; and Chief Compliance Officer Rules for Swap Dealers, Major 
Swap Participants, and Futures Commission Merchants, 77 FR 20128 
(Apr. 3, 2012) (Final Swap Entities RMP Rule).
    \6\ See 17 CFR 1.11(c); 17 CFR 23.600(b). The RMP rule for FCMs 
does not apply to FCMs that do not accept or hold customer assets. 
See 17 CFR 1.11(a).
    \7\ See 17 CFR 1.11(e); 17 CFR 23.600(c).
    \8\ See Final Swap Entities RMP Rule, 77 FR at 20128; Final FCM 
RMP Rule, 78 FR 68506.
    \9\ See, e.g., Regulations Establishing and Governing the Duties 
of Swap Dealers and Major Swap Participants, 75 FR 71397, 71399 
(Nov. 23, 2010) (Proposed Swap Entities RMP Rule) (``The 
Commission's rule has been designed such that the specific elements 
of a risk management program will vary depending on the size and 
complexity of a [swap entity's] business operations.'').
---------------------------------------------------------------------------

    In the decade since the RMP rules were adopted, covered entities 
have encountered a wide variety of challenging conditions, including 
Brexit, the LIBOR transition, the COVID-19 pandemic stress period, the 
invasion of Ukraine, and general interest rate increases to tame 
inflation. Throughout this period, the Commission has, through its 
various oversight activities, observed that adherence to its RMP rules 
has supported covered entities' ability to withstand and recover from 
market challenges. The Commission therefore believes the RMP rules have 
helped establish a solid foundation of risk management among covered 
entities across various risk types, promoting a solid baseline standard 
of risk management that reduces overall systemic risk and enhances the 
Commission's customer protections.
    Nevertheless, the Commission believes it has identified 
opportunities to adapt its regulations to further promote sound risk 
management practices, reduce risk to the U.S. financial system, and 
protect commodity interest customers and counterparties.\10\ 
Specifically, as it relates to this proposal, the Commission believes 
that recent events, noted below, have highlighted the need for more 
particularized risk management requirements for covered entities 
designed to promote operational resilience. An outcome of the effective 
management of operational risk, ``operational resilience'' can be 
broadly defined as the ability of a firm to detect, resist, adapt to, 
respond to, and recover from operational disruptions.\11\ As the use of 
technology and associated third-party service providers has expanded 
within the financial sector, so too have the sources of operational 
risk facing covered entities, notably the potential for technological 
failures and cyberattacks.\12\ The Commission preliminarily believes 
that requirements for covered entities directed at promoting sound 
practices for managing these risks, as well as the risk of other 
potential physical disruptions to operations (e.g., power outages, 
natural disasters, pandemics), and for mitigating their potential 
impact would not only strengthen individual covered entity operational 
resilience but would reduce risk to the U.S. financial system as a 
whole and help protect derivatives customers and counterparties.\13\
---------------------------------------------------------------------------

    \10\ The Commission recently solicited public comment on an 
advanced notice of proposed rulemaking regarding potential 
amendments to the RMP requirements. See Risk Management Program 
Regulations for Swap Dealers, Major Swap Participants, and Futures 
Commission Merchants, 88 FR 45826 (Jul. 18, 2023) (RMP ANPRM). The 
comment file is available at https://comments.cftc.gov/PublicComments/CommentList.aspx?id=7412.
    \11\ See Proposed Swap Entities RMP Rule, 75 FR 71399, n.12 
(defining ``operational risk'' as including ``the risk of loss due 
to deficiencies in information systems, internal processes and 
staffing, or disruptions from external events that result in the 
reduction, deterioration, or breakdown in services or controls 
within the firm.''). Several sources have produced definitions of 
``operational resilience'' relevant to the financial sector. See 
e.g., Board of Governors of the Federal Reserve System (FRB), the 
Office of the Comptroller of the Currency (OCC), and the Federal 
Deposit Insurance Corporation (FDIC) (together, the prudential 
regulators), Sound Practices to Strengthen Operational Resilience at 
2 (Oct. 30, 2020) (Prudential Operational Resilience Paper) 
(defining ``operational resilience'' as the ``ability to deliver 
operations, including critical operations and core business lines, 
through a disruption from any hazard.''); Basel Committee on Banking 
Supervision (BCBS), Principles for Operational Resilience at 2, 3 
(Mar. 31, 2021) (BCBS Operational Resilience Principles) (``ability 
of a bank to deliver critical operations through disruption''); 
National Institute of Standards and Technology (NIST), Developing 
Cyber-Resilient Systems: A Systems Security Engineering Approach, SP 
800-160, Vol. 2, Rev. 1 at 76 (Dec. 2021) (``ability of systems to 
resist, absorb, and recover from or adapt to an adverse occurrence 
during operation that may cause harm, destruction, or loss of 
ability to perform mission-related functions.''). Core to each of 
these definitions is the notion of being able to continue to operate 
or perform despite a disruption.
    \12\ See Jason Harrell, Depository Trust & Clearing Corporation 
(DTCC) Managing Director, Head of External Engagements, 
``Operational and Technology Risk, Evolving Cybersecurity Risks in a 
Digitalized Era'' (Sept. 20, 2023) (``While partnerships with third 
parties offer rapid solutions for institutions to access the latest 
technologies and capabilities, they also increase the surface area 
for potential threat actors to gain access to an institution, 
causing cyber incidents that can impact the institution's operations 
and potentially create additional sector impacts.'').
    \13\ Responding to the RMP ANPRM, several commenters suggested 
the Commission consider addressing cybersecurity risk independently. 
See Americans for Financial Reform Education Fund (AFREF) and Public 
Citizen Letter at 6 (Sept. 18, 2023) (AFREF&PC Letter); Better 
Markets Letter Re: Risk Management Program Regulations for Swap 
Dealers, Major Swap Participants, and Futures Commission Merchants 
(RIN 3038-AE59) at 6-9 (Sept. 18, 2023) (Better Markets Letter); 
R.J. O'Brien & Associates LLC Letter at 5-6 (Sept. 18, 2023) (R.J. 
O'Brien Letter). AFREF and Public Citizen also recommended that the 
Commission consider extending its risk management regulations to 
encompass third-party service providers for information technology 
services. See AFREF&PC Letter at 2.
---------------------------------------------------------------------------

    The importance of operational resilience in the financial industry 
has come into stark relief in the past few years, particularly 
following the COVID-19 pandemic. At the start of the pandemic, 
Commission staff initiated near daily in-depth discussions with covered 
entities as those registrants navigated the myriad challenges presented 
during that time. Through a combination of sustained intensive effort 
on the part of the covered entities, and targeted no-action positions 
and exemptive relief provided by Commission staff, covered entities 
generally continued to operate without material disruption to their 
CFTC-regulated activities. As a result of this unprecedented 
experience, the Commission considered whether there were additional 
opportunities for it to act to gain ongoing transparency into, and to 
provide further regulatory support to, covered entities' operational 
resilience practices outside of an unfolding crisis. Commission staff 
then began the work of assessing the current operational resilience 
landscape for covered entities and determining how the Commission could 
act to further the holistic consideration and adoption of operational 
resilience practices amongst covered entities to ensure that certain 
operational risks impacting their CFTC-regulated activities were being 
addressed on an ongoing basis.
    In particular, one area of increased focus is cyber risk. In 2022, 
cyber intelligence firms reported that the financial sector was among 
the most impacted by malicious emails, and was ultimately the most 
breached over the course of the year, with more than 566 successful 
attacks resulting in 254 million leaked records by early December 
2022.\14\ For the past two years, financial institutions responding to 
a DTCC risk survey have identified cyber risk as one of the top five 
risks to global financial markets, highlighting the increased 
sophistication of cyber criminals and the industry's growing digital 
footprint as key drivers.\15\ Given that remote access and cloud 
computing may become permanent features of the financial markets, the 
need for financial institutions to strengthen, adapt, and prioritize 
their information and technology risk practices would seem critical to 
preserving the continued integrity and stability of U.S. financial 
markets.\16\
---------------------------------------------------------------------------

    \14\ See Trellix, The Threat Report Fall 2022 at 11 (Nov. 2022) 
(noting that the financial services sector was the most targeted by 
malicious emails in Q3 of 2022); Flashpoint, Flashpoint Year In 
Review: 2022 Financial Threat Landscape (Dec. 20, 2022) (citing 
finance and insurance as the most-breached sector in 2022).
    \15\ See DTCC, Systemic Risk Barometer Survey: 2023 Risk 
Forecast (Dec. 7, 2022); DTCC, Systemic Risk Barometer Survey: 2022 
Risk Forecast (Dec. 13, 2021) (naming cyber risk as the top risk to 
the economy). See also Bank for International Settlements (BIS), 
Financial Stability Institute (FSI), FSI Insights on policy 
implementation No. 50, Banks' cyber security--a second generation of 
regulatory approaches (June 12, 2023) (FSI Cybersecurity Paper) 
(citing a 2023 report that most chief risk officers consider cyber 
risk the top threat to the banking industry and the most likely to 
result in a crisis or major operational disruption); Federal Bureau 
of Investigation, Internet Crime Complaint Center Releases 2022 
Statistics (Mar. 22, 2023) (``Cyber-enabled crime has been around 
for many years, but methods used by perpetrators continue to 
increase in scope and sophistication emanating from around the 
world.'').
    \16\ See FRB, Cybersecurity and Financial System Resilience 
Report at 15 (Aug. 2023) (``The rising number of advanced persistent 
threats increases the potential for malicious cyber activity within 
the financial sector. Combined with the increased internet-based 
interconnectedness between financial institutions and the increasing 
dependence on third-party service providers, these threats may 
result in incidents that affect one or more participants in the 
financial services sector simultaneously and have potentially 
systemic consequences.'').
---------------------------------------------------------------------------

    Covered entities have experienced firsthand how breaches of 
information and technology security can reduce their ability to protect 
customers. In 2016, for instance, a hacker was able to access customer 
records held on an FCM's backup storage device after a default 
configuration of that device left it open to infiltration via the 
internet.\17\ In 2018, a successful phishing attack on an FCM 
compromised customer information and resulted in the FCM's acceptance 
of a fraudulent wire request that took $1 million in funds from a 
customer's account.\18\ Other regulators have also taken action against 
banks registered as swap entities where failed controls and third-party 
service providers intersected to result in the significant exposure of 
customer information.\19\ Even more recently, a ransomware attack on a 
U.S. broker-dealer in November 2023 was so significant that, according to 
news reports, the brokerage required a capital injection from a parent 
entity to settle $9 billion in trades, an amount many times larger than 
its net capital.\20\
---------------------------------------------------------------------------

    \17\ See In re AMP Global Clearing LLC, CFTC Docket No. 18-10 
(Feb. 12, 2018).
    \18\ See In re Phillip Capital Inc., CFTC Docket No. 19-22 
(Sept. 12, 2019).
    \19\ See, e.g., In re Capital One, N.A. and Capital One Bank 
(USA), N.A., AA-EC-20-49 (Aug. 5, 2020) (OCC finding that failed 
risk management practices resulted in exposure of 100 million 
individual credit card applications, including approximately 140,000 
social security numbers, by a former cloud servicer employee); In re 
Morgan Stanley Smith Barney LLC, File No. 3-17280 (Jun. 8, 2016) 
(Securities and Exchange Commission (SEC) finding that failed risk 
management controls allowed an employee to impermissibly access and 
transfer data regarding 730,000 accounts to a personal server, which 
was ultimately hacked by third parties).
    \20\ See Paritosh Bansal, Reuters, ``Inside Wall Street's 
scramble after ICBC hack'' (Nov. 13, 2023) (reporting that the firm 
asked clients to temporarily suspend business with them and clear 
trades elsewhere).
---------------------------------------------------------------------------

    Against the backdrop of that work, a recent and well-documented 
incident serves as an important cautionary tale about the potential 
systemic impact of an operational event at a third-party service 
provider. On January 30, 2023, a ransomware attack on ION Markets, a 
division of UK-based third-party service provider ION Group LLC (ION), 
resulted in a two-week disruption in mid-office activities at several 
FCMs. ION provides order management, execution, trading, and trade 
processing services for several FCMs, including about 20 percent of 
clearing members at the Chicago Mercantile Exchange (CME), but also 
provides software services to many other financial institutions, 
notably many systemically important banks.\21\ FCMs affected by the 
attack had to process trades manually, leading to delays in the timely 
and accurate reporting of trade data to the CFTC, and consequently a 
temporary lag in production of the Commission's weekly Commitments of 
Traders report.\22\ The incident was initially so concerning that Japan 
cut off all connectivity with ION.\23\ Within a couple of days of the 
attack, however, regulators, including the CFTC, coordinated efforts to 
determine that the attack was limited to a small number of software 
applications relied on within the cleared derivatives space by about 
forty-two (42) institutions, with no significant impact to systemically 
important banks.\24\
---------------------------------------------------------------------------

    \21\ See Luke Clancy, Risk.net, ``One-fifth of CME clearing 
members hit by Ion hack'' (Mar. 9, 2023); see also Statement of Todd 
Conklin, Deputy Assistant Secretary, Department of the Treasury 
(Treasury), Office of Cybersecurity and Critical Infrastructure 
Protection (OCCIP), The Cyber Threat Landscape for Financial 
Markets: Lessons Learned from ION Markets, Cloud Use in Financial 
Services, and Beyond, CFTC Technology Advisory Committee Meeting 
Transcript at 160-166 (Mar. 22, 2023) (Conklin TAC Presentation) 
(describing the potential ``sprawling impact zone'' had the ION 
incident not been limited to its derivatives software services), 
available at https://www.cftc.gov/sites/default/files/2023/07/1688400024/tac_032223_transcript.pdf.
    \22\ CFTC, Statement on ION and the Impact to the Derivatives 
Markets (Feb. 2, 2023), available at https://www.cftc.gov/PressRoom/SpeechesTestimony/cftcstatement020223. The Commitments of Traders 
report is widely relied on by market participants for insight into 
positions held on exchange-traded futures and options.
    \23\ See Conklin TAC Presentation (Mar. 22, 2023).
    \24\ Id.
---------------------------------------------------------------------------

    During a March 8, 2023, meeting of the CFTC's Market Risk Advisory 
Committee (MRAC), panelists discussed how the collaborative work of the 
CFTC, industry, and self-regulatory organizations (including CME, the 
National Futures Association (NFA), and the Financial Industry 
Regulatory Authority (FINRA)) helped mitigate the impact of the ION 
incident, allowing affected firms to return to business as usual within 
a couple of weeks.\25\ Nevertheless, panelists agreed that the incident 
highlighted the interconnectedness of the derivatives markets and the 
need for firms to continue to adapt safeguards to address the ever-
evolving threat landscape.\26\ As the ION incident demonstrates, a 
disruptive cyber event can reach beyond particular financial 
institutions directly experiencing events to other institutions in the 
financial markets or to others doing business with an impacted 
financial institution, and could potentially impact financial 
stability.\27\
---------------------------------------------------------------------------

    \25\ See CFTC, The Market Risk Advisory Committee to Meet on 
March 8 (Mar. 8, 2023) (MRAC Meeting), available at https://www.cftc.gov/PressRoom/Events/opaeventmrac030823; see also Conklin 
TAC Presentation (discussing how Treasury implemented its cyber 
incident response playbook in the days following the ION incident to 
mitigate the potential for panic after news reports began 
circulating information that the incident was more significant than 
regulators had initially determined it was).
    \26\ See Statement of Walt Lukken, President and Chief Executive 
Officer, Futures Industry Association (FIA), MRAC Meeting Transcript 
at 41 (``While the number of clearing firms that use ION's suite of 
clearing products is limited, the interconnectedness of our markets 
made the outage impactful throughout the entirety of our 
marketplace.''); see also Statement of Tom W. Sexton, III, President 
and Chief Executive Officer, NFA, MRAC Meeting Transcript at 46 
(``[O]ur member firms have adopted robust safeguards already that 
need to be adapted in light of today's and tomorrow's ongoing 
challenges and threats.'').
    \27\ See FIA, FIA Taskforce on Cyber Risk, After Action Report 
and Findings at 3 (Sept. 2023) (FIA Taskforce Report) (``The [ION 
incident] demonstrated that an outage at a single service provider 
can have damaging effects across a wide range of firms and threaten 
the orderly functioning of markets. The attack also demonstrated in 
vivid detail the complexities of restoring normal service.'').
---------------------------------------------------------------------------

    In light of these and other events, the Commission believes that 
customer protection and the broader stability of the derivatives 
markets at large warrant more targeted CFTC requirements relating to 
the management of operational risk designed to promote operational 
resilience.\28\ Specifically, the Commission believes that the absence 
of CFTC-specific requirements for covered entities that explicitly 
address information and technology security, as well as third-party 
risk, could impede the Commission's ability to fulfill its regulatory 
oversight obligations with respect to covered entities and ultimately 
weaken its ability to address systemic risk, protect customer assets, 
and promote responsible innovation.\29\ The Commission further believes 
that enhanced CFTC oversight of covered entities with respect to 
operational resilience would help improve outcomes following 
operational disruptions by giving the Commission the ability to ensure 
that covered entities have actionable plans in place to address key 
operational risks.
---------------------------------------------------------------------------

    \28\ Existing CFTC requirements for covered entities relating to 
operational risk or information security are more general in nature 
or limited in application. See, e.g., 17 CFR 1.11(e)(3)(ii) 
(providing, with respect to operational risk, that FCMs have 
automated financial risk management controls reasonably designed to 
prevent the placing of erroneous orders); Enhancing Protections 
Afforded Customers and Customer Funds Held by Futures Commission 
Merchants and Derivatives Clearing Organizations, 77 FR 67866, 67906 
(Nov. 14, 2012) (describing Commission regulation 1.11(e)(3)(ii) as 
requiring an FCM's RMP to include automated financial risk 
management controls in order to reduce operational risk that could 
result from ``fat finger'' errors when submitting trades, or from 
technological ``glitches'' using automated trading); 17 CFR 
23.600(c)(4)(vi) (requiring swap entities to take into account, 
among other things, secure and reliable operating and information 
systems with adequate, scalable capacity, and independence from the 
business trading unit; safeguards to detect, identify, and promptly 
correct deficiencies in operating and information systems; and 
reconciliation of all data and information in operating and 
information systems); 17 CFR 162.21 and 17 CFR 160.30 (requiring 
covered entities to adopt written policies and procedures addressing 
administrative, technical, and physical safeguards with respect to 
the information of consumers).
    \29\ See 7 U.S.C. 5 (establishing among the purposes of the 
Commodity Exchange Act to deter disruptions to market integrity, to 
ensure the financial integrity of covered transactions and the 
avoidance of systemic risk, and to promote responsible innovation 
and fair competition among market participants).
---------------------------------------------------------------------------

II. Proposal

    Section 4s(j)(2) of the Commodity Exchange Act (CEA or Act) 
expressly requires swap entities to establish robust and professional 
risk management systems adequate for managing their day-to-day 
business.\30\ Section 4s(j)(7) further directs the Commission to 
prescribe rules governing the duties of swap entities, including the 
duty to establish risk management systems, which would include the 
management of operational risk.\31\ The Commission is authorized to 
promulgate operational risk management requirements for FCMs pursuant 
to section 8a(5) of the CEA, which authorizes the Commission to make 
and promulgate such rules and regulations as, in the judgment of the 
Commission, are reasonably necessary to effectuate any of the 
provisions of, or to accomplish any of the purposes of, the CEA.\32\ 
This general rulemaking authority may be used to prevent problems 
before they arise in the agency's blind spots,\33\ and may be exercised 
to regulate circumstances or parties beyond those explicated in a 
statute.\34\ Accordingly, the Commission has broad authority to 
promulgate regulations provided that such regulations are supported by 
a sufficient nexus to the CFTC's delegated authority. Specifically, 
Congress expressly empowered the Commission to prescribe certain 
requirements with respect to FCMs, namely, to require FCMs to register 
(sections 8a(1), 4d(a)(1), and 4f(a)(1) of the CEA \35\); to segregate 
customer funds (section 4d of the CEA \36\); to establish safeguards to 
minimize conflicts of interest (section 4d of the CEA \37\); to meet 
minimum financial requirements (section 4f of the CEA \38\); to manage 
and maintain records and reporting on the financial and operational 
risks of affiliates (section 4f of the CEA \39\); and to establish 
administrative, technical, and physical safeguards to protect the 
security and confidentiality of certain nonpublic personal information 
(section 5g of the CEA \40\), among other requirements.
---------------------------------------------------------------------------

    \30\ See 7 U.S.C. 6s(j)(2).
    \31\ See 7 U.S.C. 6s(j)(7).
    \32\ 7 U.S.C. 12a(5).
    \33\ Inv. Co. Inst. v. CFTC, 891 F. Supp. 2d 162, 193 (D.D.C. 
2012), as amended (Jan. 2, 2013) (citing Stilwell v. Office of 
Thrift Supervision, 569 F.3d 514, 519 (D.C. Cir. 2009)).
    \34\ Nat'l Ass'n of Mfrs. v. SEC, 748 F.3d 359, 366 (D.C. Cir. 
2014), overruled on other grounds by Am. Meat Inst. v. U.S. Dept. of 
Agric., 760 F.3d 18 (D.C. Cir. 2014) (en banc).
    \35\ 7 U.S.C. 12a(1); 7 U.S.C. 6d(a)(1); 7 U.S.C. 6f(a)(1).
    \36\ 7 U.S.C. 6d.
    \37\ Id.
    \38\ 7 U.S.C. 6f.
    \39\ Id.
    \40\ See 7 U.S.C. 7b-2; 15 U.S.C. 6801.
---------------------------------------------------------------------------

    The Commission believes that more particularized operational risk 
management requirements are reasonably necessary to help effectuate 
these statutory requirements for FCMs and to accomplish the purposes of 
the CEA. FCMs play an important role in the derivatives markets, 
serving as both the primary point of access to the cleared commodity 
interest markets for customers and the custodian of the funds used to 
maintain their positions. Given their position at the center of the 
derivatives market ecosystem, FCMs' operational resilience is essential 
to well-functioning derivatives markets and to ensuring that customers 
receive the protections provided by the CEA. However, as discussed 
above, operational risks, notably cyber and third-party risks, have 
become an increasing threat to financial institutions, including FCMs. 
These risks can cause major disruptions to FCMs' operations, and 
consequently impact the ability of FCMs to fulfill their obligations as 
Commission registrants. In particular, information security threats and 
operational disruptions can place an FCM's financial resources at risk; 
disrupt an FCM's ability to segregate and protect customer funds; 
impede accurate recordkeeping, including records related to customer 
funds; and cause a host of other issues for FCMs, which ultimately 
inure to the detriment of their customers and the derivatives markets. 
Accordingly, the Commission believes a comprehensive operational 
resilience regime is reasonably necessary to ensure that an FCM 
adequately addresses and mitigates risks that could adversely impact 
its ability to operate and fulfill its statutory obligations and duties 
as an FCM.
    As discussed in detail in subsequent sections of this release, the 
Commission is proposing to require that FCMs and swap entities 
establish an Operational Resilience Framework (ORF) that is reasonably 
designed to identify, monitor, manage, and assess risks relating to 
information and technology security, third-party relationships, and 
emergencies or other significant disruptions to normal business 
operations. At its core, the ORF would have three key components: an

[[Page 4710]]

information and technology security program, a third-party relationship 
program, and a business continuity and disaster recovery plan. The 
proposed ORF rule reflects a principles-based approach buttressed by 
certain minimum requirements specific to each of the component programs 
or plans, such as requiring an annual risk assessment and controls 
relating to information and technology security, and due diligence and 
monitoring requirements for third-party service providers. Proposed 
requirements relating to governance, training, testing, and 
recordkeeping would apply broadly and support the ORF as a whole. The 
proposed rule would further require covered entities to notify the 
Commission (and, in certain instances, customers or counterparties) of 
certain ORF-related events. Detailed guidance intended to assist 
covered entities in designing and implementing their third-party 
relationship program would be included in appendices to the rule.
    In developing the proposed rule, the Commission endeavored to 
incorporate general directives to federal agencies articulated in the 
White House's March 2023 National Cybersecurity Strategy: Leverage 
existing standards and guidance, harmonize where sensible and 
appropriate to achieve better outcomes, and demonstrate an approach 
that is sufficiently nimble to meet the challenges of the ever-evolving 
technological threat landscape and fit the unique business and risk 
profile of each covered entity.\41\ To that end, the proposal builds on 
the Commission's experience establishing system safeguard requirements 
for registered entities, as well as the approaches adopted by self-
regulatory organizations and other regulatory authorities.\42\ Notably, 
the proposal draws on approaches adopted by NFA, whose rules and 
interpretative notices relating to information systems security, third-
party risk, and business continuity and disaster recovery planning 
apply to covered entities by virtue of being NFA members, and 
prudential regulators, who also regulate many covered entities, and 
have recently issued interagency positions on operational resilience 
and third-party relationship management.\43\
---------------------------------------------------------------------------

    \41\ The White House, National Cybersecurity Strategy at 8-9 
(Mar. 2023) (National Cyber Strategy) (``Our strategic environment 
requires modern and nimble regulatory frameworks for cybersecurity 
tailored for each sector's risk profile, harmonized to reduce 
duplication, complementary to public-private collaboration, and 
cognizant of the cost of implementation.''). See also FIA Taskforce 
Report, supra note 27, at 9 (``[T]he Taskforce encourages regulators 
and legislators to take a principles-based approach to cyber risk 
and operational resilience. That approach may not be sufficient in 
all areas, but such a flexible approach is well suited to a threat 
landscape that is likely to continue evolving at a rapid rate.'').
    \42\ See 17 CFR 37.1400 and 17 CFR 37.1401 (system safeguard 
requirements for swap execution facilities (SEFs)); 17 CFR 38.1050 
and 17 CFR 38.1051 (designated contract markets (DCMs)); 17 CFR 
39.18 (derivatives clearing organizations (DCOs)); 17 CFR 49.24 
(swap data repositories (SDRs)). See also 17 CFR 1.3 (defining 
``registered entity'' to include DCMs, DCOs, SEFs, and SDRs). For a 
summary of international regulatory efforts related to operational 
resilience, see FIA Taskforce Report, supra note 27, at 7-8.
    \43\ See NFA Interpretive Notice 9070, NFA Compliance Rules 2-9, 
2-36 and 2-49: Information Systems Security (rev. Sept. 30, 2019) 
(NFA ISSP Notice); NFA Interpretive Notice 9079, NFA Compliance 
Rules 2-9 and 2-36: Members' Use of Third-Party Service Providers 
(NFA Third-Party Notice) (effective Sept. 30, 2021); NFA Rule 2-38: 
Business Continuity and Disaster Recovery Plan (rev. July 1, 2019); 
NFA Interpretive Notice 9052, NFA Compliance Rule 2-38: Business 
Continuity and Disaster Recovery Plan (NFA BCDR Notice) (April 7, 
2003); Prudential Operational Resilience Paper, supra note 11; 
Interagency Guidance on Third-Party Relationships: Risk Management, 
88 FR 37920 (Jun. 9, 2023) (Prudential Third-Party Guidance). See 
also Computer-Security Incident Notification Requirements for 
Banking Organizations and their Bank Service Providers, 86 FR 66424 
(Nov. 23, 2021); 12 CFR part 30, app. A (Interagency Guidelines 
Establishing Standards for Safety and Soundness), 12 CFR part 30, 
app. B (Interagency Guidelines Establishing Information Security 
Standards).
---------------------------------------------------------------------------

    The Commission also surveyed the work of international standard-
setting bodies, notably the BCBS Principles for Operational 
Resilience.\44\ The Commission also conferred with, and reviewed the 
standards published by the National Institute of Standards and 
Technology (NIST), a part of the U.S. Department of Commerce charged by 
Executive Order 13636 in 2013 with developing a framework to reduce 
cyber risks to critical infrastructure that incorporates voluntary 
consensus standards and industry best practices.\45\ Standards 
developed in response to this charge and reviewed by the Commission 
include the Framework for Improving Critical Infrastructure 
Cybersecurity and the Security and Privacy Controls for Information 
Systems and Organizations, among others.\46\ The Commission and other 
financial regulators have previously adapted NIST's standards in 
regulation and guidance related to operational resilience. The 
Commission's system safeguards requirements treat NIST's CSF as a 
source for well-established best practices for cybersecurity.\47\ In 
Appendix A of the Interagency Sound Resilience Paper, the prudential 
regulators presented ``a collection of sound practices for cyber risk 
management, aligned to NIST and augmented to emphasize governance and 
third-party risk management.'' \48\ The Commission also considered 
standards published by equivalent standard setting bodies like the 
International Standards Organization (ISO).\49\
---------------------------------------------------------------------------

    \44\ See BCBS Operational Resilience Principles, supra note 11. 
See also International Organization of Securities Commissions 
(IOSCO), Cyber Task Force: Final Report (2019) (identifying 
different but comparable core standards or frameworks, including 
both NIST and ISO standards); Financial Stability Board (FSB), Final 
report on Enhancing Third-Party Risk Management and Oversight--a 
toolkit for financial institutions and financial authorities (Dec. 
4, 2023) (FSB Third-Party Report). Materials related to the FSB's 
work on cyber resilience are available at https://www.fsb.org/work-of-the-fsb/financial-innovation-and-structural-change/cyber-resilience/.
    \45\ See The White House, Office of the Press Secretary, 
Executive Order--Improving Critical Infrastructure Cybersecurity, 
E.O. 13636 (Feb. 12, 2013).
    \46\ See NIST, Framework for Improving Critical Infrastructure 
Cybersecurity (Version 1.1) at 2 (Apr. 16, 2018) (NIST CSF); NIST, 
SP 800-53, Security and Privacy Controls for Information Systems and 
Organizations (Sept. 2020, rev. Dec. 10, 2020) (NIST SP 800-53). See 
also Cybersecurity & Infrastructure Security Agency (CISA), 
Financial Services Sector-Specific Plan--2015 at 16 (rev. Dec. 17, 
2020) (``While the [NIST cybersecurity framework] is designed to 
manage cybersecurity risks, its core functions of Identify, Protect, 
Detect, Respond, and Recover provide a model for considering 
physical risks as well. This methodology is increasingly central to 
the sector's thinking on security and resilience, and the concept 
aligns with existing [Federal Financial Institutions Examination 
Council (FFIEC)] guidance.'').
    \47\ System Safeguards Testing Requirements for Derivatives 
Clearing Organizations, 81 FR 64322, 64329 (Sept. 19, 2016).
    \48\ Board of Governors of the Federal Reserve System, the 
Office of the Comptroller of the Currency, and the Federal Deposit 
Insurance Corporation, Sound Practices to Strengthen Operational 
Resilience (Nov. 2, 2020), available at https://www.federalreserve.gov/supervisionreg/srletters/SR2024.html.
    \49\ See, e.g., ISO/IEC 27001:2022, Information security, 
cybersecurity and privacy protection: Information security controls 
(Oct. 2022) (ISO/IEC 27001:2022).
---------------------------------------------------------------------------

    Finally, in putting together the proposal, Commission staff engaged 
with staff at NFA and various federal agencies, including prudential 
regulators, and the SEC.\50\ Based on these efforts, the Commission 
preliminarily believes that, if adopted, the proposed rule would strike 
an

[[Page 4711]]

appropriate balance between supporting technological and market 
innovation and fair competition, ensuring covered entities devote the 
necessary thought, planning, and resources to their operational 
resilience so as to support the resilience of the U.S. derivatives 
markets and the financial sector as a whole.\51\
---------------------------------------------------------------------------

    \50\ In accordance with section 712(a) of the Dodd-Frank Act (15 
U.S.C. 8302), the Commission has consulted and coordinated, to the 
extent possible, with the SEC and the prudential regulators, 
including with the FRB, the OCC, and the FDIC, for purposes of 
assuring regulatory consistency and comparability. The Securities 
Exchange Act of 1934 and existing and proposed SEC regulations 
include requirements relating to risk management including 
cybersecurity, including requirements for SEC-regulated broker-
dealers and security-based swap dealers. See, e.g., Cybersecurity 
Risk Management Rule for Broker-Dealers, Clearing Agencies, Major 
Security-Based Swap Participants, the Municipal Securities 
Rulemaking Board, National Securities Associations, National 
Securities Exchanges, Security-Based Swap Data Repositories, 
Security-Based Swap Dealers, and Transfer Agents, 88 FR 20212, 
sections IV.C.1.b.i and IV.C.1.b.iii (Apr. 5, 2023).
    \51\ See 7 U.S.C. 5.
---------------------------------------------------------------------------

    The Commission is proposing to codify the ORF rule for swap 
entities in existing Commission regulation 23.603, which currently 
contains the Commission's business continuity and disaster recovery 
requirements for swap entities.\52\ As discussed in greater detail 
below, the Commission is proposing to retain the substance of the 
existing business continuity and disaster recovery requirements in 
current Commission regulation 23.603 as part of the ORF rule for swap 
entities, with certain modifications. Similar requirements would also 
be imposed on FCMs. The proposed ORF rule for FCMs would be codified in 
new Commission regulation 1.13. The proposed guidance on third-party 
relationships would be included in the appendices to parts 1 and 23 for 
FCMs and swap entities, respectively.
---------------------------------------------------------------------------

    \52\ 17 CFR 23.603.
---------------------------------------------------------------------------

    As proposed, the regulatory text of the ORF rule for swap entities 
is nearly identical in structure and substance to the ORF rule for 
FCMs. Accordingly, to promote readability, when referencing sections of 
the regulatory text, this notice generally refers to the relevant 
paragraph of the proposed regulations (i.e., ``proposed paragraph (b)'' 
would refer to paragraph (b) of both proposed Commission regulations 
1.13 and proposed Commission regulation 23.603).
    The Commission invites comment on all aspects of the proposed rule, 
as further detailed below.

A. Generally--Proposed Paragraph (b) \53\
---------------------------------------------------------------------------

    \53\ Paragraph (a) of proposed Commission regulations 1.13 and 
23.603 provides definitions for terms used within the ORF rule. Each 
proposed definition is discussed in the context of the relevant 
substantive regulatory requirement throughout the remainder of this 
notice.
---------------------------------------------------------------------------

1. Purpose and Scope; Components--Proposed Paragraphs (b)(1) and (b)(2)
    As previously mentioned, the proposed rule would require covered 
entities to establish, document, implement, and maintain an Operational 
Resilience Framework, or ORF.\54\ The ORF would need to be reasonably 
designed to identify, monitor, manage, and assess risks relating to 
three key risk areas that challenge operational resilience: (i) 
information and technology security, as defined in the proposed rule 
and discussed further below; (ii) third-party relationships; and (iii) 
emergencies or other significant disruptions to the continuity of 
normal business operations as a covered entity.\55\ Although these risk 
areas are often viewed distinctly, as the introduction to this notice 
illustrates, they are significantly interrelated, as the relative 
strength of information and technology security and third-party risk 
management can directly affect recovery activities and improve outcomes 
following an emergency or other significant disruption.\56\ Together, 
the Commission believes they represent important sources of potential 
operational risk, the effective management of which is key to 
operational resilience.
---------------------------------------------------------------------------

    \54\ See paragraph (b)(1) of proposed Commission regulations 
1.13 and 23.603.
    \55\ See paragraphs (b)(1)(i)-(iii) of proposed Commission 
regulations 1.13 and 23.603.
    \56\ See, e.g., ISO/IEC 27031:2011, Information technology--
Security techniques--Guidelines for information and communication 
technology readiness for business continuity (Mar. 2011) (``Failures 
of [information and communication technology (ICT)] services, 
including the occurrence of security issues such as systems 
intrusion and malware infections, will impact the continuity of 
business operations. Thus, managing ICT and related continuity and 
other security aspects form a key part of business continuity 
requirements. Furthermore, in the majority of cases, the critical 
business functions that require business continuity are usually 
dependent upon ICT. This dependence means that disruptions to ICT 
can constitute strategic risks to the reputation of the organization 
and its ability to operate . . . As a result, effective [business 
continuity management] is frequently dependent upon effective ICT 
readiness to ensure that the organization's objectives can continue 
to be met in times of disruptions.''). See Prudential Operational 
Resilience Paper, supra note 11, at 8 (``Secure and resilient 
information systems underpin the operational resilience of a firm's 
critical operations and core business lines.''); see also Prudential 
Third-Party Guidance, 88 FR 37920 (discussing the interplay of 
third-party risks and operational resilience).
---------------------------------------------------------------------------

    The proposed rule would require covered entities to establish three 
written component programs or plans, each dedicated to addressing one 
of the three enumerated risks within the ORF. The three component 
programs or plans would be: (i) an information and technology security 
program, (ii) a third-party relationship program, and (iii) a business 
continuity and disaster recovery plan.\57\ Each component program or 
plan would need to be supported by written policies and procedures and 
meet the requirements set forth in the rule, as discussed in subsequent 
sections of this notice.\58\ The definitions and specific requirements 
for the information and technology security program, the third-party 
relationship program, and the business continuity and disaster recovery 
plan are discussed in detail in subsequent sections of this notice 
specifically dedicated to discussing each of the three components.\59\
---------------------------------------------------------------------------

    \57\ See paragraph (b)(2) of proposed Commission regulations 
1.13 and 23.603; see also paragraph (a) of proposed Commission 
regulations 1.13 and 23.603 (defining ``information and technology 
security program,'' ``third-party relationship program,'' and 
``business continuity and disaster recovery plan'').
    \58\ See paragraph (b)(2) of proposed Commission regulations 
1.13 and 23.603. See paragraphs (d) (information and technology 
security program), (e) (third-party relationship program), and (f) 
(business continuity and disaster recovery plan) of proposed 
Commission regulations 1.13 and 23.603 (describing the requirements 
for each program, respectively).
    \59\ See sections II.C (information and technology security 
program), II.D (third-party relationship program), II.E (business 
continuity and disaster recovery plan) of this notice, infra.
---------------------------------------------------------------------------

    Although they may go by different names, the Commission understands 
that written programs or plans of these types are generally recognized 
as common ways to address these risks and are even currently required 
of covered entities. NFA, for instance, currently requires members to 
adopt a written information systems security program (ISSP), a written 
supervisory framework to address outsourcing to third-party service 
providers, and a written business continuity and disaster recovery 
plan.\60\ The Commission itself requires swap entities to have a 
written business continuity and disaster recovery plan.\61\ 
Accordingly, to the extent that covered entities have existing programs 
or plans and policies and procedures that address the requirements of 
the ORF rule, by virtue of other regulatory requirements or otherwise, 
the Commission would not expect such covered entities to adopt entirely 
new component programs or plans. The Commission would only expect that 
covered entities review their existing programs and plans to ensure 
they meet the minimum requirements of the ORF rule and make any 
necessary amendments.
---------------------------------------------------------------------------

    \60\ See NFA ISSP Notice, supra note 43; NFA Third-Party Notice, 
supra note 43; and NFA BCDR Notice, supra note 43. NFA's requirement 
to establish a business continuity and disaster recovery plan does 
not currently apply to swap entities, see NFA Rule 2-38, paragraph 
(a), supra note 43.
    \61\ See 17 CFR 23.603.
---------------------------------------------------------------------------

    The Commission appreciates that covered entities may assign 
responsibility for the establishment, implementation, and maintenance 
of each ORF component program or plan to distinct functions within 
their organizations. By structuring the proposed rule to require a 
``framework'' directed at operational resilience,

[[Page 4712]]

however, the Commission intends for executive leadership at covered 
entities to address the risk areas covered by the ORF as a cohesive and 
interrelated whole, breaking down any unnecessary internal silos, and 
to consider all aspects of operational resilience in determining their 
operational strategies, risk appetite, and risk tolerance limits.\62\
---------------------------------------------------------------------------

    \62\ The specific governance requirements of the proposed rule, 
which include the requirement to establish risk appetite and risk 
tolerance limits with respect to the ORF, further support this view. 
See paragraph (c) of proposed Commission regulations 1.13 and 
23.603.
---------------------------------------------------------------------------

2. Standard--Proposed Paragraph (b)(3)
    The Commission is proposing to require that each covered entity 
implement the requirements of the proposed ORF rule in a manner that is 
appropriate and proportionate to the nature, scope, complexity, and 
risk profile of its business activities as a covered entity, following 
generally accepted standards and best practices (the (b)(3) 
standard).\63\ The proposed (b)(3) standard reflects the general 
principles-based approach underpinning the proposed rule, which the 
Commission believes would be appropriate given the increased reliance 
on and rapid evolution of technology within the financial industry and 
its attendant risks.\64\ This standard incorporates two themes that 
have broad support from other governmental and international standard-
setting bodies when addressing matters related to operational 
resilience: (i) proportionality; and (ii) reliance on established 
standards and best practices.\65\
---------------------------------------------------------------------------

    \63\ See paragraph (b)(3) of proposed Commission regulations 
1.13 and 23.603.
    \64\ See BCBS Operational Resilience Principles, supra note 11, 
at 1 (``Recognising that a range of potential hazards cannot be 
prevented, the Committee believes that a pragmatic, flexible 
approach to operational resilience can enhance the ability of banks 
to withstand, adapt to and recover from potential hazards and 
thereby mitigate potentially severe adverse impacts.''); see also 
Prudential Operational Resilience Paper, supra note 11, at 9 
(providing as a sound practice of operational resilience that firms 
review information systems ``on a regular basis against common 
industry standards and best practices.'').
    \65\ See, e.g., BCBS Operational Resilience Principles at 2-3 
(``The principles for operational resilience set forth in this 
document are largely derived and adapted from existing guidance that 
has been issued by the Committee or national supervisors over a 
number of years. The Committee recognizes that many banks have well 
established risk management processes that are appropriate for their 
individual risk profile, operational structure, corporate governance 
and culture, and conform to the specific risk management 
requirements of their jurisdictions. By building upon existing 
guidance and current practices, the Committee is issuing a 
principles-based approach to operational resilience that will help 
to ensure proportional implementation across banks of various size, 
complexity and geographical location.''); FSB Third-Party Report, 
supra note 44, at 10-11; IOSCO, Principles on Outsourcing: Final 
Report at 10 (IOSCO Outsourcing Report) (Oct. 2021) (providing that 
``[t]he application and implementation of these Principles should be 
proportional to the size, complexity and risk posed by the 
outsourcing'' of tasks, functions, processes, services, or 
activities to a service provider that would otherwise be undertaken 
by the regulated entity itself).
---------------------------------------------------------------------------

    Broadly speaking, the principle of proportionality recognizes that 
operational resilience, and information and technology security, in 
particular, cannot be addressed with a one-size-fits-all approach.\66\ 
On the contrary, differences in operational structures and business 
strategies among covered entities necessitate a more flexible and 
adaptive approach that would allow individual covered entities to best 
address their specific risks and evolve to address emerging challenges 
as they arise. Covered entities vary widely in terms of their business 
structure and risk profiles, such that a covered entity operating 
within a large bank holding company group structure and involved in a 
broad array of asset classes would likely have a different risk profile 
and different resources than an entity that is solely registered with 
the CFTC or that has a narrower scope to its CFTC-regulated business. 
The Commission would therefore expect that covered entities facing 
different operational risks may take different approaches to managing 
and monitoring those risks. Designing an operational resilience 
framework that would apply uniformly across all covered entities would 
not only pose significant challenges, but would also likely be 
ineffective, imposing operational costs where no risks demand it. Accordingly, the 
Commission preliminarily believes that a proportional, risk-based 
approach would help ensure that firms, customers, counterparties, and 
the financial system at large can appropriately respond to and recover 
from operational shocks in context.
---------------------------------------------------------------------------

    \66\ See, e.g., FINRA, 2018 Report on Selected Cybersecurity 
Practices at 1 (Dec. 2018) (FINRA Cybersecurity Report) (``[T]here 
is no one-size-fits-all approach to cybersecurity.''); NIST CSF, 
supra note 46, at 2 (``The [NIST CSF] is not a one-size-fits-all 
approach to managing cybersecurity risk for critical infrastructure. 
Organizations will continue to have unique risks--different threats, 
different vulnerabilities, different risk tolerances.'').
---------------------------------------------------------------------------

    Interpretive notices adopted by NFA reflect a comparable approach. 
Specifically, NFA's notices on ISSPs and the use of third-party service 
providers establish general, baseline requirements (e.g., assess risks 
associated with the use of information technology systems or with 
reliance on third-party service providers) and then direct NFA members, 
including covered entities, to tailor the specifics to their 
businesses.\67\ This approach is also consistent with the CFTC's own 
approach with respect to system safeguard requirements for registered 
entities,\68\ as well as those of the prudential regulators.\69\ 
Generally accepted standards and best practices themselves also 
support a proportional approach.\70\
---------------------------------------------------------------------------

    \67\ See NFA ISSP Notice, supra note 43 (requiring each NFA 
member to adopt an ISSP appropriate to its ``size, complexity of 
operations, type of customers and counterparties, the sensitivity of 
the data accessible within its systems, and its electronic 
interconnectivity with other entities''); NFA Third-Party Notice, 
supra note 43 (``NFA recognizes that a Member must have flexibility 
to adopt a written supervisory framework relating to outsourcing 
functions to a [third-party service provider] that is tailored to a 
Member's specific needs and business . . .'').
    \68\ See, e.g., 17 CFR 37.1401(b) (SEFs); 17 CFR 38.1051(b) 
(DCMs); 17 CFR 39.18(b)(3) (DCOs); 17 CFR 49.24(c) (SDRs) (requiring 
registered entities to follow generally accepted standards and best 
practices with respect to the development, operation, reliability, 
security, and capacity of automated systems); see also System 
Safeguards Testing Requirements for Derivatives Clearing 
Organizations, 81 FR 64322, 64329 (Sept. 19, 2016) (DCO System 
Safeguards Testing Requirements) (describing the CFTC's approach to 
system safeguards for DCOs as providing DCOs with ``flexibility to 
design systems and testing procedures based on the best practices 
that are most appropriate for that DCO's risks'').
    \69\ 12 CFR part 30, app. B (Interagency Guidelines Establishing 
Information Security Standards); id. at II.A. (Information Security 
Program) (``Each [financial institution] shall implement a 
comprehensive written information security program that includes 
administrative, technical, and physical safeguards appropriate to 
the size and complexity of the [financial institution] and the 
nature and scope of its activities.''); FFIEC Information Technology 
Examination Handbook, Information Security at 2 (Sept. 2016) (FFIEC 
Information Security Booklet) (``Institutions should maintain 
effective information security programs commensurate with their 
operational complexities.'').
    \70\ The NIST CSF, for example, identifies activities designed 
to achieve specific cybersecurity outcomes and tiers practices by 
increasing degree of rigor and sophistication. In selecting a tier, 
NIST directs entities to consider their ``current risk management 
practices, threat environment, legal and regulatory requirements, 
information sharing practices, business/mission objectives, supply 
chain cybersecurity requirements, and organizational constraints.'' 
See NIST CSF, supra note 46, at 8.
---------------------------------------------------------------------------

    The Commission emphasizes, however, that ``proportional'' does not 
mean ``permissive.'' The Commission's proposed standard for the ORF 
rule would not support a ``race to the bottom,'' where covered entities 
default to the minimum requirements of the proposed rule. On the 
contrary, covered entities would be required to implement an ORF that 
is reasonably designed to reflect and address their unique risk profile 
and activities, consistent with the proposed (b)(3) standard. 
Accordingly, the Commission would expect larger, more complex entities 
that operate more varied business lines, rely on more technological 
platforms, or

[[Page 4713]]

have more complicated agreements with third-party service providers to 
arrive at an ORF that is appropriate to their likely increased level of 
operational risk.\71\
---------------------------------------------------------------------------

    \71\ See National Cyber Strategy, supra note 41, at 4 (``The 
most capable and best-positioned actors in cyberspace must be better 
stewards of the digital ecosystem.''); see also IOSCO Outsourcing 
Report, supra note 65, at 10.
---------------------------------------------------------------------------

    The requirement for covered entities to follow generally accepted 
standards and best practices serves to ground covered entities' 
approaches to operational resilience in practices that are widely 
recognized as effective in aiding financial institutions to mitigate 
and recover from operational shocks. In adopting system safeguard 
requirements for registered entities, which require registered entities 
to follow generally accepted standards and best practices, the 
Commission identified several sources of standards and best 
practices.\72\ NFA and other bodies have compiled similar lists.\73\ 
Among perhaps the most commonly relied on by financial institutions are 
the NIST CSF, ISO, the Center for Internet Security (CIS), and FFIEC, 
whose examination booklets and Cyber Assessment Tool (CAT) are 
specifically designed to guide financial institutions.\74\ The 
Commission would expect covered entities to use generally accepted 
standards and industry best practices that are appropriate and 
proportionate to the nature, size, scope, complexities, and risk 
profile of their business activities, in designing or updating an ORF 
that would comply with the proposed rule. For instance, in conducting 
the risk assessment required under proposed paragraph (c)(1), a covered 
entity would need to identify risks to its information and technology 
security with reference to risks discussed in an appropriate standard 
or based on industry best practices, and then assess and prioritize 
those risks using frameworks and metrics recommended by those standards 
or practices. Requiring covered entities to follow generally accepted 
standards and industry best practices in developing and implementing 
the ORF would help ensure that covered entities establish, document, 
implement, and maintain ORFs reasonably designed to address their 
particular operational resilience-related risks.
---------------------------------------------------------------------------

    \72\ See, e.g., DCO System Safeguards Testing Requirements, 81 
FR 64322-23; 17 CFR 39.18(b)(3) (requiring DCOs to follow generally 
accepted standards and best practices with respect to the 
development, operation, reliability, security, and capacity of 
automated systems); see also 17 CFR 37.1401(b) (SEFs) (requiring the 
same); 17 CFR 38.1051(b) (DCMs) (same); 17 CFR 49.24(c) (SDRs) 
(same).
    \73\ See, e.g., NFA, Cybersecurity FAQs, ``Does NFA recommend 
any particular consultants that can help a Member draft an ISSP or 
perform penetration testing?''; see also FFIEC, Cybersecurity 
Resource Guide for Financial Institutions (Sept. 2022) (rev. Nov. 
2022).
    \74\ The Financial Services Sector Coordinating Council (FSSC) 
has also developed a NIST CSF profile specifically designed for 
financial institutions. The profile is now maintained, updated, and 
managed by the Cyber Risk Institute (CRI) and was last updated in 
January 2023. See CRI Profile v1.2 (Dec. 14, 2021), available at 
https://cyberriskinstitute.org/the-profile/.
---------------------------------------------------------------------------

    The proposed rule leverages these standards not only by directing 
covered entities to consider them in developing their approaches but by 
incorporating common themes contained within them into the substance of 
the proposed rule. In the Commission's view, reliance on such standards 
supports the use of a common lexicon, facilitating the development of 
understandable and transposable practices on a cross-border basis. The 
Commission further recognizes that generally accepted standards and 
best practices are likely to evolve over time, and the applicability of 
any particular standard may vary based on the unique circumstances and 
risk profile of each covered entity. Accordingly, the Commission 
preliminarily believes requiring covered entities to follow generally 
accepted standards and best practices supports the goal of an adaptive 
approach that can respond nimbly to rapid changes in emerging 
threats.\75\
---------------------------------------------------------------------------

    \75\ See National Cyber Strategy, supra note 41, at 9 (``By 
leveraging existing international standards in a manner consistent 
with current policy and law, regulatory agencies can minimize the 
burden of unique requirements and reduce the need for regulatory 
harmonization.'').
---------------------------------------------------------------------------

3. Request for Comment
    The Commission invites comment on all aspects of proposed paragraph 
(b), including the following questions:
    1. Applicability to FCMs. In adopting the RMP rule for FCMs in 
2013, the Commission determined to limit the rule's applicability to 
FCMs that hold or accept customer funds.\76\ The CEA and Commission 
regulations define a ``futures commission merchant'' as an entity that 
solicits or accepts orders to buy or sell futures contracts, options on 
futures, retail off-exchange forex contracts or swaps, and accepts 
money or other assets from customers to support such orders.\77\ 
Although some entities are, for various reasons, currently registered 
as FCMs despite not accepting customer funds, as the Commission 
explained in the adopting release for the FCM RMP rule, FCMs that do 
not accept or hold customer funds to margin, guarantee, or secure 
commodity interests are generally not operating as FCMs.\78\ With 
respect to the proposed ORF rule, the Commission has preliminarily 
determined to apply the proposed requirements to all registered FCMs. 
Although the customer protection concerns may be mitigated for FCMs 
that do not handle customer assets, the Commission preliminarily 
believes that the potential systemic risk that can result from failures 
to manage information and technology risk, third-party relationships, 
emergencies, or other significant disruptions persists for all FCMs, 
given their access to customer information and their potential 
relationships with and/or connectivity to other regulated entities, 
including exchanges and clearinghouses.\79\
---------------------------------------------------------------------------

    \76\ See 17 CFR 1.11(a) (Nothing in this section shall apply to 
a futures commission merchant that does not accept any money, 
securities, or property (or extend credit in lieu thereof) to 
margin, guarantee, or secure any trades or contracts that result 
from soliciting or accepting orders for the purchase or sale of any 
commodity interest.).
    \77\ See 7 U.S.C. 1a(28)(A); 17 CFR 1.3 (defining ``futures 
commission merchant'') (emphasis added).
    \78\ As of July 31, 2023, twelve (12) entities were registered 
as FCMs but were not required to segregate any funds on behalf of 
customers. See CFTC, Financial Data for FCMs (July 31, 2023), 
available at https://www.cftc.gov/MarketReports/financialfcmdata/index.htm. 
The Commission made clear in the adopting notice for the 
FCM RMP rule that it would expect that, prior to changing their 
business model to begin accepting customer funds, any registered FCM 
that does not currently accept customer funds would need to 
establish a risk management program that complies with Commission 
regulation 1.11 and file such program with the Commission and with 
the FCM's designated self-regulatory organization (DSRO). See Final 
FCM RMP Rule, 78 FR 68517.
    \79\ The Final FCM RMP rule, by contrast, could be viewed as 
more directly targeting the management of specific risks associated 
with operating as an FCM.
---------------------------------------------------------------------------

    a. Are the risks associated with information and technology 
security, third-party relationships, and emergencies or other 
significant disruptions substantially different or reduced for FCMs 
that do not hold customer funds? If yes, please explain.
    b. Should the Commission consider limiting the ORF rule to FCMs 
that do not hold customer funds, consistent with the FCM RMP rule? Why 
or why not? Please explain.
    2. Standard. The proposed rule would require covered entities to 
follow ``generally accepted standards and best practices'' in 
establishing, implementing, and maintaining their ORFs. Although this 
notice identifies various sources of such standards and practices, 
including NIST, ISO, CIS, and FFIEC, the proposed rule does not further 
define or otherwise limit the scope of ``generally accepted standards 
and best practices,'' acknowledging that there are several sources of 
recognized standards currently relied on by covered entities and that 
standards and practices

[[Page 4714]]

are likely to evolve over time in response to changes in technology or 
emerging threats. Nevertheless, the Commission understands that, 
particularly in the United States, NIST and ISO standards are heavily 
relied on by covered entities and referenced by other regulators, 
making them widely recognized as the leading industry standards for 
cybersecurity and operational risk management.
    a. Should the Commission further define or otherwise limit what 
constitutes ``generally accepted standards and best practices''? 
Specifically, should the Commission require covered entities to follow 
NIST or ISO standards, as some commenters on the RMP ANPRM recommended? 
\80\ Why or why not? Please explain.
---------------------------------------------------------------------------

    \80\ See, e.g., R.J. O'Brien Letter, supra note 13, at 6 (``The 
Commission should also seek to implement the [NIST CSF] as a part of 
its standard for managing and mitigating this area of risk. The NIST 
CSF is widely accepted throughout many different industries and 
would set a universal standard and best practices for registrants to 
follow.'').
---------------------------------------------------------------------------

    b. Are there any other standards or practices commonly relied on by 
covered entities that the Commission did not identify, directly or 
indirectly, in this notice? If so, please identify them and specify how 
they are currently relied on by covered entities.

B. Governance--Proposed Paragraph (c)

    The topic of governance has gained increased attention within the 
context of operational resilience, particularly with respect to the 
area of information and technology security. As of the date of this 
notice, NIST is undergoing a process to update the NIST CSF, and new 
governance outcomes are expected to feature prominently.\81\ Prudential 
regulators have also emphasized the role of effective governance to 
operational resilience.\82\ In the Commission's view, the overall 
objective of an effective governance regime for an ORF should be the 
integration of operational resilience topics into existing reporting 
lines and operational structures, including the entity's overall 
operational strategy, to ensure active executive engagement and 
oversight in the management of operational risk that could challenge a 
covered entity's operational resilience.\83\
---------------------------------------------------------------------------

    \81\ See NIST, NIST Cybersecurity Framework 2.0 Concept Paper: 
Potential Significant Updates to the Cybersecurity Framework at 10-11 
(Jan. 19, 2023) (discussing how the update ``will emphasize the 
importance of cybersecurity governance'' by adding a new govern 
function); see also CRI, The Profile Workbook: Guidance for 
Implementing the CRI Profile v1.2.1 and Responding to its Diagnostic 
Statements at 16 (rev. Jan. 2023) (CRI Profile Workbook) (providing 
guidance on governance outcomes that have already been incorporated 
into the NIST CSF financial services sector profile).
    \82\ See Prudential Operational Resilience Paper, supra note 11, 
at 3.
    \83\ See BCBS Operational Resilience Principles, supra note 11, 
at 4 (``Principle 1: Banks should utilise their existing governance 
structure to establish, oversee and implement an effective 
operational resilience approach that enables them to respond and 
adapt to, as well as recover and learn from, disruptive events in 
order to minimise their impact on delivering critical operations 
through disruption.'') (internal citation omitted).
---------------------------------------------------------------------------

1. Approval of Components--Proposed Paragraph (c)(1)
    Accordingly, to ensure that a covered entity's senior leadership is 
involved in key decision-making around operational resilience, and is 
ultimately held accountable for implementation of the ORF, the proposed 
rule would require covered entities to have their senior leadership 
annually approve the ORF.\84\ In recognition of the wide variety of 
corporate structures represented among covered entities, however, the 
proposed rule would give covered entities broad flexibility and 
discretion to identify the appropriate senior-level individual or body 
to provide such approval.
---------------------------------------------------------------------------

    \84\ See paragraph (c)(1) of proposed Commission regulations 
1.13 and 23.603.
---------------------------------------------------------------------------

    Specifically, paragraph (c)(1) of the proposed rule would require 
that each ORF component program or plan required by paragraph (b)(2) of 
the proposed rule be approved in writing, on at least an annual basis, 
by either the senior officer, an oversight body, or a senior-level 
official of the covered entity.\85\ The term ``oversight body'' itself 
would be broadly defined to encompass any board, body, or committee of 
a board or body of the covered entity specifically granted the 
authority and responsibility for making strategic decisions, setting 
objectives and overall direction, implementing policies and procedures, 
or overseeing the management of operations for the covered entity.\86\ 
Consistent with Commission regulation 3.1(j), ``senior officer'' would 
mean the chief executive officer or other equivalent officer of the 
covered entity.\87\ As an example, under the proposed rule, a covered 
entity could elect to have its information and technology security 
program annually approved by its chief executive officer, its chief 
information security officer, or a committee with oversight authority 
over information and technology security.\88\ Again, the intention 
behind offering this flexibility is to ensure that covered entities 
would be able to rely on and incorporate operational resilience into 
their existing governance structures when complying with the proposed 
ORF rule, while ensuring that each component program or plan would be 
approved by an individual or group of individuals with senior-level 
responsibilities and authority.
---------------------------------------------------------------------------

    \85\ Id.
    \86\ See paragraph (a) of proposed Commission regulations 1.13 
and 23.603 (defining ``oversight body'').
    \87\ See paragraph (a) of proposed Commission regulations 1.13 
and 23.603 (defining ``senior officer''). See also 17 CFR 3.1(j) 
(defining ``senior officer'').
    \88\ Other possible senior-level officials could be the covered 
entity's chief risk officer or chief operating officer, as 
appropriate.
---------------------------------------------------------------------------

2. Risk Appetite and Risk Tolerance Limits--Proposed Paragraph (c)(2)
    The proposed rule would further require covered entities to 
establish and implement appropriate risk appetite and risk tolerance 
limits with respect to the three risk areas enumerated in paragraph 
(b)(1) (information and technology security, third-party relationships, 
and emergencies or other significant disruptions to the continuity of 
normal business operations).\89\ Although the terms ``risk appetite'' 
and ``risk tolerance'' are sometimes used interchangeably, the 
Commission intends the terms to have distinct meanings within the 
context of the proposed rule. Specifically, in the context of the 
proposed rule, ``risk appetite'' would mean the aggregate amount of 
risk a covered entity is willing to assume to achieve its strategic 
objectives.\90\ Risk appetite is typically documented through a risk 
appetite statement, which establishes qualitative and quantitative 
measures designed to help identify when risk appetite has been exceeded 
and what appropriate mitigating strategies can be taken.\91\

[[Page 4715]]

With its proposed definition of ``risk tolerance limit,'' the 
Commission intends to capture a more focused measure of acceptable 
risk. Specifically, ``risk tolerance limit'' would mean the amount of 
risk, beyond its risk appetite, that a covered entity is prepared to 
tolerate through mitigating actions.\92\ Thus, risk tolerance limits 
assume a particular type of risk has materialized (e.g., an operational 
disruption has occurred) and identify the amount of disruption a firm 
is prepared to tolerate beyond its risk appetite.\93\ Risk tolerance 
limits are also more likely to be measured in quantitative terms (e.g., 
number of hours a particular system or application is down).\94\
---------------------------------------------------------------------------

    \89\ See paragraph (c)(2)(i) of proposed Commission regulations 
1.13 and 23.603. See also paragraph (b)(1) of proposed Commission 
regulations 1.11 and 23.603 (identifying the risk areas proposed to 
be covered by the ORF).
    \90\ See paragraph (a) of proposed Commission regulations 1.13 
and 23.603 (defining ``risk appetite''). See also 12 CFR part 30, 
app. D, I.E.10 (Definitions) (defining ``risk appetite'' as the 
aggregate level and types of risk the board of directors and 
management are willing to assume to achieve a covered bank's 
strategic objectives and business program, consistent with 
applicable capital, liquidity, and other regulatory requirements); 
Prudential Operational Resilience Paper, supra note 11, at 14 
(defining ``risk appetite'' as ``[t]he aggregate level and types of 
risk the board and senior management are willing to assume to 
achieve a firm's strategic business objectives, consistent with 
applicable capital, liquidity, and other requirements and 
constraints''); BCBS Operational Resilience Principles, supra note 
11, at 3, n.7 (defining ``risk appetite'' as ``the aggregate level 
and types of risk a bank is willing to assume, decided in advance 
and within its risk capacity, to achieve its strategic objectives 
and business program'').
    \91\ See 12 CFR part 30, app. D (requiring covered financial 
institutions to have a comprehensive written risk appetite 
statement). See also CRI Profile Workbook, supra note 78, at 16 
(``Risk appetite statements define certain risk tolerance metrics 
that help describe systems and services that the organization may 
consider high-risk.'').
    \92\ See paragraph (a) of proposed Commission regulations 1.13 
and 23.603 (defining ``risk tolerance limit''). See also Prudential 
Operational Resilience Paper, at 3, n. 11; 14 (defining ``tolerance 
for disruption'' as ``determined by a firm's risk appetite for 
weathering disruption from operational risks considering its risk 
profile and the capabilities of its supporting operational 
environment'' and ``informed by existing regulations and guidance 
and by the analysis of a range of severe but plausible scenarios 
that would affect its critical operations and core business 
lines.''); CRI Profile Workbook at 291 (stating that ``risk 
tolerance'' ``reflects the acceptable variation in outcomes related 
to specific performance measures linked to objectives the entity 
seeks to achieve''). ISACA, Risk IT Framework, 2nd Ed. (July 27, 
2020) (defining ``risk tolerance'' as ``the acceptable deviation 
from the level set by the risk appetite and business objectives'').
    \93\ The Commission recognizes that Commission regulations 1.11 
and 23.600 incorporate the term ``risk tolerance limits.'' See 17 
CFR 1.11(e)(1), 17 CFR 23.600(c)(1). As proposed to be defined in 
the ORF rule, however, ``risk tolerance limits'' would be limited to 
the context of the risks identified in paragraph (b)(1) of the 
proposed rule and associated disruptions. Accordingly, if adopted, 
the defined use of the term ``risk tolerance limit'' in the proposed 
rule would not be intended to affect how covered entities use or 
interpret the term in the context of the Commission's RMP rules.
    \94\ The Commission believes its proposed definitions are in 
line with proposed definitions of ``risk appetite'' and ``risk 
tolerance'' used by NIST. For example, in NIST Interagency or 
Internal Report 8286 (NIST IR 8286), NIST explains that a statement 
of risk appetite might be that ``[e]mail shall be available during 
the large majority of a 24-hour period,'' while the associated risk 
tolerance would be narrower, stating something like ``[e]mail 
services shall not be interrupted more than five minutes during core 
hours.'' See NIST IR 8286 at 5-6 (Oct. 2020). Accordingly, any 
existing risk appetite and risk tolerance limits established by 
covered entities pursuant to NIST or prudential regulator standards 
would be considered consistent with the proposed rule.
---------------------------------------------------------------------------

    As with each component ORF program or plan, the proposed rule would 
require that a covered entity's risk appetite and risk tolerance limits 
be reviewed and approved in writing on at least an annual basis by 
either the senior officer, an oversight body, or a senior-level 
official of the covered entity.\95\ This proposed requirement is 
intended to ensure that the risk appetite and risk tolerance limits are 
consistent with the covered entity's operational strategy and 
objectives, as established by senior leadership, and that senior 
leadership is involved in, and ultimately held accountable for, how 
operational risks faced by the covered entity are internalized by the 
covered entity.
---------------------------------------------------------------------------

    \95\ See paragraph (c)(2)(ii) of proposed Commission regulations 
1.13 and 23.603.
---------------------------------------------------------------------------

    The setting and approval of risk appetite and risk tolerance limits 
for operational risk is a well-recognized key component of effective 
governance and oversight.\96\ The Commission therefore preliminarily 
believes the setting and approval of risk appetite and risk tolerance 
limits for operational risks captured by the ORF would be helpful to 
ensuring effective governance and oversight of the ORF. Specifically, 
the Commission believes that the process of identifying appropriate 
risk appetite and risk tolerance limits would have a disciplining 
effect, encouraging covered entities to think critically about the 
risks they face and their ability to comfortably manage them without 
incurring intolerable harm to themselves or their customers or 
counterparties. The Commission further believes that operating within 
set risk appetite and risk tolerance limits would help support a 
culture where senior leaders at covered entities can make more informed 
decisions about the risks they are willing to take and the mitigation 
measures they would need to employ to manage these risks, which would 
further support operational resilience.
---------------------------------------------------------------------------

    \96\ See, e.g., BCBS Operational Resilience Principles, supra 
note 11, at 4 (``The board of directors should review and approve 
the bank's operational resilience approach considering the bank's 
risk appetite and tolerance for disruption to its critical 
operations. In formulating the bank's tolerance for disruption, the 
board of directors should consider the bank's operational 
capabilities given a broad range of severe but plausible scenarios 
that would affect its critical operations. The board of directors 
should ensure that the bank's policies effectively address instances 
where the bank's capabilities are insufficient to meet its stated 
tolerance for disruption.''); CRI Profile v1.2, supra note 74.
---------------------------------------------------------------------------

3. Internal Escalations--Proposed Paragraph (c)(3)
    To further ensure that senior leadership remains involved in and 
accountable for the ORF as it is implemented, the proposed rule would 
require either the senior officer, an oversight body, or a senior-level 
official of the covered entity to be notified of: (i) circumstances 
that exceed the risk tolerance limits established pursuant to paragraph 
(c)(2)(i) of the proposed rule; and (ii) incidents that require 
notification to the Commission, customers, or counterparties under the 
proposed rule, as further discussed in subsequent sections of this 
notice.\97\
---------------------------------------------------------------------------

    \97\ See paragraph (c)(3) of proposed Commission regulations 
1.13 and 23.603. See also paragraphs (i) and (j) of proposed 
Commission regulations 1.13 and 23.603, discussed in section II.G of 
this notice, infra.
---------------------------------------------------------------------------

    The Commission believes that circumstances that would push a 
covered entity outside of its risk tolerance limits or trigger a 
Commission notification requirement would be extraordinary, non-
business-as-usual events, and would likely require the involvement of 
senior leadership to direct responsive actions to preserve or mitigate 
damage to operational resilience and prevent situations of intolerable 
harm. Ensuring that appropriate senior leadership, as determined by the 
covered entity, is apprised of instances where expected risk tolerance 
limits have been exceeded would further help senior leadership 
determine whether the risk appetite and risk tolerance limits are 
appropriately calibrated and whether identified mitigation strategies 
are working, creating opportunities to update either as necessary.

4. Consolidated Program or Plan--Proposed Paragraph (c)(4)
    The Commission is aware that many covered entities function as a 
division or affiliate of a larger entity or holding company structure; 
and that, in such instances, operational risks stemming from 
information and technology security, third-party relationships, and 
emergencies or other significant disruptions are generally monitored 
and managed at the enterprise level to address the risks holistically 
and to achieve economies of scale.\98\ The proposed rule recognizes the 
benefits of such a consolidated approach and is not intended to 
interfere with covered entities' operational structures. Accordingly, 
the proposed rule would allow covered entities to satisfy the component 
program or plan requirement in paragraph (b)(2) through their 
participation in a consolidated program or plan, provided the 
consolidated program or plan meets the

[[Page 4716]]

requirements of the proposed rule.\99\ As defined in the proposed rule, 
a ``consolidated program or plan'' would mean any information and 
technology security program, third-party relationship program, or 
business continuity and disaster recovery plan in which a covered 
entity participates with one or more affiliates and is managed and 
approved at the enterprise level.\100\
---------------------------------------------------------------------------

    \98\ In responding to the RMP ANPRM, several commenters noted 
how cybersecurity risk is generally managed at the enterprise level 
and should not be managed at the level of the entity regulated by 
the Commission. See FIA Letter at 11 (Sept. 18, 2023); International 
Swaps and Derivatives Association, Inc. (``ISDA'') and the 
Securities Industry and Financial Markets Association (``SIFMA'') 
Letter at 9 (Sept. 18, 2023).
    \99\ See paragraph (c)(4)(i) of proposed Commission regulations 
1.13 and 23.603.
    \100\ See paragraph (a) of proposed Commission regulations 1.13 
and 23.603 (defining ``consolidated program''). Again, the specific 
definitions and minimum requirements of each program are discussed 
in sections II.C, II.D, and II.E of this notice, infra.
---------------------------------------------------------------------------

    Nevertheless, the Commission does have a strong regulatory interest 
in ensuring that operational shocks, such as cyber incidents or 
technological failures, having an impact on the discrete interests and 
operations of the covered entity are appropriately considered through 
the unique lens of the covered entity, which is regulated by the 
Commission. Accordingly, for a covered entity to satisfy the component 
program or plan requirement through its participation in a consolidated 
program or plan, the consolidated program or plan would need to meet 
the requirements of the proposed rule, as discussed in this notice. 
Those requirements include the establishment of appropriate risk 
appetite and risk tolerance limits that address the covered entity, as 
well as testing and other requirements, as discussed further below.
    With respect to the requirements in proposed paragraphs (c)(1) and 
(c)(2)(i) that senior leadership of the covered entity approve, 
respectively, the component program or plan and the risk appetite and 
risk tolerance limits at least annually, the Commission recognizes that 
such a requirement might be challenging in the context of a 
consolidated program or plan, which is likely to address matters 
related to affiliates that are not within the scope of knowledge or 
responsibility of the covered entity. Accordingly, the proposed rule 
would allow covered entities relying on a consolidated program or plan 
to satisfy the approval requirements in paragraphs (c)(1) and (c)(2)(i) 
of the proposed rule, provided that either the senior officer, an 
oversight body, or a senior-level official of the covered entity 
attests in writing, on at least an annual basis, that the consolidated 
program or plan meets the requirements of this section and reflects the 
risk appetite and risk tolerance limits appropriate to the covered 
entity.\101\ Notably, the senior officer, an oversight body, or a 
senior-level official at the covered entity would still need to be 
notified when the risk appetite and risk tolerance limits related to 
the covered entity are exceeded.\102\ The Commission believes that such 
an attestation requirement would promote efficiency by allowing covered 
entities to continue to rely on an enterprise-level ORF and governance 
structures that have acknowledged benefits, while also ensuring that 
the enterprise-level ORF appropriately addresses the risks specific to 
the covered entity. It would also ensure that the requirements of the 
Commission's proposed rule are addressed for those covered entities in 
the same way as they would be for a covered entity that is not part of 
a larger enterprise.\103\
---------------------------------------------------------------------------

    \101\ See paragraph (c)(4)(ii) of proposed Commission 
regulations 1.13 and 23.603.
    \102\ See paragraph (c)(3)(i) of proposed Commission regulations 
1.13 and 23.603.
    \103\ The Commission also believes this approach would be 
consistent with NFA's current interpretive notice on ISSPs. See NFA 
ISSP Notice, supra note 43 (``[T]o the extent a Member firm is part 
of a holding company that has adopted and implemented privacy and 
security safeguards organization-wide, then the Member firm can meet 
its supervisory responsibilities imposed by Compliance Rules 2-9, 2-
36 and 2-49 to address the risks associated with information systems 
through its participation in a consolidated entity ISSP.'').
---------------------------------------------------------------------------

5. Request for Comment
    The Commission invites comment on all aspects of the proposed 
governance requirements for the ORF, including the following questions:
    1. Governance structures. The proposed rule is intended to provide 
covered entities sufficient flexibility to integrate the proposed 
operational resilience requirements into existing reporting lines and 
operational structures, as well as to select the individual or body 
with senior-level responsibilities and authority to approve the 
component programs or plans of the ORF. Does the proposed rule 
accomplish this goal? If not, what other governance structure(s) should 
the Commission consider? Alternatively, should the Commission consider 
a more prescriptive, bright-line approach where only the senior officer 
or board of directors of the covered entity may provide any approvals 
required under the proposed rule? Please explain.
    2. Internal escalations. The proposed rule would require that the 
senior officer, an oversight body, or other senior-level official(s) of 
the covered entity be notified of circumstances that exceed risk 
tolerance limits or that require reporting to the Commission or 
counterparties or customers under the proposed rule. Should the 
Commission require internal escalation to any other specific personnel 
or under any other circumstances? Please identify and explain why.
    3. Consolidated program or plan. The proposed rule would allow 
covered entities relying on a consolidated program or plan to satisfy 
certain governance requirements by requiring the senior officer, an 
oversight body, or another senior-level official of the covered entity 
to attest in writing, on at least an annual basis, that the 
consolidated program or plan meets the requirements of the rule and 
reflects a risk appetite and risk tolerance limits appropriate to the 
covered entity. Is this standard workable for covered entities that 
function as a division or affiliate of a larger entity or holding 
company? Why or why not? Do such covered entities typically set their 
own risk appetite and risk tolerance limits, or are setting such limits 
conducted at the enterprise level? If they are set at the enterprise 
level, how is senior leadership of the covered entity typically 
involved in setting risk appetite and risk tolerance limits?

C. Information and Technology Security Program--Proposed Paragraph (d)

    As mentioned above, the proposed rule would require each covered 
entity's ORF to include an information and technology security program, 
defined as a written program reasonably designed to identify, monitor, 
manage, and assess risks relating to information and technology 
security and that meets the minimum requirements for the program, as 
set forth in the proposed rule and discussed below.\104\ The proposed 
rule would define ``information and technology security'' as the 
preservation of (a) the confidentiality, integrity, and availability of 
covered information and (b) the reliability, security, capacity, and 
resilience of covered technology.\105\ ``Covered information'' would be 
defined to mean any sensitive or confidential data or information 
maintained by a covered entity in connection with its business 
activities as a covered entity.\106\ ``Covered technology'' would be 
defined to mean any application, device, information technology asset, 
network service,

[[Page 4717]]

system, and other information-handling component, including the 
operating environment, that is used by a covered entity to conduct its 
business activities, or to meet its regulatory obligations, as a 
covered entity.\107\
---------------------------------------------------------------------------

    \104\ See paragraph (d) of proposed Commission regulations 1.13 
and 23.603. See also paragraph (a) of proposed Commission 
regulations 1.13 and 23.603 (defining ``information and technology 
security program'').
    \105\ See paragraph (a) of proposed Commission regulations 1.13 
and 23.603 (defining ``information and technology security'').
    \106\ See paragraph (a) of proposed Commission regulations 1.13 
and 23.603 (defining ``covered information'').
    \107\ See paragraph (a) of proposed Commission regulations 1.13 
and 23.603 (defining ``covered technology'').
---------------------------------------------------------------------------

    The proposed definition of ``covered information'' is intended to 
focus the requirements of the ORF on protecting data and information 
that are sensitive or otherwise intended to be kept confidential, 
whether by law or for business purposes. Notably, such data and 
information would include position, order, and account information, all 
of which covered entities have an obligation to keep confidential and 
which if made public could result in harm to customers, counterparties, 
or the markets more broadly. Often referred to as the ``CIA triad,'' 
confidentiality, integrity, and availability represent the three 
pillars of information security: preserving authorized restrictions on 
information access and disclosure, including means for protecting 
personal privacy and proprietary information; guarding against the 
improper modification or destruction of data and information, ensuring 
its authenticity; and ensuring the timely and reliable access to and 
use of information.\108\ The Commission therefore believes that 
compromising any aspect of the CIA triad with respect to covered 
information would have meaningful consequences for customers, 
counterparties, the covered entity, or even the market.
---------------------------------------------------------------------------

    \108\ See NIST, SP 1800-26, Data Integrity: Detecting and 
Responding to Ransomware and Other Destructive Events (Dec. 2020) 
(discussing the CIA triad).
---------------------------------------------------------------------------

    The proposed definition of ``information and technology security'' 
is likewise intended to ensure that the ORF is designed to address 
risks to two key facets of a covered entity's business for which it 
is registered with the Commission: the technology it uses to conduct 
its regulated business activities and the sensitive information 
stored or transmitted therein. The proposed definition of ``covered 
technology'' is sufficiently broad to capture all types of technology 
(and related components) but is tailored to focus on the technology 
that is used by covered entities in the context of their regulated 
business activities, such that its disruption would have an impact on 
regulated business activities. The Commission preliminarily believes 
that reliability, security, capacity, and resilience are all key 
attributes of covered technology that must be preserved for it to 
function as intended without posing a disruption to operations. 
Accordingly, the Commission believes that having a program designed to 
preserve the confidentiality, integrity, and availability of covered 
information and the reliability, security, capacity, and resilience of 
covered technology is key to ensuring operational resilience.
    Under the proposed rule, each covered entity's information and 
technology security program would need to meet the (b)(3) standard, 
i.e., be appropriate and proportionate to the nature, size, scope, 
complexities and risk profiles of the covered entity's business 
activities, following generally accepted standards and best 
practices.\109\ The proposed rule would nevertheless establish certain 
minimum requirements for the information and technology security 
program, including a periodic risk assessment, effective controls, and 
an incident response plan. Each proposed minimum requirement is 
discussed in turn below.
---------------------------------------------------------------------------

    \109\ See paragraph (b)(3) of proposed Commission regulations 
1.13 and 23.603.
---------------------------------------------------------------------------

1. Risk Assessment--Proposed Paragraph (d)(1)
    As part of the information and technology security program, covered 
entities would be required to conduct and document the results of a 
periodic and comprehensive risk assessment reasonably designed to 
identify, assess, and prioritize risks to information and technology 
security.\110\ Risk assessments are widely recognized as a necessary 
and effective first step to monitoring and managing risks to 
information and technology security.\111\ According to NIST, the 
purpose of a risk assessment is to inform decision makers and support 
risk responses by identifying: (i) relevant threats to organizations or 
threats directed through organizations against other organizations; 
(ii) vulnerabilities both internal and external to organizations; (iii) 
impact (i.e., harm) to organizations that may occur given the potential 
for threats exploiting vulnerabilities; and (iv) the likelihood that 
harm will occur.\112\ Given this broad and important purpose, the 
Commission believes conducting a comprehensive risk assessment would be 
reasonably necessary for covered entities to have a thorough 
understanding of their information and technology security risks, 
including the types of threats the covered entities face, internal and 
external vulnerabilities, the impact of such risks, and their relative 
priorities, to guide mitigation efforts.
---------------------------------------------------------------------------

    \110\ See paragraph (d)(1)(i) of proposed Commission regulations 
1.13 and 23.603.
    \111\ See, e.g., ISO/IEC 27001:2022, supra note 48 (requiring a 
risk assessment to help organizations identify, analyze, and 
evaluate weaknesses in their information systems); ISO/IEC 
31010:2019, Risk management: Risk assessment techniques (July 2, 
2019); NIST, SP 800-39, Managing Information Security Risk: 
Organization, Mission, and Information System View at 37 (Mar. 2011) 
(NIST SP 800-39) (``Risk assessment identifies, prioritizes, and 
estimates risk to organizational operations (i.e., mission, 
functions, image, and reputation), organizational assets, 
individuals, other organizations, and the Nation, resulting from the 
operation and use of information systems. Risk assessments use the 
results of threat and vulnerability assessments to identify and 
evaluate risk in terms of likelihood of occurrence and potential 
adverse impact (i.e., magnitude of harm) to organizations, assets, 
and individuals.''); NIST, SP 800-30, Guide for Conducting Risk 
Assessments, Rev. 1, at ix (Sept. 2012) (NIST SP 800-30) (``Risk 
assessments are a key part of effective risk management and 
facilitate decision making . . .''). See also 12 CFR part 30, app. B 
(establishing a requirement to assess risk by identifying reasonably 
foreseeable threats, assessing the likelihood and potential damage 
of the threats, and assessing the sufficiency of arrangements to 
control risks); Prudential Operational Resilience Paper, supra note 
11, at 4 (``The firm's operational risk management function 
implements and maintains risk identification and assessment 
approaches that adequately capture business processes and their 
associated operational risks, including technology and third-party 
risks.'').
    \112\ See NIST SP 800-30 at 1.
---------------------------------------------------------------------------

    As stated, the risk assessment would need to identify, assess, and 
prioritize risks to information and technology security.\113\ In broad 
terms, the Commission anticipates that conducting the assessment could 
first involve taking an inventory of covered technology and then 
identifying and assessing the likelihood and potential impact of 
reasonably foreseeable threats and vulnerabilities to information and 
technology security (i.e., to the confidentiality, integrity, and 
availability of covered information, or to the reliability, security, 
capacity or resilience of covered technology) in light of the existing 
operational environment. Identified threats and vulnerabilities could 
derive from a wide array of sources, including both external cyber 
threats and internal gaps in existing systems or controls.
---------------------------------------------------------------------------

    \113\ See paragraph (d)(1)(i) of proposed Commission regulations 
1.13 and 23.603.
---------------------------------------------------------------------------

    The Commission would then expect the risks to be prioritized in 
light of the covered entity's stated risk appetite and risk tolerance 
limits to help direct resources and other activities in order to best 
support information and technology security. If the proposal is adopted 
as final, the Commission would expect covered entities to use the 
results of each risk assessment as a basis for designing, implementing, 
and refining other elements of their respective information and 
technology security programs, including

[[Page 4718]]

but not limited to, the development of controls, testing protocols, and 
the incident response plan, as discussed further below.\114\ In this 
way, a well-conducted risk assessment should support the development of 
a more rational, effective, and valuable information and technology 
security framework, especially as the assessment is repeated and built 
upon over time.
---------------------------------------------------------------------------

    \114\ See NIST SP 800-39 at 34 (``Information generated during 
the risk assessment may influence the original assumptions, change 
the constraints regarding appropriate risk responses, identify 
additional tradeoffs, or shift priorities.'').
---------------------------------------------------------------------------
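The assessment steps sketched above (inventory covered technology, pair each item with reasonably foreseeable threats and vulnerabilities, rate likelihood and impact, rank the results, and compare them against the covered entity's risk tolerance limit) can be made concrete. The following Python script is an added illustration of that workflow; it is not part of the proposed rule or of any covered entity's program. The asset names, scenarios, three-level rating scale, likelihood-times-impact scoring rule, and tolerance value are constructed assumptions. It also reports inventoried technology that no scenario addresses, since the rule requires the assessment to be comprehensive.

```python
"""Qualitative risk assessment in the NIST SP 800-30 style (added example).
Inventory covered technology, attach threat/vulnerability scenarios with
likelihood and impact ratings, score and rank them, and compare against
the covered entity's risk tolerance limit. All input data is constructed."""
from dataclasses import dataclass

# Three-level qualitative scale (assumed; SP 800-30 also offers 5-level scales).
LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class Scenario:
    asset: str          # name from the covered-technology inventory
    threat: str         # e.g. an external cyber threat
    vulnerability: str  # e.g. an internal gap in a system or control
    affects: str        # C/I/A of covered information, or a covered-technology attribute
    likelihood: str     # key of LEVELS
    impact: str         # key of LEVELS

    def score(self) -> int:
        # likelihood x impact is one common qualitative combination rule (assumed here)
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def assess(inventory, scenarios, tolerance):
    """Return (ranked scenarios, scenarios above tolerance, uncovered assets).

    inventory: iterable of covered-technology names.
    tolerance: the highest score the entity accepts (its risk tolerance limit).
    """
    inventory = set(inventory)
    unknown = {s.asset for s in scenarios} - inventory
    if unknown:
        raise ValueError(f"scenarios reference uninventoried assets: {sorted(unknown)}")
    # Highest risk first; ties broken deterministically by asset then threat.
    ranked = sorted(scenarios, key=lambda s: (-s.score(), s.asset, s.threat))
    exceeding = [s for s in ranked if s.score() > tolerance]
    # Comprehensiveness check: every inventoried asset needs at least one scenario.
    uncovered = sorted(inventory - {s.asset for s in scenarios})
    return ranked, exceeding, uncovered


# Constructed sample input for a hypothetical covered entity.
INVENTORY = ["order-router", "customer-db", "vendor-vpn"]
SCENARIOS = [
    Scenario("customer-db", "ransomware", "backups reachable from production segment",
             "availability", "moderate", "high"),
    Scenario("order-router", "volumetric DDoS", "no upstream rate limiting",
             "availability", "high", "high"),
    Scenario("customer-db", "credential theft", "no MFA on administrative accounts",
             "confidentiality", "high", "moderate"),
    Scenario("order-router", "faulty release", "no peer review of configuration changes",
             "reliability", "moderate", "low"),
]
TOLERANCE = 4  # assumed limit of the kind set under paragraph (c)(2)


def run():
    return assess(INVENTORY, SCENARIOS, TOLERANCE)


if __name__ == "__main__":
    ranked, exceeding, uncovered = run()
    for s in ranked:
        print(f"{s.score():>2}  {s.asset:<13} {s.threat:<18} {s.affects}")
    print("exceeds tolerance:", [(s.asset, s.threat) for s in exceeding])
    print("inventoried but not assessed:", uncovered)
```

Scenarios whose score exceeds the tolerance limit are the ones that would trigger the notification to the senior officer, oversight body, or other senior-level official described above, and the ranked list is the input the Commission expects to guide the selection of controls under paragraph (d)(2). The uncovered-asset list is the gap a reviewer would look for first when judging whether an enterprise-level assessment actually captures the covered entity.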

    The proposed rule would not prescribe a specific process or 
methodology for the risk assessment, but the risk assessment would need 
to be consistent with the proposed (b)(3) standard.\115\ Following 
generally accepted standards and best practices, covered entities would 
need to implement processes and methodologies that ensure the risk 
assessment reflects the nature, size, scope, complexities, and risk 
profile of their business activities as covered entities. Any such 
processes or methodologies should also be sufficient to identify, 
assess, and prioritize risks to information and technology security and 
to evaluate their potential impact on covered technology and covered 
information.\116\
---------------------------------------------------------------------------

    \115\ See paragraph (b)(3) of proposed Commission regulations 
1.13 and 23.603, discussed supra. The Commission is aware of several 
sources for industry standards and best practices regarding 
information security risk assessments. See, e.g., NIST SP 800-39; 
see also FFIEC Information Security Booklet, supra note 69.
    \116\ See paragraph (d)(1)(i) of proposed Commission regulations 
1.13 and 23.603.
---------------------------------------------------------------------------

    To ensure that the risk assessment is conducted objectively, the 
proposal would require that the personnel involved in conducting the 
assessment are not responsible for the development or implementation of 
the covered technology or related controls.\117\ Such personnel could 
be employees of the covered entity, an affiliated entity, or a third-
party service provider. To ensure that senior leadership is aware of 
risks to information security, and can appropriately prioritize them 
within the covered entity's broader strategy and risk management 
framework, the proposed rule would expressly require that the results 
of the risk assessment be provided to the senior officer, oversight 
body, or other senior-level official who approves the information and 
technology security program upon the risk assessment's completion.\118\ 
The Commission believes the results of the risk assessment would be key 
information for senior leadership in determining whether to approve an 
information and technology security program.
---------------------------------------------------------------------------

    \117\ See paragraph (d)(1)(ii) of proposed Commission 
regulations 1.13 and 23.603.
    \118\ See paragraph (d)(1)(iii) of proposed Commission 
regulations 1.13 and 23.603. See also NIST SP 800-30, supra note 
111, at 1 (``The purpose of risk assessments is to inform decision 
makers and support risk responses . . .'').
---------------------------------------------------------------------------

    The proposed rule would require that the covered entity conduct the 
risk assessment at a frequency consistent with the (b)(3) standard 
(i.e., a frequency appropriate and proportionate to the nature, scope, 
and complexities of its business activities as a covered entity, 
following generally accepted standards and best practices) but, in any 
case, no less frequently than annually.\119\ Given the rapidly evolving 
nature of technological developments and related threats, the 
Commission preliminarily believes that a uniform requirement to conduct 
a risk assessment on at least an annual basis would support the 
development of a strong, foundational level of information and 
technology security across the industry, thereby mitigating the overall 
threat of systemic risk. However, the Commission understands that 
generally accepted standards and best practices may encourage more 
frequent risk assessments for covered entities that engage in broader 
or more complex business activities and would expect covered entities 
to conduct risk assessments more frequently if the circumstances so 
require.
---------------------------------------------------------------------------

    \119\ See paragraph (d)(1)(ii) of proposed Commission 
regulations 1.13 and 23.603.
---------------------------------------------------------------------------

    As mentioned above, the proposed rule would allow a covered entity 
to satisfy the requirement to have an information and technology 
security program through its participation in a consolidated 
information and technology security program.\120\ Accordingly, such 
covered entities would be allowed to rely on a risk assessment that is 
conducted at an enterprise level. In such cases, the Commission would 
expect that the covered entities review the program and supporting 
policies and procedures for conducting the risk assessment to ensure it 
captures and assesses the risks to the covered entity consistent with 
the proposed rule so as to support the related attestation 
requirement.\121\
---------------------------------------------------------------------------

    \120\ See paragraph (c)(4)(i) of proposed Commission regulations 
1.13 and 23.603.
    \121\ See paragraph (c)(4)(ii) of proposed Commission 
regulations 1.13 and 23.603.
---------------------------------------------------------------------------

2. Effective Controls--Proposed Paragraph (d)(2)
    The proposed rule would require that the information and technology 
security program establish, document, implement, and maintain controls 
reasonably designed to prevent, detect, and mitigate identified risks 
to information and technology security.\122\ An essential component of 
any information and technology security program, and a critical 
component of a covered entity's overall ORF, controls (also referred to 
as ``countermeasures'' or ``safeguards'') include any measures 
(actions, devices, procedures, techniques) designed to promote 
information and technology security.\123\ The selection, design, and 
implementation of controls can therefore have significant implications 
for a covered entity's information and technology security and overall 
operational resilience.\124\ Accordingly, the Commission believes 
effective controls would be a critical component of a covered entity's 
overall ORF.
---------------------------------------------------------------------------

    \122\ See paragraph (d)(2) of proposed Commission regulations 
1.13 and 23.603.
    \123\ See Committee on Payments and Market Infrastructures 
(CPMI), IOSCO, Guidance on cyber resilience for financial market 
infrastructures at 7 (Jun. 2016) (CPMI IOSCO Cyber Resilience 
Guidance) (noting that a strong information and communications 
technologies control environment is a fundamental and critical 
component of overall cyber resilience). See also NIST SP 800-53, 
supra note 46, at 8 (``Controls can be viewed as descriptions of the 
safeguards and protection capabilities appropriate for achieving the 
particular security and privacy objectives of the organization and 
reflecting the protection needs of organizational stakeholders. 
Controls are selected and implemented by the organization in order 
to satisfy the system requirements. Controls can include 
administrative, technical, and physical aspects.''); ISO/IEC 
27001:2022, supra note 48, Annex A (Information security management 
systems) (providing guidelines for 93 objectives and controls).
    \124\ See Prudential Operational Resilience Paper, supra note 
11, at 8 (identifying as a sound practice for operational resilience 
routinely applying and evaluating the effectiveness of processes and 
controls to protect confidentiality, integrity, availability, and 
overall security of data and information systems).
---------------------------------------------------------------------------

    Although the proposed rule would not mandate that covered entities 
implement specific controls, it would require covered entities to 
consider, at a minimum, certain categories of controls, discussed 
below, and adopt those consistent with the (b)(3) standard.\125\ If the 
proposal is adopted as final, the Commission would further expect that 
a particular covered entity's determination of which controls to 
implement would be guided by the results of its risk assessment, 
considering the covered entity's risk appetite and risk tolerance 
limits.\126\

[[Page 4719]]

Adopted controls would also need to address risks to information and 
technology security identified through other means, including outcomes 
of continuous monitoring of threats and vulnerabilities, actual and 
attempted cyber-attacks, threat intelligence, scenario analysis, and 
the likelihood and realistic impact of such attacks. In other words, 
the controls would need to be linked to and address the identified and 
prioritized risks to information and technology security. The 
Commission would advise covered entities to document their 
consideration of controls within each of the enumerated categories and 
their reasoning for adopting specific controls within any given 
category, or for declining to adopt any controls within a particular 
category. Further, the Commission would expect those controls to be 
reviewed and revised as needed to reflect the results of the covered 
entity's most recent risk assessment.
---------------------------------------------------------------------------

    \125\ See paragraphs (d)(2)(i)-(xii) of proposed Commission 
regulations 1.13 and 23.603 (identifying categories of controls for 
covered entities to consider). See also paragraph (b)(3) of proposed 
Commission regulations 1.13 and 23.603.
    \126\ See paragraph (c)(2) of proposed Commission regulations 
1.13 and 23.603 (requiring covered entities to establish and 
implement risk appetite and risk tolerance limits).
---------------------------------------------------------------------------

    The specific categories of controls the Commission would require 
covered entities to consider under the proposed rule include: access 
controls; access restrictions; encryption; dual control 
procedures,\127\ segregation of duties, and background checks; change 
management practices; system development and configuration management 
practices; flaw remediation; measures to protect against destruction, 
loss, or damage to covered information; monitoring systems and 
procedures to detect attacks or intrusions; response programs; and 
measures to promptly recover and secure any compromised covered 
information.\128\
---------------------------------------------------------------------------

    \127\ Dual control procedures refer to a technique that requires 
two or more separate persons, operating together, to protect 
sensitive data and information. Both persons are equally responsible 
for protecting the information and neither can access the 
information alone. See Interagency Guidelines Establishing Standards 
for Safeguarding Customer Information and Rescission of Year 2000 
Standards for Safety and Soundness, 66 FR 8616, 8622 (Feb. 1, 2001) 
(Interagency Guidelines Safeguarding Customer Information).
    \128\ See paragraphs (d)(2)(i)-(xi) of proposed Commission 
regulations 1.13 and 23.603.
---------------------------------------------------------------------------

    The Commission preliminarily believes that these categories of 
controls collectively represent a comprehensive array of controls for 
ensuring information and technology security. Access controls, 
access restrictions, encryption, and background checks would limit 
access to covered technology and covered information to individuals 
with a legitimate business need in both physical and digital 
environments. Dual control procedures, segregation of duties, 
procedures relating to modifications to covered technology, and 
measures to protect against destruction, loss, or damage to covered 
information, would protect the integrity and availability of covered 
information against accidental or intentional damage and guard against 
its disclosure to unauthorized recipients. Change management practices would ensure that 
the information and technology security program, and associated 
controls, continue to operate as intended over time as systems and 
processes are updated. Systems development, configuration management, 
and flaw remediation practices would operate to ensure the integrity 
and availability of covered technology throughout any updates to 
covered technology or following a vulnerability analysis.\129\ Measures 
to protect against destruction of covered information due to 
environmental hazards would further ensure that covered information 
remains available even following a physical disruption. Monitoring 
systems and procedures, response programs, and measures to promptly 
recover and secure any compromised covered information would serve to 
detect unauthorized access to covered information and to recover it if 
the covered entity's access to the covered information were impaired 
(e.g., through a ransomware attack).
---------------------------------------------------------------------------

    \129\ Based on its experience, the Commission further believes 
that failures in change management, systems development, and 
vulnerability patching practices are common sources of disruption 
among financial institutions and are often neglected control areas.
---------------------------------------------------------------------------
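Footnote 127 defines dual control as two or more persons who must act together, none of whom can reach the protected information alone. One way to enforce that technically rather than only procedurally is to split the protecting key into shares such that every custodian's share is required to reconstruct it. The Python below is an added example, not code from the proposed rule, the prudential guidelines, or any regulator; it generalizes the two-person case in the footnote to n custodians using an n-of-n XOR split, stores only hash commitments (never the key or any share), and rejects the same person being enrolled twice, which is the segregation-of-duties check that makes dual control meaningful. The class name DualControlVault, the custodian identifiers, and the sample key are hypothetical.

```python
"""Dual control via n-of-n XOR secret splitting (added example).
Every enrolled custodian must present their share to release the secret;
any proper subset of shares is uniformly random and reveals nothing about it."""
import hashlib
import secrets


def split_secret(secret: bytes, n: int) -> list:
    """Split secret into n shares that XOR back to it (n-of-n, no threshold)."""
    if n < 2:
        raise ValueError("dual control requires at least two custodians")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = secret
    for s in shares:
        last = bytes(x ^ y for x, y in zip(last, s))
    shares.append(last)  # chosen so that all n shares XOR to the secret
    return shares


def combine(shares) -> bytes:
    """XOR all shares together; without every share the result is random."""
    out = bytes(len(shares[0]))
    for s in shares:
        if len(s) != len(out):
            raise ValueError("share length mismatch")
        out = bytes(x ^ y for x, y in zip(out, s))
    return out


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class DualControlVault:
    """Holds only SHA-256 commitments, never the secret or any share,
    so the system operator is not a single point of access either."""

    def __init__(self, share_commitments: dict, secret_commitment: str):
        self._share_commit = share_commitments   # custodian -> sha256(share)
        self._secret_commit = secret_commitment  # sha256(secret)

    @classmethod
    def enroll(cls, secret: bytes, custodians: list):
        # Segregation of duties: the same person may not hold two shares.
        if len(set(custodians)) != len(custodians):
            raise ValueError("each custodian must be a distinct person")
        shares = split_secret(secret, len(custodians))
        issued = dict(zip(custodians, shares))  # handed out of band; not retained
        vault = cls({c: _h(s) for c, s in issued.items()}, _h(secret))
        return vault, issued

    def release(self, presented: dict) -> bytes:
        """presented: custodian -> share. Every enrolled custodian must take part."""
        missing = set(self._share_commit) - set(presented)
        if missing:
            raise PermissionError(f"dual control not satisfied; missing {sorted(missing)}")
        for custodian, share in presented.items():
            if custodian not in self._share_commit:
                raise PermissionError(f"unknown custodian {custodian!r}")
            if _h(share) != self._share_commit[custodian]:
                raise PermissionError(f"share from {custodian!r} does not match enrollment")
        secret = combine([presented[c] for c in self._share_commit])
        if _h(secret) != self._secret_commit:
            raise RuntimeError("reconstructed secret failed integrity check")
        return secret


if __name__ == "__main__":
    # Constructed demo: a 32-byte key protecting archived account records.
    key = secrets.token_bytes(32)
    vault, shares = DualControlVault.enroll(key, ["alice", "bob"])
    assert vault.release(shares) == key
    try:
        vault.release({"alice": shares["alice"]})  # one person alone is refused
    except PermissionError as exc:
        print("refused:", exc)
```

The XOR split is the simplest construction that gives the "neither can access the information alone" property exactly: each share is a one-time pad over the others, so a lone custodian holds a uniformly random string. It deliberately has no threshold (all custodians are required), which matches the footnote's definition; a k-of-n scheme such as Shamir secret sharing would be the tool if the entity also wanted availability when one custodian is absent, at the cost of weaker dual control.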

    The proposed rule is modeled after an approach adopted by 
prudential regulators. Since the early 2000s, prudential regulators 
have required financial institutions to consider a similar list of 
categories of controls when designing their information security 
programs.\130\ In adopting their list of categories, prudential 
regulators described them as designed to control identified risks and 
to achieve the overall objective of ensuring the security and 
confidentiality of customer information.\131\ Prudential regulators 
further emphasized that the categories were broad enough to be adapted 
by institutions of varying sizes, scope of operations, and risk 
management structures, such that the manner of implementing the 
guidelines would vary from institution to institution.\132\ Given that 
the list of control categories developed by prudential regulators, many 
of which are included in the Commission's proposed rule, has a 
longstanding history of being effective and adaptable to the financial 
industry at large, the Commission preliminarily believes that 
incorporating a similar approach with respect to covered entities would 
also further the Commission's intent to adopt a flexible rule that can 
be tailored to each individual covered entity and adapted over time to 
respond to changing threat environments and risk profiles.\133\
---------------------------------------------------------------------------

    \130\ See Interagency Guidelines Safeguarding Customer 
Information, 66 FR 8616; see also 12 CFR part 30, app. B. The 
guidelines were expanded and retitled, ``Interagency Guidelines 
Establishing Information Security Standards'' in 2004, see Proper 
Disposal of Consumer Information Under the Fair and Accurate Credit 
Transactions Act of 2003, 69 FR 77610 (Dec. 28, 2004).
    \131\ See Interagency Guidelines Safeguarding Customer 
Information, 66 FR 8621.
    \132\ Commenters further supported the level of detail, see id. 
at 8622.
    \133\ NIST has compiled a comprehensive catalog of security and 
privacy controls for all types of computing platforms, including 
general purpose computing systems, cyber-physical systems, cloud 
systems, mobile systems, and Internet of Things (IoT) devices. See 
NIST SP 800-53, supra note 123.
---------------------------------------------------------------------------

3. Incident Response Plan--Proposed Paragraph (d)(3)
    The proposed rule would require that the information and technology 
security program include a written incident response plan that is 
reasonably designed to detect, assess, contain, mitigate the impact of, 
and recover from an incident.\134\ A hallmark of operational resilience 
is the recognition that although meaningful steps can be taken to 
prevent and deter risks to information and technology security, such 
risks may never be entirely eliminated.\135\ As the ION incident 
illustrated, quick and complete recovery of covered technology and 
operations may be key to mitigating the potential systemic impact to 
the financial markets. Accordingly, a crucial aspect of any information 
and technology security program, and therefore any ORF, is having a 
plan to respond to and recover from events that may create risks to 
information and technology security.\136\

[[Page 4720]]

The Commission believes, therefore, that an effective incident response 
plan would help covered entities minimize the potential impact to their 
operations and customers or counterparties when negative events occur, 
facilitating their recovery as swiftly and successfully as 
possible.\137\ It can also assist in securing against the destruction 
or theft of sensitive and important confidential customer or 
counterparty information, which could have a very real impact on their 
business and assets.
---------------------------------------------------------------------------

    \134\ See paragraph (d)(3) of proposed Commission regulations 
1.13 and 23.603. The Commission is aware that some covered entities 
may have established an incident response plan as a separate 
document or as an attachment to another plan, such as a BCDR plan. 
If the proposed rule is adopted, the Commission would be agnostic as 
to where a covered entity elects to house its incident response plan 
provided it otherwise meets the requirements of the proposed rule, 
including recordkeeping, furnishing it to the Commission upon 
request, and distributing it to personnel.
    \135\ See BCBS Operational Resilience Principles, supra note 12, 
at 1 (stating that, in recognition that ``the range of potential 
hazards cannot be prevented,'' the focus should be on ``the ability 
of banks to withstand, adapt to and recover from potential hazards 
and thereby mitigate potentially severe adverse impacts'').
    \136\ See, e.g., BCBS Operational Resilience Principles at 7, 
n.18 (``The goal of incident management is to limit the disruption 
and restore critical operations in line with the bank's risk 
tolerance for disruption.''). See also FFIEC Information Security 
Booklet, supra note 69, 50-51 (``containing the incident, 
coordinating with law enforcement and third parties, restoring 
systems, preserving data and evidence, providing assistance to 
customers, and otherwise facilitating operational resilience''); 
NIST, SP 800-184, Guide for Cybersecurity Event Recovery (Dec. 2016) 
(NIST SP 800-184) (``evaluate the potential impact, planned response 
activities, and resulting recovery processes long before an actual 
cyber event takes place''); CIS, Incident Response Policy Template: 
Critical Security Controls (Mar. 8, 2023) at 4 (``The primary goal 
of incident response is to identify threats on the enterprise, 
respond to them before they can spread, and remediate them before 
they can cause harm.'') (CIS Incident Response Template).
    \137\ See FFIEC, CAT at 52 (May 2017) (``The incident response 
plan is designed to ensure recovery from disruption of services, 
assurance of data integrity, and recovery of lost or corrupted data 
following a cybersecurity incident''); CPMI IOSCO Cyber Resilience 
Guidance, supra note 123, at 16 (recognizing the incident response 
plan enables the business ``to resume critical operations rapidly, 
safely and with accurate data'').
---------------------------------------------------------------------------

    For purposes of the proposed rule, ``incident'' would be defined as 
any event, occurrence, or circumstance that could jeopardize 
information and technology security, including if it occurs at a third-
party service provider.\138\ The purpose of the incident response plan 
is to identify and classify foreseeable types of incidents and to 
establish steps to detect, assess, contain, mitigate the impact of, and 
recover from incidents. The Commission's proposed definition of 
``incident'' is intentionally broad to ensure that the incident 
response plan would address any event that could reasonably jeopardize 
(i.e., endanger or put at risk) information and technology security, 
even if that danger never materializes or the incident response plan is 
otherwise successful at preventing or reversing the danger. As defined 
in the proposed rule, ``incident'' is broad enough to cover various 
types of risks to covered technology (e.g., disruption or modification) 
or covered information (e.g., disclosure or destruction), regardless of 
the source (e.g., external threat actor or internal staff, physical or 
electronic) or whether the event was accidental or malicious in nature, 
since intent may not be readily determined at the outset of an 
incident. Common examples of incidents would include unauthorized 
access to a system or data; unauthorized changes to system hardware, 
software, or data; or a failure of controls that could, if not 
addressed, endanger information and technology security.
---------------------------------------------------------------------------

    \138\ See paragraph (a) of proposed Commission regulations 1.13 
and 23.603 (defining ``incident'').
---------------------------------------------------------------------------

    Consistent with the general framework for the ORF as a whole, the 
proposal would require the incident response plan to meet certain 
minimum requirements.\139\ In broad terms, these requirements focus on 
identifying persons relevant to an incident response (i.e., personnel 
involved in responding to the incident and persons who should be 
notified of such incidents) and how and when they should be involved; 
documenting the nature of the covered entity's response; and 
remediating any weaknesses that led to the incident.\140\ The 
Commission believes that clearly identifying parties who would be 
involved in incident response, including external parties like third-
party service providers and law enforcement, and establishing 
associated roles and responsibilities would help ensure that incidents 
are: (1) resolved in a timely manner and by appropriate personnel; (2) 
adequately resourced with funding, operational support, and staff; and 
(3) disclosed to appropriate persons either within senior leadership of 
the covered entity or externally, where required.\141\ The process of 
documenting incidents and management's response, as well as any 
subsequent remediation efforts, would assist with any related reporting 
obligations and required information sharing, as well as with 
subsequent testing of the incident response plan or post-mortem 
analysis, which would potentially lead to adjustments in subsequent 
risk assessments and provide lessons learned that could serve to help 
prevent the occurrence of incidents in the future.\142\
---------------------------------------------------------------------------

    \139\ See paragraphs (d)(3)(i)-(vi) of proposed Commission 
regulations 1.13 and 23.603.
    \140\ See id.
    \141\ See also NIST SP 800-61 (``It is important to identify 
other groups within the organization that may need to participate in 
incident handling so that their cooperation can be solicited before 
it is needed. Every incident response team relies on the expertise, 
judgment, and abilities of others . . .'').
    \142\ See NIST SP 800-184, supra note 132; CIS Incident Response 
Template, supra note 136, at 4 (``Without understanding the full 
scope of an incident, how it happened, and what can be done to 
prevent it from happening again, defenders will just be in a 
perpetual `whack-a-mole' pattern.'').
---------------------------------------------------------------------------

    Among these minimum requirements for the incident response plan is 
the need for it to include escalation protocols, i.e., a process of 
identifying when to involve or alert specific personnel, including 
senior leadership, of an incident.\143\ Specifically, the proposed rule 
would require that the senior officer, oversight body, or other senior-
level official that has primary responsibility for overseeing the 
information and technology security program; the Chief Compliance 
Officer (CCO); \144\ and any other relevant personnel be timely 
informed of incidents that may significantly impact the covered 
entity's regulatory obligations or require notification to the 
Commission.\145\ This provision is designed to ensure that every 
individual who has a role in responding to an incident at a covered 
entity would be appropriately notified. CCOs of covered entities in 
particular have a duty to take reasonable steps to ensure compliance 
with Commission regulations relating to the covered entities' business 
as a covered entity.\146\ Timely disclosure of incidents to the CCO 
that could impact a covered entity's regulatory obligations or require 
disclosure to the Commission would therefore be crucial for a covered 
entity CCO to fulfill the duty to take reasonable steps to ensure 
compliance. As discussed above in the section addressing 
governance, the Commission believes that involving senior leadership in 
incident response would be particularly important to ensure that they 
are apprised of and held accountable for the ultimate effectiveness of 
the ORF, and that incidents receive proper attention and are swiftly 
addressed.
---------------------------------------------------------------------------

    \143\ See paragraph (d)(3)(ii) of proposed Commission 
regulations 1.13 and 23.603.
    \144\ See 17 CFR 3.3 (establishing the qualifications and duties 
of covered entity CCOs).
    \145\ See paragraph (d)(3)(ii) of proposed Commission 
regulations 1.13 and 23.603. See also paragraph (i) of proposed 
Commission regulations 1.13 and 23.603 (requiring notification of 
certain incidents to the Commission), discussed in section II.H of 
this release, infra.
    \146\ See 17 CFR 3.3(d)(3).
---------------------------------------------------------------------------

4. Request for Comment
    The Commission invites comment on all aspects of the proposed 
information and technology security program requirement, including the 
following questions:
    1. Risk Assessment.
    a. The proposed rule would require that the risk assessment be 
provided to relevant senior leadership of the covered entity upon its 
completion but would not require that such senior leadership certify in 
writing that they have received the results of the risk assessment or 
approve the results of the risk assessment. Such approvals and 
certifications may be required in other contexts to ensure that senior 
leadership

[[Page 4721]]

is aware of risk assessments and consider them in establishing 
strategic goals, risk appetite, and risk tolerance limits. Should the 
Commission require such a certification or approval? Why or why not? 
Please explain.
    b. Given the rapidly evolving technological and threat landscape, 
the proposed rule would require risk assessments to be performed on at 
least an annual basis to support the mitigation of systemic risk and 
develop a strong baseline standard across covered entities. The 
Commission is aware of standards imposing risk assessments as 
frequently as every six months and as infrequently as every two years. 
Should the Commission consider a shorter or longer baseline frequency 
for risk assessments? Why or why not? Please explain.
    2. Effective controls. The proposed rule would require covered 
entities to consider broad categories of controls and determine which 
to adopt consistent with the proposed (b)(3) standard. The Commission 
is also aware that certain controls, including firewalls, antivirus, 
and multifactor authentication (MFA) are commonly recommended within 
the industry. With respect to MFA, which requires users to present two 
or more distinct authentication factors (something they know, something 
they have, or something they are) at login to verify their identity 
before they are granted access, CISA advises that implementing MFA is 
important because it makes it more difficult for threat actors to gain 
access to information systems even if passwords or PINs have been 
compromised through phishing attacks or other means.\147\ In 2021, 
FFIEC issued guidance advising financial institutions that MFA or 
controls of equivalent strength, including for employees, could help 
more effectively mitigate risks when a financial institution's risk 
assessment indicates that single-factor authentication with layered 
security is inadequate.\148\ The guidance added that MFA factors, 
which may include memorized secrets, look-up secrets, out-of-band 
devices, one-time-password devices, biometric identifiers, and 
cryptographic keys, vary in usability, convenience, strength, and 
susceptibility to exploitation.\149\ That same year, the Federal Trade 
Commission updated its rule for safeguarding customer information to 
require financial institutions to adopt MFA for all users.\150\ The 
Commission preliminarily believes that requiring covered entities to 
implement such widely recommended controls, including MFA, would help 
reduce cyber security risks and clarify 
expectations. Should the Commission mandate the use of any specific 
controls, including firewalls, antivirus, and/or MFA? Why or why not? 
Please explain.
---------------------------------------------------------------------------

    \147\ CISA, Multi-Factor Authentication Fact Sheet (Jan. 2022), 
available at https://www.cisa.gov/sites/default/files/publications/MFA-Fact-Sheet-Jan22-508.pdf. 
NIST defines MFA as ``[a]n authentication system that requires more 
than one distinct 
authentication factor for successful authentication. Multi-factor 
authentication can be performed using a multi-factor authenticator 
or by a combination of authenticators that provide different 
factors. The three authentication factors are something you know, 
something you have, and something you are.'' NIST, SP 800-63-3, 
Digital Identity Guidelines at 49 (June 2017).
    \148\ FFIEC, Authentication and Access to Financial Institution 
Services and Systems at 7 (rev. Jan. 5, 2022).
    \149\ Id.
    \150\ See Standards for Safeguarding Customer Information, 86 FR 
70272 (Dec. 9, 2021); see also 16 CFR 314.4(c)(5) (requiring 
financial institutions to ``[i]mplement multi-factor authentication 
for any individual accessing any information system unless [a 
qualified individual, as defined in the rule] has approved in 
writing the use of reasonably equivalent or more secure access 
controls.'').
---------------------------------------------------------------------------
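    The following is an added illustration, not part of the Commission's 
release or of the CISA, FFIEC, or FTC materials cited above, of how a 
one-time-password factor is checked alongside a password so that a 
compromised password alone does not grant access. It implements the 
time-based one-time password algorithm (TOTP, RFC 6238) over HOTP (RFC 
4226). The user record, salt, and password are constructed for the 
example; the TOTP secret is the RFC 6238 Appendix B test-vector key; the 
function and variable names are the editor's own. It also shows two 
details on which the "one-time" property of the factor depends: a short 
acceptance window to absorb clock drift, and refusal of any time step 
already consumed, so that a code captured once cannot be replayed.

```python
# Added example (not part of the CFTC release or of any cited guidance):
# password + time-based one-time password (TOTP, RFC 6238) login check.
# The user record, salt and password below are constructed for the demo;
# the TOTP secret is the RFC 6238 Appendix B test-vector key.
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # length of the one-time code


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: the first factor (something you know)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the time step."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, window: int = 1,
                step: int = STEP_SECONDS, digits: int = DIGITS):
    """Return the time-step counter the code matched, or None.

    window: also accept this many adjacent steps, to absorb clock drift.
    last_counter: highest step already consumed for this user; a step at
    or below it is refused, so a captured code cannot be replayed.
    hmac.compare_digest keeps the comparison constant-time.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    now_counter = int(unix_time) // step
    for c in range(now_counter - window, now_counter + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


# Constructed user store. In a real deployment this lives in a database,
# and each user's TOTP secret is provisioned per user and encrypted at rest.
_SALT = b"constructed-demo-salt"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector key
        "last_counter": -1,
    }
}


def login(username: str, password: str, code: str, now=None, window: int = 1) -> str:
    """Both factors must pass. Returns 'ok' or a 'denied: ...' reason."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None:
        hash_password(password, _SALT)   # equalise timing; no user enumeration
        return "denied: unknown user"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return "denied: password"
    matched = verify_totp(user["totp_secret"], code, now,
                          last_counter=user["last_counter"], window=window)
    if matched is None:
        return "denied: second factor"
    user["last_counter"] = matched    # consume this time step
    return "ok"


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(login("alice", pw, "000000", now=59))                              # correct password, wrong code
    print(login("alice", pw, totp(USERS["alice"]["totp_secret"], 59), now=59))  # correct password, fresh code
```

    A caveat that the FFIEC observation about factor strength points at: a 
TOTP code is not phishing-resistant. A proxy that relays the victim's 
password and code to the genuine site within the 30-second window logs 
in as the victim; authenticators that bind the assertion to the origin 
(FIDO2/WebAuthn) close that gap. The choice of factor, not merely the 
presence of a second one, therefore belongs in the risk assessment.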

    3. Incident response plan. As proposed, covered entities would be 
required to notify their CCOs of incidents that they have determined 
may significantly impact regulatory obligations or require notification 
to the Commission. Commission staff are aware of instances where 
covered entity CCOs have not been notified of incidents sufficiently 
early to play a meaningful role in determining whether the incident 
implicates any CFTC requirements and in developing an appropriate 
remediation plan. Should covered entities be required to notify their 
CCOs of all incidents, only incidents that may require notification 
under the proposed rule, or incidents that may require notification 
under the proposed rule to other financial regulatory authorities? Why 
or why not?

D. Third-Party Relationship Program--Proposed Paragraph (e)

    The second program required to be included as part of the proposed 
ORF would be a third-party relationship program, defined as a written 
program reasonably designed to identify, monitor, manage, and assess 
risks relating to third-party relationships that meets the requirements 
of the proposed rule.\151\ The Commission understands that covered 
entities currently routinely rely upon third parties for a wide variety 
of products, services, and activities, including, for example, 
information technology, counterparty or customer relationship 
management, accounting, compliance, human resources, margin processing, 
trading, and risk management. Reliance on third-party service providers 
carries many potential benefits, including a reduction in operating 
costs and access to technological advancements that can improve 
operations and regulatory compliance.\152\
---------------------------------------------------------------------------

    \151\ See paragraph (e) of proposed Commission regulations 1.13 
and 23.603. See also paragraph (a) of proposed regulations 1.13 and 
23.603 (defining ``third-party relationship program'').
    \152\ See Prudential Third-Party Guidance, 88 FR 37927 (``The 
use of third parties can offer banking organizations significant 
benefits, such as access to new technologies, human capital, 
delivery channels, products, services, and markets.''); IOSCO 
Outsourcing Report, supra note 65, at 4 (``The benefits of 
outsourcing include lowering costs, increasing automation to speed 
up tasks and reduce the need for manual intervention, and providing 
flexibility to allow regulated entities to rapidly adjust both to 
the scope and scale of their activities.''); FFIEC, Information 
Technology Examination Handbook, Outsourcing Technology Services 
Booklet at 1 (June 2004) (``The ability to contract for technology 
services typically enables an institution to offer its customers 
enhanced services without the various expenses involved in owning 
the required technology or maintaining the human capital required to 
deploy and operate it.'').
---------------------------------------------------------------------------

    But that reliance is not riskless.\153\ As the ION incident 
illustrated, operational disruptions of third-party services, 
particularly of those important to a firm's operations or regulatory 
obligations, can present challenges for individual firms and even the 
financial system as a whole.\154\ The risks may vary from minor to 
significant, depending on the nature of the provider or the service 
being rendered, but they are inherent in the nature of a third-party 
service provider relationship, in which a firm relies on the 
performance of another entity and the quality and reliability of that 
performance is not in the direct control of the firm.\155\ The 
Commission accordingly believes that, in order to support their 
operational resilience, covered entities should have a plan in place to 
identify, monitor, manage, and assess the risks associated with third-
party relationships.\156\
---------------------------------------------------------------------------

    \153\ See Prudential Third-Party Guidance, 88 FR 37927 (``[T]he 
use of third parties can reduce a banking organization's direct 
control over activities and may introduce new risks or increase 
existing risks, such as operational, compliance, and strategic 
risks.'').
    \154\ See supra note 20 and accompanying text.
    \155\ See Prudential Third-Party Guidance, 88 FR 37927 
(``Increased risk often arises from greater operational or 
technological complexity, newer or different types of relationships, 
or potential inferior performance by the third party. A banking 
organization can be exposed to adverse impacts, including 
substantial financial loss and operational disruption, if it fails 
to appropriately manage the risks associated with third-party 
relationships.'').
    \156\ For purposes of the proposed rule, the Commission would 
construe ``third-party service provider'' broadly and consistently 
with the terms ``third-party'' and ``business arrangement'' as used 
in the Prudential Third-Party Relationship Guidance. See id. 
(``Third-party relationships can include, but are not limited to, 
outsourced services, use of independent consultants, referral 
arrangements, merchant payment processing services, services 
provided by affiliates and subsidiaries, and joint ventures. Some 
banking organizations may form third-party relationships with new or 
novel structures and features--such as those observed in 
relationships with some financial technology (fintech) 
companies.'').

---------------------------------------------------------------------------

[[Page 4722]]

    As mentioned above, the Commission appreciates that the risks 
presented by individual third-party relationships may vary depending on 
the firm, the provider, or service. For instance, risks may be more 
elevated if the service provider is a new entrant to the marketplace or 
the service relates to a new, untested technology, and covered entities 
with more numerous or intricate third-party relationships may 
experience greater overall risk from third parties by virtue of the 
number and complexity of their relationships. Accordingly, the proposed 
rule would not require third-party relationship programs to apply an 
identical degree of scrutiny and oversight to all third-party 
relationships. Instead, consistent with the principles-based focus of 
the proposed rule, and the proposed (b)(3) standard, the Commission 
would expect covered entities to adopt a third-party relationship 
program that helps them identify and assess the risks of their existing 
and future third-party relationships and adapt their risk management 
practices consistent with those risks, their risk appetite and risk 
tolerance limits, and the nature, size, scope, complexity, and risk 
profile of their business activities, following generally accepted 
standards and best practices.\157\
---------------------------------------------------------------------------

    \157\ See paragraph (b)(3) of proposed Commission regulations 
1.13 and 23.603. See also NFA Third-Party Notice, supra note 43 
(``NFA recognizes that a Member must have flexibility to adopt a 
written supervisory framework relating to outsourcing functions to a 
Third-Party Service Provider that is tailored to a Member's specific 
needs and business . . .''); Prudential Third-Party Guidance, 88 FR 
37924 (``[I]t is the responsibility of the banking organization to 
identify and evaluate the risks associated with each third-party 
relationship and to tailor its risk management practices, 
commensurate with the banking organization's size, complexity, and 
risk profile, as well as with the nature of its third-party 
relationships.'').
---------------------------------------------------------------------------

1. Third-Party Relationship Lifecycle Stages--Proposed Paragraph (e)(1)
    To guide covered entities in developing their third-party 
relationship programs, and to ensure that the programs address the full 
scope of risks that third-party relationships can present, the proposed 
rule would require the third-party relationship program to describe how 
the covered entity would address the risks attendant to each stage of 
the third-party relationship lifecycle.\158\ Specifically, the proposed 
rule would require the program to address: (i) pre-selection risk 
assessment; (ii) the due diligence process for prospective third-party 
relationships; \159\ (iii) contractual negotiations; (iv) ongoing 
monitoring during the course of the relationship; and (v) termination 
of the relationship, including preparations for planned and unplanned 
terminations.\160\
---------------------------------------------------------------------------

    \158\ See paragraph (e)(1) of proposed Commission regulations 
1.13 and 23.603.
    \159\ The proposed rule is not intended to interfere with the 
obligation in Commission regulation 1.11(e) for FCMs to conduct 
onboarding and ongoing due diligence on depositories carrying 
customer funds. See 17 CFR 1.11(e)(3)(i)(A)-(B).
    \160\ See paragraphs (e)(1)(i)-(v) of proposed Commission 
regulations 1.13 and 23.603. See also NFA Third-Party Notice 
(requiring NFA members to establish a written supervisory framework 
that includes an initial risk assessment, onboarding due diligence, 
ongoing monitoring, termination, and recordkeeping); 12 CFR part 30, 
app. B, III.D. (Oversee Service Provider Arrangements) (requiring 
financial institutions to exercise appropriate due diligence in 
selecting service providers, contract with service providers to 
implement ``appropriate measures designed to meet the objectives 
of'' prudential guidelines for information security; and, where 
indicated by its risk assessment, monitor service providers to 
confirm they have satisfied their obligations).
---------------------------------------------------------------------------

    Each of these stages offers covered entities opportunities to 
assess and take steps to mitigate the potential risks associated with 
reliance on third-party service providers. At the outset, covered 
entities should determine whether it is appropriate for a third-party 
service provider to perform a particular service and evaluate the 
associated risks.\161\ For instance, the determination to secure a 
third-party service provider may carry greater risks where the service 
directly impacts a regulatory requirement, where the third-party 
service provider would be given direct access to covered information, 
or where a disruption of services could impact regulatory compliance or 
have a negative impact on customers or counterparties. Due diligence 
provides covered entities with information to assess whether a 
prospective third-party service provider is equipped, operationally and 
otherwise, to perform as expected.\162\ Contractual negotiations offer 
an opportunity to mitigate potential risks by including provisions that 
assign specific responsibilities or liabilities, but may also 
contribute to risks, especially where a covered entity may have more 
limited negotiating power.\163\ Ongoing monitoring of a third-party 
service provider's performance likewise aids covered entities in 
identifying whether selected third-party service providers remain able 
to perform as expected throughout the duration of the 
relationship.\164\ Finally, the manner in which the relationship ends 
can have a major impact on the covered entity, particularly if it ends 
due to a breach of performance. Plans to address the termination, 
through contingencies or otherwise, could therefore prove important to 
ensuring the covered entity's ongoing operations.\165\ The Commission 
therefore preliminarily believes that effective management of third-
party risks would require covered entities to have a program that 
establishes methodologies and practices to assess and manage the risks 
of third-party relationships throughout each of these five stages of 
the third-party relationship lifecycle.\166\
---------------------------------------------------------------------------

    \161\ See NFA Third-Party Notice (``At the outset, a Member 
should determine whether a particular regulatory function is 
appropriate to outsource and evaluate the risks associated with 
outsourcing the function.''); Prudential Third-Party Guidance, 88 FR 
37928 (``As part of sound risk management, effective planning allows 
a banking organization to evaluate and consider how to manage risks 
before entering into a third-party relationship.'').
    \162\ See IOSCO Outsourcing Report, supra note 65, at 18 (``It 
is important that regulated entities exercise due care, skill, and 
diligence in the selection of service providers. The regulated 
entity should be satisfied that the service provider has the ability 
and capacity to undertake the provision of the outsourced task 
effectively at all times.''); Prudential Third-Party Guidance, 88 FR 
37929 (``Conducting due diligence on third parties before selecting 
and entering into third-party relationships is an important part of 
sound risk management. It provides management with the information 
needed about potential third parties to determine if a relationship 
would help achieve a banking organization's strategic and financial 
goals. The due diligence process also provides a banking 
organization with the information needed to evaluate whether it can 
appropriately identify, monitor, and control risks associated with 
the particular third-party relationship.'').
    \163\ See IOSCO Outsourcing Report at 21 (``Contractual 
provisions can reduce the risks of non-performance or aid the 
resolution of disagreements about the scope, nature, and quality of 
the service to be provided.'').
    \164\ See id. at 18 (``The regulated entity should also 
establish appropriate processes and procedures for monitoring the 
performance of the service provider on an ongoing basis to ensure 
that it retains the ability and capacity to continue to provide the 
outsourced task.'').
    \165\ See id. at 33 (``Where a task is outsourced, there is an 
increased risk that the continuity of the particular task in terms 
of daily management and control of that task, related information 
and data, staff training, and knowledge management, is dependent on 
the service provider continuing in that role and performing that 
task.'').
    \166\ See Prudential Third-Party Guidance, 88 FR 37928 
(``Effective third-party risk management generally follows a 
continuous life cycle for third-party relationships.'').
---------------------------------------------------------------------------

2. Heightened Requirements for Critical Third-Party Service Providers--
Proposed Paragraph (e)(2)
    Although the Commission appreciates that third-party risks are not 
uniform, it nevertheless believes that certain circumstances warrant 
enhanced risk management practices across all covered entities. 
Specifically, the proposed rule would require that the third-party 
relationship program establish heightened due diligence and ongoing

[[Page 4723]]

monitoring practices with respect to third-party service providers 
deemed critical third-party service providers.\167\ The proposed rule 
would define ``critical third-party service provider'' to mean a third-
party service provider, the disruption of whose performance would be 
reasonably likely to either (a) significantly disrupt a covered 
entity's business operations or (b) significantly and adversely 
impact the covered entity's counterparties or customers.\168\ The 
Commission understands that it is common practice for financial 
institutions, whether by regulatory mandate or otherwise, to identify a 
subset of services or providers more central to their operations and 
apply greater scrutiny and oversight to them to ensure the services are 
provided without disruption. The proposed rule's definition of 
``critical third-party service provider'' focuses on the potential 
impact a disruption to performance would have on the covered entity's 
regulated business operations, customers, or counterparties. Where such 
an impact would be significant, as assessed in light of the covered 
entity's business activities, risk appetite, and risk tolerance limits, 
the Commission believes heightened due diligence for potential critical 
third-party service providers and ongoing monitoring for onboarded 
critical third-party service providers are warranted to both mitigate 
the potential for such an occurrence and to promote the ability for 
covered entities to take early and effective action if a critical 
third-party service provider's performance is disrupted to mitigate the 
impact and effectively recover.\169\
---------------------------------------------------------------------------

    \167\ See paragraph (e)(2) of proposed Commission regulations 
1.13 and 23.603.
    \168\ See paragraph (a) of proposed Commission regulations 1.13 
and 23.603 (defining ``critical third-party service provider'').
    \169\ See NFA Third-Party Notice, supra note 43 (``Additionally, 
a Member's onboarding due diligence process should be heightened for 
Third-Party Service Providers that obtain or have access to a 
Member's critical and/or confidential data and those that support a 
Member's critical regulatory-related systems (e.g., handling 
customer segregated funds, keeping required records, filing 
financial reports, etc.).'').
---------------------------------------------------------------------------

3. Third-Party Service Provider Inventory--Proposed Paragraph (e)(3)
    To help ensure that covered entities implement a comprehensive and 
consistent approach to identifying their critical third-party service 
providers, covered entities would be required to create, maintain, and 
regularly update an inventory of third-party service providers they 
have engaged to support their activities as a covered entity, 
identifying whether each third-party service provider in the inventory 
is a critical third-party service provider.\170\ The Commission 
preliminarily believes that the process of creating an inventory of 
service providers, particularly the deliberative process involved in 
designating certain providers as critical third-party service 
providers, would help covered entities assess and evaluate the risks 
they face from their third-party service providers, and determine when 
to apply heightened monitoring. Maintaining such an inventory would 
also reflect that not all third-party service providers present the 
same level and types of risks to a covered entity, and would help 
covered entities assess and evaluate who is providing services and the 
attendant risk that any disruption of those services would have on a 
covered entity's business. The inventory would also provide covered 
entities a holistic view of their third-party service providers, which 
would help them better understand how risks identified during due 
diligence and ongoing monitoring may interact or require additional 
management. Having a clear understanding of who is providing services, 
particularly those services identified as critical, would further 
assist covered entities in identifying potential interconnections that 
may not be readily apparent if those providers are not catalogued and 
reviewed collectively.\171\
---------------------------------------------------------------------------

    \170\ See paragraph (e)(3) of proposed Commission regulations 
1.13 and 23.603.
    \171\ Prudential Third-Party Guidance, 88 FR 37927 
(``Maintaining a complete inventory of its third-party relationships 
and periodically conducting risk assessments for each third-party 
relationship supports a banking organization's determination of 
whether risks have changed over time and to update risk management 
practices accordingly.'').
---------------------------------------------------------------------------

    Covered entities relying on a consolidated third-party relationship 
program would be able to rely on an enterprise-wide third-party service 
provider inventory provided that the inventory meets the requirements 
of the proposed rule, including identifying critical third-party 
service providers specific to the covered entity.\172\
---------------------------------------------------------------------------

    \172\ See paragraph (c)(4)(i) of proposed Commission regulations 
1.13 and 23.603 (allowing covered entities to rely on consolidated 
programs).
---------------------------------------------------------------------------

4. Retention of Responsibility--Proposed Paragraph (e)(3)
    For the avoidance of doubt, the proposed rule would make clear 
that, notwithstanding their determination to rely on a third-party 
service provider, covered entities remain responsible for meeting their 
obligations under the CEA and Commission regulations.\173\ This 
provision reflects the principle, widely recognized among financial 
regulatory authorities, including the Commission, that while financial 
institutions may be able to delegate functions to third-party service 
providers, they cannot delegate their responsibility to comply with 
applicable laws and regulations.\174\ This provision is intended to 
ensure that covered entities are aware that they remain responsible for 
the performance of all applicable regulatory functions, whether 
performed by the covered entity or by a third-party service provider, 
and are accordingly fully subject to the Commission's jurisdiction, 
including its examination and enforcement authorities.
---------------------------------------------------------------------------

    \173\ See paragraph (e)(3) of proposed Commission regulations 
1.13 and 23.603.
    \174\ See NFA Third-Party Notice, supra note 43 (``If a Member 
outsources a regulatory function, however, it remains responsible 
for complying with NFA and/or CFTC Requirements and may be subject 
to discipline if a Third-Party Service Provider's performance causes 
the Member to fail to comply with those Requirements.''); Prudential 
Third-Party Guidance, 88 FR 37927 (``A banking organization's use of 
third parties does not diminish its responsibility to meet these 
requirements to the same extent as if its activities were performed 
by the banking organization in-house.''); IOSCO Outsourcing Report, 
supra note 65, at 12 (``The regulated entity retains full 
responsibility, legal liability, and accountability to the regulator 
for all tasks that it may outsource to a service provider to the 
same extent as if the service were provided in-house.''). See also 
17 CFR 37.204 (SEFs); 17 CFR 38.154 (DCMs); 17 CFR 39.18(d) (DCOs) 
(providing that such registered entities retain responsibility for 
meeting relevant regulatory requirements when entering into 
contractual outsourcing arrangements).
---------------------------------------------------------------------------

5. Application to Existing Third-Party Relationships
    Should the proposed rule be adopted as final, the Commission would 
expect covered entities to apply their third-party relationship 
programs across all stages of the relationship lifecycle on a going-
forward basis. Although the Commission would not require covered 
entities to renegotiate or terminate existing agreements, it would 
expect covered entities to conduct ongoing monitoring of existing 
third-party service providers consistent with the program and this 
regulation and, to the extent possible, to rely on their programs with 
respect to termination. For any third-party service providers 
contemplated or onboarded after the effective date of the proposed 
rule, or for any contracts renegotiated or renewed after the effective 
date of the rule, however, the Commission would expect covered entities 
to apply the entirety of the third-party relationship program from pre-
selection through termination.

[[Page 4724]]

6. Guidance on Third-Party Relationship Programs--Proposed Paragraph 
(e)(4); Appendix A to Part 1; Appendix A to Subpart J of Part 23
    To assist covered entities in developing third-party relationship 
programs that adequately address risks from third-party relationships, 
the Commission is proposing guidance outlining potential risks, 
considerations, and strategies for covered entities to consider.\175\ 
The proposed guidance addresses all five stages of the relationship 
lifecycle and, if adopted, would be codified as appendices to parts 1 
and 23 of the Commission's regulations for FCMs and swap entities, 
respectively.\176\ Designed to be broadly applicable to all covered 
entities, the proposed guidance identifies actions and factors for 
covered entities to consider. The factors and actions identified are 
not exhaustive, nor should they be viewed as a required checklist. The 
nonbinding guidance would merely be intended to aid covered entities as 
they design third-party relationship programs tailored to their own 
unique circumstances, consistent with the general ORF ``appropriate and 
proportionate'' standard discussed above.
---------------------------------------------------------------------------

    \175\ See paragraph (e)(4) of proposed Commission regulations 
1.13 and 23.603.
    \176\ See proposed Appendix A to part 1 and proposed Appendix A 
to Subpart J of part 23.
---------------------------------------------------------------------------

    In developing the proposed guidance, the Commission considered the 
recommendations of international standard-setting bodies, including 
IOSCO and FSB, in light of observations and lessons derived from its 
own oversight activities.\177\ In an effort to incorporate as much 
consensus as possible, the Commission also gave special consideration 
to existing guidance from NFA and the guidance on third-party 
relationships recently adopted by prudential regulators, both of which 
currently apply to at least some covered entities.\178\
---------------------------------------------------------------------------

    \177\ See IOSCO Outsourcing Report, supra note 65; FSB Third-
Party Report, supra note 44.
    \178\ See NFA Third-Party Notice; Prudential Third-Party 
Guidance, 88 FR 37920.
---------------------------------------------------------------------------

    The full text of the guidance is included at the end of this notice 
as proposed appendix A to part 1 for FCMs and proposed appendix A to 
subpart J of part 23. The guidance is identical in substance for FCMs 
and swap entities.
7. Request for Comment
    The Commission invites comment on all aspects of the proposed 
third-party relationship program requirement and associated guidance, 
including the following questions:
    1. Scope of Application. NFA's interpretive notice on third-party 
relationships is limited in scope to ``outsourcing,'' which NFA defines 
as third-party relationships in which an NFA member has a third-party 
service provider or vendor perform certain functions that would 
otherwise be undertaken by the member itself to comply with NFA and 
CFTC requirements.\179\ The proposed rule would follow the approach 
taken by prudential regulators in their third-party guidance, which 
more broadly addresses any circumstances where banking organizations 
rely on third parties for products, services, or activities to 
``capture[ ] the full range of third-party relationships that may pose 
risk to banking organizations.'' \180\ Should the Commission consider 
limiting the scope of its guidance to outsourcing of CFTC regulatory 
obligations? Why or why not? Please explain.
---------------------------------------------------------------------------

    \179\ See NFA Third-Party Notice, supra note 43.
    \180\ See Prudential Third-Party Guidance, 88 FR 37921-22.
---------------------------------------------------------------------------

    2. Critical third-party service provider. The proposed rule 
includes a definition of ``critical third-party service provider.'' The 
Commission understands it is common practice for financial institutions 
to identify and apply heightened oversight of third-party service 
providers they deem critical. NFA's interpretive notice related to 
third-party relationships, for instance, advises members to tailor the 
frequency and scope of ongoing monitoring reviews to the criticality of 
and risk associated with the outsourced function but does not define 
``criticality'' for covered entities. Is the Commission's proposed 
definition consistent with existing standards or definitions of 
``criticality'' applied by covered entities? If not, how is it 
different? Should the Commission consider allowing covered entities to 
generate and apply their own definition of ``critical third-party 
service provider''? Why or why not? Please explain.
    3. Guidance--Affiliated Third-Party Service Providers. The proposed 
third-party relationship program requirement would apply to all third-
party relationships, including where the third party is an affiliate of 
the covered entity. This position is consistent with both NFA and 
prudential guidance related to third-party relationships.\181\ 
Nevertheless, the Commission recognizes that arrangements with 
affiliates may present different or lower risks than with unaffiliated 
third parties. Should the Commission consider including any additional 
guidance with respect to the management of third-party service 
providers that are affiliated entities? If so, what factors should 
covered entities consider when evaluating relationships with affiliated 
third-party service providers?
---------------------------------------------------------------------------

    \181\ See NFA Third-Party Notice at n.1 (``Further, even if a 
Member outsources a regulatory obligation to an affiliate, . . . a 
Member should comply with this Notice's requirements.''); Prudential 
Third-Party Guidance, 88 FR 37927 (``Third-party relationships can 
include, but are not limited to, . . . services provided by 
affiliates and subsidiaries. . .'').
---------------------------------------------------------------------------

    4. Guidance--Due Diligence. The proposed guidance recommends that 
covered entities perform due diligence on prospective third-party 
service providers to assess their ability to deliver contracted 
services to an acceptable standard (i.e., consistent with risk appetite 
and risk tolerance limits) and provides examples of information that 
covered entities should review and sources for obtaining that 
information.
    a. Are there any additional due diligence tasks that should be 
conducted by the covered entity beyond reviewing information about the 
potential third-party service provider? Are there additional risks that 
should be included in the guidance for the covered entity to inquire 
into? If yes, please identify and explain.
    b. Are there additional sources of due diligence information beyond 
those listed in the guidance (see section B of the guidance) that 
should be included in the guidance? If yes, please identify and 
explain.
    c. Should covered entities be advised to periodically refresh their 
due diligence, or upon the occurrence of specific triggers (e.g., a 
material change to the service outsourced)? Why or why not? Would such 
a recommendation be duplicative of the covered entity's ongoing 
monitoring activities, or would the subsequent due diligence provide 
additional valuable information to the covered entity beyond that 
provided by ongoing monitoring? Why or why not? Please explain.
    d. The proposed guidance does not recommend that covered entities 
perform due diligence directly on any subcontractors secured by third-
party service providers. Rather, the Commission's guidance suggests 
that covered entities review the operational risk management practices 
of the potential third-party service provider with respect to their 
subcontractors. Should the Commission recommend more enhanced due 
diligence of subcontractors? Why or why not? What

[[Page 4725]]

means are practicable for covered entities to conduct due diligence on 
subcontractors to their third-party service providers? Please identify 
and explain.

E. Business Continuity and Disaster Recovery Plan--Proposed Paragraph 
(f)

    The third component of the ORF would be a business continuity and 
disaster recovery (BCDR) plan, defined as a written plan outlining the 
procedures to be followed in the event of an emergency or other 
significant disruption to the continuity of a covered entity's normal 
business operations and that meets the requirements of the proposed 
rule.\182\ Similar to the incident response plan (and, in extreme 
cases, possibly triggered by an incident covered by the incident 
response plan), the proposed BCDR plan requirement recognizes the 
operational reality that not all operational disruptions can be 
prevented or immediately mitigated and asks covered entities to 
strategize and implement plans for how to minimize the impact to 
operations, customers, and counterparties when such adverse events 
occur.
---------------------------------------------------------------------------

    \182\ See paragraph (f) of proposed Commission regulations 1.13 and 
23.603. See also paragraph (a) of proposed Commission regulations 
1.13 and 23.603 (defining ``business continuity and disaster 
recovery plan'').
---------------------------------------------------------------------------

    Although NFA requires FCMs to establish and maintain a BCDR plan, 
if adopted, the proposed rule would create a new CFTC BCDR plan 
requirement for FCMs.\183\ Current Commission regulation 23.603 
contains an active BCDR plan requirement for swap entities.\184\ In 
essence, the proposal would make certain amendments to the CFTC BCDR 
plan requirement for swap entities and expand the requirement to 
include FCMs. The proposed amendments to the swap entity BCDR plan 
requirement have two general purposes. For the most part, the proposal 
would streamline and simplify some of the language to help it further 
conform to the proposed ORF rule more broadly, in ways the Commission 
intends to be non-substantive. The proposal would also make a few 
substantive changes, informed either by the Commission's review of 
NFA's and CME's current BCDR requirements for their members or by its 
decade of experience applying current Commission regulation 23.603 to 
swap entities.\185\ The proposed substantive changes, each subsequently 
discussed in this notice, relate to either the defined scope of and 
recovery objective for the BCDR plan or the testing and audit 
requirements for the plan.
---------------------------------------------------------------------------

    \183\ See NFA Rule 2-38, supra note 43.
    \184\ See 17 CFR 23.603.
    \185\ See NFA Rule 2-38; CME Rule 983 (Disaster Recovery and 
Business Continuity).
---------------------------------------------------------------------------

    Current Commission regulation 23.603 includes requirements that the 
proposed rule would apply to the entirety of the proposed ORF more 
broadly. Those requirements include requirements to: distribute the 
BCDR plan to relevant employees (current Commission regulation 
23.603(c)); notify the Commission of emergencies or disruptions 
(current Commission regulation 23.603(d)); identify emergency contacts 
(current Commission regulation 23.603(e)); review, test, and update the 
BCDR plan (current Commission regulation 23.603(f) and (g)); and 
recordkeeping (current Commission regulation 23.603(i)). Each of these 
requirements is discussed in the relevant sections of this notice that 
follow.\186\ Accordingly, the Commission's proposed amendment to the 
current BCDR audit requirement is discussed in the context of the ORF's 
broader proposed review and testing requirements.\187\
---------------------------------------------------------------------------

    \186\ See sections II.F (Training), G (Review and Testing), H 
(Required Notifications), and I (Emergency Contacts, Recordkeeping) 
of this notice, infra. The proposed rule would not retain Commission 
regulation 23.603(h), which merely articulates the fact that swap 
entities are required to comply with Commission's BCDR requirements 
in addition to any other applicable BCDR requirements from other 
regulatory bodies. See 17 CFR 23.603(h). The Commission accordingly 
views this amendment as non-substantive.
    \187\ See paragraph (h) of proposed Commission regulations 1.13 
and 23.603 and section II.G, infra.
---------------------------------------------------------------------------

1. Definition of ``Business Continuity and Disaster Recovery Plan''
    The proposed definition of ``business continuity and disaster 
recovery plan'' is slightly modified from the language in the current 
BCDR plan requirement for swap entities. Current Commission regulation 
23.603 requires swap entities to establish and maintain a BCDR plan 
that ``outlines the procedures to be followed in the event of an 
emergency or other disruption of its normal business activities.'' 
\188\ As stated above, the proposed rule would specify that the BCDR 
plan would need to address ``significant'' disruptions to the 
continuity of a covered entity's normal business operations, which the 
Commission preliminarily believes is more in line with what would 
constitute an ``emergency'' that would result in activation of a BCDR 
plan and how Commission regulation 23.603 has operated in 
practice.\189\
---------------------------------------------------------------------------

    \188\ See 17 CFR 23.603(a).
    \189\ See also NFA Rule 2-38, supra note 43 (requiring certain 
members, including FCMs, to establish a BCDR plan to be followed in 
the event of a ``significant business disruption''). The proposed 
language change from ``normal business activities'' to ``the 
continuity of normal business operations'' is intended only to bring 
the language more in line with the focus of the proposed ORF rule on 
the resiliency of operations and is not intended to have substantive 
effect. See paragraph (a) of proposed Commission regulations 1.13 
and 23.603 (defining ``business continuity and disaster recovery 
plan''); 17 CFR 23.603(a).
---------------------------------------------------------------------------

2. Purpose--Proposed Paragraph (f)(1)
    Under the proposed rule, the BCDR plan would need to be reasonably 
designed to enable covered entities to: (i) continue or resume normal 
business operations with minimal disruption to customers or 
counterparties and the markets and (ii) recover and make use of all 
covered information, as well as any other data, information, or 
documentation required to be maintained by law and regulation.\190\ The 
Commission preliminarily believes that this standard, which emphasizes 
the need to quickly resume regulated activities and to recover all 
information kept and required to be kept in connection with those 
activities, supports the overall regulatory objectives of the ORF rule 
of enhancing the operational resilience of covered entities to promote 
the protection of customers and the mitigation of systemic risk.
---------------------------------------------------------------------------

    \190\ See paragraphs (f)(1)(i)-(ii) of proposed Commission 
regulations 1.13 and 23.603. See also 17 CFR 23.603(a).
---------------------------------------------------------------------------

    Current Commission regulation 23.603 requires swap entities' BCDR 
plans to ``be designed to enable the [swap entity] to continue or to 
resume any operations by the next business day with minimal disturbance 
to its counterparties and the market.'' The proposed rule would modify 
this language by requiring that the BCDR plan be ``reasonably'' 
designed to continue or resume operations with minimal disruption and 
by removing the requirement that such operations be resumed ``by the 
next business day.'' \191\ The Commission views the qualification that 
the BCDR plan be ``reasonably'' designed as simply a more concrete 
expression of the Commission's current expectations, in recognition 
that what might be necessary to achieve recovery is not an absolute 
fact and may vary depending on the circumstances, including the nature, 
size, scope, complexity, and risk profile of a covered entity's 
business activities.\192\ The

[[Page 4726]]

reasonableness of the plan would thus be viewed in light of the 
proposed (b)(3) standard (i.e., what is appropriate and proportional to 
the covered entity, following generally accepted standards and best 
practices).
---------------------------------------------------------------------------

    \191\ The Commission views the use of the phrase ``minimal 
disturbance'' in current Commission regulation 23.603 as equivalent 
to the phrase ``minimal disruption'' in the proposed rule and 
therefore views this change in language with respect to swap 
entities to be non-substantive. Compare 17 CFR 23.603(a) with 
paragraph (f)(1) of proposed Commission regulations 1.13 and 23.603.
    \192\ See also NFA Rule 2-38 (requiring BCDR plans be 
``reasonably designed'') (emphasis added).
---------------------------------------------------------------------------

    The proposal not to include a next business day recovery time 
objective is based on the Commission's preliminary view that, depending 
on the circumstances, a next business day recovery standard could be 
either too short or too long, to the point where it may be misdirecting 
the focus of the rule. The Commission understands that the ``next 
business day'' standard has been common for businesses to employ for 
BCDR purposes in the context of purely physical disasters, such as 
power outages or natural disasters. Based on its experience in recent 
years, however, the Commission believes a next-day standard may in some 
cases be impractical in an era where rapid innovation has deepened and 
expanded reliance on technology among financial institutions, and 
pandemics and cyberattacks have become more prevalent or alarming forms 
of disruption. With the ION incident, for instance, it took weeks 
before back office operations were back to normal. Nevertheless, the 
impact to customers and the markets during that time was manageable. 
Were even one business day to stretch between FCMs paying and 
collecting margin, for example, the Commission does not believe the 
impact to customers or the markets could be characterized as minimal.
    Accordingly, the Commission preliminarily believes that by not 
including a precise recovery time objective, such as next business day, 
the emphasis of the proposed BCDR plan standard appropriately lies on 
ensuring that any disruption to customers, counterparties, and the 
markets is ``minimal.'' \193\ For that standard to be met, however, the 
Commission would still expect covered entities to plan for a recovery 
that is expeditious. The longer a covered entity is not operating as 
usual, the more likely it is that customers and counterparties may be 
affected and that a crisis in confidence could develop, potentially 
affecting the industry more broadly.
---------------------------------------------------------------------------

    \193\ The Commission notes that neither NFA nor CME includes a 
specific recovery time objective in its BCDR plan requirements. See 
NFA Rule 2-38; CME Rule 983.
---------------------------------------------------------------------------

    Current Commission regulation 23.603 requires swap entities' BCDR 
plans to be designed ``to recover all documentation and data required 
to be maintained by applicable law and regulation.'' The proposal to 
require covered entities to reasonably design their BCDR plans to 
``recover and make use of all covered information, as well as any other 
data, information, or documentation required to be maintained by law 
and regulation'' is intended to both incorporate the proposed defined 
term ``covered information,'' and make clear the need to also preserve 
the availability of the recovered data and information (i.e., reliable 
access to and use of information), which the Commission believes is an 
integral component of information and technology security.\194\ The 
Commission believes that making plans to ensure covered information--
sensitive or confidential information and data the proposed ORF rule is 
designed, at its core, to ensure covered entities protect--as well as 
any other information covered entities are legally required to 
maintain, is recovered and accessible following an emergency is key to 
ensuring the protection of customers and counterparties and the ongoing 
orderly functioning of the commodity interest markets, as this 
information is vital to a covered entity's ability to assess its 
ongoing compliance with the Commission's regulations governing the 
requirements for covered entities.\195\
---------------------------------------------------------------------------

    \194\ See supra note 108 and accompanying text (discussing the 
``CIA triad'' of confidentiality, integrity, and availability).
    \195\ In designing a BCDR plan that would meet this recovery 
standard, the Commission would advise covered entities to identify a 
broad range of events that could constitute emergencies or pose 
significant disruptions, including natural events (e.g., hurricanes, 
wildfires), technical events (e.g., power failures, system 
failures), malicious activity (e.g., fraud, cyberattacks), failures 
of controls, and low likelihood but high impact events (e.g., 
terrorist attacks, pandemics), and consider potential impact on 
business operations and data and information.
---------------------------------------------------------------------------

3. Minimum Contents--Proposed Paragraph (f)(2)
    Consistent with the proposed (b)(3) standard for the ORF as a 
whole, the BCDR plan would need to be appropriate and proportionate to 
the covered entity, following generally accepted standards and best 
practices.\196\ Accordingly, should the proposal be adopted as final, 
the Commission would expect each BCDR plan to be highly tailored to 
each specific covered entity. However, the proposed rule would also 
require the BCDR plan to include certain minimum contents, which are 
generally comparable to the current requirements in Commission 
regulation 23.603.\197\
---------------------------------------------------------------------------

    \196\ See paragraph (b)(3) of proposed Commission regulations 
1.13 and 23.603.
    \197\ See paragraph (f)(2) of proposed Commission regulations 
1.13 and 23.603. See also 17 CFR 23.603(b). Although the exact 
language of the proposed minimum contents in paragraph (f)(2) may 
diverge somewhat from that of current Commission regulation 
23.603(b), the modifications were intended to streamline language 
and incorporate the proposed terms ``covered information'' and 
``covered technology.'' The Commission does not intend any of the 
changes to have a substantive impact on compliance with the 
Commission's BCDR plan requirement for swap entities.
---------------------------------------------------------------------------

    First, the proposed rule would require the BCDR plan to identify 
its covered information, as well as any other data or information 
required to be maintained by law or regulation, and to establish and 
implement procedures to backup or copy it with sufficient frequency and 
to store it offsite in either hard-copy or electronic format.\198\ The 
BCDR plan would also need to identify any resources, including covered 
technology, facilities, infrastructure, personnel, and competencies, 
essential to the operations of the covered entity or to fulfill the 
regulatory obligations of the covered entity, and establish and maintain 
procedures and arrangements to provide for their backup in a manner 
that is sufficient to meet the requirements of the rule (i.e., to 
continue or resume operations with minimal disruption, to recover and 
make use of information).\199\ These minimum requirements are intended 
to ensure that the BCDR plan meets the proposed recovery standard by 
ensuring covered entities have gone through the process of cataloging 
everything they need (information, technology, infrastructure, human 
capital, etc.) to operate as a covered entity, and have established 
ways to recover them and to continue or resume operations with minimal 
disruption to customers, counterparties, or the markets. Furthermore, 
in establishing arrangements for backup resources, the Commission would 
want covered entities to consider diversification to the greatest 
extent possible to reduce the likelihood that an emergency that affects 
a primary operating resource affects any planned backups. Accordingly, 
the proposed rule would require covered entities to establish backup 
arrangements for resources that are in one or more areas geographically 
separate from the covered entity's primary resources (e.g., a different 
power grid than the primary facility).\200\ The proposed rule would 
make clear those resources could be

[[Page 4727]]

provided by third-party service providers.\201\
---------------------------------------------------------------------------

    \198\ See paragraph (f)(2)(i) of proposed Commission regulations 
1.13 and 23.603. See also 17 CFR 23.603(b)(1), (b)(6).
    \199\ See paragraph (f)(2)(ii) of proposed Commission 
regulations 1.13 and 23.603. See also 17 CFR 23.603(b)(2), (b)(4), 
(b)(5).
    \200\ See paragraph (f)(2)(ii) of proposed Commission 
regulations 1.13 and 23.603. See also 17 CFR 23.603(b)(5).
    \201\ See id.
---------------------------------------------------------------------------
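The following is an added example, not part of the Commission's notice or of any rule text, showing how a covered entity could check its own resource inventory against the backup expectations described above: every essential resource has a backup, at least one backup is geographically separate from the primary, each backup is fresher than the firm's own recovery point objective, and any backup supplied by a third party is surfaced so it can be reconciled with the plan's list of critical third-party service providers. The site names, grid labels, resources and RPO values are constructed, and the separation test (different region and different power grid) is an assumption for illustration, not a definition from the proposed rule.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Site:
    name: str
    region: str       # constructed label for a metro area or state
    power_grid: str   # constructed label for the grid feeding the site


@dataclass
class BackupCopy:
    site: Site
    last_completed: datetime          # when this backup copy was last refreshed
    provider: Optional[str] = None    # third-party service provider, if any


@dataclass
class Resource:
    name: str
    kind: str                         # information / technology / facility / personnel
    primary: Site
    rpo: timedelta                    # firm's own recovery point objective (assumption)
    backups: List[BackupCopy] = field(default_factory=list)


def geographically_separate(primary: Site, backup: Site) -> bool:
    """Assumed test: a backup counts as separate only if it is in a
    different region AND on a different power grid than the primary."""
    return primary.region != backup.region and primary.power_grid != backup.power_grid


def check_backup_arrangements(resources: List[Resource], now: datetime) -> List[Tuple[str, str]]:
    """Return (resource, issue) pairs for every arrangement that fails a
    check; an empty list means every resource passes."""
    findings: List[Tuple[str, str]] = []
    for r in resources:
        if not r.backups:
            findings.append((r.name, "NO_BACKUP"))
            continue
        if not any(geographically_separate(r.primary, b.site) for b in r.backups):
            findings.append((r.name, "NO_GEOGRAPHICALLY_SEPARATE_BACKUP"))
        for b in r.backups:
            if now - b.last_completed > r.rpo:
                findings.append((r.name, f"STALE_BACKUP:{b.site.name}"))
            if b.provider:
                # Not a failure by itself: the provider must be reconciled
                # with the plan's critical third-party service provider list.
                findings.append((r.name, f"THIRD_PARTY_DEPENDENCY:{b.provider}"))
    return findings


def sample_inventory() -> List[Resource]:
    """Constructed inventory used for the demonstration below."""
    hq = Site("HQ", region="Northeast", power_grid="GRID-A")
    annex = Site("HQ-Annex", region="Northeast", power_grid="GRID-A")
    dr = Site("DR-Midwest", region="Midwest", power_grid="GRID-B")
    cloud = Site("CloudCo-West", region="West", power_grid="GRID-C")
    t = datetime(2024, 1, 24, 12, 0, tzinfo=timezone.utc)
    return [
        Resource("trade_records", "information", hq, timedelta(hours=4),
                 [BackupCopy(dr, t - timedelta(hours=2))]),
        Resource("order_management", "technology", hq, timedelta(hours=1),
                 [BackupCopy(annex, t - timedelta(minutes=30))]),
        Resource("settlement_db", "information", hq, timedelta(hours=24),
                 [BackupCopy(cloud, t - timedelta(days=3), provider="CloudCo")]),
        Resource("operations_desk", "personnel", hq, timedelta(days=1)),
    ]


def run_backup_check() -> List[Tuple[str, str]]:
    now = datetime(2024, 1, 24, 12, 0, tzinfo=timezone.utc)
    return check_backup_arrangements(sample_inventory(), now)


if __name__ == "__main__":
    for resource, issue in run_backup_check():
        print(f"{resource:20s} {issue}")
```

On the constructed inventory the check flags the order management system (its only backup shares the primary's region and grid), the settlement database (backup three days old against a 24-hour RPO, and supplied by a third party), and the operations desk (no alternative staffing), while the trade records pass.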

    To ensure that critical third-party service providers are given 
particular consideration when planning for disruptions, the proposed 
rule would specifically require the BCDR plan to identify potential 
disruptions to critical third-party service providers and establish a 
plan to minimize the impact of such potential disruptions.\202\ 
Additionally, given the importance of internal and external 
communication in times of crisis, and for duties and responsibilities 
to be well established, the proposed rule would require the BCDR plan 
to identify supervisory personnel responsible for implementing the BCDR 
plan, along with the covered entity's required ORF emergency contacts, 
and establish a procedure for communicating with relevant persons in 
the event of an emergency or significant disruption.\203\
---------------------------------------------------------------------------

    \202\ See paragraph (f)(2)(iii) of proposed Commission 
regulations 1.13 and 23.603. See also 17 CFR 23.603(b)(7) (identify 
``potential business interruptions encountered by third parties that 
are necessary to the continued operations of the swap dealer or 
major swap participant and a plan to minimize the impact of such 
disruptions'').
    \203\ See paragraphs (f)(2)(iv)-(v) of proposed Commission 
regulations 1.13 and 23.603. See also paragraph (k) of proposed 
Commission regulations 1.13 and 23.603 (requiring emergency 
contacts), discussed in section II.I.1 of this notice, infra; 17 CFR 
23.603(b)(3).
---------------------------------------------------------------------------

    The minimum contents of the proposed BCDR plan requirement were 
designed to align with the substance of the ``essential components'' of 
a BCDR plan identified in current Commission regulation 23.603(b), with 
certain modifications.\204\ The changes are intended to streamline 
language, incorporate the proposed BCDR plan standard and defined terms 
(e.g., covered information, covered technology, critical third-party 
service provider), and reorder and combine elements to improve 
readability and application. Key changes include:
---------------------------------------------------------------------------

    \204\ See 17 CFR 23.603(b).
---------------------------------------------------------------------------

     Replacing the identification or backup of documents and 
information essential to the continued operations of the swap entity 
and/or to fulfill the regulatory obligations of the swap dealer or 
major swap participant with covered information, as well as any other 
data or information required to be maintained by law and 
regulation.\205\ This change is intended to align the information 
required to be identified in the proposed BCDR plan with its purpose 
(recover and make use of all covered information, as well as any other 
data, information, or documentation required to be maintained by law 
and regulation).
---------------------------------------------------------------------------

    \205\ See proposed paragraph (f)(2)(i) of Commission regulations 
1.13 and 23.603; 17 CFR 23.603(b)(1) (Identification of the 
documents and data essential to the continued operations of the swap 
entity and to fulfill the obligations of the swap entity); (b)(6) 
(Back-up or copying of documents and data essential to the 
operations of the swap entity or to fulfill the regulatory 
obligations of the swap entity).
---------------------------------------------------------------------------

     Specifying that data and information must be backed up or 
copied with sufficient frequency ``to meet the requirements of this 
section,'' to make clear that the backup frequency should be linked to 
the broader purpose of the BCDR plan (i.e., to continue or resume 
operations with minimal disruption and to recover and make use of in-
scope information).\206\
---------------------------------------------------------------------------

    \206\ Cf. 17 CFR 23.603(b)(6) (Back-up or copying, with 
sufficient frequency, of documents and data).
---------------------------------------------------------------------------

     Removing the qualification that resource backups be 
designed to achieve the timely recovery of data and documentation and 
to resume operations as soon as reasonably possible and generally 
within the next business day.\207\ This language could be viewed as in 
contradiction with the overall proposed purpose of the BCDR plan, which 
would not include a ``next business day'' recovery time objective.
---------------------------------------------------------------------------

    \207\ See 17 CFR 23.603(b)(4) (Procedures for, and the 
maintenance of, back-up facilities, systems, infrastructure, 
alternative staffing and other resources to achieve the timely 
recovery of data and documentation and to resume operations as soon 
as reasonably possible and generally within the next business day.).
---------------------------------------------------------------------------

     Replacing third parties that are necessary to the 
continued operations of the swap dealer or major swap participant with 
critical third-party service provider, as defined in the proposed rule, 
as the Commission believes these terms are intended to capture similar 
concepts.\208\
---------------------------------------------------------------------------

    \208\ See 17 CFR 23.603(b)(7) (Identification of potential 
business interruptions encountered by third parties that are 
necessary to the continued operations of the swap dealer or major 
swap participant and a plan to minimize the impact of such 
disruptions.).
---------------------------------------------------------------------------

4. Accessibility--Proposed Paragraph (f)(3)
    Finally, to ensure that the BCDR plan is available in the event of 
an emergency or other significant disruption that prevents a covered 
entity from accessing its primary office location, the proposed rule 
would require each covered entity to maintain copies of its BCDR plan 
at one or more accessible off-site locations.\209\
---------------------------------------------------------------------------

    \209\ See paragraph (f)(3) of proposed Commission regulations 
1.13 and 23.603. See also 17 CFR 23.603(c).
---------------------------------------------------------------------------

5. Request for Comment
    The Commission invites comment on all aspects of the proposed 
business continuity and disaster recovery plan requirement, including 
the following question:
    1. Recovery time objective. Under current Commission regulation 
23.603, the Commission requires swap entities to establish and maintain 
a BCDR plan that is designed to enable the swap entity to continue or 
resume any operations ``by the next business day'' with minimal 
disturbance to its counterparties.\210\ Noting that such a standard may 
pose some challenges, the Commission has proposed to not include a 
recovery time objective, relying on covered entities to establish a 
BCDR plan that allows for sufficiently prompt recovery so as to impose 
only ``minimal disruption'' on customers, counterparties, or the markets.
---------------------------------------------------------------------------

    \210\ See 17 CFR 23.603(a).
---------------------------------------------------------------------------

    a. Has a next business day standard posed challenges for swap 
entities to implement? Would such a standard be achievable for FCMs? 
Why or why not? Please explain.
    b. Should the Commission consider including additional language to 
ensure covered entities design BCDR plans that enable quick recovery 
(e.g., ``as soon as possible'' or ``as soon as practicable'')? Why or 
why not? Please explain.
    2. Transfer of business to another entity. NFA and CME rules allow 
for BCDR plans to include the possibility of transferring their 
business to another regulated entity in the event of an emergency or 
disruption. NFA Rule 2-38 provides that a BCDR plan ``shall be 
reasonably designed to . . . transfer its business to another Member 
with minimal disruption to its customers, other members, and the 
commodity futures markets.'' \211\ CME Rule 983 provides that clearing 
members must have procedures in place to allow them to continue to 
operate during periods of stress ``or to transfer accounts to another 
fully operational clearing member with minimal disruption to either 
[CME] or their customers.'' \212\ Do any covered entities currently 
have arrangements with other covered entities to transfer business or 
accounts in the event of an emergency or disruption? Should the 
Commission consider adding the option to transfer business to another 
regulated entity into its proposed BCDR rule? Why or why not? How would 
such a transfer function in practice? Please explain.
---------------------------------------------------------------------------

    \211\ See NFA Rule 2-38, supra note 43.
    \212\ See CME Rule 983, supra note 185.
---------------------------------------------------------------------------

F. Training and Plan Distribution--Proposed Paragraph (g)

    To support the effectiveness of the ORF by ensuring personnel are 
aware of relevant policies, procedures, and

[[Page 4728]]

practices, the proposed rule would require that each covered entity 
establish, implement, and maintain training with respect to all aspects 
of the ORF.\213\ Relevant training is important to ensuring the ORF 
operates as intended, and to supporting a firm culture that promotes 
and prioritizes operational resilience.\214\ The training would 
therefore need to include, at a minimum, (i) cybersecurity awareness 
training for all personnel and (ii) role-specific training for 
personnel involved in establishing, documenting, implementing, and 
maintaining the ORF.\215\ The importance of cybersecurity training is 
widely recognized, as incidents commonly occur because well-intentioned 
employees or other users make preventable mistakes.\216\ The Commission 
would further expect that role-specific training would include not only 
training on relevant policies and procedures but additional relevant 
threat and vulnerability response training for personnel involved in 
the development and maintenance of the information and technology 
security program (e.g., system administration courses for IT 
professionals, secure coding training for web developers).\217\
---------------------------------------------------------------------------

    \213\ See paragraph (g) of proposed Commission regulations 1.13 
and 23.603.
    \214\ See FFIEC Information Security Booklet, supra note 69, at 
17 (``Training ensures personnel have the necessary knowledge and 
skills to perform their job functions.''); CIS Critical Security 
Controls v.8., Control no. 14 (Security Awareness and Skills 
Training) at 43 (May 2021) (CIS Control 14) (training helps 
``influence behavior among the workforce to be security conscious 
and properly skilled to reduce cybersecurity risks to the 
enterprise'').
    \215\ See paragraphs (g)(1)(i)-(ii) of proposed Commission 
regulations 1.13 and 23.603. Proposed paragraph (g)(1)(ii) would 
supplant the current requirement in Commission regulation 23.603 for 
swap entities to train relevant employees on applicable components 
of the BCDR plan. See 17 CFR 23.603(c). The Commission does not 
intend any substantive difference in the BCDR plan training for swap 
entities.
    \216\ The FSB found that most successful cyberattacks involved 
human error, which is why training is important for all personnel. 
See FSB, Summary Report on Financial Sector Cybersecurity 
Regulations, Guidance and Supervisory Practices at 7 (Oct. 13, 
2017), available at https://www.fsb.org/wp-content/uploads/P131017-1.pdf. See also CIS Control 14 (``Users themselves, both 
intentionally and unintentionally, can cause incidents as a result 
of mishandling sensitive data, sending an email with sensitive data 
to the wrong recipient, losing a portable end-user device, using 
weak passwords, or using the same password they use on public site . 
. .''); Prudential Operational Resilience Paper, supra note 11, at 11 
(``The firm provides cybersecurity awareness education especially to 
personnel engaged in the operations of critical operations and core 
business lines, . . . and adequately trains them to perform their 
information security-related duties and responsibilities consistent 
with related processes and agreements.'').
    \217\ See CISA, Incident Response Plan (IRP) Basics (advising 
that all staff need to understand their role in maintaining and 
improving the security of the organization), available at https://www.cisa.gov/sites/default/files/publications/Incident-Response-Plan-Basics_508c.pdf.
---------------------------------------------------------------------------

    As with all aspects of the ORF, if the proposal is adopted as 
final, the Commission would expect each covered entity's ORF training 
to meet the (b)(3) standard (i.e., be appropriate and proportionate to 
the nature, scope, and complexities of its business activities as a 
covered entity, following generally accepted standards and best 
practices).\218\ To ensure the training remains relevant over time and 
that personnel are adequately informed with respect to the ORF, covered 
entities would also be required to provide and update their ORF 
training as necessary, but no less frequently than annually.\219\ 
Requiring that the training occur annually would be a new CFTC 
requirement with respect to the BCDR plan training requirement for swap 
entities.\220\ The Commission nevertheless believes an annual training 
requirement is necessary for staff involved in BCDR planning to ensure 
they remain up-to-date on changes to the BCDR plan following the annual 
reviews and testing of the plan.\221\
---------------------------------------------------------------------------

    \218\ See paragraph (b)(3) of proposed Commission regulations 
1.13 and 23.603; supra note 63 and accompanying text.
    \219\ See paragraph (g)(2) of proposed Commission regulations 
1.13 and 23.603.
    \220\ See 17 CFR 23.603(c).
    \221\ See paragraph (h) of proposed Commission regulations 1.13 
and 23.603, discussed in section II.G, infra.
---------------------------------------------------------------------------

    To further support the proposed training requirement and ensure 
relevant personnel have access to and are aware of the current 
information and technology security, third-party relationships, and 
BCDR plans that form the ORF, the proposed rule would require that 
covered entities distribute copies of those plans to relevant personnel 
and promptly provide any significant revisions thereto.\222\ This 
proposed plan distribution requirement is consistent with the current 
BCDR plan distribution requirement for swap entities in current 
Commission regulation 23.603.\223\
---------------------------------------------------------------------------

    \222\ See paragraph (g)(3) of proposed Commission regulations 
1.13 and 23.603.
    \223\ See 17 CFR 23.603(c) (Each swap entity shall distribute a 
copy of its business continuity and disaster recovery plan to 
relevant employees and promptly provide any significant revision 
thereto.).
---------------------------------------------------------------------------

Request for Comment
    The Commission invites comment on all aspects of the proposed 
training requirement.

G. Reviews and Testing--Proposed Paragraph (h)

    To ensure the ORF remains viable and effective over time, the 
proposed rule would require covered entities to establish, implement, 
and maintain a plan reasonably designed to assess its adherence to, and 
the effectiveness of, the ORF through regular reviews and risk-based 
testing.\224\ As discussed above, the purpose of the proposed ORF would 
be to identify, monitor, manage, assess, and report on risks relating 
to information and technology security, third-party relationships, and 
emergencies or other significant business disruptions.\225\ Monitoring 
and managing these risks is a dynamic, ever-evolving process, 
especially given the increased reliance on and rapid evolution of 
technological advancements and related cyber risks.\226\ The Commission 
believes regular reviews and testing are an important tool needed to 
confirm that systems and information remain protected, controls are 
working as expected, and policies and procedures are being 
followed.\227\ Accordingly, the Commission preliminarily believes that 
regular reviews and testing would provide covered entities with 
essential information about the actual quality, performance, and 
reliability of the ORF in relation to its objectives and regulatory 
requirements. The Commission further expects that reviews and testing 
would be key to revealing unknown gaps or weaknesses in systems or 
controls that could then be analyzed to identify corrective actions 
designed to improve overall operational resilience over time.\228\ The 
results of the reviews and testing should be used to support sound 
decision-making at the covered entity regarding prioritization and 
funding of resources in a manner

[[Page 4729]]

that furthers operational resilience.\229\ Without such regular reviews 
and testing, the Commission is concerned that the ORF would quickly 
grow stale and ineffective, allowing unseen vulnerabilities to go 
unaddressed and potentially weaken the stability of the covered entity 
or the financial system at large.
---------------------------------------------------------------------------

    \224\ See paragraph (h) of proposed Commission regulations 1.13 
and 23.603.
    \225\ See paragraph (b)(1) of proposed Commission regulations 
1.13 and 23.603, supra note 55 and accompanying text.
    \226\ See Prudential Operational Resilience Paper, supra note 
11, at 9 (``The firm also regularly reviews and updates its systems 
and controls for security against evolving threats including cyber 
threats and emerging or new technologies.'').
    \227\ See, e.g., 17 CFR 37.1401 (SEFs); 17 CFR 38.1051 (DCMs); 
17 CFR 39.18 (DCOs); 17 CFR 49.24 (SDRs) (requiring system safeguard 
testing). See also FFIEC Information Security Booklet, supra note 69 
(providing that entities should have a documented testing and 
evaluation plan).
    \228\ See also CPMI IOSCO Cyber Resilience Guidance, supra note 
123, at 18 (``Sound testing regimes produce findings that are used 
to identify gaps in stated resilience objectives and provide 
credible and meaningful inputs to the [entity's] cyber risk 
management process. Analysis of testing results provides direction 
on how to correct weaknesses or deficiencies in the cyber resilience 
posture and reduce or eliminate identified gaps.'').
    \229\ See id. at 18 (``The results of the testing programme 
should be used by the [entity] to support the ongoing improvement of 
its cyber resilience.'').
---------------------------------------------------------------------------

1. Reviews--Proposed Paragraph (h)(1)
    Under the proposed rule, reviews would need to include an analysis 
of the adherence to, and the effectiveness of, the ORF, as well as any 
recommendations for modifications or improvements that address root 
causes of issues identified by the review.\230\ Again, the Commission 
believes that the process of reviewing the ORF to evaluate both its 
current effectiveness and make recommendations for prospective 
improvements that relate to deficiencies found through the review would 
help ensure that the ORF remains effective at managing operational 
resilience as circumstances change over time.
---------------------------------------------------------------------------

    \230\ See paragraph (h)(1) of proposed Commission regulations 
1.13 and 23.603.
---------------------------------------------------------------------------

    The proposed rule would require covered entities to conduct such 
reviews at least annually and in connection with any material change to 
the activities or operations of the covered entity that is reasonably 
likely to affect the risks addressed by the ORF.\231\ An annual review 
standard is consistent with the Commission's existing review 
requirement for the RMP for covered entities, the BCDR plan for swap 
entities, and NFA's ISSP Interpretive Notice.\232\ Although the 
Commission would expect the ORF to be reviewed at least annually in its 
entirety, including not only the required plans but training and 
governance, the reviews could be broken into phases, staged over the 
course of the year. The Commission preliminarily believes that 
requiring the ORF to be reviewed on at least an annual basis and in 
connection with any relevant, material business change is sufficiently 
frequent to help ensure that the ORF remains effective and continues to 
meet its objectives over time.
---------------------------------------------------------------------------

    \231\ Id.
    \232\ See 17 CFR 1.11(f)(1); 17 CFR 23.600(e)(1) (requiring 
covered entities to review their RMPs on an annual basis or upon any 
material change in the business reasonably likely to alter their 
risk profile); 17 CFR 23.603(f) (requiring an annual review of swap 
entities' BCDR plan); NFA ISSP Notice, supra note 43 (providing that 
members should perform a regular review of their information systems 
security program at least once every twelve months).
---------------------------------------------------------------------------

    The proposed review requirement for the ORF would replace the 
similar annual review requirement for swap entities' BCDR plans 
contained in current Commission regulation 23.603. Current Commission 
regulation 23.603(f) requires that a member of senior management for a 
swap entity review the BCDR plan annually or upon any material change 
to the business and to document any deficiencies found or corrective 
action taken.\233\ The Commission preliminarily believes that the 
proposed annual review of the ORF, which would encompass a review of 
the BCDR plan, is sufficient to ensure the ORF's effectiveness and that 
it would no longer be necessary for a separate review of the BCDR plan 
to be conducted by senior management.
---------------------------------------------------------------------------

    \233\ See 17 CFR 23.603(f).
---------------------------------------------------------------------------

2. Testing--Proposed Paragraph (h)(2)
    With respect to risk-based testing of the ORF, the proposed rule 
would generally provide that covered entities determine the frequency, 
nature, and scope of the testing consistent with the proposed (b)(3) 
standard.\234\ Covered entities have available to them a wide range of 
testing tools, techniques, and methodologies, particularly with respect 
to information and technology security. Those tools and techniques 
include open source analysis, network security assessments, physical 
security reviews, source code reviews, compatibility testing, 
performance testing, and end-to-end testing, just to name a few.\235\ 
Such testing methods can vary significantly in terms of what they test 
and how, and in the degree of sophistication required to run them 
correctly and reliably.\236\ Covered technology among 
covered entities varies, both in terms of the sensitivity of the data 
and information it contains and transmits, as well as its operational 
importance and risk profile.
---------------------------------------------------------------------------

    \234\ See paragraph (h)(2) of proposed Commission regulations 
1.13 and 23.603. See also paragraph (b)(3) of proposed Commission 
regulations 1.13 and 23.603; supra note 63 and accompanying text.
    \235\ See NIST, SP 800-115, Technical Guide to Information 
Security Testing and Assessment (Sept. 2008).
    \236\ Id.
---------------------------------------------------------------------------

    The Commission therefore preliminarily believes that leaving the 
specifics of the design and implementation of ORF testing to the 
reasonable judgment of each covered entity would help ensure that such 
testing protocols remain nimble as operations and recommended testing 
techniques change progressively over time.\237\ Covered entities would, 
however, need to ensure that the testing is reasonably designed to test 
the effectiveness of the function or system being tested.\238\ Covered 
entities should determine which particular tests to incorporate, 
consistent with the (b)(3) standard and their risk assessments, to 
ensure the testing effectively targets their particular business lines, 
activities, operations, and risk profile. Covered entities would 
accordingly be encouraged to document the decision-making regarding how 
they determined the nature, scope, and frequency of testing.
---------------------------------------------------------------------------

    \237\ See also Interagency Guidelines Safeguarding Customer 
Information, 66 FR 8623 (``The Agencies believe that a variety of 
tests may be used to ensure the controls, systems, and procedures of 
the information security program work properly and also recognize 
that such tests will progressively change over time''); FINRA 
Cybersecurity Report, supra note 66, at 13 (``Many firms determined 
the systems to be tested and the frequency with which they should be 
tested based on a risk assessment where higher risk systems were 
tested more frequently.'').
    \238\ See paragraph (h) of proposed Commission regulations 1.13 
and 23.603 (requiring that the testing plan be reasonably designed 
to assess the adherence to, and the effectiveness of, the ORF).
---------------------------------------------------------------------------

    Although the proposed rule would generally not mandate the use of 
any specific techniques, it would establish certain minimum testing 
frequencies with respect to a few testing categories that have broad 
consensus. With respect to testing of the information and technology 
security program, the proposed rule would require testing of key 
controls and the incident response plan at least annually.\239\ 
Consistent with the definition in the Commission's system safeguard 
rules for registered entities, the proposal would define ``key 
controls'' as those controls that an appropriate risk analysis 
determines are either critically important for effective information 
and technology security, or are intended to address risks that evolve 
or change more frequently and therefore require more frequent review to 
ensure their continuing effectiveness in addressing such risks.\240\ 
Given their importance to preserving information and technology 
security and recovering from incidents, the Commission believes that 
regular testing of the incident response plan and key controls on at 
least an annual basis is an important baseline requirement to ensure 
the continued effectiveness of

[[Page 4730]]

the information and technology security program.\241\
---------------------------------------------------------------------------

    \239\ See paragraph (h)(2)(i)(A) of proposed Commission 
regulations 1.13 and 23.603.
    \240\ See paragraph (a) of proposed Commission regulations 1.13 
and 23.603 (defining ``key controls''). See also 17 CFR 
37.1401(h)(1) (SEFs); 17 CFR 38.1051(h)(1) (DCMs); 17 CFR 39.18(a) 
(DCOs); 17 CFR 49.24(j)(1) (SDRs) (defining ``key controls'' for 
purposes of system safeguard requirements).
    \241\ See 17 CFR 37.1401(h)(5) (SEFs); 17 CFR 38.1051(h)(5) 
(DCMs); 17 CFR 39.18(e)(5) (DCOs); 17 CFR 49.24(j)(5) (SDRs) (annual 
testing of incident response plans and key controls); see also 
FFIEC, Information Technology Handbook, Audit Booklet at A-15 (Apr. 
2012) (including testing of key controls at least annually as an 
examination point).
---------------------------------------------------------------------------

    The proposed rule would also require that testing of the 
information and technology security program include vulnerability 
assessments and penetration testing.\242\ Vulnerability assessments 
include methods and techniques to identify, diagnose, and prioritize 
vulnerabilities in the security of covered technology.\243\ Technical 
vulnerabilities can be identified through scanner tools, which can be 
run continuously or periodically, often daily, and may include checking 
servers for security patches to ensure they are current.\244\ 
Penetration testing (or ``pen testing''), meanwhile, attempts to 
identify ways to exploit vulnerabilities and circumvent or defeat 
security features, mimicking potential real-world attacks. Experts have 
developed a wide variety of penetration tests (e.g., wireless, network, 
web application, cloud, client side, social engineering, physical, 
threat-led) and approaches to or modes of completing them (e.g., black 
box, white box, gray box).\245\ Some tests go further by using cyber-
threat intelligence to design the simulated attacks, a form of testing 
referred to as threat-led penetration testing or ``red teaming.'' \246\
---------------------------------------------------------------------------

    \242\ See paragraphs (h)(2)(i)(B)-(C) of proposed Commission 
regulations 1.13 and 23.603.
    \243\ See FFIEC Information Security Booklet, supra note 69, at 
8.
    \244\ Id.
    \245\ See FINRA Cybersecurity Report, supra note 66, at 13.
    \246\ See FSI, FSI Insights on policy implementation No. 21, 
Varying shades of red: how red team testing frameworks can enhance 
the cyber resilience of financial institutions (Nov. 2019).
---------------------------------------------------------------------------

    With respect to vulnerability assessments, the proposed rule would 
require covered entities to test their information and technology 
security programs using vulnerability assessments, including daily or 
continuous automated vulnerability scans.\247\ The Commission 
preliminarily believes that some degree of vulnerability assessment is 
considered standard cybersecurity hygiene in order to monitor systems 
and controls for vulnerabilities, and that the availability of 
automated vulnerability scanning tools helps provide a base level of 
monitoring that is easily accessible to all covered entities.\248\
---------------------------------------------------------------------------

    \247\ See paragraph (h)(2)(i)(B) of proposed Commission 
regulations 1.13 and 23.603. See also 17 CFR 37.1401(h)(2) (SEFs); 
17 CFR 38.1051(h)(2) (DCMs); 17 CFR 39.18(e)(2) (DCOs); 17 CFR 
49.24(j)(2) (SDRs) (requiring automated vulnerability scanning).
    \248\ For instance, CISA makes available a free vulnerability 
scanner. See CISA, Cyber Hygiene Services, available at https://www.cisa.gov/cyber-hygiene-services.
---------------------------------------------------------------------------
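As an added illustration (not part of the notice, and not the output format of any particular scanner), the Python below reduces daily scanner output to the three things a reviewer of the vulnerability assessment program actually needs: hosts in the inventory that have never been scanned, hosts whose latest scan is older than the daily cadence plus a grace period, and open findings from each host's most recent scan, prioritized by CVSS severity and by how far past an assumed remediation deadline they are. The inventory, the one-record-per-line JSON format, the ADV-* identifiers, the package names and the SLA table are all constructed assumptions; the patch-currency check is the "fixed version available" flag carried on each finding.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed asset inventory and scan output. The one-record-per-line JSON
# format and the ADV-* identifiers are hypothetical, not the export of any
# real scanner; adapt the parsing to the scanner actually in use.
INVENTORY = ["web-01", "web-02", "db-01", "bastion-01"]

SCAN_LOG = """\
{"host": "web-01", "scanned_at": "2024-01-24T03:10:00Z", "findings": [{"id": "ADV-0001", "cvss": 9.8, "package": "examplelib", "installed": "1.2.0", "fixed": "1.2.1", "first_seen": "2024-01-10T03:00:00Z"}]}
{"host": "web-02", "scanned_at": "2024-01-22T03:05:00Z", "findings": [{"id": "ADV-0002", "cvss": 5.3, "package": "samplesvc", "installed": "4.0", "fixed": null, "first_seen": "2024-01-20T03:00:00Z"}]}
{"host": "db-01", "scanned_at": "2024-01-23T03:20:00Z", "findings": [{"id": "ADV-0003", "cvss": 7.5, "package": "dbengine", "installed": "9.1", "fixed": "9.2", "first_seen": "2024-01-23T03:20:00Z"}]}
{"host": "db-01", "scanned_at": "2024-01-24T03:20:00Z", "findings": []}
"""

# Remediation deadline in days by severity (assumed firm policy, not a rule requirement).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def severity(cvss: float) -> str:
    """Map a CVSS base score to the CVSS v3 qualitative severity bucket."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def assess(scan_log: str, inventory: List[str], now: datetime,
           max_scan_age: timedelta = timedelta(hours=26)) -> Dict[str, list]:
    """Return hosts never scanned, hosts whose last scan exceeds the daily
    cadence plus grace, and open findings from each host's newest scan."""
    latest: Dict[str, dict] = {}
    for line in scan_log.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["scanned_at"] = parse_ts(rec["scanned_at"])
        # Keep only the newest record per host, so a finding already fixed
        # since an earlier scan is not reported again.
        if rec["host"] not in latest or rec["scanned_at"] > latest[rec["host"]]["scanned_at"]:
            latest[rec["host"]] = rec

    never_scanned = [h for h in inventory if h not in latest]
    scan_overdue = [h for h, rec in latest.items() if now - rec["scanned_at"] > max_scan_age]

    findings = []
    for host, rec in latest.items():
        for f in rec["findings"]:
            sev = severity(f["cvss"])
            due = parse_ts(f["first_seen"]) + timedelta(days=SLA_DAYS[sev])
            findings.append({
                "host": host,
                "id": f["id"],
                "severity": sev,
                "patch_available": f.get("fixed") is not None,
                "overdue_days": max(0, (now - due).days),
            })
    # Most severe first; within a severity, the longest overdue first.
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], -f["overdue_days"]))
    return {"never_scanned": never_scanned, "scan_overdue": scan_overdue, "findings": findings}


def run_scan_assessment() -> Dict[str, list]:
    now = datetime(2024, 1, 24, 12, 0, tzinfo=timezone.utc)
    return assess(SCAN_LOG, INVENTORY, now)


if __name__ == "__main__":
    print(json.dumps(run_scan_assessment(), indent=2))
```

Two failure modes the paragraph does not spell out are handled explicitly: a host that exists in the inventory but never appears in scanner output is a coverage gap (here, bastion-01), and a host that was scanned but not within the expected daily window (here, web-02) is a cadence failure, which is different from a host that was scanned and is clean. The earlier db-01 record shows why only the newest scan per host should feed the findings list: its high-severity finding was fixed by the next day's scan and is no longer reported.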

    With respect to penetration testing, the proposed rule would not 
require covered entities to undertake specific types of testing. Given 
the diverse nature of entities registered as FCMs and swap entities, 
the Commission believes that determination of the type and method of 
penetration testing would be best left to the reasoned judgment of 
each covered entity after conducting its own assessment. The Commission 
would, however, require that covered entities conduct some penetration 
testing at least annually.\249\ The Commission preliminarily believes 
that annual penetration testing of some type, determined consistent 
with the proposed (b)(3) standard, would be important for covered 
entities to have knowledge and awareness of the actual vulnerability of 
their covered technology to internal or external threats. According to 
FINRA's 2018 cyber risk report, firms with strong cybersecurity 
programs conducted penetration tests at least annually and more 
frequently for mission critical, high risk systems such as for an 
online trading system.\250\ Covered entities would also be encouraged 
to consider additional risk-based penetration testing after key events, 
such as any time a significant change is made to important elements of 
the firm's applications and systems infrastructure, in addition to any 
other regular compliance testing.
---------------------------------------------------------------------------

    \249\ See paragraph (h)(2)(i)(C) of proposed Commission 
regulations 1.13 and 23.603.
    \250\ FINRA Cybersecurity Report, supra note 66, at 13-14. 
FFIEC's exam book also appears to contemplate at least some degree 
of penetration testing among financial institutions. See FFIEC 
Information Security Booklet, supra note 69, at 55 (noting that 
independent testing, including penetration testing and vulnerability 
scanning, is conducted according to the risk assessment for 
external-facing systems and the internal network).
---------------------------------------------------------------------------

    Current Commission regulation 23.603 includes a testing requirement 
for the BCDR plan for swap entities.\251\ The proposed ORF testing 
provision would replace that requirement in current Commission 
regulation 23.603 and specify that, as part of the testing, covered 
entities would need to conduct a walk-through or tabletop exercise 
designed to test the effectiveness of backup facilities and 
capabilities at least annually.\252\ The Commission preliminarily 
believes that swap entities currently test their BCDR plans through 
such exercises and that they are an important way to test the 
effectiveness of a BCDR plan in practice. Unlike current Commission 
regulation 23.603, however, the proposed rule would not require that 
covered entities' BCDR plans be audited every three years by a 
qualified third-party service provider.\253\ Based on the Commission's 
experience, this audit requirement has proven redundant and unnecessary 
in light of the requirements to review and test the plan annually.
---------------------------------------------------------------------------

    \251\ See 17 CFR 23.603(g) (requiring the BCDR plan to be tested 
annually by qualified, independent internal personnel or a qualified 
third-party service).
    \252\ Current Commission regulation 23.603 does not specify the 
nature of the BCDR testing, see id.
    \253\ See id. (``Each business continuity and disaster recovery 
plan shall be audited at least once every three years by a qualified 
third party service. The date the audit was performed shall be 
documented, together with the nature and scope of the audit, any 
deficiencies found, any corrective action taken, and the date that 
corrective action was taken.'').
---------------------------------------------------------------------------

3. Independence--Proposed Paragraph (h)(3)
    To support the reliability and objectivity of the review and 
testing results, the proposed rule would require the reviews and 
testing to be conducted by qualified personnel who are independent of 
the aspect of the ORF being reviewed or tested.\254\ The personnel 
conducting the testing could be employees of the covered entity itself, 
an affiliate, or of a third-party service provider, provided that such 
personnel are sufficiently trained and not responsible for the 
development, installation, operation, or maintenance of the ``object'' 
of the testing (e.g., covered technology, key controls, training, 
etc.). For example, a covered entity's internal audit department may be 
sufficiently trained and independent to test certain key controls but 
may need to secure a third-party to test certain systems or program 
installations if it does not have sufficient capabilities in-house. 
Covered entities would therefore be permitted under the proposal to 
determine whether a particular test should be conducted in-house or by 
a third-party service provider, provided that the qualification and 
independence requirements are met.\255\
---------------------------------------------------------------------------

    \254\ See paragraph (h)(3) of proposed Commission regulations 
1.13 and 23.603.
    \255\ If a covered entity determines to use a third-party 
service provider, the proposed requirements and guidance with 
respect to the management of third-party relationships would apply. 
See supra note 153 and accompanying text.
---------------------------------------------------------------------------

    This proposed independence requirement is consistent with the 
testing requirement for swap entity
BCDR plans in current Commission regulation 23.603.\256\
---------------------------------------------------------------------------

    \256\ See 17 CFR 23.603(g) (requiring the BCDR plan to be tested 
annually by qualified, independent internal personnel or a qualified 
third-party service).
---------------------------------------------------------------------------

4. Documentation--Proposed Paragraph (h)(4)
    The proposed rule would require covered entities to document all 
reviews and testing of the ORF. The documentation would need to 
include, at a minimum: (i) the date the review or testing was 
conducted; (ii) the nature and scope of the review or testing, 
including methodologies employed; (iii) the results of the review or 
testing, including any assessment of effectiveness; (iv) any identified 
deficiencies and recommendations for remediation; and (v) any 
corrective action(s) taken, including the date(s) such actions were 
taken.\257\ The Commission preliminarily believes documenting these key 
aspects of the testing and related results would not only assist in 
ensuring accountability for the testing, but would help covered 
entities take full advantage of any insights the testing may provide 
and to build upon their resiliency from lessons learned. Such 
documentation would also assist the Commission in performing its 
oversight duties with respect to covered entities and their 
implementation of their ORF.
---------------------------------------------------------------------------

    \257\ See paragraph (h)(4)(i)-(v) of proposed Commission 
regulations 1.13 and 23.603.
---------------------------------------------------------------------------

    This proposed documentation requirement is consistent with the 
requirement for swap entity BCDR plans in current Commission regulation 
23.603.\258\
---------------------------------------------------------------------------

    \258\ See 17 CFR 23.603(g) (``The date the testing was performed 
shall be documented, together with the nature and scope of the 
testing, any deficiencies found, any corrective action taken, and 
the date that corrective action was taken.'').
---------------------------------------------------------------------------

5. Internal Reporting--Proposed Paragraph (h)(5)
    To support covered entities' compliance with the ORF rule and 
ensure that senior leadership is apprised of and held accountable for 
the effectiveness of the ORF, the proposed rule would expressly require 
covered entities to report on the results of their reviews and testing 
to the CCO and any other relevant senior-level official(s) and 
oversight body(ies).\259\ The proposed rule would not mandate the form, 
method, or frequency of such reporting, but the Commission would 
encourage the reporting to be provided in a sufficiently timely manner 
so as to allow the CCO and senior leadership to act upon the 
information to take steps to improve compliance and the overall 
effectiveness of the ORF.
---------------------------------------------------------------------------

    \259\ See paragraph (h)(5) of proposed Commission regulations 
1.13 and 23.603.
---------------------------------------------------------------------------

    This requirement does not exist with respect to the swap entity 
BCDR plan requirement in current Commission regulation 23.603 and would 
therefore be a new requirement.

6. Request for Comment
    The Commission invites comment on all aspects of the proposed 
review and testing requirements, including the following question:
    1. Key Controls. The proposed rule would require covered entities 
to test key controls on at least an annual basis and includes a 
definition of ``key controls'' that is comparable to how the term is 
defined for purposes of the Commission's system safeguard requirements 
for registered entities.\260\ Are covered entities currently testing 
key controls? How are they determining what controls should be 
regularly tested? Should the Commission consider allowing covered 
entities to define ``key controls'' for themselves consistent with the 
proposed (b)(3) standard?
---------------------------------------------------------------------------

    \260\ See, e.g., 17 CFR 37.1401(h)(1) (SEFs); 17 CFR 
38.1051(h)(1) (DCMs); 17 CFR 39.18(a) (DCOs); 17 CFR 49.24(j)(1) 
(SDRs) (defining ``key controls'' for purposes of system safeguard 
requirements).
---------------------------------------------------------------------------

H. Required Notifications--Proposed Paragraphs (i) and (j)

    The proposed rule would require covered entities to notify the 
Commission, customers, or counterparties of certain events within the 
scope of the ORF. Notifications to the Commission would relate to 
incidents that have an adverse impact, or a covered entity's decision 
to activate its BCDR plan.\261\ Notifications to customers or 
counterparties would relate to incidents that adversely impact their 
interests.\262\ These notification provisions are discussed in turn 
below.
---------------------------------------------------------------------------

    \261\ See paragraph (i) of proposed Commission regulations 1.13 
and 23.603.
    \262\ See paragraph (j) of proposed Commission regulations 1.13 
and 23.603.
---------------------------------------------------------------------------

1. Commission Notification of Incidents--Proposed Paragraph (i)(1)
    The proposed rule would require covered entities to notify the 
Commission of any incident that adversely impacts, or is reasonably 
likely to adversely impact, (A) information and technology security, 
(B) the ability of the covered entity to continue its business 
activities as a covered entity, or (C) the assets or positions of a 
customer or counterparty.\263\ The notification would need to include 
any information available to the covered entity at the time of the 
notification that could assist the Commission in assessing and 
responding to the incident, including the date the incident was 
detected, possible cause(s) of the incident, its apparent or likely 
impacts, and any actions the covered entity has taken or is taking to 
mitigate or recover from the incident, including measures to protect 
customers or counterparties.\264\ Covered entities would need to 
provide the notification as soon as possible, but no later than 24 
hours after such incident has been detected.\265\
---------------------------------------------------------------------------

    \263\ See paragraph (i)(1)(A)-(C) of proposed Commission 
regulations 1.13 and 23.603.
    \264\ See paragraph (i)(1)(ii) of proposed Commission 
regulations 1.13 and 23.603.
    \265\ See paragraph (i)(1)(iii) of proposed Commission 
regulations 1.13 and 23.603.
---------------------------------------------------------------------------

    The purpose of this proposed notification provision is multifold. 
At a fundamental level, the proposed rule would allow the Commission to 
exercise its oversight function with respect to the ORF, offering the 
Commission a real-world, real-time insight into the effectiveness of a 
particular covered entity's ORF and whether it is operating as 
intended. Early warning of impactful incidents would also enable the 
Commission to be more responsive, providing guidance or appropriate 
relief to help the covered entity withstand and recover from the 
incident. The Commission would also expect such early warnings to aid 
it in identifying and reacting to events that could pose a more 
systemic threat, either to the markets due to the severity of the 
impact of the incident or to other covered entities due to the nature 
of the incident (e.g., a ransomware attack against multiple covered 
entities or a third-party service provider engaged by more than one 
covered entity). In such potentially systemic circumstances, early 
awareness of the incident is expected to facilitate the Commission's 
role in coordinating industry efforts and information sharing, allowing 
it to help forestall the impact of potential broad-scale threats by 
sharing information with other regulators through its involvement in 
the Financial and Banking Information Infrastructure Committee (FBIIC), 
issuing timely statements to stabilize public confidence, and 
potentially taking emergency regulatory action. Over time, the Commission 
preliminarily believes that the knowledge and experience gained from 
these incident reports could provide the Commission a vantage point 
from which to identify trends and lessons learned that could improve 
its supervisory guidance supporting industry efforts to
enhance their ORF practices, or lead to other regulatory improvements.
    As discussed above, the proposed rule would define ``incident'' as 
any event, occurrence or circumstance that could jeopardize (i.e., put 
into danger) information and technology security.\266\ This standard 
would include events that have the potential to harm information and 
technology security regardless of whether a harm actually materializes. 
The proposed notification standard, by contrast, would limit the scope 
of incidents required to be reported to the Commission to those where 
there is an observable negative impact or harm, or such negative impact 
or harm is reasonably likely. Covered entities would not, for instance, 
need to notify the Commission of unsuccessful attempts at unauthorized 
access, as the detection and deterrence of such an attempt would not 
require Commission action and would appear to be suggestive of an ORF 
that is operating as expected. If, however, a covered entity determines 
that an unauthorized person did access covered information, the 
Commission would need to be notified, regardless of how much 
information was accessed or whether the covered entity believes it has 
been used. The Commission would similarly want to know of any 
successful distributed denial-of-service attack that disrupts business 
operations, regardless of the length of time of that disruption.\267\
---------------------------------------------------------------------------

    \266\ See paragraph (a) of proposed Commission regulations 1.13 
and 23.603 (defining ``incident'').
    \267\ Covered entities would not need to notify the Commission 
of routine testing or planned maintenance.
---------------------------------------------------------------------------

    The Commission appreciates that, at the outset, information 
regarding an incident is likely to be incomplete and in flux, and the 
full impact and root cause of an incident may take some time to reveal 
itself. Covered entities may also not be able to detect incidents 
immediately after their occurrence, and with sophisticated malicious 
attacks, culprits often take steps to hide their intrusions. 
Nevertheless, the Commission preliminarily believes that delays in 
reporting an incident to the Commission could impede its ability to 
make timely assessments and take appropriate action. The Commission is 
concerned that such delays could have broad implications, especially 
when there are potential sector-wide ramifications or spill-over 
effects to other regulated entities that the Commission could assist in 
managing.
    Accordingly, the proposed rule would not prescribe a specific form 
or content for the notification or include a materiality limiter. The 
proposed rule would only require that covered entities provide whatever 
information they have on hand at the time that could assist the 
Commission in its assessment and response activities.\268\ If the 
proposed rule is adopted, the Commission would simply expect that as an 
incident progresses, covered entities would continue to engage with the 
Commission and provide updates as needed.\269\
---------------------------------------------------------------------------

    \268\ See paragraph (i)(1)(ii) of proposed Commission 
regulations 1.13 and 23.603.
    \269\ For avoidance of doubt, the proposed rule would not have 
any impact on covered entities' obligations to notify criminal 
authorities as appropriate or required by other law or regulation.
---------------------------------------------------------------------------

    The proposed rule would not prescribe a particular form for the 
notification but would require notification via email.\270\
---------------------------------------------------------------------------

    \270\ See paragraph (i)(2)(iii) of proposed Commission 
regulations 1.13 and 23.603.
---------------------------------------------------------------------------

2. Commission Notification of BCDR Plan Activation--Proposed Paragraph 
(i)(2)
    For similar reasons, the proposed rule would also require covered 
entities to notify the Commission of any determination to activate its 
BCDR plan.\271\ Consistent with the proposed incident notification, 
covered entities would need to notify the Commission of their 
determination to activate their BCDR plan within 24 hours of making 
that determination.\272\ Current Commission regulation 23.603 requires 
swap entities to notify the Commission ``promptly'' of any emergency or 
other disruption that may affect the ability of a swap entity to 
fulfill its regulatory obligations or would have a significant adverse 
effect on the swap entity, its counterparties, or the market.\273\ 
Based on the Commission's experience with this provision, which became 
particularly relevant during the onset of the COVID-19 pandemic, the 
Commission believes this standard has been open to wide interpretation 
among swap entities, leading to broad variations in the timeliness of 
the notifications to the Commission regarding their decisions to 
implement their BCDR plans and employ a remote work posture. The 
Commission therefore preliminarily believes that a more bright-line 
test that centers on the decision to activate the BCDR plan, an action 
that presumably would not occur absent an emergency or significant 
disruption impacting the covered entity, would be easier to apply. The 
Commission also believes such a standard would facilitate the prompt 
delivery of information to the Commission so that it may consider 
whether any action to support the continued integrity of the markets 
during the course of the emergency is necessary to continue to fulfill 
its oversight obligations. For that purpose, the Commission believes 
that 24 hours from activation of the BCDR plan would both encourage 
covered entities to inform the Commission with sufficient time for it 
to take any needed action and encourage covered entities to focus 
initial efforts on resuming or continuing operations.
---------------------------------------------------------------------------

    \271\ See paragraph (i)(2)(i) of proposed Commission regulations 
1.13 and 23.603.
    \272\ See paragraph (i)(2)(iii) of proposed Commission 
regulations 1.13 and 23.603.
    \273\ See 17 CFR 23.603(d) (``Each swap dealer and major swap 
participant shall promptly notify the Commission of any emergency or 
other disruption that may affect the ability of the swap dealer or 
major swap participant to fulfill its regulatory obligations or 
would have a significant adverse effect on the swap dealer or major 
swap participant, its counterparties, or the market.'').
---------------------------------------------------------------------------

    Under the proposed rule, the notification would need to include all 
information available to the covered entity at that time, including the 
date of the emergency or disruption, a brief description thereof, its 
apparent impact, and any actions the covered entity has taken or is 
taking to mitigate or recover from the incident, including measures to 
protect customers and counterparties, as the Commission believes this 
information would be necessary for it to perform its oversight 
obligations and take responsive action if needed.\274\ The proposed 
rule would not prescribe a particular form for the notification but 
would require notification via email.\275\
---------------------------------------------------------------------------

    \274\ See paragraph (i)(2)(ii) of proposed Commission 
regulations 1.13 and 23.603.
    \275\ See paragraph (i)(2)(iii) of proposed Commission 
regulations 1.13 and 23.603. Current Commission regulation 23.603 
does not prescribe the contents of the notification or the method of 
notification, so these would be new requirements for swap entities. 
See 17 CFR 23.603(d) (``Each swap dealer and major swap participant 
shall promptly notify the Commission of any emergency or other 
disruption that may affect the ability of the swap dealer or major 
swap participant to fulfill its regulatory obligations or would have 
a significant adverse effect on the swap dealer or major swap 
participant, its counterparties, or the market.'').
---------------------------------------------------------------------------

3. Notifications to Customers or Counterparties--Proposed Paragraph (j)
    Finally, the proposed rule would require covered entities to notify 
customers or counterparties as soon as possible of any incident that 
could have adversely affected the confidentiality or integrity of such 
customer or counterparty's covered information or their assets or 
positions.\276\ Such incidents could include the identification of a 
longstanding vulnerability that left exposed covered information, 
regardless of whether the covered entity has determined that a
bad actor has obtained access to that information. The Commission 
preliminarily believes that covered entities owe an enhanced duty to 
protect the covered information provided to them by their customers and 
counterparties in order to ensure market integrity and support customer 
protections. The proposed notification standard therefore encompasses 
incidents where an impact on customers or counterparties may not be 
definite so that they may have an opportunity to take whatever actions 
they deem necessary to protect their interests.
---------------------------------------------------------------------------

    \276\ See paragraph (j)(1) of proposed Commission regulations 
1.13 and 23.603.
---------------------------------------------------------------------------

    Unlike with the proposed notifications to the Commission, however, 
the Commission preliminarily believes that the accuracy of information 
provided to customers and counterparties should be prioritized over 
early delivery to avoid causing unnecessary panic that could have 
potentially negative and irreversible spill-over effects. Accordingly, 
the proposed customer/counterparty notification provision does not 
include a specific minimum timing requirement for the notification 
other than to require the notification to be provided to customers and 
counterparties as soon as possible.\277\ The proposed rule would 
further require covered entities to disclose to customers and 
counterparties information necessary for them to understand and assess 
the potential impact of the incident on their information, assets, or 
positions and take any necessary actions (e.g., closing accounts, 
changing passwords).\278\ Such information would include, at a minimum, 
a description of the incident, the particular way in which the customer 
or counterparty may have been adversely impacted, measures taken by the 
covered entity to protect against further harm, and contact information 
for the covered entity where the customer or counterparty may learn 
more or ask questions.\279\
---------------------------------------------------------------------------

    \277\ See id.
    \278\ See paragraphs (j)(2)(i)-(iv) of proposed Commission 
regulations 1.13 and 23.603.
    \279\ See id.
---------------------------------------------------------------------------
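    As an added illustration, not part of the proposed rule or its 
text, the following Python models the notification decisions described 
above for proposed paragraphs (i)(1) and (j): the 24-hour Commission 
deadline measured from detection, the harm gate that excludes blocked 
attempts and routine testing, and the lower "could have affected" bar 
for customer and counterparty notices. The Incident fields, the sample 
incidents, the notice item names and the treatment of an exposure with 
no observed access as a reasonably likely adverse impact are assumptions 
made for the example.

```python
"""Notification triage modelled on proposed paragraphs (i)(1) and (j).
Added example, not rule text; Incident fields, sample incidents and
notice item names are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Proposed (i)(1)(iii): as soon as possible, no later than 24 hours after detection.
COMMISSION_DEADLINE = timedelta(hours=24)
# Proposed (i)(1)(ii): what the Commission notice carries when known at the time.
COMMISSION_NOTICE_ITEMS = ("date_detected", "possible_causes",
                           "apparent_impacts", "mitigation_actions")
# Proposed (j)(2)(i)-(iv): minimum content of a customer/counterparty notice.
CUSTOMER_NOTICE_ITEMS = ("description", "customer_impact",
                         "protective_measures", "contact_information")


@dataclass
class Incident:
    detected_at: datetime
    summary: str
    # Harm gate for the Commission notice: impact observed, or reasonably likely.
    adverse_impact_observed: bool = False
    adverse_impact_likely: bool = False
    # Interests listed in proposed (i)(1)(A)-(C).
    affects_it_security: bool = False
    affects_business_operations: bool = False
    affects_customer_assets: bool = False
    # Proposed (j): customer/counterparty covered information "could have" been
    # affected in confidentiality or integrity; no harm-likelihood gate applies.
    customer_info_possibly_affected: bool = False
    # Footnote 267: routine testing and planned maintenance need no notice.
    routine_test_or_maintenance: bool = False


@dataclass
class Decision:
    notify_commission: bool
    commission_deadline: Optional[datetime]
    notify_customers: bool
    reasons: List[str] = field(default_factory=list)


def triage(inc: Incident) -> Decision:
    """Decide which notices the proposal would require for one incident."""
    if inc.routine_test_or_maintenance:
        return Decision(False, None, False, ["routine testing or planned maintenance"])
    reasons: List[str] = []
    harm_gate = inc.adverse_impact_observed or inc.adverse_impact_likely
    triggers = {
        "(A) information and technology security": inc.affects_it_security,
        "(B) ability to continue business as a covered entity": inc.affects_business_operations,
        "(C) customer or counterparty assets or positions": inc.affects_customer_assets,
    }
    commission = harm_gate and any(triggers.values())
    if commission:
        reasons += ["Commission: " + k for k, hit in triggers.items() if hit]
    elif any(triggers.values()):
        # e.g. a blocked unauthorized-access attempt: detected and deterred, no notice.
        reasons.append("no observed or reasonably likely adverse impact")
    # "Could have adversely affected" is a lower bar than the Commission harm gate.
    customers = inc.customer_info_possibly_affected or inc.affects_customer_assets
    if customers:
        reasons.append("customers/counterparties: covered information, assets or "
                       "positions could have been affected")
    deadline = inc.detected_at + COMMISSION_DEADLINE if commission else None
    return Decision(commission, deadline, customers, reasons)


def notice_gaps(notice: Dict[str, str], required=COMMISSION_NOTICE_ITEMS) -> List[str]:
    """Items not yet known.  The proposal asks for whatever is on hand at the time
    and for updates as the incident progresses, so gaps are follow-up work, not a
    reason to hold the initial notice past the deadline."""
    return [item for item in required if not notice.get(item)]


# Constructed sample incidents, all detected at the same constructed time.
T0 = datetime(2024, 1, 24, 9, 30, tzinfo=timezone.utc)
SAMPLES = {
    "blocked_attempts": Incident(
        T0, "repeated failed logins against the client portal, all blocked",
        affects_it_security=True),
    "unauthorized_access": Incident(
        T0, "one customer's covered information read by an unauthorized party",
        adverse_impact_observed=True, affects_it_security=True,
        customer_info_possibly_affected=True),
    "ddos": Incident(
        T0, "DDoS disrupted order entry for ten minutes",
        adverse_impact_observed=True, affects_business_operations=True),
    "failover_exercise": Incident(
        T0, "scheduled failover exercise to the backup site",
        routine_test_or_maintenance=True),
    # Assumption for the example: exposure of covered information is treated as a
    # reasonably likely adverse impact on IT security.
    "exposed_store": Incident(
        T0, "long-standing misconfiguration exposed covered information; no access seen",
        adverse_impact_likely=True, affects_it_security=True,
        customer_info_possibly_affected=True),
}
```

Running `triage` over `SAMPLES` shows that only the blocked attempts and the 
planned exercise generate no notice, while the exposure with no observed 
access still triggers the customer notice under paragraph (j).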

4. Request for Comment
    The Commission invites comment on all aspects of its proposed ORF 
notification provisions, including the following questions:
    1. Incident notification to Commission. The proposed rule would 
require covered entities to notify the Commission of any incident that 
``adversely impacts, or is reasonably likely to adversely impact,'' 
information and technology security, the ability of the covered entity 
to continue its business activities as a covered entity, or the assets 
or positions of a customer or counterparty. As discussed above, the 
Commission believes this standard would give the Commission an early 
warning of incidents that do result in an observable negative impact or 
harm, or where such negative impact or harm is reasonably likely, i.e., 
where information and technology security, business operations, or 
customers/counterparties are harmed or compromised. Given the purpose of the 
proposed rule as providing the Commission an early warning so that it 
may act to help mitigate the potential impacts of the event, the 
proposed rule does not include a materiality limiter. Should the 
Commission consider changing the requirement to further limit 
the incident notice to the incidents with a ``material'' or 
``significant'' adverse impact, or where such a material or significant 
adverse impact would be reasonably likely? If yes, how would including 
such a materiality limiter change the scope of incidents that would be 
reported to the Commission? In other words, what types of incidents 
would not be reported to the Commission under a standard that includes 
a materiality limiter, and why should the Commission not receive an 
early warning of those types of incidents? Please explain and provide 
examples.
    2. BCDR notification to Commission. The Commission is proposing to 
change the notification requirement in Commission regulation 23.603 to 
trigger upon a covered entity's determination to activate its BCDR 
plan, rather than ``promptly'' after an emergency or other disruption. 
Do covered entities typically make a specific determination before 
activating the BCDR plan? What is the process for making that 
determination and who makes it? Are there aspects of the BCDR plan that 
may become active before any formal determination is made? Should the 
Commission instead require notification ``when'' or ``as soon as'' a 
BCDR plan is activated? Why or why not? Please explain.
    3. Notifications to customers or counterparties. The proposed rule 
would require covered entities to provide affected customers and 
counterparties information necessary for the affected customer/
counterparty to understand and assess the potential impact of the 
incident on its information, assets, or positions and to take any 
necessary action. Does the proposed rule provide sufficient information 
for covered entities to assess and comply with that standard?

I. Amendment and Expansion of Other Provisions in Current Commission 
Regulation 23.603

    As mentioned in previous sections of this notice, the proposed rule 
would expand and apply the substance of existing provisions in current 
Commission regulation 23.603 to all covered entities and the ORF in its 
entirety. Such provisions not yet addressed include (1) the 
establishment of emergency contacts for the Commission and (2) 
recordkeeping obligations.\280\
---------------------------------------------------------------------------

    \280\ See 17 CFR 23.603(e) and (i). The Commission would not 
retain Commission regulation 23.603(h) (business continuity and 
disaster recovery plans required by other regulatory authorities) as 
superfluous, see supra note 198.
---------------------------------------------------------------------------

1. Emergency Contacts--Proposed Paragraph (k)
    To assist the Commission in responding to a reported incident, or 
an emergency or other significant disruption causing a covered entity 
to activate its BCDR plan, the proposed rule would require each covered 
entity to provide the Commission the name and contact information for 
two employees with knowledge of the covered entity's incident response 
plan and two employees with knowledge of the covered entity's BCDR 
plan.\281\ Each identified employee would need to be authorized to make 
key decisions on behalf of the covered entity in the event of either an 
incident or the BCDR plan activation, as applicable, as the Commission 
would want to be sure to be contacting personnel with appropriate 
knowledge and authority.\282\ Any updates to the ORF contacts would 
need to be made to the Commission as necessary to ensure the 
Commission's contact information remains accurate and up to date.\283\
---------------------------------------------------------------------------

    \281\ See paragraph (k)(1) of proposed Commission regulations 
1.13 and 23.603. See also 17 CFR 23.603(e) (requiring the 
designation of two emergency contacts with respect to the BCDR plan 
for swap entities).
    \282\ See paragraph (k)(2) of proposed Commission regulations 
1.13 and 23.603. The two employee contacts identified with respect 
to the information and technology security program could be the same 
as the employee contacts for the BCDR plan, provided that they have 
the requisite authority. See id.
    \283\ See paragraph (k)(3) of proposed Commission regulations 
1.13 and 23.603.
---------------------------------------------------------------------------

    This provision is consistent with the existing emergency contacts 
requirement in the swap entity BCDR plan requirement in current 
Commission regulation 23.603.\284\
---------------------------------------------------------------------------

    \284\ See 17 CFR 23.603(e) (``Each swap dealer and major swap 
participant shall provide to the Commission the name and contact 
information of two employees who the Commission can contact in the 
event of an emergency or other disruption. The individuals 
identified shall be authorized to make key decisions on behalf of 
the swap dealer or major swap participant and have knowledge of the 
firm's business continuity and disaster recovery plan. The swap 
dealer or major swap participant shall provide the Commission with 
any updates to this information promptly.'').
---------------------------------------------------------------------------

[[Page 4734]]

2. Recordkeeping--Proposed Paragraph (l)
    To aid the Commission in fulfilling its oversight responsibilities, 
the proposed rule would require each covered entity to maintain all 
records required pursuant to the proposed ORF rule, including the 
information and technology security program, the third-party 
relationship program, and the BCDR plan, in accordance with Commission 
regulation 1.31 and to make them available promptly upon request to 
representatives of the Commission and to representatives of applicable 
prudential regulators as defined in section 1a(39) of the CEA.\285\ 
This provision is consistent with the existing recordkeeping 
requirement in the swap entity BCDR plan requirement in current 
Commission regulation 23.603.\286\
---------------------------------------------------------------------------

    \285\ See paragraph (l) of proposed Commission regulations 1.13 
and 23.603. See 7 U.S.C. 1(a)(39).
    \286\ See 17 CFR 23.603(i) (``The business continuity and 
disaster recovery plan of the swap dealer and major swap participant 
and all other records required to be maintained pursuant to this 
section shall be maintained in accordance with Commission Regulation 
Sec.  1.31 and shall be made available promptly upon request to 
representatives of the Commission and to representatives of 
applicable prudential regulators.'').
---------------------------------------------------------------------------

3. Request for Comment
    The Commission invites comment on all aspects of the proposed 
emergency contacts and recordkeeping requirements.

J. Cross-Border Application for Swap Entities

    In September 2020, the Commission published a final rule addressing 
the cross-border application of certain provisions of the CEA 
applicable to swap entities.\287\ The rule addresses the application of 
the registration thresholds and certain requirements applicable to swap 
entities and establishes a formal process for requesting comparability 
determinations for such requirements from the Commission.\288\ Therein, 
the Commission classified current Commission regulation 23.603 (BCDR 
requirements for swap entities) as a group A requirement.\289\ The 
Commission described the group A requirements as helping swap entities 
``implement and maintain a comprehensive and robust system of internal 
controls to ensure the financial integrity of the firm, and, in turn, 
the protection of the financial system'' and as ``constitut[ing] an 
important line of defense against financial, operational, and 
compliance risks that could lead to a firm's default.'' \290\ Pursuant 
to Commission regulation 23.23(f)(1), a non-U.S. swap entity may 
satisfy any applicable group A requirement on an entity-wide basis by 
complying with the applicable standards of a foreign jurisdiction to 
the extent permitted by, and subject to any conditions specified in, a 
comparability determination issued by the Commission.\291\ In 
determining to offer substituted compliance for group A requirements 
broadly to all non-U.S. swap entities, the Commission explained its 
belief that group A requirements cannot be effectively applied on a 
fragmented jurisdictional basis, such that it would not be practical to 
limit substituted compliance for group A requirements to transactions 
involving only non-U.S. persons.\292\
---------------------------------------------------------------------------

    \287\ See Cross-Border Application of the Registration 
Thresholds and Certain Requirements Applicable to Swap Dealers and 
Major Swap Participants, 85 FR 56924 (Sept. 14, 2020) (Final Cross 
Border Rule); 17 CFR 23.23.
    \288\ Id.
    \289\ Id. at 56964-65; 17 CFR 23.23(a)(6) (defining ``group A 
requirements'').
    \290\ Final Cross-Border Rule, 85 FR 56964 (providing that 
``requiring swap entities to rigorously monitor and address the 
risks they incur as part of their day-to-day businesses lowers the 
registrants' risk of default--and ultimately protects the public and 
the financial system.'').
    \291\ See 17 CFR 23.23(f)(1). See also 17 CFR 23.23(a)(11) 
(defining ``non-U.S. swap entity''); 17 CFR 23.23(g) (describing the 
process for the issuance of comparability determinations).
    \292\ See Final Cross-Border Rule, 85 FR 56977.
---------------------------------------------------------------------------

    As discussed above, the proposed rule would amend current 
Commission regulation 23.603 to contain the entirety of the ORF 
requirements applicable to swap entities, which would include 
requirements not only relating to BCDR but also those relating to 
information and technology security and third-party relationships. The 
Commission preliminarily believes that the same rationale for 
classifying BCDR requirements as a group A requirement would apply to 
the ORF rule more broadly. As discussed in detail above, the Commission 
preliminarily believes that the proposed information and technology 
security and third-party relationship requirements would also 
serve to help swap entities implement and maintain a comprehensive and 
robust system of internal controls, serving as an important line of 
defense against the threat of failure at the firm level and of the 
financial system more broadly. Accordingly, should the ORF rule be 
adopted, the Commission would continue to classify Commission 
regulation 23.603 in its entirety as a group A requirement, for which 
substituted compliance would broadly be available pursuant to the 
requirements of Commission regulation 23.23(f)(1).
    As mentioned above, Commission regulation 23.23(f)(1) only allows 
substituted compliance ``to the extent permitted by, and subject to any 
conditions specified in, a comparability determination issued by the 
Commission under [Commission regulation 23.23(g)].'' \293\ Current 
Commission comparability determinations do not address the entirety of 
the proposed ORF rule, as it has yet to be adopted. Rather, they only 
address the requirements in current Commission regulation 23.603, which 
are limited to the BCDR plan requirement.
---------------------------------------------------------------------------

    \293\ See 17 CFR 23.23(f)(1).
---------------------------------------------------------------------------

    The Commission appreciates that non-U.S. swap entities have come to 
rely on existing comparability determinations with respect to the 
current BCDR requirements in Commission regulation 23.603. Accordingly, 
in the interest of comity and good governance, should the proposed rule 
be adopted, the Commission has preliminarily determined to permit non-
U.S. swap entities to continue to rely on current comparability 
determinations with respect to the Commission's BCDR requirements, even 
as amended. However, for substituted compliance to be available for the 
ORF rule in its entirety, an eligible swap entity or foreign regulatory 
authority would need to submit a request for a comparability 
determination pursuant to Commission regulation 23.23(g). The 
submission would need to address the full complement of the provisions 
of the ORF rule, however codified in amended Commission regulation 
23.603, including the BCDR requirements. The Commission would then 
evaluate the request, considering amended Commission regulation 23.603 
in its entirety, and, if the Commission were to conclude it appropriate 
to do so, issue updated comparability determinations that would 
supersede any pre-existing comparability determinations with respect to 
BCDR requirements for swap entities.
Request for Comment
    The Commission invites comment on all aspects of the cross-border 
implications of the proposed rule.

K. Implementation Period

    Should the proposed rule be adopted, the Commission recognizes that 
covered entities may need time to establish an ORF or review and update 
existing plans and procedures for compliance with the proposed ORF 
rule. The Commission preliminarily believes that, given existing and 
applicable NFA, prudential, and foreign requirements, six months from 
the rule's adoption would be a sufficient amount of time for covered 
entities to achieve compliance with the ORF rule.
    The Commission invites comment on the Commission's proposed 
implementation period for the proposed ORF rule, including the 
following questions:
    1. Would six months be a sufficient amount of time for covered 
entities to develop compliant ORFs? If not, why not? Please explain.
    2. If covered entities would need more than six months to implement 
the ORF as proposed, how much more time would they estimate to need, 
and what would they be doing with that time? Please be as detailed as 
possible.

III. Related Matters

A. Regulatory Flexibility Act

    The Regulatory Flexibility Act (RFA) requires Federal agencies, in 
promulgating regulations, to consider the impact of those regulations 
on small entities--whether the rules will have a significant economic 
impact on a substantial number of small entities--and if so, to provide 
a regulatory flexibility analysis reflecting the impact.\294\ The 
Commission has established certain definitions of ``small entities'' to 
be used by the Commission in evaluating the impact of its rules on 
small entities in accordance with the RFA.\295\ The proposed 
regulations would affect FCMs, SDs, and MSPs. The Commission has 
previously determined that FCMs, SDs, and MSPs are not small entities 
for purposes of the RFA.\296\ Accordingly, the Chairman, on behalf of 
the Commission, hereby certifies pursuant to 5 U.S.C. 506(b) that the 
proposed rule and rule amendments would not have a significant economic 
impact on a substantial number of small entities.
---------------------------------------------------------------------------

    \294\ 5 U.S.C. 601 et seq.
    \295\ See Policy Statement and Establishment of Definitions of 
``Small Entities'' for Purposes of the Regulatory Flexibility Act, 
47 FR 18618 (Apr. 30, 1982) (RFA Definitions of ``Small Entities'').
    \296\ See RFA Definitions of ``Small Entities,'' 47 FR 18619 
(FCMs); Final Swap Entities RMP Rule, 77 FR 20193-94 (SDs and MSPs).
---------------------------------------------------------------------------

B. Paperwork Reduction Act

    The Paperwork Reduction Act (PRA) imposes certain requirements on 
federal agencies, including the Commission, in connection with 
conducting or sponsoring any ``collection of information,'' as defined 
by the PRA.\297\ The PRA is intended, in part, to minimize the 
paperwork burden created for individuals, businesses, and other persons 
as a result of the collection of information by federal agencies, and 
to ensure the greatest possible benefit and utility of information 
created, collected, maintained, used, shared, and disseminated by or 
for the Federal Government.\298\ The PRA applies to all information, 
regardless of form or format, whenever the Federal Government is 
obtaining, causing to be obtained, or soliciting information, and 
includes required disclosure to third parties or the public, of facts 
or opinions, when the information collection calls for answers to 
identical questions posed to, or identical reporting or recordkeeping 
requirements imposed on, ten or more persons.\299\
---------------------------------------------------------------------------

    \297\ 44 U.S.C. 3501 et seq.
    \298\ Id.
    \299\ See 44 U.S.C. 3502(3).
---------------------------------------------------------------------------

    This proposed rulemaking would result in new collection of 
information requirements within the meaning of the PRA. The Commission 
is therefore submitting this proposal to the Office of Management and 
Budget (OMB) for review.\300\ The title for this collection of 
information is ``Operational Resilience Framework for Futures 
Commission Merchants, Swap Dealers, and Major Swap Participants.'' The 
OMB has not yet assigned this collection a control number. An agency 
may not conduct or sponsor, and a person is not required to respond to, 
a collection of information unless it displays a currently valid 
control number.\301\
---------------------------------------------------------------------------

    \300\ See 44 U.S.C. 3507(d); 5 CFR 1320.11.
    \301\ See 44 U.S.C. 3507(a)(3); 5 CFR 1320.5(a)(3).
---------------------------------------------------------------------------

    If the proposed regulations are adopted, responses to this 
collection of information would be mandatory. The Commission will 
protect proprietary information according to the Freedom of Information 
Act and part 145 of the Commission's regulations, ``Commission Records 
and Information.'' \302\ In addition, section 8(a)(1) of the CEA 
strictly prohibits the Commission, unless specifically authorized by 
the CEA, from making public ``data and information that would 
separately disclose the business transactions or market positions of 
any person and trade secrets or names of customers.'' \303\ The 
Commission is also required to protect certain information contained in 
a government system of records according to the Privacy Act of 
1974.\304\
---------------------------------------------------------------------------

    \302\ See 5 U.S.C. 552. See also 17 CFR part 145.
    \303\ 7 U.S.C. 12(a)(1).
    \304\ See 5 U.S.C. 552a.
---------------------------------------------------------------------------

1. Information Provided by Reporting Entities/Persons
    The proposed regulations would require each covered entity to 
establish, document, implement, and maintain an ORF that includes an 
information and technology security program, a third-party relationship 
program, and a BCDR plan, each of which would need to be supported by 
written policies and procedures. In addition, the proposed regulations 
would impose the following reporting, recordkeeping, and disclosure 
obligations on each covered entity: (1) on an annual basis, written 
approval of each component program or plan of the ORF and of risk 
appetite and risk tolerance limits, or in the case of covered entities 
relying on a consolidated program or plan, written attestation; (2) on 
an annual basis, documenting review and testing of the ORF; (3) as 
applicable, notifying the Commission of certain ``incidents,'' as 
defined in the proposed rule; (4) as applicable, notifying the 
Commission upon activation of the BCDR plan; (5) as applicable, 
notifying customers or counterparties of certain ``incidents,'' as 
defined in the proposed rule; and (6) providing emergency contact 
information to the Commission in connection with the information and 
technology security program and the BCDR plan. These requirements will 
result in new PRA burdens for covered entities.
    For purposes of the PRA, the term ``burden'' means the ``time, 
effort, or financial resources expended by persons to generate, 
maintain, or provide information to or for a Federal Agency.'' \305\ 
This total includes the anticipated burden associated with the 
development of the required written policies and procedures, 
satisfaction of various reporting, recordkeeping, and disclosure 
obligations, the documentation of required ORF testing and review, and 
the documentation of risk appetite and risk tolerance limits approval.
---------------------------------------------------------------------------

    \305\ 44 U.S.C. 3502(2).
---------------------------------------------------------------------------

    As of October 31, 2023, there are 160 covered entities that would 
become subject to the proposed rule (100 registered swap dealers, 54 
registered futures commission merchants, and 6 dually-registered swap 
dealers/futures commission merchants). The estimated burden associated 
with the proposed information collections is calculated as follows:
a. Recordkeeping Requirements
    The proposed regulation contains recordkeeping requirements that 
would result in a collection of information from ten or more persons 
over a 12-month period.
    Establishing, documenting, implementing, and maintaining 
information and technology security program: As part of an overall ORF, 
proposed Commission regulations 1.13(d) and 23.603(d) would require 
covered entities to establish an information and technology security 
program reasonably designed to identify, monitor, manage, and assess 
risks relating to information and technology security, including 
through conducting and documenting risk assessments at least annually. 
Upon the risk assessment's completion, the results would need to be 
provided to the oversight body, senior officer, or other senior-level 
official who approves the information and technology security program. 
As part of the information and technology security program, the 
proposed rule would require the covered entity to establish, document, 
implement, and maintain controls to prevent, detect, and mitigate 
identified risks to information and technology security. In addition, 
the proposed rule would require that the information and technology 
security program include a written incident response plan reasonably 
designed to detect, assess, contain, mitigate the impact of, and 
recover from an incident.
    The Commission anticipates that a covered entity would require an 
estimated 200 hours to develop their information and technology 
security program, including conducting and documenting an annual risk 
assessment and developing an incident response plan. This yields a 
total annual burden of 32,000 burden hours (160 respondents x 200 hours 
= 32,000 hours).
    Accordingly, the aggregate annual estimate for the recordkeeping 
burden associated with this proposal would be as follows:\306\
---------------------------------------------------------------------------

    \306\ This estimate reflects the aggregate information 
collection burden estimate associated with the proposed 
recordkeeping requirement for the first annual period following 
implementation of the proposed regulations. Because proposed 
Commission regulations 1.13(d) and 23.603(d) would require the one-
time recordkeeping requirement as to developing the information and 
technology security program, Commission staff estimates that for 
each subsequent annual period, the number of burden hours would be 
reduced accordingly.
---------------------------------------------------------------------------

    Number of registrants: 160.
    Estimated number of responses: 1.
    Estimated total annual burden per registrant: 200 hours.
    Frequency of collection: Annually.
    Total annual burden: 32,000 burden hours [160 registrants x 200 
hours].
    Establishing, documenting, implementing, and maintaining third-
party relationship program: Proposed Commission regulations 1.13(e) and 
23.603(e) would require covered entities to develop a program 
reasonably designed to identify, monitor, manage, and assess risks 
relating to third-party relationships. The program would be required to 
address the risks attendant to each stage of the third-party 
relationship lifecycle and would be required to include an inventory of 
third-party service providers the covered entity has engaged to support 
its activities as a covered entity.
    The Commission anticipates that a covered entity would require an 
estimated 160 hours annually to develop their third-party relationship 
program, including creating and maintaining a third-party service 
provider inventory. This yields a total annual burden of 25,600 hours 
(160 respondents x 160 hours = 25,600 burden hours). The aggregate 
annual estimate for the recordkeeping burden associated with this 
proposal would be as follows: \307\
---------------------------------------------------------------------------

    \307\ This estimate reflects the aggregate information 
collection burden estimate associated with the proposed 
recordkeeping requirement for the first annual period following 
implementation of the proposed regulations. Because proposed 
Commission regulations 1.13(e) and 23.603(e) would require the one-
time recordkeeping requirement as to developing the third-party 
relationship program, Commission staff estimates that for each 
subsequent annual period, the number of burden hours would be 
reduced accordingly.
---------------------------------------------------------------------------

    Number of registrants: 160.
    Estimated number of responses: 1.
    Estimated total annual burden per registrant: 160 hours.
    Frequency of collection: Annually.
    Total annual burden: 25,600 burden hours [160 registrants x 160 
hours].
    Establishing, documenting, implementing, and maintaining BCDR plan: 
Proposed Commission regulations 1.13(f) and 23.603(f) would require 
covered entities to establish a written BCDR plan reasonably designed 
to identify, monitor, manage, and assess risks relating to emergencies 
or other significant disruptions to the continuity of normal business 
operations as a covered entity.\308\ The proposed rule would require 
the BCDR plan be reasonably designed to enable the covered entity to: 
(1) continue or resume any activities as a covered entity with minimal 
disruption to customers, counterparties, and markets; and (2) recover 
and make use of covered information, in addition to any other data, 
information, or documentation required to be maintained by law and 
regulation. These plans would be required to, among other things, 
establish procedures for data backup and establish and maintain 
arrangements to provide for redundancies or their backup for covered 
technology, facilities, infrastructure, personnel, and competencies.
---------------------------------------------------------------------------

    \308\ As discussed in section II.E (Continuity and Disaster 
Recovery Plan) of this notice, swap entities are already required to 
establish a written BCDR plan pursuant to current Commission 
regulation 23.603. The existing burdens for current Commission 
regulation 23.603 are found in the following information collection, 
Regulations Establishing and Governing the Duties of Swap Dealers 
and Major Swap Participants (OMB Control No. 3038-0084). The burden 
of swap entities updating their BCDR plan is included in the new 
collection of information established by the proposed rule, but the 
Commission is retaining its existing burden estimates under Control 
No. 3038-0084 at this time to avoid undercounting. The Commission 
will adjust its burden estimates associated with OMB Control No. 
3038-0084 at a later date, as necessary.
---------------------------------------------------------------------------

    The Commission anticipates that a covered entity would require an 
estimated 50 hours annually to develop or to update their existing 
written BCDR plan. This yields a total annual burden of 8,000 burden 
hours (160 respondents x 50 hours = 8,000 hours).
    Accordingly, the aggregate annual estimate for the recordkeeping 
burden associated with this proposal would be as follows:\309\
---------------------------------------------------------------------------

    \309\ This estimate reflects the aggregate information 
collection burden estimate associated with the proposed 
recordkeeping requirement for the first annual period following 
implementation of the proposed regulations. Because proposed 
Commission regulations 1.13(f) and 23.603(f) would require the one-
time recordkeeping requirement, as to developing the BCDR plan, 
Commission staff estimates that for each subsequent annual period, 
the number of burden hours would be reduced accordingly.
---------------------------------------------------------------------------

    Number of registrants: 160.
    Estimated number of responses: 1.
    Estimated total annual burden per registrant: 50 hours.
    Frequency of collection: Annually.
    Total annual burden: 8,000 burden hours [160 registrants x 50 
hours].
    Documentation of ORF review: Proposed Commission regulations 
1.13(h) and 23.603(h) would require covered entities to establish, 
implement, and maintain plans reasonably designed to assess their 
adherence to, and the effectiveness of, their ORF through regular 
reviews and risk-based testing.
    The proposed rule would require that reviews be conducted at least 
annually and when any material change to covered entities' activities 
or operations occurs that is reasonably likely to affect the risks 
identified in the ORF. With regard to testing, the proposed 
rule would require that the testing of information and technology 
security program include, at a minimum, the testing of key controls and 
the incident response plan at least annually; daily or continuous 
automated vulnerability scans; and penetration testing at least 
annually. Additionally, the proposed rule would require that testing of 
the BCDR plan must include, at a minimum, a walk-through or tabletop 
exercise designed to test the effectiveness of backup facilities and 
capabilities at least annually.
    The proposed rule would also require covered entities to document 
all reviews and testing of their ORFs. The proposed rule would require 
that documentation include, at a minimum, (i) the date the review or 
testing was conducted; (ii) the nature and scope of the review or 
testing, including methodologies employed; (iii) the results of the 
review or testing, including any assessment of effectiveness; (iv) any 
identified deficiencies and recommendations for remediation; and (v) 
any corrective action(s) taken or initiated, including the date(s) of 
such action(s).
    The Commission anticipates that covered entities would require an 
estimated 80 hours annually to establish a plan to assess adherence to, 
and the effectiveness of, their ORF, as well as documenting all reviews 
and testing of the ORF. This yields a total annual burden of 12,800 
hours (160 respondents x 80 hours = 12,800 burden hours).
    The aggregate annual estimate for the recordkeeping burden 
associated with this proposal would be as follows: \310\
---------------------------------------------------------------------------

    \310\ This estimate reflects the aggregate information 
collection burden estimate associated with the proposed 
recordkeeping requirement for the first annual period following 
implementation of the proposed regulations. Because proposed 
Commission regulations 1.13(h) and 23.603(h) would require the one-
time recordkeeping requirement as to developing a plan to assess the 
effectiveness of the ORF, Commission staff estimates that for each 
subsequent annual period, the number of burden hours would be 
reduced accordingly.
---------------------------------------------------------------------------

    Number of registrants: 160.
    Estimated number of responses: 1.
    Estimated total annual burden per registrant: 80 hours.
    Frequency of collection: Annually.
    Total annual burden: 12,800 burden hours [160 registrants x 80 
hours].
    Documentation of approval of the component programs or plan, risk 
appetite, and risk tolerance limits: Proposed Commission regulations 
1.13(c)(1) and 23.603(c)(1) would require covered entities to ensure 
that the information and technology security program, third-party 
relationship program, and BCDR plan are approved in writing on at least 
an annual basis by either the senior officer, an oversight body, or a 
senior-level official with primary responsibility for the component 
programs or plan. Proposed Commission regulations 1.13(c)(2) and 
23.603(c)(2) would require the risk appetite and risk tolerance limits 
established by covered entities be approved in writing at least 
annually by either the senior officer, an oversight body, or a senior-
level official. Proposed Commission regulations 1.13(c)(4)(ii) and 
23.603(c)(4)(ii) would allow covered entities that rely on a 
consolidated program or plan for their ORF to meet the annual approval 
requirement for the component programs or plan of the ORF, risk 
appetite, and risk tolerance limits through an annual written 
attestation by either the senior officer, an oversight body, or a 
senior-level official.
    The Commission anticipates that covered entities would require an 
estimated 20 hours annually to document approval of the ORF, risk 
appetite, and risk tolerance limits or to prepare the written 
attestation. This yields a total annual burden of 3,200 hours (160 
respondents x 20 hours = 3,200 burden hours).
    The aggregate annual estimate for the recordkeeping burden 
associated with this proposal would be as follows:
    Number of registrants: 160.
    Estimated number of responses: 1.
    Estimated total annual burden per registrant: 20 hours.
    Frequency of collection: Annually.
    Total annual burden: 3,200 burden hours [160 registrants x 20 
hours].
b. Reporting Requirements
    The proposed regulation contains reporting requirements that would 
result in a collection of information from ten or more persons over a 
12-month period.
    Notification of incidents to the Commission: Proposed Commission 
regulations 1.13(i)(1) and 23.603(i)(1) would require covered entities 
to notify the Commission regarding incidents that adversely impact or 
are reasonably likely to adversely impact: (1) information technology 
and security; (2) the covered entity's ability to continue its business 
activities; or (3) the assets or positions of a customer or 
counterparty. These notifications would be required to include 
information that may assist the Commission in assessing and responding 
to the incident, including the date the incident was detected, possible 
cause(s) of the incident, its apparent or likely impacts, and any 
actions the covered entity has taken or is taking to mitigate or 
recover from the incident. Notifications would be required to be 
submitted via email as soon as possible, but no later than 24 hours 
after an incident is detected.
    The Commission anticipates that covered entities may experience one 
reportable incident per year and that covered entities would expend 
approximately 10 hours to gather the information required and provide 
the required notification to the Commission. This would result in an 
estimated total annual burden of 1,600 hours (160 respondents x 1 
reportable incident per year x 10 hours per reportable incident = 1,600 
hours).
    The aggregate annual estimate for the reporting burden associated 
with this proposal would be as follows:
    Number of registrants: 160.
    Estimated number of responses: 1.
    Estimated total annual burden per registrant: 10 hours.
    Frequency of collection: As needed.
    Total annual burden: 1,600 burden hours [160 registrants x 10 
hours].
    Notification of BCDR plan activation: Proposed Commission 
regulations 1.13(i)(2) and 23.603(i)(2) would require covered entities 
to notify the Commission of any determination to activate the BCDR 
plan. Covered entities would be required to provide such notices via 
email and include any information available at the time of the 
notification that may assist the Commission in assessing or responding 
to the emergency or disruption, including the date of the emergency or 
disruption, a description thereof, the possible cause(s), its apparent 
or likely impacts, and any actions the covered entity has taken or is 
taking to mitigate or recover from the emergency or disruption, 
including measures taken or being taken to protect customers.
    The Commission anticipates that approximately 3 covered entities 
may activate their BCDR plan per year and that such covered entities 
would expend approximately 10 hours to gather the information required 
and to provide the required notification to the Commission. This would 
result in an estimated total annual burden of 30 burden hours (3 BCDR 
activations per year x 10 hours per BCDR activation = 30 hours).
    The aggregate annual estimate for the reporting burden associated 
with this proposal would be as follows:
    Number of registrants: 3.
    Estimated number of responses per respondent: 1.
    Estimated total annual burden per registrant: 10 hours.
    Frequency of collection: As needed.
    Total annual burden: 30 burden hours [3 BCDR activations per year x 
10 hours].
    Filing emergency contact information: Proposed Commission 
regulations 1.13(k) and 23.603(k) would require covered entities to 
provide the Commission with emergency contact information for employees 
to serve as contacts in connection with required incident notifications 
under the ORF and the activation of the covered entity's BCDR plan.
    The Commission anticipates that covered entities would require an 
estimated 1 hour annually to provide the Commission with emergency 
contact information. This yields a total annual burden of 160 burden 
hours (160 respondents x 1 hour = 160 burden hours).
    The aggregate annual estimate for the reporting burden associated 
with this proposal would be as follows: \311\
---------------------------------------------------------------------------

    \311\ This estimate reflects the aggregate information 
collection burden estimate associated with the proposed reporting 
requirement for the first annual period following implementation of 
the proposed regulations. Because proposed Commission regulations 
1.13(k) and 23.603(k) would require the emergency contact 
information provided to the Commission to be updated only as 
necessary, Commission staff estimates that for each subsequent 
annual period, the number of burden hours would be reduced 
accordingly.
---------------------------------------------------------------------------

    Number of registrants: 160.
    Estimated number of responses: 1.
    Estimated total annual burden per registrant: 1 hour.
    Frequency of collection: As needed.
    Total annual burden: 160 burden hours [160 registrants x 1 hour].
c. Disclosure Requirements
    The proposed regulation contains disclosure requirements that would 
result in a collection of information from ten or more persons over a 
12-month period.
    Notification of incidents to affected customers and counterparties: 
Proposed Commission regulations 1.13(j) and 23.603(j) would require 
covered entities to notify their customers and counterparties as soon 
as possible of any incident that is reasonably likely to have adversely 
affected the confidentiality or integrity of the customer's or 
counterparty's covered information, assets, or positions. The proposed 
rule would require that notifications include information necessary for 
the affected customer or counterparty to understand and assess the 
potential impact of the incident on its information, assets, or 
positions and to take any necessary action. Such notifications shall 
include, at a minimum, a description of the incident; the way the 
customer or counterparty, or its covered information, may have been 
adversely impacted; measures being taken by the covered entity to 
protect against further harm; and contact information for the covered 
entity where the customer or counterparty may learn more about the 
incident or ask questions.
    The Commission anticipates that covered entities may experience 17 
reportable incidents per year and that covered entities would expend 
approximately 50 hours to gather the required information necessary to 
provide notice of an incident and to prepare and deliver the required 
notification. This would result in an estimated total annual burden of 
850 burden hours (17 reportable incidents per year x 50 hours per 
reportable incident = 850 burden hours).
    The aggregate annual estimate for the disclosure burden associated 
with this proposal would be as follows:
    Number of registrants: 17.
    Estimated number of responses per respondent: 1.
    Estimated total annual burden per registrant: 50 hours.
    Frequency of collection: As needed.
    Total annual burden: 850 burden hours [17 reportable incidents per 
year x 50 hours].
d. Total Burden
    Based upon the estimates above, the aggregate annual cost for all 
covered entities is 84,240 burden hours.
    It is expected that covered entities will utilize existing 
software, information technology and systems. Thus, the Commission 
believes any additional capital/startup costs or operational/
maintenance costs incurred by respondents to report the information 
required by the proposed regulations to the Commission would be 
negligible, if any.
2. Request for Comment
    The Commission invites the public and other federal agencies to 
comment on any aspect of the reporting, recordkeeping, and disclosure 
burdens discussed above. Pursuant to 44 U.S.C. 3506(c)(2)(B), the 
Commission will consider public comments on this proposed collection of 
information in:
    (1) Evaluating whether the proposed collection of information is 
necessary for the proper performance of the functions of the 
Commission, including whether the information will have practical 
utility;
    (2) Evaluating the accuracy of the Commission's estimate of the 
burden of the proposed collection of information, including the degree 
to which the methodology and the assumptions that the Commission 
employed were valid;
    (3) Enhancing the quality, utility, and clarity of the information 
proposed to be collected; and
    (4) Minimizing the burden of the collection of information on 
covered entities, including through the use of appropriate automated, 
electronic, mechanical, or other technological information collection 
techniques, e.g., permitting electronic submission of responses.
    Copies of the supporting statements for the collections of 
information discussed above are available from the CFTC Clearance 
Officer, 1155 21st Street NW, Washington, DC 20581, 202-418-5714, or 
from https://www.RegInfo.gov. Organizations and individuals desiring to 
submit comments on the proposed information collection requirements 
should send those comments to:
     The Office of Information and Regulatory Affairs, Office 
of Management and Budget, Room 10235, New Executive Office Building, 
Washington, DC 20503, Attn: Desk Officer of the Commodity Futures 
Trading Commission;
     202-395-6566 (fax);
     [email protected] (email).
    Please provide the Commission with a copy of submitted comments so 
that all comments can be summarized and addressed in the final 
rulemaking. Please refer to the ADDRESSES section of this notice of 
proposed rulemaking for comment submission instructions to the 
Commission. OMB is required to decide concerning the collection of 
information between 30 and 60 days after publication of this document 
in the Federal Register. Therefore, a comment is best assured of 
receiving full consideration if OMB (and the Commission) receives it 
within 30 calendar days of publication of this notice. Nothing in the 
foregoing affects the deadline enumerated above for public comment to 
the Commission on the proposed rule.

C. Cost-Benefit Considerations

    Section 15(a) of the CEA requires the Commission to consider the 
costs and benefits of its discretionary actions before promulgating a 
regulation under the CEA or issuing certain orders.\312\ Section 15(a) 
further specifies that the costs and benefits shall be evaluated in 
light of five broad areas of market and public concern: (1) Protection 
of market participants and the public; (2) efficiency, competitiveness, 
and financial integrity of swaps markets; (3) price discovery; (4) 
sound risk management practices; and (5) other public interest 
considerations.\313\ In conducting its analysis, the Commission may, in 
its discretion, give greater weight to any one of the five enumerated 
areas of concern. The Commission considers the costs and benefits 
resulting from its discretionary determinations with respect to the 
considerations of section 15(a) of the CEA.
---------------------------------------------------------------------------

    \312\ See 7 U.S.C. 19(a).
    \313\ Id.
---------------------------------------------------------------------------

    As detailed above, the proposed rule would require covered entities 
(FCMs, SDs, and MSPs) to establish, document, implement, and maintain 
an ORF reasonably designed to identify, monitor, manage, and assess 
risks relating to (i) information and technology security, (ii) third-
party service providers, and (iii) emergencies or other significant 
disruptions to the continuity of their normal business operations.\314\ 
The ORF would accordingly need to include a program or plan directed at 
each of these three risk areas (an information and technology security 
program, a third-party relationship program, and a business continuity 
and disaster recovery plan), as well as a plan for the review and 
testing of the ORF, each of which would need to meet certain specified 
minimum requirements.\315\ The proposed rule would further establish 
governance, training, and recordkeeping requirements related to the 
ORF, as well as require notification of certain ORF-related events to 
the Commission and customers or counterparties.\316\ The main purpose 
of the proposed ORF, as discussed above, is to promote sound practices 
for managing risks relating to information and technology security, 
third-party relationships, and emergencies or other significant 
disruptions, so as to support covered entity operational resilience, to 
the benefit of customers, counterparties, and the derivatives markets 
more broadly.
---------------------------------------------------------------------------

    \314\ See paragraph (b)(1) of proposed Commission regulations 
1.13 and 23.603.
    \315\ See paragraphs (b)(2) (components), (d) (information and 
technology security program), (e) (third-party relationship 
program), (f) (business continuity and disaster recovery plan), and 
(h) (reviews and testing) of proposed Commission regulations 1.13 
and 23.603.
    \316\ See paragraphs (c) (governance), (g) (training), (i) 
(notifications to the Commission), (j) (notification of incidents to 
affected customers or counterparties), (k) (emergency contacts), and 
(l) (recordkeeping) of proposed Commission regulations 1.13 and 
23.603.
---------------------------------------------------------------------------

    The Commission identifies and considers the benefits and costs of 
the proposed amendments relative to the baseline of the current status 
quo. As discussed above, all of the proposed requirements would be new 
CFTC requirements for covered entities, with the exception of the BCDR 
plan requirement for swap entities, which the proposed rule would amend 
in certain respects.\317\ Nevertheless, the Commission preliminarily 
believes that many, if not all, covered entities currently registered 
with the Commission have likely adopted documents, policies, and 
practices consistent with the proposed ORF rule. Current NFA rules and 
interpretive notices, for instance, address the core risks at the 
center of the ORF--information and technology security, third-party 
risks, and BCDR planning--and establish related requirements that apply 
to covered entities, including a BCDR plan requirement for FCMs.\318\ 
Additionally, many covered entities are subject to prudential 
regulation, which includes requirements relating to information 
security and notifications of related incidents.\319\ Prudential 
regulators have also provided guidance relating to operational 
resilience and third-party relationships.\320\ Furthermore, based on 
its oversight activities, the Commission preliminarily believes that 
certain aspects of the proposed rule requirements are already employed 
by many covered entities as recommended best practices.
---------------------------------------------------------------------------

    \317\ See 17 CFR 23.603.
    \318\ See supra note 43; see also supra note 60 (noting that 
NFA's requirement to establish a business continuity and disaster 
recovery plan does not apply to swap entities).
    \319\ See Computer-Security Incident Notification Requirements 
for Banking Organizations and their Bank Service Providers, 86 FR 
66424 (Nov. 23, 2021); 12 CFR part 30, app. A (Interagency 
Guidelines Establishing Standards for Safety and Soundness); 12 CFR 
part 30, app. B (Interagency Guidelines Establishing Information 
Security Standards).
    \320\ See supra note 43. See also supra note 50. The Commission 
notes that the Prudential Operational Resilience Paper was ``written 
for use by the largest and most complex domestic firms,'' including 
financial institutions with average total consolidated assets 
greater than or equal to (a) $250 billion or (b) $100 billion and 
have $75 billion or more in average weighted short-term wholesale 
funding, average nonbank assets, or average off-balance-sheet 
exposure. See Prudential Operational Resilience Paper, supra note 
11, at 1.
---------------------------------------------------------------------------

    The Commission acknowledges that, no matter the degree to which a 
covered entity currently operates in a manner consistent with the 
requirements of the proposed rule, covered entities would all incur 
some level of costs in reviewing the proposed rule and comparing their 
existing practices and procedures against it to ensure they meet the 
minimum requirements and make any necessary updates. Nevertheless, the 
Commission preliminarily believes that the actual costs and benefits of 
the proposed rule as realized by most current covered entities may not 
be as significant as they would be for entities not already subject to 
NFA or prudential authority or that have not already adopted 
operational resilience practices in line with general standards and 
best practices. The Commission also preliminarily believes that 
leveraging existing standards and guidance and aligning with other 
applicable authorities to the degree sensible and appropriate, as 
recommended by the National Cyber Strategy, in itself is a benefit to 
covered entities and the markets more broadly, by reducing compliance 
burdens while promoting practices that have proven to support 
operational resilience and positive regulatory outcomes. Customers, 
counterparties, and the public more generally would likely benefit as 
well, as the proposed rule would allow the Commission to exercise its 
oversight authority to foster compliance with the ORF requirements that 
are currently absent from its regulations.
    By its terms, section 15(a) does not specifically require the 
Commission to quantify the costs and benefits of a new rule or to 
determine whether the benefits of the adopted rule outweigh its costs. 
Rather, section 15(a) requires the Commission to ``consider the costs 
and benefits'' of a subject rule.\321\ The Commission has endeavored to 
assess the expected costs and benefits of the proposed amendments in 
quantitative terms, including PRA related costs, where possible. In 
situations where the Commission is unable to quantify the costs and 
benefits, the Commission identifies and considers the costs and 
benefits of the applicable proposed amendments in qualitative terms. 
However, the Commission lacks the data necessary to reasonably quantify 
all of the costs and benefits considered below. Additionally, any 
initial and recurring compliance costs for any particular covered 
entity would depend on its size, existing infrastructure, practices, 
and cost structures, as well as the nature, size, scope, complexity, 
and risk profile of its operations as a covered entity. It is 
impossible to place a reliable dollar figure on potential future 
incidents that might be prevented through this rulemaking because the 
threats are too varied. The constantly changing nature of technology 
exacerbates this difficulty.\322\
---------------------------------------------------------------------------

    \321\ See 7 U.S.C. 19(a).
    \322\ FSI Cybersecurity Paper, supra note 15, at 1 (``The cyber 
threat landscape is also characterised by a significant and 
continuous rise in the cost of cyber incidents. Statista (2023) 
estimated the global cost of cyber crime in 2022 at $8.4 trillion 
and expects this to go beyond $11 trillion in 2023. This reflects an 
annual increase of 30% in the cost of cyber crime during the 2021-23 
period. Moreover, the average cost of a data breach between 2020 and 
2022 increased by 13%, with the financial industry scoring the 
second highest average cost after healthcare at $6 million. 
According to Chainalysis (202[3]), 2022 was the biggest year ever 
for crypto hacking, with $3.8 billion stolen from cryptocurrency 
businesses. Cyber insurance demand continues to outweigh supply and 
that the cyber protection gap appears to be widening amid a market 
characterised by rising premiums, narrowing coverage and tighter 
underwriting standards.'').

---------------------------------------------------------------------------

[[Page 4740]]

    Regarding covered entities' costs, while the Commission generally 
believes--based on anecdotal information and its general 
understanding--that covered entities have already instituted, to a 
large degree, the practices called for in the proposed rule, the 
Commission lacks empirical evidence or data to verify that belief 
(including the number of covered entities whose practices currently 
meet the requirements being proposed) and quantify what, if any, 
material costs covered entities would incur to comply with the proposed 
regulations. To the extent covered entities would need to make 
operational changes to comply with the proposed amendments, the 
Commission expects they would be proportionate to the nature, size, 
scope, complexity, and risk profile of their operations as covered 
entities. The Commission therefore invites comments providing data and 
other empirical information to allow it to quantify the degree to 
which: (1) covered entities currently have implemented (or independent 
of the proposed amendments, otherwise plan to implement) practices that 
are compliant with the Commission's proposed regulations and (2) the 
expected additional costs for any covered entities that, to date, have 
not completely done so or are otherwise moving independently towards 
doing so.
    The Commission notes that this cost-benefit consideration is based 
on its understanding that the derivatives markets regulated by the 
Commission function internationally with: (1) transactions that involve 
U.S. entities occurring across different international jurisdictions; 
(2) some entities organized outside of the United States that are 
registered with the Commission; and (3) some entities that typically 
operate both within and outside the United States and that follow 
substantially similar business practices wherever they are located. 
Where the Commission does not specifically refer to matters of 
location, the discussion of costs and benefits below refers to the 
effects of the proposed regulations on all relevant derivatives 
activity, whether based on their actual occurrence in the United 
States, or on their connection with, or effect on, U.S. commerce.
    In the sections that follow, the Commission discusses the costs and 
benefits associated with the proposed rule, as well as reasonable 
alternatives, relative to the baseline. The Commission generally 
requests comment on all aspects of its cost-benefit consideration, 
including the baseline; assumptions and methodology employed; the 
identification and measurement of costs and benefits relative to the 
baseline; the identification, measurement, and assessment of any costs 
and benefits not discussed herein; data and any other information to 
assist or otherwise inform the Commission's ability to better quantify 
or qualitatively understand and describe the costs and benefits of the 
proposed amendments; whether and what specific alternatives would be 
more reasonable in terms of their costs and benefits and why; and 
substantiating data, statistics, and any other information to support 
positions posited by commenters with respect to the Commission's 
discussion and/or requests for comments.
1. Costs and Benefits
    The following sections discuss the costs and benefits that the 
Commission preliminarily expects to result from the requirements in the 
proposed rule.
e. Generally--Proposed Paragraph (b)
    The proposed rule would require covered entities to establish, 
document, implement, and maintain an ORF reasonably designed to 
identify, monitor, manage, and assess risks relating to: (i) 
information and technology security; (ii) third-party relationships; 
and (iii) emergencies or other significant disruptions to the 
continuity of normal business operations as covered entities.\323\ The 
ORF would need to, at a minimum, include an information and technology 
security program, a third-party relationship program, and a business 
continuity and disaster recovery plan, and each component program or 
plan would need to be supported by written policies and 
procedures.\324\ Covered entities would further need to ensure that 
their ORF is appropriate and proportionate to the nature, size, scope, 
complexity, and risk profile of their business activities as covered 
entities, following generally accepted standards and best 
practices.\325\
---------------------------------------------------------------------------

    \323\ See paragraph (b)(1) of proposed Commission regulations 
1.13 and 23.603.
    \324\ See paragraph (b)(2) of proposed Commission regulations 
1.13 and 23.603.
    \325\ See paragraph (b)(3) of proposed Commission regulations 
1.13 and 23.603.
---------------------------------------------------------------------------

    The Commission anticipates that the main source of costs associated 
with establishing, documenting, implementing, and maintaining the ORF, 
as required, would derive from creating and implementing the necessary 
core component programs and plan, the detailed requirements and costs 
and benefits of which are discussed in greater detail in the sections 
that follow. As discussed above, although the Commission expects that 
most covered entities already have at least some elements of the ORF in 
place by virtue of NFA or other requirements, 
covered entities would, at minimum, need to devote time and resources 
to reviewing their existing programs to ensure they meet the 
requirements of the proposed rule and making any necessary amendments. 
Accordingly, the Commission anticipates all covered entities would 
incur at least a one-time fixed cost associated with reviewing their 
existing programs to ensure compliance, and to identify and make any 
potential required updates. Specifically, the Commission expects 
covered entities would incur a one-time initial cost of $41,000 (410 
hours \326\ x $100/hour) to review their existing programs and identify 
and make any necessary changes, or an estimated aggregate dollar cost 
of $6,560,000 (160 covered entities x $41,000).\327\
---------------------------------------------------------------------------

    \326\ This hour estimate reflects the aggregate amount of time 
the Commission estimates covered entities will expend establishing, 
documenting, implementing and maintaining the core component 
programs and plan of their ORF (i.e., information and technology 
security program, third-party relationship program, and business 
continuity and disaster recovery plan). See section III.B (Paperwork 
Reduction Act) of this notice, supra.
    \327\ The cost estimates in this section were determined using 
an average salary of $100.00 per hour. The Commission believes that 
this is an appropriate salary estimate for purposes of the proposed 
rule based upon the May 2022 Bureau of Labor Statistics' average 
hourly rate for the following positions: (1) $63.08 for management 
occupations; (2) $41.39 for business and financial operations 
occupations; (3) $51.99 for computer and mathematical occupations; 
(4) $67.71 for computer engineering occupations; (5) $59.87 for 
legal occupations; and (6) $21.90 for office and administrative 
support occupations. Based on this data, the Commission took the 
mean hourly wage for these positions and increased it to $100 in 
recognition that some covered entities are large financial 
institutions whose employees' salaries may exceed the mean wage. See 
U.S. Bureau of Labor Statistics, May 2022 National Occupational 
Employment and Wage Estimates (last updated Apr. 25, 2023), 
available at https://www.bls.gov/oes/current/oes_nat.htm#43-0000.
---------------------------------------------------------------------------

    To the extent that covered entities' current operational resilience 
practices do not meet the minimum requirements of the proposed rule, 
they may incur more and other forms of costs in 
updating the programs. Such costs could include fixed costs associated 
with securing new technology or other services (e.g., upgrading 
technology, incorporating penetration testing), or even adding new 
staffing to support new required functions, as well as new ongoing 
costs related to monitoring and training. By requiring that the ORF, 
and consequently the associated programs and plan, are appropriate and 
proportionate to the covered entity, the Commission expects that the 
extent of those costs should be reasonably mitigated, such that covered 
entities should be able to tailor their ORFs to their unique 
circumstances and not incur costs to adopt practices or technologies 
that would not be recommended or necessary for them.
    Additionally, to the extent costs in updating programs are 
unavoidable, the Commission believes the proposed ORF rule is 
reasonably designed to ensure that the costs would support covered 
entities' operational resilience, and the broader security of the 
derivatives markets as a whole, as discussed in greater detail below. 
More specifically, the Commission believes the proposed ORF rule is 
reasonably designed to ensure customer and counterparty information and 
assets remain protected, and that the derivatives markets remain stable 
and functioning, particularly as covered entities become ever more 
reliant on rapidly evolving technology and/or third-party service 
providers to support their operations. Requiring all covered entities 
to have a framework directed at operational resilience that meets 
certain minimum requirements, including governance, training, and 
testing requirements, would give the CFTC, customers, counterparties, 
and covered entities themselves confidence that there exists among all 
covered entities a certain foundational level of security and 
resilience. Requiring covered entities to base their ORFs on generally 
accepted standards and best practices further buttresses that assurance 
by making sure adopted practices are grounded in standards that are 
commonly known and accepted, widely recognized as effective, and 
require adaptation as risk profiles change. Relying on existing known 
standards should also help mitigate implementation costs compared to 
complying with specific and detailed requirements created by the 
Commission and applied more uniformly. Furthermore, as the Commission 
engages in oversight of ORFs, it would expect to be able to identify 
additional recommended best practices unique to covered entities that 
it could share through guidance or future rulemakings, which would 
operate to further support the stability of the derivatives markets.
f. Governance--Proposed Paragraph (c)
    The proposed rule would require that each of the three required 
component programs and plan (the information and technology security 
program, the third-party relationship program, and the business 
continuity and disaster recovery plan) be approved in writing, on at 
least an annual basis, by either the senior officer, an oversight body, 
or a senior-level official of the covered entity.\328\ Covered entities 
would likely experience some costs associated with selecting the 
responsible official or body to provide the approval and associated 
costs to obtain their approval, including the time and resources needed 
to develop any explanatory materials, making amendments in light of any 
comments from leadership, and ministerial costs associated with 
obtaining signatures. More specifically, the Commission estimates that 
covered entities would incur an initial cost of $4,000 (40 hours x 
$100/hour) to select the responsible official or body to approve the 
component programs and plan of the ORF,\329\ or an estimated aggregate 
dollar cost of $640,000 (160 covered entities x $4,000). Additionally, 
the Commission estimates that covered entities will incur an ongoing 
annual cost of $1,000 for the approval of the component programs or 
plan of the ORF (10 hours x $100/hour),\330\ or an estimated aggregate 
dollar cost of $160,000 (160 covered entities x $1,000).
---------------------------------------------------------------------------

    \328\ See paragraph (c)(1) of proposed Commission regulations 
1.13 and 23.603.
    \329\ Covered entities may also incur subsequent costs in the 
event there is a change in official or body responsible for the 
approval of the ORF component programs or plan.
    \330\ As discussed supra in section III.B (Paperwork Reduction 
Act) of this notice, the Commission expects covered entities will 
expend a total of 20 burden hours to approve the component programs 
and plan of the ORF, risk appetite, and risk tolerance limits, or to 
prepare a written attestation.
---------------------------------------------------------------------------

    However, the Commission anticipates that providing a covered entity 
broad discretion to select whomever it deems appropriate to provide the 
approval would serve to mitigate some of those costs by allowing the 
covered entity to embed the approval process within its existing 
operational structures. The Commission further believes that requiring 
regular and formal approval of the ORF component programs and plan by 
senior leadership would help ensure that the ORF is in line with 
operational strategy and risk capacity, improving the chances that the 
covered entity would be adequately prepared for, and able to withstand 
and recover from, operational shocks that could otherwise significantly 
harm customers, counterparties, or even have spillover effects into the 
derivatives market as a whole.
    The proposed rule would further require covered entities to 
establish risk appetite and risk tolerance limits with respect to the 
risk areas underlying the ORF (information and technology security, 
third-party relationships, and emergencies or other significant 
disruptions to the continuity of normal business operations).\331\ The 
Commission believes that establishing and operating within established 
risk appetite and risk tolerance limits would help ensure that covered 
entities do not engage in activities that would present risks beyond 
those they can comfortably manage, helping to mitigate the potential 
for covered entities to take on risk that could lead to intolerable 
harm to customers or disruption to the financial system at large.
---------------------------------------------------------------------------

    \331\ See paragraph (c)(2)(i) of proposed Commission regulations 
1.13 and 23.603.
---------------------------------------------------------------------------

    Covered entities that do not currently have a practice of creating 
a risk appetite statement and establishing and monitoring metrics for 
risk tolerance limits would likely incur costs associated with 
establishing a methodology to identify them, which would involve time 
and staffing resources, or perhaps even the use of consultants, but the 
Commission anticipates such costs should be reduced year over year as 
such covered entities gain experience and streamline processes. 
Nevertheless, the Commission understands that establishing risk 
appetite and tolerance limits is common practice in the financial 
industry, and is included as a recommended part of governance in the 
NIST financial sector profile.\332\ To the extent that covered entities 
already follow this practice, such covered entities would incur general 
costs associated with reviewing their risk appetite and risk tolerance 
limits against the rule requirements to ensure they cover the full 
scope of the rule, but they would avoid the heavier resource burdens of 
developing risk appetite and risk tolerance limits from whole cloth.
---------------------------------------------------------------------------

    \332\ See CRI Profile Workbook, supra note 81, at 16 (``An 
appropriate governing authority . . . endorses and periodically 
reviews the cyber risk appetite and is regularly informed about the 
status of and material changes in the organization's inherent cyber 
risk profile'').
---------------------------------------------------------------------------

    The risk appetite and risk tolerance limits would further need to 
be

[[Page 4742]]

reviewed and approved in writing on at least an annual basis by the 
oversight body, senior officer, or other senior-level official with 
primary responsibility for the relevant risk area.\333\ Similar to the 
broad approval of the ORF component programs and plan in general, 
covered entities would likely incur some costs preparing information 
for approval, making amendments in response to comments, and obtaining 
signatures. Specifically, the Commission estimates covered entities 
would incur an ongoing annual cost of $1,000 for the approval of risk 
appetite and risk tolerance limits (10 hours x $100/hour),\334\ or an 
estimated aggregate dollar cost of $160,000 (160 covered entities x 
$1,000). The Commission believes that the process of securing formal 
approval would encourage covered entities to think critically about the 
risk appetite and risk tolerance limits they establish and to justify 
them in light of operational strategy. This exercise should bring more 
awareness to activities that create operational risk and lead to better 
outcomes from an operational resilience standpoint, with attendant 
benefits to customers, counterparties, and the market more broadly.
---------------------------------------------------------------------------

    \333\ See paragraph (c)(2)(ii) of proposed Commission 
regulations 1.13 and 23.603.
    \334\ As discussed in section III.B (Paperwork Reduction Act) of 
this notice, the Commission expects covered entities will expend a 
total of 20 burden hours annually to document approval of the 
component plans of the ORF, risk appetite, and risk tolerance 
limits, or to prepare a written attestation.
---------------------------------------------------------------------------

    Relatedly, the proposed rule would require covered entities to 
notify selected senior leadership of circumstances that exceed risk 
tolerance limits and incidents requiring notification to either the 
Commission or customers and counterparties.\335\ The Commission 
understands that such an internal escalation requirement would require 
covered entities to incur some costs in developing policies and 
procedures that reflect this requirement, or reviewing existing 
escalation protocols to ensure they meet the terms of the rule, but the 
Commission believes the requirement is sufficiently flexible to allow 
covered entities to rely on existing operational structures and 
reporting lines, and does not anticipate that any organizational 
changes, or attendant costs, would be necessary. Additionally, the 
Commission views the involvement and awareness of senior leadership in 
cases where risk tolerance limits are exceeded, or where significant 
incidents have occurred that clearly threaten operational resilience, 
as critical to ensuring recovery efforts are coordinated and thus more 
likely to be successful.
---------------------------------------------------------------------------

    \335\ See paragraphs (c)(3)(i)-(ii) of proposed Commission 
regulations 1.13 and 23.603.
---------------------------------------------------------------------------

    The proposed rule would allow covered entities that form a part of 
a larger enterprise to satisfy the requirements of the proposed rule 
through their participation in a consolidated program or plan that 
meets the requirements of the proposed rule.\336\ Additionally, a 
covered entity relying on a consolidated program or plan would be able 
to satisfy the requirements for senior leadership to approve both the 
component program or plan and risk appetite and risk tolerance limits 
by having senior leadership attest on an annual basis that the 
consolidated program or plan meets the requirements of the proposed ORF 
rule and reflects risk appetite and risk tolerance limits appropriate 
to the covered entity.\337\ The Commission estimates that covered 
entities would incur an ongoing annual cost of $2,000 (20 hours x $100/
hour) to prepare a written attestation,\338\ or an estimated aggregate 
dollar cost of $320,000 (160 covered entities x $2,000). The Commission 
believes allowing covered entities to rely on a consolidated program or 
plan would mitigate costs for such entities, specifically by benefiting 
from economies of scale present in relying on shared corporate 
infrastructure and a larger parent company's resources to manage 
operational risk at a broader enterprise level, and through using 
existing practices that meet the requirements of the proposed rule.
---------------------------------------------------------------------------

    \336\ See paragraph (c)(4)(i) of proposed Commission regulations 
1.13 and 23.603.
    \337\ See paragraph (c)(4)(ii) of proposed Commission 
regulations 1.13 and 23.603.
    \338\ As discussed supra in section III.B (Paperwork Reduction 
Act) of this notice, the Commission expects covered entities will 
expend a total of 20 burden hours annually to document approval of 
the component programs or plans of the ORF, risk appetite, and risk 
tolerance limits, or to prepare a written attestation.
---------------------------------------------------------------------------

    Nevertheless, the Commission expects that such covered entities 
would incur at least some costs associated with reviewing the 
consolidated program or plan to ensure it meets the requirements of the 
proposed rule and reflects risk appetite and risk tolerance limits 
appropriate to the covered entities. Such covered entities may face 
challenges in ensuring that their consolidated programs or plans, which 
may be written with the parent corporate entity as the primary focus, 
appropriately address the risks as they relate more specifically to the 
business and operations of the covered entity, which may be a 
relatively small line of business for the parent. Accordingly, a 
covered entity may incur some costs, in terms of time and staffing 
resources, associated with amending any consolidated program or plan to 
ensure it reflects the proposed rule's requirements and risk appetite 
and risk tolerance limits appropriate to the covered entity. The 
Commission cannot accurately quantify such costs, as these costs could 
range from minimal to more substantial depending on the complexity of 
the organization and how closely the current consolidated program or 
plan meets the requirements of the proposed rule, including how 
particularized they are with respect to identifying and managing the 
risks specific to the covered entity. The Commission believes that such 
requirements are important to ensuring that all covered entities, 
regardless of their operational structure, have a baseline level of 
operational risk management that is tailored to the entity itself, 
helping reduce risk to the overall financial system and the commodity 
derivatives markets in particular. The Commission also preliminarily 
believes that the overall costs of the proposed rule are reduced, 
without any loss of benefit, by allowing covered entities to rely on 
consolidated programs or plans over requiring them to duplicate 
existing larger corporate entity efforts to produce programs or plans 
that are independent and unique to the covered entity.
g. Information and Technology Security Program--Proposed Paragraph (d)
    The proposed rule would require covered entities to have an 
information and technology security program, defined as a written 
program reasonably designed to identify, monitor, manage, and assess 
risks relating to information and technology security and that meets 
certain requirements.\339\ Specifically, the information and technology 
security program would need to include (1) a risk assessment, conducted 
at least annually; (2) effective controls; and (3) an incident response 
plan.\340\ The proposed risk assessment requirement would require 
covered entities to identify and devote resources to planning and 
performing the risk assessment and then analyzing its results. These 
resources would need to include reliance on personnel not responsible 
for the development or implementation of covered technology or related 
controls, which could impose additional staffing needs on some

[[Page 4743]]

covered entities.\341\ The amount of time and resources expended would 
likely vary depending on the size, complexity, and risk profile of the 
covered entity and its degree of reliance on covered technology. The 
Commission believes that larger covered entities with more complex 
business operations and broader risk profiles would likely need to 
devote more permanent and extensive resources, staffing and otherwise, 
to performing and analyzing their risk assessments. Presenting the 
results of the assessment to selected senior leadership would also 
require the devotion of time and staffing resources to prepare for and 
respond to leadership feedback.
---------------------------------------------------------------------------

    \339\ See paragraphs (a) (defining ``information and technology 
security program'') and (b)(2) (components) of proposed Commission 
regulations 1.13 and 23.603.
    \340\ See paragraph (d) of proposed Commission regulations 1.13 
and 23.603.
    \341\ See paragraph (d)(1)(ii) of proposed Commission 
regulations 1.13 and 23.603.
---------------------------------------------------------------------------

    In establishing effective controls, covered entities would be 
required to consider a broad range of categories of controls, determine 
which to implement in line with identified risks, implement them, and 
then review and revise the controls as needed over time in response to 
continued risk assessments. Depending on the types of controls they 
would need to implement, covered entities may take on additional costs 
to acquire new security technology and/or hire additional staff or 
third-party service providers to oversee and implement the controls. 
Again, the Commission would expect any outlays to be appropriate and 
proportionate to the covered entity and its risk profile, so the exact 
costs would vary by covered entity. Nevertheless, given that the 
approach of the proposed rule, and list of required categories, closely 
aligns with the longstanding approach adopted by prudential regulators 
with respect to information and technology security controls, the 
Commission believes that costs for at least prudentially regulated 
covered entities may be reduced compared to other covered entities that 
have not been required to apply and consider such categories of 
controls.\342\
---------------------------------------------------------------------------

    \342\ See supra note 130 and accompanying text.
---------------------------------------------------------------------------

    Development of an incident response plan would likely require a 
noticeable devotion of resources at the outset, as staff would need to 
dedicate time and effort to forming and documenting the plan, including 
creating policies and procedures for identifying the types of incidents 
that need to be reported and to whom. Should an incident occur, the 
plan would require staff at the covered entity to devote time to 
documenting and responding to the incident, as well as identifying and 
taking on remediation efforts.
    Nevertheless, the Commission expects that, given the NFA's ISSP 
Notice, covered entities would likely not need to expend resources to 
develop an information and technology security program from scratch. 
Notably, NFA requires its members to adopt and enforce a written ISSP, 
assess and prioritize the risks associated with its use of information 
technology systems, document and describe in their ISSPs safeguards 
deployed in light of identified and prioritized threats and 
vulnerabilities, and create an incident response plan.\343\ 
Accordingly, some of the compliance burdens associated with 
implementing an information and technology security program should be 
reduced. Covered entities overseen by prudential regulators are also 
required to consider similar categories of controls to those in the 
proposed rule, so compliance costs as realized by prudentially 
regulated covered entities may be even further reduced.\344\ Notably, 
however, NFA does not mandate that a risk assessment be conducted at 
least annually by personnel not responsible for the development or 
implementation of covered technology or related controls. Although the 
Commission believes these requirements to be consistent with generally 
accepted standards and best practices, such that covered entities may 
be following them anyway, some covered entities may nevertheless 
experience some additional costs associated with ensuring or otherwise 
acquiring staff sufficiently independent to conduct the risk assessment 
and in potentially conducting the risk assessment more frequently than 
they currently do. The Commission also recognizes that, if adopted, the 
proposed rule would at minimum require covered entities to expend 
resources to review the ISSPs they established pursuant to NFA rules to 
ensure they meet the requirements of the information and technology 
security program.
---------------------------------------------------------------------------

    \343\ See NFA ISSP Notice, supra note 43.
    \344\ See 12 CFR part 30, app. B.
---------------------------------------------------------------------------

    Notwithstanding the potential operational and staffing costs to 
covered entities associated with the proposed rule, the Commission 
believes the benefits of the requirements of the proposed information 
and technology security program are well established. Risk assessments 
are crucial to identifying threats and vulnerabilities, which is key to 
directing resources to mitigate those risks in a way that increases the 
effectiveness of security efforts. The Commission likewise believes the 
benefits of an independent risk assessment (a more unbiased and 
reliable assessment) and conducting it at least annually (ensuring the 
information and technology security program is up-to-date and 
responsive in light of current threat landscape and vulnerabilities at 
the covered entity) are important to supporting covered entity 
operational resilience. Likewise, controls are the methods or 
techniques for monitoring and managing those risks and safeguarding 
information, operations, and assets. Without them, the potential for a 
system weakness to be exploited, and for customers and counterparties, 
covered entities, or the market at large to be harmed is increased, as 
the interconnected nature of the commodity derivatives markets enhances 
the possibility for spillover effects. Incident response plans operate 
to reduce the potential magnitude of the harm should a safeguard fail 
by creating a concrete plan, known in advance, for how the covered 
entity should respond, thereby shortening response times following an 
incident. Accordingly, the Commission believes the proposed minimum 
requirements of the information and technology security program, in 
combination with the Commission's oversight, would further support the 
development of a foundational level of operational risk management 
practices with respect to information and technology security that 
would benefit customers, counterparties, and the market at large.
h. Third-Party Relationship Program--Proposed Paragraph (e)
    The proposed rule would require covered entities to have a third-
party relationship program, defined as a written program reasonably 
designed to identify, monitor, manage, and assess risks relating to 
third-party relationships.\345\ The program would need to describe how 
covered entities address the risks attendant to each of the five 
identified stages of the third-party relationship lifecycle, ranging 
from pre-selection to termination, with heightened due diligence and 
monitoring required for critical third-party service providers.\346\ 
The proposed rule would further require covered entities to create, 
maintain, and regularly update an inventory of third-party service 
providers engaged to support their activities as covered entities, 
identifying whether each is a critical third-party service 
provider.\347\
---------------------------------------------------------------------------

    \345\ See paragraphs (a) (defining ``third-party relationship 
program'') and (e) (third-party relationship program) of proposed 
Commission regulations 1.13 and 23.603.
    \346\ See paragraphs (e)(1)(i)-(v) and (e)(2) of proposed 
Commission regulations 1.13 and 23.603.
    \347\ See paragraph (e)(3) of proposed Commission regulations 
1.13 and 23.603.

---------------------------------------------------------------------------

[[Page 4744]]

    As with the information and technology security program, complying 
with this aspect of the proposed rule would require covered entities to 
expend staff resources at the outset to develop the program and put it 
into writing. Although NFA requires its members, including covered 
entities, to have a written supervisory framework for its third-party 
service providers, which could help mitigate these costs, NFA's written 
supervisory framework only extends to outsourcing functions, i.e., 
regulatory functions that would otherwise be undertaken by the NFA 
member itself to comply with NFA and CFTC requirements.\348\ 
Accordingly, covered entities would likely experience at least some 
staffing burdens expanding their NFA frameworks to fit the broader 
scope of third-party relationships covered by the proposed rule and 
implementing it across their third-party service providers more 
broadly. However, applying the proposed (b)(3) standard, covered 
entities should be able to align their third-party risk management 
practices to the risks presented by each individual third-party service 
provider, which would allow covered entities to tailor and fit the 
costs of their third-party practices to their unique circumstances. 
Covered entities following prudential rules and guidance with respect 
to third-party service providers, which applies to all third-party 
relationships, would likely experience reduced costs compared to other 
covered entities with respect to any need to modify their existing 
programs.\349\ Additionally, the proposed rule would not require 
covered entities to perform due diligence or renegotiate contracts with 
existing third-party service providers, which would avoid a potentially 
substantial initial fixed cost from implementing the third-party 
relationship program.
---------------------------------------------------------------------------

    \348\ See NFA Third-Party Notice, supra note 43.
    \349\ See 12 CFR part 30, app. B, III.D. (Oversee Service 
Provider Arrangements); Prudential Third-Party Guidance, supra note 
43.
---------------------------------------------------------------------------

    Creating an initial inventory of third-party service providers, and 
assessing whether they meet the definition of ``critical third-party 
service provider'' would also require a temporary redirection of staff 
resources, with the amount of time and resources required varying 
depending on the extent and complexity of a given covered entity's 
reliance on third-party service providers. With respect to critical 
third-party service providers, the Commission preliminarily believes 
that many, if not all, covered entities currently have in place a 
process to identify and categorize third-party service providers as 
``critical'' or otherwise requiring enhanced supervisory activities. Additionally, NFA 
requires its members to have heightened due diligence for third-party 
service providers that obtain or have access to critical and/or 
confidential data and those that support critical regulatory-related 
systems, which could potentially reduce burdens on covered entities in 
designing and implementing heightened due diligence and monitoring with 
respect to critical third-party service providers.\350\ Although the 
Commission preliminarily believes that its proposed definition of 
``critical third-party service provider'' should identify many, if not 
all, of the same providers covered entities would themselves identify 
as ``critical,'' the Commission recognizes that the process of applying 
the proposed definition to an existing process would, at minimum, 
require some initial expenditure of staff resources to ensure existing 
practices and taxonomies align with the proposed rule.\351\ 
Additionally, the process of creating an inventory of third-party 
service providers, which is not currently required by NFA or prudential 
regulators, could be particularly burdensome, especially for covered 
entities with a large number of complex third-party relationships, or 
that rely on an affiliate to secure and coordinate third-party service 
providers as part of a larger enterprise-wide function, potentially 
involving staff from many different departments or the review of 
multiple contracts or contract databases.
---------------------------------------------------------------------------

    \350\ See NFA Third-Party Notice, supra note 43.
    \351\ See paragraph (a) of proposed Commission regulations 1.13 
and 23.603 (defining ``critical third-party service provider'').
---------------------------------------------------------------------------

    Nevertheless, the Commission believes that requiring covered 
entities to have a program to identify, monitor, manage, and assess 
risks relating to third-party relationships, and inventory their third-
party service providers, would have meaningful benefits at the 
individual covered entity-level, as well as for customers and 
counterparties and the derivatives markets at large. Given their roles 
and interconnectedness in the derivatives markets, an operational shock 
at one covered entity can have ripple effects across the markets. 
Requiring covered entities to develop and maintain a program to help 
evaluate and address the risk at each stage of the third-party 
relationship--from before selecting a third-party service provider to 
how such a relationship would be supervised and terminated--may not 
only help covered entities be more fully aware of and manage the risks 
of their third-party relationships, it could also help increase overall 
confidence levels in the derivatives markets by ensuring customers and 
counterparties that there is a foundational level of third-party risk 
management practices across covered entities.
    Additionally, the proposed rule could operate to raise minimum 
standards with regards to how third-party risks are managed, by 
introducing enhanced due diligence or monitoring practices for critical 
third-party service providers, for instance, which could lead to real 
and measurable reduction in risk to the financial system. The act of 
creating an inventory of third-party service providers would also help 
increase the likelihood of identifying interdependencies or 
overdependencies, which could cause covered entities to reevaluate 
particular relationships (i.e., diversify third-party service providers 
to reduce concentration risk) or take on additional activities (e.g., 
insurance) to help mitigate those risks, thereby promoting operational 
resilience. Identifying critical third-party service providers should 
also help enhance operational awareness of those entities and ensure 
they receive the required heightened monitoring to ensure that the risk 
of disruption to critical services, which could have a broader impact 
on the markets or customers and counterparties, is mitigated.
i. Business Continuity and Disaster Recovery Plan--Proposed Paragraph 
(f)
    The proposed rule would require covered entities to have a BCDR 
plan, defined as a written plan outlining the procedures to be followed 
in the event of an emergency or other significant disruption to the 
continuity of normal business operations and that meets certain 
requirements.\352\ This would be a new CFTC requirement for FCMs, but 
current Commission regulation 23.603 imposes a BCDR plan requirement on 
swap entities that is substantially similar to the proposed rule, as 
the proposed rule was modeled after the current BCDR requirement for 
swap entities with certain modifications.\353\ Additionally, although 
the CFTC does not currently impose a BCDR plan requirement on FCMs, NFA 
and CME do, which the Commission believes should help FCMs mitigate the 
costs of establishing a BCDR plan for purposes of complying with the 
proposed rule, particularly since some of the amendments to the current 
BCDR plan requirement for swap entities have the effect of further 
aligning the regulatory

[[Page 4745]]

text with NFA and CME BCDR plan requirements.\354\
---------------------------------------------------------------------------

    \352\ See paragraphs (a) (defining ``business continuity and 
disaster recovery plan'') and (b)(2) (components) of proposed 
Commission regulation 1.13 and 23.603.
    \353\ See 17 CFR 23.603.
    \354\ See NFA Rule 3-38, supra note 43; CME Rule 983, supra note 
185.
---------------------------------------------------------------------------

    The proposed rule would require covered entities' BCDR plans to be 
reasonably designed to enable the covered entities to continue or 
resume any activities as a covered entity with minimal disruption to 
counterparties, customers, and the markets, and to recover and make use 
of covered information, as well as any other data, information, or 
documentation required to be maintained by law and regulation.\355\ The 
proposed rule would further require the BCDR plans to include certain 
minimum contents, including: identifying and backing up required 
information; identifying and developing backups for required resources, 
including technology, facilities, and staff; identifying potential 
disruptions to critical third-party service providers; identifying 
implicated personnel; and establishing a communication plan.\356\
---------------------------------------------------------------------------

    \355\ See paragraph (f)(1) of proposed Commission regulation 
1.13 and 23.603.
    \356\ See paragraph (f)(2) of proposed Commission regulation 
1.13 and 23.603.
---------------------------------------------------------------------------

    To design a BCDR plan that meets that standard, covered entities 
would need to expend resources to establish and preserve backup 
resources (staffing, technology, inputs) for use in the event of the 
BCDR plan's activation, and to create backups of the information the 
BCDR plan would cover. Depending on the size and complexity of a 
particular covered entity's business, those costs could be sizeable, as 
they may require negotiating and entering into new contracts with 
backup resource providers, or other third-party service providers. 
Covered entities would also need to expend resources to establish a 
plan to minimize the impact of disruptions and establish a 
communication plan, which would include identifying implicated persons 
and bodies and establishing potential contacts, methods, modes, and 
priorities of communication. Finally, the resources to document all of 
this work in the plan would likely be more than simply ministerial 
effort, as staff would likely have to spend time working through 
various deliberative points, at least at the outset in first developing 
the BCDR plan. The costs of maintaining the plan would likely be 
reduced compared to the initial fixed costs, however, as the plan is 
put into action over time.
    Nevertheless, the Commission expects that most covered entities 
have already incurred at least some of these potential costs by virtue 
of either the existing CFTC BCDR plan requirements for swap entities, 
or the NFA and CME BCDR plan requirements applicable to FCMs. Notably, 
the ``essential elements'' of NFA's BCDR Notice align closely with the 
minimum requirements for the Commission's proposed BCDR plan 
requirement, requiring FCMs to establish backups in one or more 
reasonably separate geographic areas, to back up or copy essential 
documents and data and store them off-site, to consider the impact of 
interruptions by third parties and ways to minimize the impact, and to 
develop a communication plan.\357\ Accordingly, although the Commission expects 
FCMs would incur at least some costs reviewing their BCDR plans to 
ensure they meet the proposed CFTC requirements, the Commission 
preliminarily believes most FCMs would be able to avoid the more 
substantial initial costs of developing a BCDR plan from scratch.
---------------------------------------------------------------------------

    \357\ See NFA BCDR Notice, supra note 43.
---------------------------------------------------------------------------

    The Commission further believes that the expenditure of resources 
required to create the proposed plan would help give the derivatives 
markets and customers and/or counterparties confidence that covered 
entities' operations would be able to be quickly reestablished 
following an emergency or significant disruption, improving the overall 
resilience of the market and perhaps lowering customer/counterparty 
risk and its associated costs. Having a plan that centralizes key 
information related to an emergency--including identifying core 
information, personnel, systems, and resources needed to resume 
operations--should also help facilitate covered entities in achieving 
the recovery time objective of being back up and running with minimal 
disruption to counterparties, customers, and the derivatives markets, 
supporting market confidence and reducing overall systemic risk. 
Maintaining copies of the plan in accessible off-site locations should 
impose no more than ministerial costs and would help ensure that 
covered entities can access the plan in a crisis.
    The proposed rule would amend the current BCDR plan requirement for 
swap entities in a few ways, some of which the Commission expects would 
have cost-benefit implications.\358\ For instance, the proposed rule 
would require covered entities to ``recover and make use of all covered 
information, as well as any other data, information, or documentation 
required to be maintained by law and regulation,'' which expands the 
information BCDR plans would be required to cover beyond that required 
to be maintained by applicable law and regulation, and makes clear the 
information should not only be recovered but also accessible and still 
useable.\359\ Depending on current BCDR plan practices by swap 
entities, the proposal could potentially cause covered entities to 
expand the sources of information they need to backup and/or augment 
their backup systems to ensure the information stored there is useable. 
The proposed rule would also no longer require swap entities to ensure 
their BCDR plans are designed to enable swap entities to continue or 
resume operations ``by the next business day.'' \360\ Although the 
Commission does not believe that this change would have an impact on 
the actual recovery time of swap entities following an emergency or 
other significant disruption, given that both current Commission 
regulation 23.603 and the proposed rule require that the BCDR plan be 
designed to ensure recovery with minimal disruption to counterparties 
and the market, swap entities could need to dedicate at least some 
staff time to review their BCDR plans to ensure that they continue to 
meet the rule requirements.
---------------------------------------------------------------------------

    \358\ As with the other sections of this notice, portions of the 
BCDR plan requirement for swap entities in current Commission 
regulation 23.603 that have been expanded in the proposal to apply 
to the ORF more broadly, notably testing, are discussed in the 
context of the discussion of those specific requirements.
    \359\ See 17 CFR 23.603(a).
    \360\ Id.
---------------------------------------------------------------------------

j. Training and Distribution--Proposed Paragraph (g)
    The proposed rule would require covered entities to establish, 
implement, and maintain training with respect to the ORF, including 
general cybersecurity awareness training and role-specific training for 
personnel involved in the ORF.\361\ If the proposed rule is adopted, 
covered entities would need to expend resources to develop and/or 
evaluate and acquire externally sourced training. Those outlays would 
include the costs associated with establishing the training at the 
outset, as well as ongoing costs associated with updating and providing 
the training at least every year.\362\ There would also be 
administrative costs associated with distributing copies of the 
component programs or plan to relevant personnel and providing them 
with any significant revisions.\363\ Nevertheless, the 
Commission believes that establishing, implementing, and maintaining a 
training program is crucial to realizing the benefits of the proposed 
ORF. Not only would it help ensure that employees of covered entities 
are kept aware of good cyber hygiene practices, which should reduce the 
potential for covered information to be compromised and customers and 
counterparties to be negatively impacted, but training would also help 
ensure that the ORF practices covered entities establish are accurately 
implemented and maintained by the personnel tasked with 
operationalizing the ORF. Although allowing covered entities to provide 
training less frequently than annually would reduce compliance costs 
for covered entities, the Commission believes that annual training is 
needed to preserve its benefits given the rapidly evolving pace of 
technology and the potential for human error to result in actual harm 
to operations or even customers or counterparties.\364\
---------------------------------------------------------------------------

    \361\ See paragraph (g)(1) of proposed Commission regulations 
1.13 and 23.603.
    \362\ See paragraph (g)(2) of proposed Commission regulations 
1.13 and 23.603.
    \363\ See paragraph (g)(3) of proposed Commission regulations 
1.13 and 23.603.
    \364\ See supra note 18 and accompanying text.
---------------------------------------------------------------------------

k. Reviews and Testing--Proposed Paragraph (h)
    The proposed rule would require covered entities to establish, 
implement, and maintain a plan reasonably designed to assess adherence 
to, and the effectiveness of, their ORF through regular reviews and 
risk-based testing.\365\ At the outset, covered entities would need to 
dedicate staff resources to develop a review and testing plan for the 
ORF; ongoing staff resources would be needed to conduct reviews at 
least annually and risk-based testing at a frequency that is 
appropriate and proportionate to each covered entity's nature, size, 
scope, complexity, and risk profile, following generally accepted 
standards and best practices.\366\ Covered entities would further 
assume regular costs associated with documenting the reviews and 
testing (e.g., results of testing, assessment of effectiveness, 
recommendations for modifications/improvements/corrective actions) and 
reporting on them to the CCO and any other relevant senior-level 
official(s) and oversight body(ies).\367\ In general, the ongoing costs 
of the required testing and reviews are likely to vary by covered 
entity, with larger, more complicated covered entities likely expending 
significantly more resources to conduct testing consistent with the 
proposed (b)(3) standard.\368\
---------------------------------------------------------------------------

    \365\ See paragraph (h) of proposed Commission regulations 1.13 
and 23.603.
    \366\ See paragraph (b)(3) of proposed Commission regulations 
1.13 and 23.603.
    \367\ See paragraphs (h)(4) and (h)(5) of proposed Commission 
regulations 1.13 and 23.603.
    \368\ The Commission estimates, on average, that covered 
entities will incur an initial annual cost of $8,000 (80 hours x 
$100/hour) to establish a plan to assess adherence to, and the 
effectiveness of, its ORF, and to document all reviews and testing 
of the ORF, or an estimated aggregate dollar cost of $1,280,000 (160 
covered entities x $8,000).
---------------------------------------------------------------------------

    With respect to the reviews of the ORF, the proposed rule would 
require that they be conducted at least annually and in connection with 
any material change that is reasonably likely to affect the risks 
addressed by the ORF. The proposed rule would further require the 
reviews to include an analysis of adherence to, and the effectiveness 
of the ORF, as well as any recommendations for improvements.\369\ This 
standard is generally consistent with, and would replace, the current 
review standard in current Commission regulation 23.603 for swap entity 
BCDR plans, such that associated costs for reviewing the BCDR plan 
should not be affected by the proposal.\370\ NFA's ISSP Notice and BCDR 
Notice also require NFA members to review their ISSPs or BCDR plans on a 
regular or periodic basis.\371\ Accordingly, while covered entities may 
experience some staffing costs in assuring their reviews are at least 
annual, costs associated with establishing a review process more 
broadly should have already been realized by most covered entities.
---------------------------------------------------------------------------

    \369\ See paragraph (h)(1) of proposed Commission regulations 
1.13 and 23.603.
    \370\ See 17 CFR 23.603(f) (``A member of the senior management 
of each swap dealer and major swap participant shall review the 
business continuity and disaster recovery plan annually or upon any 
material change to the business. Any deficiencies found or 
corrective action taken shall be documented.'')
    \371\ See NFA BCDR Notice, supra note 43; NFA ISSP Notice, supra 
note 43.
---------------------------------------------------------------------------

    For testing, the proposed rule would generally require that its 
frequency, nature, and scope be determined consistent with the 
proposed (b)(3) standard.\372\ The Commission believes that such a 
risk-based standard would allow covered entities to tailor testing to 
their unique business and risk profile, focusing testing efforts on 
areas that would be the most impactful or revealing and avoiding 
unnecessary costs. Nevertheless, with respect to testing of the 
information and technology security program, the proposed rule would 
require covered entities to assume costs for some specific testing, 
including testing of key controls and the incident response plan, as 
well as daily or continuous vulnerability assessments and penetration 
testing at least annually.\373\ Although regular testing of key 
controls and the incident response plan is likely to require time and 
staff resources, the Commission believes that without testing, it would 
be impossible for covered entities to know whether the controls are 
functioning to mitigate risk as expected, and for the incident response 
plan to be actionable in times of emergency. Daily or continuous 
vulnerability assessments and penetration testing at least annually 
could require additional staff and technology outlays.\374\ The exact 
cost of testing as realized by each covered entity, however, is likely 
to vary depending on the scope and complexity of its operations, and 
the degree to which it has already incorporated vulnerability 
assessments and penetration testing as part of its ISSP.\375\
---------------------------------------------------------------------------

    \372\ See paragraph (h)(2) of proposed Commission regulations 
1.13 and 23.603.
    \373\ See paragraph (h)(2)(i) of proposed Commission regulations 
1.13 and 23.603.
    \374\ CISA makes available a free vulnerability scanner, see 
supra note 248.
    \375\ The NFA ISSP Notice provides that a member ``may include 
penetration testing of the firm's systems, the scope and timing of 
which is highly dependent upon the Member's size, business, 
technology, its electronic interconnectivity with other entities and 
the potential threats identified in its risk assessment.'' See NFA 
ISSP Notice, supra note 43.
---------------------------------------------------------------------------

    The Commission believes that vulnerability assessments and 
penetration testing are essential for covered entities to know what 
their vulnerabilities are and how they might be exploited, so they can 
take steps to mitigate associated risks, including by adapting internal 
controls, which are a key component of preserving operational 
resilience. Given the dynamic, ever-changing nature of technology and 
cybersecurity, the Commission believes that continual and active action 
and engagement are necessary to ensure controls are operating as 
intended, and for covered entities to have an accurate assessment of 
the risks to their covered information and technology. By not mandating 
specific types of penetration testing, however, the Commission believes 
the proposed rule is adapted to allow the wide range of covered 
entities subject to the proposed rule to adopt types of testing that 
are recommended for and best fit their unique circumstances, so as to 
achieve the highest level of improved cybersecurity without incurring 
unnecessary costs. The Commission further believes such testing is 
essential cyber hygiene and that its use among covered entities would help 
ensure a base level of monitoring in the derivatives markets that is 
readily accessible.
    With respect to testing of the BCDR plan, the proposed rule would 
require covered entities to dedicate time and staff resources to 
conduct a walk-through or tabletop exercise designed to test the 
effectiveness of backup facilities and capabilities at least annually, 
which could involve outreach to operators of backup facilities.\376\ 
Such a periodic effort would likely consume staff time and resources to 
put into place, including potentially in designing tabletop exercise 
scenarios. The Commission expects that this aspect of the proposed rule 
would not have any cost impact on swap entities, as current 23.603 
requires annual testing of their BCDR plan, and the Commission does not 
believe the clarification that the testing be a walk-through or 
tabletop exercise would have substantive effect.
---------------------------------------------------------------------------

    \376\ See paragraph (h)(2)(i) of proposed Commission regulations 
1.13 and 23.603.
---------------------------------------------------------------------------

    Because the proposed rule would require the reviews and testing to 
be conducted by qualified personnel who are independent of the aspect 
of the ORF being reviewed or tested, the Commission anticipates this 
work would either be conducted by internal compliance audit staff, 
external independent auditors, or other internal staff, provided they 
were not involved in creating the ORF component being tested.\377\ 
Accordingly, this independence requirement could require covered 
entities to reassign duties or secure additional staffing resources, 
either of which would impose some additional costs.
---------------------------------------------------------------------------

    \377\ See proposed paragraph (h)(3) of proposed Commission 
regulations 1.13 and 23.603.
---------------------------------------------------------------------------

    Nevertheless, the Commission believes that annual reviews and 
testing are essential to ensuring that the ORF is operating as 
intended, and thus to ensuring the intended and expected benefits of 
the ORF with respect to protecting customers and mitigating systemic 
risk are actually realized. Without proper review and testing, 
determining whether the intended benefits of the ORF are being achieved 
would not be possible. Although eliminating the independence 
requirement could alleviate some potential staffing burdens on covered 
entities, the Commission believes that independence in reviews and 
testing is critical to preserving their benefits by helping to ensure 
that the results are reliable and unbiased. The Commission further 
believes that by allowing covered entities to adjust the frequency, 
nature, and scope of their risk-based testing of the ORF in a manner 
that is appropriate and proportionate to the circumstances, following 
generally accepted standards and best practices, the proposed rule 
would ensure that costs of the rule would be as well tailored to the 
covered entity as possible to realize benefits at the least cost.
    With respect to the BCDR plan requirement for swap entities in 
particular, the Commission believes the proposed rule could reduce 
review and testing costs. First, it would eliminate costs associated 
with securing an independent auditor to audit the plan every three 
years.\378\ Although there may be some benefits to having an 
independent audit of a BCDR plan, including having an external party 
with fresh eyes identify issues and potential improvements that might 
not be readily apparent to internal staff, the Commission preliminarily 
believes, based on its experience, that the internal reviews and 
testing of the BCDR plan are sufficient to achieve iterative 
improvements to the BCDR plan, making the costs associated with the 
independent audit unnecessary. Second, the proposed rule would 
eliminate the separate requirement that a member of senior management 
for a swap entity review the BCDR plan annually or upon any material 
change to the business and to document any deficiencies found or 
corrective action taken.\379\ While the proposed rule would retain the 
annual review requirement for the BCDR plan, not requiring the review 
to be undertaken by a member of senior management may result in at 
least some burden reduction for senior management.
---------------------------------------------------------------------------

    \378\ See 17 CFR 23.603(g).
    \379\ See 17 CFR 23.603(f).
---------------------------------------------------------------------------

l. Notification Provisions--Proposed Paragraphs (i) and (j)
    The proposed rule would require covered entities to provide certain 
notifications to either the Commission or affected customers or 
counterparties.\380\ Notifications to the Commission, made 
electronically via email, would relate either to the covered entity's 
determination to activate the BCDR plan, or an ``incident,'' as defined 
in the proposed rule, that adversely impacts, or is reasonably likely 
to adversely impact, information and technology security, the covered 
entity's ability to operate, or the assets or positions of a customer 
or counterparty.\381\ In both cases, the notifications to the 
Commission would be intended to function as early warnings and thus 
would not need to be complete or detailed. Understanding that the 
information available to covered entities would be preliminary and 
incomplete at the time of the notification, the Commission would not 
expect covered entities to expend considerable resources to assemble 
notifications that are perfectly accurate and complete. Rather, the 
proposed rule would only require that the information provided to the 
Commission would be whatever the covered entity has available at the 
time that could assist the Commission in its oversight or response, 
with the understanding that resources should predominantly be directed 
at mitigating and recovering from the incident, emergency, or 
significant disruption.\382\ Prioritizing an early warning over 
complete information should not only reduce the costs for covered 
entities in delivering the notification, but also allow the Commission 
the best opportunity to take quick responsive action, if appropriate.
---------------------------------------------------------------------------

    \380\ See paragraphs (i) and (j) of proposed Commission 
regulations 1.13 and 23.603.
    \381\ See paragraph (i) of proposed Commission regulations 1.13 
and 23.603.
    \382\ See paragraphs (i)(1)(ii) and (i)(2)(ii) of proposed 
Commission regulations 1.13 and 23.603.
---------------------------------------------------------------------------

    Accordingly, while the Commission recognizes that there would be at 
least some information gathering and administrative costs associated 
with providing the notice, the Commission does not intend or expect the 
resource burden for providing the notification to be significant.\383\ 
This limited early-warning function for the notice requirement is 
further supported by the relatively brief 24-hour time period for 
providing the notices.\384\
---------------------------------------------------------------------------

    \383\ The Commission estimates that for each ``incident'' 
requiring notification, covered entities will incur a cost of $1,000 
(10 hours x $100/hour) to gather the information required and to 
provide notification to the Commission, or an estimated aggregate 
dollar cost of $160,000 (160 covered entities x $1,000).
    \384\ See paragraphs (i)(1)(iii) and (i)(2)(iii) of proposed 
Commission regulations 1.13 and 23.603.
---------------------------------------------------------------------------

    With respect to the BCDR plan in particular, the Commission does 
not believe covered entities would expend significant resources to 
notify the Commission, since the notification trigger (activation of 
the BCDR plan) is relatively bright-line. The Commission recognizes 
that with respect to the incident notification, however, covered 
entities may need to engage in some deliberation to determine whether 
an incident has or is reasonably likely to have an adverse impact, 
which would consume some staff resources. Preliminarily, the Commission 
estimates that covered entities activating their BCDR plan would incur 
a cost of $1,000 (10 hours x $100/hour) to notify the Commission, or an 
estimated aggregate dollar cost of $160,000 (160 covered entities x 
$1,000). The Commission believes, however, that these costs may go down 
over time, as covered entities 
gain familiarity in applying the notification provision. The Commission 
also preliminarily believes that an adverse impact standard would be 
potentially easier to apply than one that included a materiality 
limiter, which could introduce further need for interpretation and 
internal deliberation for covered entities to determine whether the 
impact is ``material'' or ``significant.'' Additionally, scoping 
notifications to incidents with a likely adverse impact and to BCDR 
activation would help focus the Commission's oversight activities and 
responsive efforts on cases where it could act to support the 
derivatives markets and customers and counterparties, potentially 
reducing the potential for ripple effects.
    In addition to notifications to the Commission, the proposed rule 
would require covered entities to notify affected customers or 
counterparties as soon as possible of any incident that is reasonably 
likely to have adversely affected the confidentiality or integrity of 
their covered information, assets, or positions.\385\ Because the rule 
does not contain a specific timing limit for providing this 
notification, the Commission does not expect that this notification 
requirement would cause covered entities to need to divert any 
resources while managing the incident to draft the notification. 
Rather, the Commission expects that most of the costs associated with 
this notification requirement would be in spending the necessary staff 
resources to gather and report facts as accurately as possible to aid 
affected customers and counterparties in understanding and assessing 
the potential impact of the incident on their information, assets, or 
positions and to take any necessary action.\386\ Covered entities may 
also need to dedicate staff resources to interacting with customers or 
counterparties after the notification is given to provide more 
information or answer questions. The Commission estimates that for each 
``incident'' requiring notification, covered entities will incur a cost 
of $5,000 (50 hours x $100/hour) to gather the required information 
necessary to provide notice to customers or counterparties and to 
prepare and deliver the required notification, or an estimated 
aggregate dollar cost of $800,000 (160 covered entities x $5,000). The 
Commission believes that this notification could produce substantial 
benefits to customers and counterparties, especially where state or 
other federal law does not otherwise require such notifications, as 
they would give customers and counterparties the information they would 
need to further protect their information and assets and allow them to 
seek other avenues of redress.
---------------------------------------------------------------------------

    \385\ See paragraph (j)(1) of proposed Commission regulations 
1.13 and 23.603.
    \386\ See paragraph (j)(2) of proposed Commission regulations 
1.13 and 23.603.
---------------------------------------------------------------------------

m. Emergency Contacts and Recordkeeping--Proposed Paragraphs (k) and 
(l)
    The proposed rule would require covered entities to provide the 
Commission with the name and contact information of employees in 
connection with incidents triggering notification to the Commission and 
in connection with the activation of the covered entity's BCDR 
plan.\387\ The identified employees would need to be authorized to make 
key decisions on behalf of the covered entity and have knowledge of the 
covered entity's incident response plan or BCDR plan, as 
appropriate.\388\ Covered entities would also need to update their 
contacts with the Commission, as necessary.\389\ The Commission 
believes that ensuring it has knowledgeable contacts with whom to 
direct communications during a crisis would aid the Commission's 
ability to take any necessary responsive action, and that the costs 
associated with identifying and updating the appropriate contacts would 
be ministerial in nature.\390\ With respect to BCDR plan emergency 
contacts for swap entities, the proposed rule is identical in substance 
to current Commission regulation 23.603, such that it should impose no 
additional costs on swap entities.\391\
---------------------------------------------------------------------------

    \387\ See paragraph (k)(1) of proposed Commission regulations 
1.13 and 23.603.
    \388\ See paragraph (k)(2) of proposed Commission regulations 
1.13 and 23.603.
    \389\ See paragraph (k)(3) of proposed Commission regulations 
1.13 and 23.603.
    \390\ The Commission estimates that covered entities will incur 
a cost of $100 (1 hour x $100/hour) to provide the Commission with 
emergency contact information, or an estimated aggregate dollar cost 
of $16,000 (160 covered entities x $100).
    \391\ See 17 CFR 23.603(3).
---------------------------------------------------------------------------

    The proposed rule would also further require covered entities to 
maintain all records required to be maintained pursuant to this section 
in accordance with Commission regulation 1.31, and make them available 
promptly upon request to representatives of the Commission and to 
representatives of applicable prudential regulators.\392\ Covered 
entities would incur costs associated with maintaining a recordkeeping 
system that allows for easy records retrieval, which would require both 
staff resources and likely reliance on electronic recordkeeping 
systems. The Commission believes these costs are likely mitigated for 
most covered entities, as they would be able to rely on existing 
recordkeeping systems designed to maintain other records in accordance 
with Commission regulation 1.31, and proper recordkeeping would help 
covered entities demonstrate compliance with the ORF rule, and ensure 
their ORFs are operating as expected as they conduct required reviews 
and testing.
---------------------------------------------------------------------------

    \392\ See paragraph (l) of proposed Commission regulations 1.13 
and 23.603.
---------------------------------------------------------------------------

2. Section 15(a) Factors
a. Protection of Market Participants and the Public
    The Commission believes the proposed rule would support protection 
of market participants and the public. The Commission preliminarily 
believes the proposed rule will help protect market participants and 
the public by increasing the operational resiliency of covered entities 
to disruptions caused by natural disasters, cyber-attacks, and failures 
at third-party service providers. As covered entities are responsible 
for safeguarding customers' accounts, executing trades, maintaining 
records, and reporting to relevant agencies, their operational 
resiliency will mitigate the negative impact on customers, clients, and 
counterparties in case of an incident. The proposed rule may also help 
reduce the likelihood of an incident due to proposed proactive measures 
such as penetration and vulnerability testing and cybersecurity 
training. For market participants and the public more generally, the 
benefits include enhanced market protection against the spread of 
contagion risk to the financial system from operational risks.
b. Efficiency, Competitiveness, and Financial Integrity of Markets
    The Commission believes the proposed rule would enhance the 
financial integrity of CFTC-regulated derivatives markets. SDs, MSPs, 
and FCMs are essential intermediaries in the financial markets 
regulated by the Commission. Due to the interconnectedness of markets, 
disruptions to the business operations of these intermediaries pose 
risks to other markets. The Commission believes that increasing and 
helping to ensure the operational resiliency of these covered entities 
would help improve the financial integrity of the derivatives markets. 
The proposed rule's requirement to report to the Commission incidents 
and BCDR plan 
activation would assist the Commission in effectuating a timely response to 
business disruptions, which will help mitigate the impact on other 
market participants and promote financial stability and confidence. 
Additionally, to the degree that the proposed rule aligns with other 
existing applicable requirements, including NFA rules and interpretive 
notices, and incorporates generally accepted standards and best 
practices currently broadly relied on by covered entities, the proposed 
rule would support regulatory convergence and the efficiencies that may 
generate.
c. Price Discovery
    The Commission does not anticipate the proposed rule directly 
impacting the price discovery process. Nevertheless, if a trading 
disruption would be prevented or shortened by this proposed rulemaking, 
then price discovery would be improved.
d. Sound Risk Management Practices
    The Commission believes the proposed rule would promote the 
development of sound risk management practices among covered entities. 
Programs, plans, policies, and procedures that adhere to current best 
practices are required for operational risks, which now explicitly 
include cybersecurity and third-party risks. These processes seek to 
help covered entities identify, protect against, detect, respond to, 
and recover from such risks. As such, the operational risk management 
processes of 
covered entities may be improved.
e. Other Public Interest Considerations
    The proposed rule relies on and incorporates aspects of existing 
standards and practices developed by other regulators and 
standard-setting bodies, including NFA rules and interpretive notices; 
prudential rules and guidance; and NIST, ISO, FFIEC and other sources 
of cyber and operational resilience standards. Accordingly, the 
proposed rule should support the development of further convergence in 
the area of operational resilience and allow covered entities to 
develop ORFs that are adaptive and responsive to rapidly changing 
circumstances and technology, which the Commission believes could lead 
to better protection of markets against the spread of contagion risks 
to the financial system from operational risks, in general.
3. Request for Comments
    As noted, the Commission invites public comment on all aspects of 
its cost-benefit consideration, including, but not limited to the 
baseline and the identification and measurement of costs and benefits 
relative to it; the identification, measurement, and assessment of any 
costs and benefits not discussed herein; whether the Commission has 
misidentified any costs or benefits; what, if any, alternatives would 
be more reasonable in terms of their costs and benefits; and the 
Section 15(a) factors described above. The Commission asks that 
commenters explain and support the reasons for positions asserted in 
their comment letters and, further, include in them any data or other 
information that they may have to assist the Commission's ability to 
better quantify the costs and benefits of the Proposal.
    1. Has the Commission misidentified any costs or benefits? If so, 
please explain.
    2. Please explain whether compliance costs would increase or 
decrease as a result of the proposed rule. Please provide all quantitative 
and qualitative costs, including, but not limited to personnel costs 
and technological costs.
    3. The Commission seeks additional information on the costs and 
benefits of the proposed rule's requirement for covered entities to 
have a governance regime for their ORF, including risk appetite and 
tolerance limits, consolidated programs or plans, and internal 
escalation policies. Specifically, to what extent do covered entities 
already have or plan to have relevant programs or plans, policies, and 
procedures compliant with those prescribed in the proposed rule? To 
what practical extent do NFA's requirements, prudential regulation 
and/or best practices currently duplicate or differ from the ORF governance 
regime, including risk appetite limits, consolidated programs or plans, 
and internal escalation policies, being proposed? Will covered entities 
experience additional or lowered costs to comply with the proposed 
rule, and if so, to what degree?
    4. The Commission seeks additional information regarding the costs 
and benefits of establishing an information and technology security 
program. Specifically, to what extent are covered entities already 
conducting comprehensive risk assessments that follow standards 
described in the proposed rule? Are these assessments being conducted 
on at least an annual basis? Do existing effective controls likewise 
meet the standards in the proposed rule? Will covered entities 
experience additional or lowered costs relative to current practice to 
establish, document, and maintain an incident response plan as called 
for in the proposed rule, and if so, to what degree?
    5. The Commission seeks additional information regarding the costs 
and benefits of establishing a business continuity and disaster 
recovery plan. In particular, is the Commission's proposed rule 
different from current practice, and, if so, how? Would covered 
entities experience additional or lowered costs to comply with the 
proposed rule, and, if so, to what degree?
    6. The Commission seeks additional information regarding the costs 
and benefits of the proposed rule's required notice of ORF events to 
the Commission. Will covered entities experience additional or lowered 
costs to comply with the proposed rule, and, if so, to what degree? 
Will compliance with the 24-hour cap for as-soon-as-possible 
notification entail additional costs relative to some shorter or longer 
cap and, if so, why and to what degree?
    7. The Commission seeks additional information on the costs and 
benefits of the proposed rule's requirement that covered entities 
provide notification to customers and counterparties following an 
incident. In particular, is the Commission's proposed rule different 
from current practice, and, if so, how? Would covered entities 
experience additional or lowered costs to comply with the proposed 
rule, and, if so, to what degree?
    8. The Commission seeks additional information regarding the costs 
and benefits of ORF review and testing. In particular, to what extent, 
if any, does the proposed rule differ from existing procedures? How do 
covered entities determine the amount of review and testing that is 
appropriate? Do all covered entities currently undertake penetration 
and vulnerability testing, and at what frequency? Would covered 
entities experience additional or lowered costs to comply with the 
proposed rule, and, if so, to what degree?
    9. The Commission seeks additional information regarding the costs 
and benefits of the cross-border application of the proposed rule. 
Would added specificity in the proposed regulations improve the cost-
benefit calculus for those covered entities affected by their cross-
border application? If so, in what areas would more specificity be 
helpful, and how would costs and benefits be affected?

D. Antitrust Laws

    Section 15(b) of the CEA requires the Commission to ``take into 
consideration the public interest to be protected by the antitrust laws 
and endeavor to take the least anticompetitive means of achieving the 
purposes of the CEA, in

[[Page 4750]]

issuing any order or adopting any Commission rule or regulation 
(including any exemption under CEA section 4(c) or 4c(b)), or in 
requiring or approving any bylaw, rule, or regulation of a contract 
market or registered futures association established pursuant to 
section 17 of this Act.'' \393\
---------------------------------------------------------------------------

    \393\ 7 U.S.C. 19(b).
---------------------------------------------------------------------------

    The Commission preliminarily believes that the public interest to 
be protected by the antitrust laws is generally to protect competition. 
The Commission invites comment on whether the proposed rule implicates 
any other specific public interest to be protected by the antitrust 
laws.
    The Commission has also assessed the proposal for potential 
anticompetitive effects. To the extent that there are substantial fixed 
costs associated with improved operational risk management, there may 
be competitive implications, though likely anticompetitive impacts have 
not been identified. Smaller firms may bear a disproportionate cost 
relative to larger firms in total asset size due to this proposed rule. 
Nevertheless, smaller firms may be able to realize economies of scope 
and scale through outsourcing to third-parties, albeit at the cost of 
raising their third-party risk exposure. In addition, the proposed rule 
allows smaller firms to choose programs or plans, policies, and 
procedures that are appropriate to their businesses, further mitigating 
competitive concerns.
    The Commission invites comment on its CEA section 15(b) assessment, 
including what other means, if any, would be more procompetitive than 
what the Commission now proposes and why.

List of Subjects

17 CFR Part 1

    Brokers, Commodity futures, Consumer protection, Reporting and 
recordkeeping requirements.

17 CFR Part 23

    Banks, Banking, Commodity futures, Reporting and recordkeeping 
requirements, Swaps.

    For the reasons stated in the preamble, the Commodity Futures 
Trading Commission proposes to amend 17 CFR parts 1 and 23 as set forth 
below:

PART 1--GENERAL REGULATIONS UNDER THE COMMODITY EXCHANGE ACT

1. The authority citation for part 1 continues to read as follows:

    Authority: 7 U.S.C. 1a, 2, 5, 6, 6a, 6b, 6c, 6d, 6e, 6f, 6g, 6h, 
6i, 6k, 6l, 6m, 6n, 6o, 6p, 6r, 6s, 7, 7a-1, 7a-2, 7b, 7b-3, 8, 9, 
10a, 12, 12a, 12c, 13a, 13a-1, 16, 16a, 19, 21, 23, and 24 (2012).

2. Add Sec.  1.13 to read as follows:


Sec.  1.13  Operational Resilience Framework for Futures Commission 
Merchants

    (a) Definitions. For purposes of this section:
    Affiliate means, with respect to any person, a person controlling, 
controlled by, or under common control with, such person.
    Business continuity and disaster recovery plan means a written plan 
outlining the procedures to be followed in the event of an emergency or 
other significant disruption to the continuity of normal business 
operations and that meets the requirements of paragraph (f) of this 
section.
    Consolidated program or plan means any information and technology 
security program, third-party relationship program, or business 
continuity and disaster recovery plan in which the futures commission 
merchant participates with one or more affiliates and that is managed 
and approved at the enterprise level.
    Covered information means any sensitive or confidential data or 
information maintained by a futures commission merchant in connection 
with its business activities as a futures commission merchant.
    Covered technology means any application, device, information 
technology asset, network service, system, and other information-
handling component, including the operating environment, that is used 
by a futures commission merchant to conduct its business activities, or 
to meet its regulatory obligations, as a futures commission merchant.
    Critical third-party service provider means a third-party service 
provider, the disruption of whose performance would be reasonably 
likely to:
    (i) Significantly disrupt a futures commission merchant's business 
operations as a futures commission merchant; or
    (ii) Significantly and adversely impact the futures commission 
merchant's customers.
    Information and technology security means the preservation of:
    (i) The confidentiality, integrity, and availability of covered 
information; and
    (ii) The reliability, security, capacity, and resilience of covered 
technology.
    Incident means any event, occurrence, or circumstance that could 
jeopardize information and technology security, including if it occurs 
at a third-party service provider.
    Information and technology security program means a written program 
reasonably designed to identify, monitor, manage, and assess risks 
relating to information and technology security and that meets the 
requirements of paragraph (d) of this section.
    Key controls mean controls that an appropriate risk analysis 
determines are either critically important for effective information 
and technology security or intended to address risks that evolve or 
change more frequently and therefore require more frequent review to 
ensure their continuing effectiveness in addressing such risks.
    Oversight body means any board, body, or committee of a board or 
body of the futures commission merchant specifically granted the 
authority and responsibility for making strategic decisions, setting 
objectives and overall direction, implementing policies and procedures, 
or overseeing the implementation of operations for the futures 
commission merchant.
    Risk appetite means the aggregate amount of risk a futures 
commission merchant is willing to assume to achieve its strategic 
objectives.
    Risk tolerance limit means the amount of risk, beyond its risk 
appetite, that a futures commission merchant is prepared to tolerate 
through mitigating actions.
    Senior officer means the chief executive officer or other 
equivalent officer of the futures commission merchant.
    Third-party relationship program means a written program reasonably 
designed to identify, monitor, manage, and assess risks relating to 
third-party relationships and that meets the requirements of paragraph 
(e) of this section.
    (b) Generally. (1) Purpose and scope. Each futures commission 
merchant shall establish, document, implement, and maintain an 
Operational Resilience Framework reasonably designed to identify, 
monitor, manage, and assess risks relating to:
    (i) information and technology security;
    (ii) third-party relationships; and
    (iii) emergencies or other significant disruptions to the 
continuity of normal business operations as a futures commission 
merchant.
    (2) Components. The Operational Resilience Framework shall include 
an information and technology security program, a third-party 
relationship program, and a business continuity and disaster recovery 
plan. Each component program or plan shall be supported by written 
policies and procedures.
    (3) Standard. The Operational Resilience Framework shall be

[[Page 4751]]

appropriate and proportionate to the nature, size, scope, complexity, 
and risk profile of its business activities as a futures commission 
merchant, following generally accepted standards and best practices.
    (c) Governance. (1) Approval of components. Each component program 
or plan required by paragraph (b)(2) of this section shall be approved 
in writing, on at least an annual basis, by either the senior officer, 
an oversight body, or a senior-level official of the futures commission 
merchant.
    (2) Risk appetite and risk tolerance limits. (i) Each futures 
commission merchant shall establish and implement appropriate risk 
appetite and risk tolerance limits with respect to the risk areas 
identified in paragraph (b)(1) of this section.
    (ii) The risk appetite and risk tolerance limits established 
pursuant to paragraph (c)(2)(i) of this section shall be reviewed and 
approved in writing on at least an annual basis by either the senior 
officer, an oversight body, or a senior-level official of the futures 
commission merchant.
    (3) Internal escalations. The senior officer, an oversight body, or 
a senior-level official of the futures commission merchant shall be 
notified of:
    (i) circumstances that exceed risk tolerance limits established and 
approved pursuant to paragraph (c)(2)(i) of this section; and
    (ii) incidents that require notification pursuant to paragraphs (i) 
or (j) of this section.
    (4) Futures commission merchants forming part of a larger 
enterprise. (i) Generally. A futures commission merchant may satisfy 
the requirements of paragraph (b)(2) of this section through its 
participation in a consolidated program or plan, provided that each 
consolidated program or plan meets the requirements of this section.
    (ii) Attestation. A futures commission merchant that relies on a 
consolidated program or plan pursuant to paragraph (c)(4)(i) of this 
section may satisfy the requirements in paragraphs (c)(1) and 
(c)(2)(ii) of this section provided that either the senior officer, an 
oversight body, or a senior-level official of the futures commission 
merchant attests in writing, on at least an annual basis, that the 
consolidated program or plan meets the requirements of this section and 
reflects a risk appetite and risk tolerance limits appropriate to the 
futures commission merchant.
    (d) Information and technology security program. (1) Risk 
assessment.
    (i) The information and technology security program shall require 
the futures commission merchant to conduct and document the results of 
a comprehensive risk assessment reasonably designed to identify, 
assess, and prioritize risks to information and technology security.
    (ii) Such risk assessment shall be conducted at a frequency 
consistent with the standard set forth in paragraph (b)(3) of this 
section, but at least annually, and be conducted by personnel not 
responsible for the development or implementation of covered technology 
or related controls.
    (iii) The results of the risk assessment shall be provided to the 
oversight body, senior officer, or other senior-level official who 
approves the information and technology security program upon the risk 
assessment's completion.
    (2) Effective controls. The information and technology security 
program shall require the futures commission merchant to establish, 
document, implement, and maintain controls reasonably designed to 
prevent, detect, and mitigate identified risks to information and 
technology security. Each futures commission merchant shall consider, 
at a minimum, the following types of controls and adopt those 
consistent with the standard set forth in paragraph (b)(3) of this 
section:
    (i) Access controls on covered technology, including controls to 
authenticate and permit access only by authorized individuals and 
controls preventing misappropriation or misuse of covered information 
by employees;
    (ii) Access restrictions designed to permit only authorized 
individuals to access physical locations containing covered 
information, including, but not limited to, buildings, computer 
facilities, and records storage facilities;
    (iii) Encryption of electronic covered information, including while 
in transit or in storage on networks or systems, to which unauthorized 
individuals may have access;
    (iv) Dual control procedures, segregation of duties, and background 
checks for employees or third-party service providers with 
responsibilities for or access to covered information;
    (v) Change management practices, including defined roles and 
responsibilities, logging, and monitoring practices;
    (vi) Systems development and configuration management practices, 
including practices for initializing, changing, testing, and monitoring 
configurations;
    (vii) Flaw remediation, including vulnerability patching practices;
    (viii) Measures to protect against destruction, loss, or damage of 
covered information due to potential environmental hazards, such as 
fire and water damage or technological failures;
    (ix) Monitoring systems and procedures to detect actual and 
attempted attacks on or intrusions into covered technology;
    (x) Response programs that specify actions to be taken when the 
futures commission merchant suspects or detects that unauthorized 
individuals have gained access to covered technology, including 
appropriate reports to regulatory and law enforcement agencies; and
    (xi) Measures to promptly recover and secure any compromised 
covered information.
    (3) Incident response plan. The information and technology security 
program shall include a written incident response plan that is 
reasonably designed to detect, assess, contain, mitigate the impact of, 
and recover from an incident. This incident response plan shall 
include, at a minimum:
    (i) The roles and responsibilities of the futures commission 
merchant's management, staff, and third-party service providers in 
responding to incidents;
    (ii) Escalation protocols, including a requirement to timely inform 
the oversight body, senior officer, or other senior-level official that 
has primary responsibility for overseeing the information and 
technology security program; the chief compliance officer of the 
futures commission merchant; and any other relevant personnel of 
incidents that may significantly impact the futures commission 
merchant's regulatory obligations or require notification to the 
Commission;
    (iii) The points of contact for external coordination of incident 
responses as determined necessary by the futures commission merchant 
based on the severity of incidents;
    (iv) The required reporting of incidents, whether by internal 
policy, contract, or law, including as required in this section;
    (v) Procedures for documenting incidents and management's response; 
and
    (vi) The remediation of weaknesses in information and technology 
security, controls, and training, if any.
    (e) Third-party relationship program. (1) Third-party relationship 
lifecycle stages. The third-party relationship program shall describe 
how the futures commission merchant addresses the risks attendant to 
each stage of the third-party relationship lifecycle, including:
    (i) Pre-selection risk assessment;
    (ii) Due diligence of prospective third-party service providers;
    (iii) Contractual negotiations;

[[Page 4752]]

    (iv) Ongoing monitoring; and
    (v) Termination, including preparations for planned and unplanned 
terminations.
    (2) Heightened duties for critical third-party service providers. 
The third-party relationship program shall establish heightened due 
diligence practices for potential critical third-party service 
providers and heightened monitoring for critical third-party service 
providers.
    (3) Third-party service provider inventory. As part of its third-
party relationship program, each futures commission merchant shall 
create, maintain, and regularly update an inventory of third-party 
service providers the futures commission merchant has engaged to 
support its activities as a futures commission merchant, identifying 
whether each third-party service provider in the inventory is a 
critical third-party service provider.
    (4) Retention of responsibility. Notwithstanding a futures 
commission merchant's determination to rely on a third-party service 
provider, each futures commission merchant remains responsible for 
meeting its obligations under the Act and Commission regulations.
    (5) Guidance on third-party relationship program. For guidance 
outlining potential risks, considerations, and strategies for 
developing a third-party relationship program consistent with paragraph 
(e), see Appendix A to this part.
    (f) Business continuity and disaster recovery plan. (1) Purpose. 
The business continuity and disaster recovery plan shall be reasonably 
designed to enable the futures commission merchant to:
    (i) Continue or resume normal business operations with minimal 
disruption to customers and the markets; and
    (ii) Recover and make use of covered information, as well as any 
other data, information, or documentation required to be maintained by 
law and regulation.
    (2) Minimum contents. The business continuity and disaster recovery 
plan shall, at a minimum:
    (i) Identify covered information, as well as any other data or 
information required to be maintained by law and regulation, and 
establish and implement procedures to backup or copy all such data and 
information with sufficient frequency to meet the requirements of this 
section, and to store such data and information off-site in either 
hard-copy or electronic format;
    (ii) Identify any resources, including covered technology, 
facilities, infrastructure, personnel, and competencies, essential to 
the operations of the futures commission merchant or to fulfill the 
regulatory obligations of the futures commission merchant, and 
establish and maintain procedures and arrangements to provide for their 
backup in a manner that is sufficient to meet the requirements of this 
section. Such arrangements must provide for backups that are located in 
one or more areas that are geographically separate from the futures 
commission merchant's primary systems, facilities, infrastructure, and 
personnel, and may include the use of resources provided by third-party 
service providers;
    (iii) Identify potential disruptions to critical third-party 
service providers and establish a plan to minimize the impact of such 
disruptions;
    (iv) Identify supervisory personnel responsible for implementing 
each aspect of the business continuity and disaster recovery plan, 
including the emergency contacts required to be provided pursuant to 
paragraph (k) of this section; and
    (v) Establish a plan for communicating with the following persons 
in the event of an emergency or other significant disruption, to the 
extent applicable: employees; customers; swap data repositories; 
execution facilities; trading facilities; clearing facilities; 
regulatory authorities; data, communications and infrastructure 
providers and other vendors; disaster recovery specialists; and other 
persons essential to the recovery of documentation and data, the 
resumption of operations, and compliance with the Act and Commission 
regulations.
    (3) Accessibility. Each futures commission merchant shall maintain 
copies of its business continuity and disaster recovery plan at one or 
more accessible off-site locations.
    (g) Training and distribution. (1) Training. Each futures 
commission merchant shall establish, implement, and maintain training 
with respect to all aspects of the Operational Resilience Framework, 
including, but not limited to:
    (i) Cybersecurity awareness training for all personnel; and
    (ii) Role-specific training for personnel involved in establishing, 
documenting, implementing, and maintaining the Operational Resilience 
Framework.
    (2) Frequency. Each futures commission merchant shall provide and 
update the training required in paragraph (g)(1) as necessary, but no 
less frequently than annually.
    (3) Distribution. Each futures commission merchant shall distribute 
copies of each component program or plan required by paragraph (b)(2) 
of this section to relevant personnel and promptly provide any 
significant revisions thereto.
    (h) Reviews and Testing. Each futures commission merchant shall 
establish, implement, and maintain a plan reasonably designed to assess 
its adherence to, and the effectiveness of, its Operational Resilience 
Framework through regular reviews and risk-based testing.
    (1) Reviews. Reviews of the Operational Resilience Framework shall 
be conducted at least annually and in connection with any material 
change to the activities or operations of the futures commission 
merchant that is reasonably likely to affect the risks identified in 
paragraph (b)(1) of this section. Reviews shall include an analysis of 
adherence to, and the effectiveness of, the Operational Resilience 
Framework and any recommendations for modifications or improvements 
that address root causes of any issues identified by the review.
    (2) Testing. The frequency, nature, and scope of risk-based testing 
of the Operational Resilience Framework shall be determined by the 
futures commission merchant, consistent with the standard in paragraph 
(b)(3) of this section.
    (i) Testing of the information and technology security program 
shall include, at a minimum:
    (A) Testing of key controls and the incident response plan at least 
annually;
    (B) Vulnerability assessments, including daily or continuous 
automated vulnerability scans; and
    (C) Penetration testing at least annually.
    (ii) Testing of the business continuity and disaster recovery plan 
shall include, at a minimum, a walk-through or tabletop exercise 
designed to test the effectiveness of backup facilities and 
capabilities at least annually.
    (3) Independence. The reviews and testing shall be conducted by 
qualified personnel who are independent of the aspect of the 
Operational Resilience Framework being reviewed or tested.
    (4) Documentation. Each futures commission merchant shall document 
all reviews and testing of the Operational Resilience Framework. The 
documentation shall, at a minimum, include:
    (i) The date the review or testing was conducted;
    (ii) The nature and scope of the review or testing, including 
methodologies employed;

[[Page 4753]]

    (iii) The results of the review or testing, including any 
assessment of effectiveness;
    (iv) Any identified deficiencies and recommendations for 
remediation; and
    (v) Any corrective action(s) taken or initiated, including the 
date(s) such action(s) were taken.
    (5) Internal reporting. Each futures commission merchant shall 
report on the results of its reviews and testing to the futures 
commission merchant's chief compliance officer and any other relevant 
senior-level official(s) and oversight body(ies).
    (i) Notifications to the Commission. (1) Incidents. (i) 
Notification trigger. Each futures commission merchant shall notify the 
Commission of any incident that adversely impacts, or is reasonably 
likely to adversely impact:
    (A) information and technology security;
    (B) the ability of the futures commission merchant to continue its 
business activities as a futures commission merchant; or
    (C) the assets or positions of a customer of the futures commission 
merchant.
    (ii) Contents. The notification shall provide any information 
available to the futures commission merchant at the time of 
notification that may assist the Commission in assessing and responding 
to the incident, including the date the incident was detected, possible 
cause(s) of the incident, its apparent or likely impacts, and any 
actions the futures commission merchant has taken or is taking to 
mitigate or recover from the incident, including measures to protect 
customers.
    (iii) Timing and method. Each futures commission merchant shall 
provide the incident notification as soon as possible but in any event 
no later than 24 hours after such incident has been detected. The 
notification shall be provided via email to [email protected].
    (2) Business continuity and disaster recovery plan activation. (i) 
Notification trigger. Each futures commission merchant shall notify the 
Commission of any determination to activate the business continuity and 
disaster recovery plan.
    (ii) Contents. The notification shall provide any information 
available to the futures commission merchant at the time of 
notification that may assist the Commission in assessing or responding 
to the emergency or disruption, including the date of the emergency or 
disruption, a description thereof, the possible cause(s), its apparent 
or likely impacts, and any actions the futures commission merchant has 
taken or is taking to mitigate or recover from the emergency or 
disruption, including measures taken or being taken to protect 
customers.
    (iii) Timing and method. Each futures commission merchant shall 
provide the business continuity and disaster recovery plan activation 
notification within 24 hours of determining to activate the business 
continuity and disaster recovery plan. The notification shall be 
provided via email to [email protected].
    (j) Notification of incidents to affected customers. (1) 
Notification trigger. Each futures commission merchant shall notify a 
customer as soon as possible of any incident that is reasonably likely 
to have adversely affected the confidentiality or integrity of the 
customer's covered information, assets, or positions.
    (2) Contents. The notification to affected customers shall include 
information necessary for the affected customer to understand and 
assess the potential impact of the incident on its information, assets, 
or positions, and to take any necessary action. Such notification shall 
include, at a minimum:
    (i) a description of the incident;
    (ii) the particular way in which the customer, or its covered 
information, may have been adversely impacted;
    (iii) measures being taken by the futures commission merchant to 
protect against further harm; and
    (iv) contact information for the futures commission merchant where 
the customer may learn more about the incident or ask questions.
    (k) Emergency Contacts. (1) Each futures commission merchant shall 
provide the Commission the name and contact information of:
    (i) two employees whom the Commission may contact in connection 
with incidents triggering notification to the Commission under 
paragraph (i)(1) of this section; and
    (ii) two employees whom the Commission may contact in connection 
with the activation of the futures commission merchant's business 
continuity and disaster recovery plan triggering notification to the 
Commission under paragraph (i)(2) of this section.
    (2) The identified employees shall be authorized to make key 
decisions on behalf of the futures commission merchant and have 
knowledge of the futures commission merchant's incident response plan 
or business continuity and disaster recovery plan, as appropriate.
    (3) The futures commission merchant shall update its emergency 
contacts with the Commission as necessary.
    (l) Recordkeeping. Each futures commission merchant shall maintain 
all records required to be maintained pursuant to this section in 
accordance with section 1.31 of this chapter and shall make them 
available promptly upon request to representatives of the Commission 
and to representatives of applicable prudential regulators, as defined 
in section 1a(39) of the Act.
3. Add appendix A to part 1 to read as follows:

Appendix A to Part 1--Guidance on Third-Party Relationship Programs

    The following guidance offers factors, actions, and strategies 
for futures commission merchants to consider in preparing and 
implementing third-party relationship programs reasonably designed 
to identify, monitor, manage, and assess risks relating to third-
party relationships, as required by Commission regulation 1.13. The 
guidance is also not intended to reduce or replace the obligation of 
futures commission merchants to comply with the requirements in 
Commission regulation 1.13, including the requirement to ensure that 
each futures commission merchant's Operational Resilience Framework 
is appropriate and proportionate to the nature, size, scope, 
complexity, and risk profile of its business activities as a futures 
commission merchant, following generally accepted standards and best 
practices. The guidance is not exhaustive and is nonbinding.
    The guidance is written to be broadly relevant to all futures 
commission merchants, but it may not be universally applicable. The 
degree to which the guidance would be applicable to a particular 
futures commission merchant would depend on its unique facts and 
circumstances and may vary from relationship to relationship. Each 
futures commission merchant should assess the relevance of the 
guidance as it applies to its particular risk profile and tailor its 
third-party relationship program accordingly.
    Comparable guidance for swap dealers and major swap participants 
is included in Appendix A to subpart J of part 23 of the 
Commission's regulations.

A. Pre-Selection Risk Assessment--Commission Regulation 1.13(e)(1)(i)

    Before entering into a third-party relationship, futures 
commission merchants should determine which services should be 
performed by a third-party and plan for how to manage associated 
risks. The Commission appreciates that reliance on third-party 
service providers may be unavoidable, particularly given the rapid 
pace of technological innovation, which may render it uneconomical 
or even infeasible for financial institutions to meet all of their 
technological needs in-house.
    Nevertheless, given the risks associated with relying on third-
party service providers, and that each additional third-party 
relationship a futures commission merchant employs is likely to add 
further risk and complexity, a futures 
commission merchant's third-party relationship program should 
include a deliberative process for affirmatively determining whether 
to source a particular service from a third-party service provider. 
In determining whether a particular function should be performed by 
a third-party service provider, futures commission merchants should 
consider whether:
    • The service would support the futures commission 
merchant's strategic goals and objectives.
    • The same goals and objectives could be addressed 
through an alternative means that may not require reliance on a 
third-party service provider.
    • The futures commission merchant has or could otherwise 
secure the resources, financial and otherwise, to effectively 
monitor the third-party service provider.
    • Relevant and reputable third-party service providers 
are available.
    • The provision of the service would implicate 
information and technology security concerns, including by requiring 
the third-party service provider to obtain access to covered 
information or provide covered technology.
    • A disruption of the service would have a negative 
impact on customers or regulatory compliance.
    • The relationship could be structured to reduce 
associated risks, such as by limiting the third-party service 
provider's access to covered information or covered technology.
    • Lack of direct control over performance of the service 
would present unacceptable risk, i.e., risk outside the futures 
commission merchant's risk tolerance limits.
    As the above considerations illustrate, futures commission 
merchants should consider ways in which they might structure their 
third-party relationships to reduce the associated risks. For 
example, where giving a third-party service provider direct access 
to its technology or data may be outside a futures commission 
merchant's risk tolerance, structuring the relationship to provide 
the third-party service provider access on a read-only basis or via 
reports delivered by the futures commission merchants could render 
the relationship more acceptable. Futures commission merchants 
should therefore consider the availability of safer means of 
performing the service as part of their assessment.
    Changes in technology, business practices, regulation, market 
structure, market participants (e.g., new entrants to the market), 
or service delivery may change the risk profile of the third-party 
relationship over time. Accordingly, futures commission merchants 
should consider periodically reassessing their selection of services 
to be performed by third-party service providers. Futures commission 
merchants should stay abreast of these changes by monitoring the 
external environment and communicating with current and prospective 
service providers and other participants in industry.

B. Due Diligence in Selecting Third-Party Service Providers--Commission 
Regulation 1.13(e)(1)(ii)

    After a futures commission merchant has determined that a 
service is suitable for a third party to perform, it should conduct 
due diligence on prospective third-party service providers. Due 
diligence provides futures commission merchants with the information 
they need to assess and conclude, with a reasonable level of 
assurance, that the prospective third-party service provider is 
capable of effectively providing the service as expected, adhering 
to the futures commission merchant's policies, maintaining the 
futures commission merchant's compliance with Commission 
regulations, and protecting covered information. Appropriate due 
diligence should also enable futures commission merchants to 
evaluate whether they would be able to effectively monitor and 
manage the risks associated with a particular third-party 
relationship.
    Due diligence may be conducted before or contemporaneously with 
contractual negotiations with prospective third-party service 
providers but should be concluded prior to executing any agreements. 
Futures commission merchants should conduct due diligence even in 
situations where, for a particular service, there may only be one or 
a small number of providers with a dominant market share whose 
services are used by all or most of the futures commission 
merchants' industry peers, and futures commission merchants should 
not rely solely on those providers' reputations or prior experience 
with them. The depth and rigor of the due diligence should be 
proportionate to the nature of the third-party relationship, with 
the required heightened due diligence for potential critical third-
party service providers pursuant to Commission regulation 
1.13(e)(2). Specifically, when conducting due diligence for a 
potential critical third-party service provider, futures commission 
merchants should expand the type and sources of information they 
rely on, the rigor and scrutiny they apply in reviewing the 
information to identify potential risks, and the level of confidence 
in their assessment of the third-party service provider's ability to 
perform.
    When establishing their due diligence protocols, futures 
commission merchants should consider the full range of risks that 
reliance on the third-party service providers could introduce in 
light of the nature of the service they would be performing. 
Relevant considerations with respect to the potential third-party 
service provider include its:
    • Financial condition, business experience and 
reputation, and business prospects, particularly the third-party 
service provider's experience providing services to financial 
institutions.
    • Background, experience, and qualifications with respect 
to key personnel.
    • Information and technology security practices, 
including incident reporting and incident management programs, and 
whether there are clearly documented processes for identifying and 
escalating incidents.
    • Risk management practices, including governance, 
controls, testing, and issue management practices, as well as the 
results of any independent risk assessments.
    • Regulatory environment, including the legal 
jurisdiction in which it is based and applicable regulatory or 
licensing requirements.
    • History of disruptions to operations, including whether 
the third-party service provider has suffered incidents that would 
meet the standard for reporting to the Commission in Commission 
regulation 1.13(i).
    • Violations of legal, compliance, or contractual 
obligations, including civil or criminal proceedings or 
administrative enforcement actions, including from self-regulatory 
organizations.
    • Understanding of Commission regulatory requirements 
applicable to the futures commission merchant.
    • Use of and reliance on subcontractors, including the 
volume and types of subcontracted activities, and the third-party 
service provider's process for identifying, assessing, managing, and 
monitoring associated risks.
    • Business continuity and contingency plans.
    • Financial protections, such as insurance coverage 
against losses or liabilities from intentional or negligent acts or 
hazards involving physical destruction and data or documentation 
losses.
    Futures commission merchants should memorialize their assessment 
of these factors and identify how the review was heightened for 
critical third-party service providers. Futures commission merchants 
should not rely solely on their prior knowledge of or experience 
with a potential third party. Potential sources of due diligence 
information include:
    • Audit reports, including pooled audit plans and System 
and Organizational Controls (SOC) reports.
    • Financial statements and projections and relevant 
accompanying information (e.g., annual or quarterly reports, 
management commentary, auditors' opinions, and investor relations 
materials).
    • Incident response plans, including the results of 
recent testing or assessments thereof.
    • Business continuity and disaster recovery plans, as 
well as the result of recent testing or assessments thereof.
    • Public filings.
    • News reports, trade publications, and press releases.
    • Reports from market intelligence providers.
    • References from current or previous customers, or other 
parties which have had business relationships with the third-party 
service provider.
    • Informal industry discussions.
    • Information provided directly by the third-party 
service provider, such as internal performance metrics.
    Obtaining and reviewing audit reports, including SOC reports, 
may be of particular value for conducting heightened due diligence 
of critical third-party service providers. In certain circumstances, 
futures commission merchants may not be able to gather all the 
information necessary to reach an informed conclusion that a 
prospective third-party service provider is an adequate provider. 
Examples include instances where the third-party service provider is 
a new entrant into the market and little information exists; where 
information provided by the third-party service provider is 
insufficient or appears unreliable; 
or where the third-party service provider is reluctant to provide 
internal information. In such cases, the futures commission merchant 
should identify and document the limitations of its due diligence, 
the attendant risks, and any available methods for mitigating them 
(e.g., obtaining alternate information, implementing enhanced 
monitoring or controls, negotiating protective contractual 
provisions). Ultimately, such factors could weigh against the use of 
the potential third-party service provider, particularly a potential 
critical third-party service provider. Futures commission merchants 
that proceed with the third-party service arrangements 
notwithstanding the limited due diligence should do so with caution, 
applying heightened scrutiny of the information they do receive, and 
consider the implementation of their own mitigating controls to 
compensate for the uncertainty.

C. Contractual Negotiations--Commission Regulation 1.13(e)(1)(iii)

    After selecting a third-party service provider, futures 
commission merchants should proceed to finalizing the agreement, 
typically through entering into an enforceable written contract. 
Written contracts are an important tool for clarifying the scope of 
services to be delivered, establishing standards or performance 
benchmarks, allocating risks and responsibilities, and facilitating 
resolution of disputes. They can also reduce the risks of non-
performance and assist in monitoring the third-party service 
provider. Because of their importance, the Commission recommends 
that futures commission merchants enter written agreements with 
third-party service providers before services are delivered, 
particularly with critical third-party service providers.
    In negotiating a written contract, futures commission merchants 
should seek to negotiate contractual provisions that would support 
their ability to mitigate, manage, and monitor the risks associated 
with the relationship, as identified through their initial pre-
selection and due diligence activities. The contractual provisions 
should be informed by the nature of the service provided and be 
proportionate to the criticality of the services provided. In 
particular, futures commission merchants should consider negotiating 
for the contract to include the following provisions:
    • Timely notification to the futures commission merchant 
of any incidents suffered by third-party service providers, or of 
significant disruptions to the operations of the third-party service 
provider.
    • Timely notification to the futures commission merchant 
of any material changes to the services provided.
    • Required periodic, independent audits of the third-
party service provider, the results of which would be shared with 
the futures commission merchant.
    • Restrictions on the third-party service provider's use 
of the futures commission merchant's covered information, except as 
necessary to deliver the service or meet legal obligations.
    • Security measures to protect the futures commission 
merchant's covered information and covered technology to which the 
third-party service provider has access.
    • Insurance, guarantees, indemnification, and limitations 
on liability.
    • Dispute resolution procedures.
    • Performance measures or benchmarks.
    • Remediation of identified performance issues.
    • Compliance with regulatory requirements, including 
reasonable assurances that the third-party service provider is 
willing and able to coordinate with the futures commission merchant 
for the purpose of ensuring the futures commission merchant complies 
with its legal and regulatory obligations.
    • Use of subcontractors, including notification or 
approval procedures for their use, the extension of contractual 
rights of the futures commission merchant against the third-party 
service provider to its subcontractors, and contractual obligations 
for reporting on or oversight of subcontractors.
    • Termination provisions, including rights to terminate 
following breaches of the third-party service provider's 
obligations, notice requirements, obligations of the third-party 
service provider to provide support for a successful transition, and 
the return or destruction of records or covered information, as 
further described in section E of this guidance.
    • Information sharing necessary to facilitate other 
provisions of this proposed guidance (for example, reporting 
requirements to support ongoing monitoring, as discussed in section 
D of this guidance, or notice requirements for termination, as 
discussed in section E of this guidance).
    These provisions focus on key risk factors generally associated 
with third-party service provider relationships. They are not 
exhaustive of all contractual provisions futures commission 
merchants should seek to include in their written contracts, 
including ordinary commercial contract terms (e.g., choice of law 
provisions) and terms that may relate only to specific services, 
among other provisions. While third parties may initially offer a 
standard contract, a futures commission merchant may seek to request 
modifications, additional contractual provisions, or addendums to 
satisfy its needs. Futures commission merchants should work to 
tailor the level of detail and comprehensiveness of the contractual 
provisions based on the risk and complexity posed by the particular 
third-party relationship, contracts with critical third-party 
service providers likely being the most tailored.
    In some circumstances, a futures commission merchant may be at a 
bargaining power disadvantage, which prevents it from negotiating 
optimal contractual provisions. For example, a prospective third-
party service provider may be the sole provider of a service or may 
have such dominant market share that it can offer its services on a 
``take-it-or-leave-it'' basis. In such situations, the futures 
commission merchant should work to understand any resulting 
limitations in the contract and attendant risks and consider whether 
it can achieve outcomes comparable to those provided by contractual 
protections through non-contractual means. Examples could include 
the futures commission merchant implementing additional controls, 
augmenting its monitoring of the third-party service provider using 
public sources or market intelligence services, or purchasing 
insurance. The futures commission merchant should make an 
assessment, however, of whether these alternatives would provide an 
adequate substitute for the unobtained contractual protections and 
document its assessment and mitigation plan, considering its risk 
appetite and risk tolerance limits. Where a third-party service 
provider is unable or unwilling to agree to provisions necessary for 
the futures commission merchant to meet its obligations under 
Commission regulations, particularly a critical third-party service 
provider, the futures commission merchant should consider finding an 
alternative third-party service provider.

D. Ongoing Monitoring--Commission Regulation 1.13(e)(1)(iv)

    After a third-party service provider has initiated performance, 
futures commission merchants should engage in ongoing monitoring. 
Ongoing monitoring is important to ensure the third-party service 
provider is properly carrying out its outsourced function and 
contractual obligations, as well as meeting quality or performance 
expectations. Effective monitoring can aid futures commission 
merchants in the early identification of performance deficits, 
allowing for a quicker response that may then mitigate the impact.
    Ongoing monitoring should occur throughout the duration of a 
third-party relationship, commensurate with the level of risk and 
complexity of the relationship and the activity performed by the 
third party. Examples of possible monitoring activities include:
    • Reviewing reports on performance and effectiveness of 
controls, including independent audit reports and SOC reports.
    • Periodic on-site visits or meetings to discuss open 
issues and plans for changes to the relationship.
    • Reviewing updated due diligence information.
    • Documenting service-level agreements with the third-
party service provider to establish performance targets.
    • Establishing measures for the third-party service 
provider to identify, record, and remediate instances of failure to 
meet contractual obligations or unsatisfactory performance and to 
report such instances to the futures commission merchant on a timely 
basis.
    • Direct testing of the third-party service provider's 
control environment.
    The frequency and depth of the futures commission merchant's 
monitoring activities should reflect the nature of the third-party 
relationship, including heightened monitoring for critical third-
party service providers, and may change over the duration of the 
relationship. The futures commission merchant should dedicate 
sufficient staffing resources to its monitoring activities and be 
particularly alert to 
any circumstances that could signal that a third-party service 
provider may not be able to perform to an acceptable standard. A 
futures commission merchant should be cognizant that certain events 
may trigger the need for it to take further action, including 
terminating its relationship with the third-party service provider. 
Such events could include cyberattacks, natural disasters, financial 
distress or insolvency, adverse or qualified audit opinions, or 
litigation or enforcement actions.
    In addition to the continuous monitoring described above, 
futures commission merchants should periodically review and 
reevaluate their relationships with third-party service providers 
holistically. Such reviews should be more thorough than routine 
monitoring and may involve additional personnel, such as in-house or 
outside auditors, compliance and risk functions, information 
technology staff, or a central function or committee whose 
visibility into other third-party relationships could provide 
valuable context for the relationship at issue. Additionally, to the 
extent a futures commission merchant uses enterprise risk management 
techniques, it should seek to integrate the information gathered 
from its ongoing monitoring with those practices. For example, to 
the extent that a futures commission merchant maintains a 
standardized approach across risk types to escalate concerns or 
issues to senior management or governance bodies (e.g., through the 
use of predefined criteria or escalation paths), the futures 
commission merchant should consider using the same protocols for 
escalating concerns identified through its ongoing monitoring of 
third-party service providers. The ongoing monitoring approach 
itself may be subject to enterprise risk management practices, such 
as periodic self-assessment for effectiveness, independent testing, 
and quality assurance.
    To the extent that monitoring activities reveal a change in 
their assessment of the risks associated with the third-party 
relationship, futures commission merchants should adjust the 
frequency and types of monitoring they conduct, including reports, 
regular testing, and on-site visits. One example of information that 
may change the level of monitoring is a notification that a third-
party service provider has suffered or may suffer from a severe 
adverse event that could trigger a material change in the systems or 
process used to carry out an outsourced function.

E. Terminating the Third-Party Relationship--Commission Regulation 
1.13(e)(1)(v)

    Futures commission merchants should ensure that their third-
party service provider relationship programs include advance 
preparation for the termination of the third-party relationship to 
ensure an orderly transition. Futures commission merchants should 
prepare for both planned terminations (i.e., where one or both 
parties elects to end the relationship pursuant to their contract) 
and unplanned terminations (e.g., following a sudden withdrawal of 
the third-party service). The plans should include both the 
contractual provisions for terminating the service (termination 
provisions), and the futures commission merchant's plan to 
facilitate an orderly transition of the function to an alternative 
provider or to bring it in-house (exit strategy). The goal of 
termination planning is to support an efficient transition to 
alternative arrangements for the provision of the service, 
regardless of the circumstances of the termination.
    Termination provisions include all terms needed by the futures 
commission merchant to wind down a third-party service relationship 
while ensuring that the futures commission merchant can continue to 
serve its customers without interruption and to meet its regulatory 
compliance obligations. Because information, data, staff training, 
and knowledge may reside in the third-party service provider, there 
is an increased risk of disruption during the termination phase. 
When negotiating termination provisions, a futures commission 
merchant should ensure that the terms negotiated support its exit 
strategy. For example, a futures commission merchant should ensure 
that termination rights are accompanied by notice periods that leave 
the futures commission merchant enough time to find an alternative 
provider (or to provide the service itself) to ensure an orderly 
transition.
    Similarly, the futures commission merchant should ensure that 
all customer data or other covered information in the third-party 
service provider's possession is promptly returned to the futures 
commission merchant or destroyed, as appropriate. The futures 
commission merchant should also verify that the third party's access 
to its systems and covered information ceases at termination. 
Futures commission merchants should also consider negotiating more 
stringent terms for third-party service providers that breach their 
obligations under the agreement, other than for ``no-fault'' 
terminations. Such breaches may signal an inability of the third-
party service provider to provide the services contracted for and 
thereby threaten the ability of the futures commission merchant to 
serve its customers and meet its regulatory obligations. (See 
section C of this guidance for examples of termination provisions.)
    Futures commission merchants' exit strategies should include the 
steps needed to end the service provision with the third-party 
service provider and retain a new service provider or begin 
providing the service in-house. Although elements of an exit 
strategy may be reflected in termination provisions, not all 
elements of the exit strategy may be suitable for the contract. 
Examples include approvals, identification of alternative providers, 
description of the roles of staff in the futures commission 
merchant, and other internal matters. These elements may be 
memorialized in a procedure or similar document, such as the third-
party relationship program. The exit strategy should contain the 
internal steps to be taken to ensure notification to the third-party 
service provider, identification of the proposed new provider, or, 
if bringing the function in-house, the hiring and training of 
personnel, development of procedures, and launch of new technology, 
along with the time periods and responsible personnel for each.
    Futures commission merchants should be aware that, in practice, 
implementing an exit strategy may be complex and time-consuming and 
that the exercise of termination arrangements may be difficult. 
Futures commission merchants should also be aware that some third 
parties possess expertise that is not readily available and plan 
accordingly. Futures commission merchants should ensure that their 
plans are flexible enough to account for a range of plausible 
termination scenarios, including situations where the third-party 
service provider rapidly becomes unviable. Futures commission 
merchants may need to design backup or interim procedures sufficient 
to meet regulatory requirements in such situations.

PART 23--SWAP DEALERS AND MAJOR SWAP PARTICIPANTS

■
4. The authority citation for part 23 continues to read as follows:

    Authority: 7 U.S.C. 1a, 2, 6, 6a, 6b, 6b-1, 6c, 6p, 6r, 6s, 6t, 
9, 9a, 12, 12a, 13b, 13c, 16a, 18, 19, 21.
    Section 23.160 also issued under 7 U.S.C. 2(i); Sec. 721(b), 
Pub. L. 111-203, 124 Stat. 1641 (2010).

■
5. Revise Sec.  23.603 to read as follows:


Sec.  23.603  Operational Resilience Framework for Swap Dealers and 
Major Swap Participants.

    (a) Definitions. For purposes of this section:
    Affiliate means, with respect to any person, a person 
controlling, controlled by, or under common control with, such 
person.
    Business continuity and disaster recovery plan means a written 
plan outlining the procedures to be followed in the event of an 
emergency or other significant disruption to the continuity of 
normal business operations and that meets the requirements of 
paragraph (f) of this section.
    Consolidated program or plan means any information and 
technology security program, third-party relationship program, or 
business continuity and disaster recovery plan in which the swap 
entity participates with one or more affiliates and that is managed 
and approved at the enterprise level.
    Covered information means any sensitive or confidential data or 
information maintained by a swap entity in connection with its 
business activities as a swap entity.
    Covered technology means any application, device, information 
technology asset, network service, system, and other information-
handling component, including the operating environment, that is 
used by a swap entity to conduct its business activities, or to meet 
its regulatory obligations, as a swap entity.
    Critical third-party service provider means a third-party 
service provider, the disruption of whose performance would be 
reasonably likely to:
    (1) Significantly disrupt a swap entity's business operations as 
a swap entity; or
    (2) Significantly and adversely impact the swap entity's 
counterparties.
    Information and technology security means the preservation of:
    (1) The confidentiality, integrity, and availability of covered 
information; and
    (2) The reliability, security, capacity, and resilience of 
covered technology.
    Incident means any event, occurrence, or circumstance that could 
jeopardize information and technology security, including if it 
occurs at a third-party service provider.
    Information and technology security program means a written 
program reasonably designed to identify, monitor, manage, and assess 
risks relating to information and technology security and that meets 
the requirements of paragraph (d) of this section.
    Key controls mean controls that an appropriate risk analysis 
determines are either critically important for effective information 
and technology security or intended to address risks that evolve or 
change more frequently and therefore require more frequent review to 
ensure their continuing effectiveness in addressing such risks.
    Oversight body means any board, body, or committee of a board or 
body of the swap entity specifically granted the authority and 
responsibility for making strategic decisions, setting objectives 
and overall direction, implementing policies and procedures, or 
overseeing the implementation of operations for the swap entity.
    Risk appetite means the aggregate amount of risk a swap entity 
is willing to assume to achieve its strategic objectives.
    Risk tolerance limit means the amount of risk, beyond its risk 
appetite, that a swap entity is prepared to tolerate through 
mitigating actions.
    Senior officer means the chief executive officer or other 
equivalent officer of the swap entity.
    Swap entity means a person that is registered with the 
Commission as a swap dealer or major swap participant pursuant to 
the Act.
    Third-party relationship program means a written program 
reasonably designed to identify, monitor, manage, and assess risks 
relating to third-party relationships and that meets the 
requirements of paragraph (e) of this section.
    (b) Generally. (1) Purpose and scope. Each swap entity shall 
establish, document, implement, and maintain an Operational 
Resilience Framework reasonably designed to identify, monitor, 
manage, and assess risks relating to:
    (i) information and technology security;
    (ii) third-party relationships; and
    (iii) emergencies or other significant disruptions to the 
continuity of normal business operations as a swap entity.
    (2) Components. The Operational Resilience Framework shall 
include an information and technology security program, a third-
party relationship program, and a business continuity and disaster 
recovery plan. Each component program or plan shall be supported by 
written policies and procedures.
    (3) Standard. The Operational Resilience Framework shall be 
appropriate and proportionate to the nature, size, scope, 
complexity, and risk profile of its business activities as a swap 
entity, following generally accepted standards and best practices.
    (c) Governance. (1) Approval of components. Each component 
program or plan required by paragraph (b)(2) of this section shall 
be approved in writing, on at least an annual basis, by either the 
senior officer, an oversight body, or a senior-level official of the 
swap entity.
    (2) Risk appetite and risk tolerance limits. (i) Each swap 
entity shall establish and implement appropriate risk appetite and 
risk tolerance limits with respect to the risk areas identified in 
paragraph (b)(1) of this section.
    (ii) The risk appetite and risk tolerance limits established 
pursuant to paragraph (c)(2)(i) of this section shall be reviewed 
and approved in writing on at least an annual basis by either the 
senior officer, an oversight body, or a senior-level official of the 
swap entity.
    (3) Internal escalations. The senior officer, an oversight body, 
or a senior-level official of the swap entity shall be notified of:
    (i) circumstances that exceed risk tolerance limits established 
and approved pursuant to paragraph (c)(2)(i) of this section; and
    (ii) incidents that require notification pursuant to paragraphs 
(i) or (j) of this section.
    (4) Swap entities forming part of a larger enterprise. (i) 
Generally. A swap entity may satisfy the requirements of paragraph 
(b)(2) of this section through its participation in a consolidated 
program or plan, provided that each consolidated program or plan 
meets the requirements of this section.
    (ii) Attestation. A swap entity that relies on a consolidated 
program or plan pursuant to paragraph (c)(4)(i) of this section may 
satisfy the requirements in paragraphs (c)(1) and (c)(2)(ii) of this 
section provided that either the senior officer, an oversight body, 
or a senior-level official of the swap entity attests in writing, on 
at least an annual basis, that the consolidated program or plan 
meets the requirements of this section and reflects a risk appetite 
and risk tolerance limits appropriate to the swap entity.
    (d) Information and technology security program. (1) Risk 
assessment.
    (i) The information and technology security program shall 
require the swap entity to conduct and document the results of a 
comprehensive risk assessment reasonably designed to identify, 
assess, and prioritize risks to information and technology security.
    (ii) Such risk assessment shall be conducted at a frequency 
consistent with the standard set forth in paragraph (b)(3) of this 
section, but at least annually, and be conducted by personnel not 
responsible for the development or implementation of covered 
technology or related controls.
    (iii) The results of the risk assessment shall be provided to 
the oversight body, senior officer, or other senior-level official 
who approves the information and technology security program upon 
the risk assessment's completion.
    (2) Effective controls. The information and technology security 
program shall require the swap entity to establish, document, 
implement, and maintain controls reasonably designed to prevent, 
detect, and mitigate identified risks to information and technology 
security. Each swap entity shall consider, at a minimum, the 
following types of controls and adopt those consistent with the 
standard set forth in paragraph (b)(3) of this section:
    (i) Access controls on covered technology, including controls to 
authenticate and permit access only by authorized individuals and 
controls preventing misappropriation or misuse of covered 
information by employees;
    (ii) Access restrictions designed to permit only authorized 
individuals to access physical locations containing covered 
information, including, but not limited to, buildings, computer 
facilities, and records storage facilities;
    (iii) Encryption of electronic covered information, including 
while in transit or in storage on networks or systems, to which 
unauthorized individuals may have access;
    (iv) Dual control procedures, segregation of duties, and 
background checks for employees or third-party service providers 
with responsibilities for or access to covered information;
    (v) Change management practices, including defined roles and 
responsibilities, logging, and monitoring practices;
    (vi) Systems development and configuration management practices, 
including practices for initializing, changing, testing, and 
monitoring configurations;
    (vii) Flaw remediation, including vulnerability patching 
practices;
    (viii) Measures to protect against destruction, loss, or damage 
of covered information due to potential environmental hazards, such 
as fire and water damage or technological failures;
    (ix) Monitoring systems and procedures to detect actual and 
attempted attacks on or intrusions into covered technology;
    (x) Response programs that specify actions to be taken when the 
swap entity suspects or detects that unauthorized individuals have 
gained access to covered technology, including appropriate reports 
to regulatory and law enforcement agencies; and
    (xi) Measures to promptly recover and secure any compromised 
covered information.
    (3) Incident response plan. The information and technology 
security program shall include a written incident response plan that 
is reasonably designed to detect, assess, contain, mitigate the 
impact of, and recover from an incident. This incident response plan 
shall include, at a minimum:
    (i) The roles and responsibilities of the swap entity's 
management, staff, and third-party service providers in responding 
to incidents;
    (ii) Escalation protocols, including a requirement to timely 
inform the oversight body, senior officer, or other senior-level 
official that has primary responsibility for overseeing the 
information and technology security program; the chief compliance 
officer of the swap entity; and any other relevant personnel of 
incidents that may significantly impact the swap entity's regulatory 
obligations or require notification to the Commission;
require notification to the Commission;
    (iii) The points of contact for external coordination of 
incident responses as determined necessary by the swap entity based 
on the severity of incidents;
    (iv) The required reporting of incidents, whether by internal 
policy, contract, or law, including as required in this section;
    (v) Procedures for documenting incidents and management's 
response; and
    (vi) The remediation of weaknesses in information and technology 
security, controls, and training, if any.
    (e) Third-party relationship program. (1) Third-party 
relationship lifecycle stages. The third-party relationship program 
shall describe how the swap entity addresses the risks attendant to 
each stage of the third-party relationship lifecycle, including:
    (i) Pre-selection risk assessment;
    (ii) Due diligence of prospective third-party service providers;
    (iii) Contractual negotiations;
    (iv) Ongoing monitoring; and
    (v) Termination, including preparations for planned and 
unplanned terminations.
    (2) Heightened duties for critical third-party service 
providers. The third-party relationship program shall establish 
heightened due diligence practices for potential critical third-
party service providers and heightened monitoring for critical 
third-party service providers.
    (3) Third-party service provider inventory. As part of its 
third-party relationship program, each swap entity shall create, 
maintain, and regularly update an inventory of third-party service 
providers the swap entity has engaged to support its activities as a 
swap entity, identifying whether each third-party service provider 
in the inventory is a critical third-party service provider.
    (4) Retention of responsibility. Notwithstanding a swap entity's 
determination to rely on a third-party service provider, each swap 
entity remains responsible for meeting its obligations under the Act 
and Commission regulations.
    (5) Guidance on third-party relationship programs. For guidance 
outlining potential risks, considerations, and strategies for 
developing a third-party relationship program consistent with 
paragraph (e), see Appendix A to Subpart J of this part.
    (f) Business continuity and disaster recovery plan. (1) Purpose. 
The business continuity and disaster recovery plan shall be 
reasonably designed to enable the swap entity to:
    (i) Continue or resume normal business operations with minimal 
disruption to counterparties and the markets; and
    (ii) Recover and make use of covered information, as well as any 
other data, information, or documentation required to be maintained 
by law and regulation.
    (2) Minimum contents. The business continuity and disaster 
recovery plan shall, at a minimum:
    (i) Identify covered information, as well as any other data or 
information required to be maintained by law and regulation, and 
establish and implement procedures to backup or copy all such data 
and information with sufficient frequency to meet the requirements 
of this section and to store such data and information off-site in 
either hard-copy or electronic format;
    (ii) Identify any resources, including covered technology, 
facilities, infrastructure, personnel, and competencies, essential 
to the operations of the swap entity or to fulfill the regulatory 
obligations of the swap entity, and establish and maintain 
procedures and arrangements to provide for their backup in a manner 
that is sufficient to meet the requirements of this section. Such 
arrangements must provide for backups that are located in one or 
more areas that are geographically separate from the swap entity's 
primary systems, facilities, infrastructure, and personnel, and may 
include the use of resources provided by third-party service 
providers;
    (iii) Identify potential disruptions to critical third-party 
service providers and establish a plan to minimize the impact of 
such disruptions;
    (iv) Identify supervisory personnel responsible for implementing 
each aspect of the business continuity and disaster recovery plan, 
including the emergency contacts required to be provided pursuant to 
paragraph (k) of this section; and
    (v) Establish a plan for communicating with the following 
persons in the event of an emergency or other significant 
disruption, to the extent applicable: employees; counterparties; 
swap data repositories; execution facilities; trading facilities; 
clearing facilities; regulatory authorities; data, communications 
and infrastructure providers and other vendors; disaster recovery 
specialists; and other persons essential to the recovery of 
documentation and data, the resumption of operations, and compliance 
with the Act and Commission regulations.
    (3) Accessibility. Each swap entity shall maintain copies of its 
business continuity and disaster recovery plan at one or more 
accessible off-site locations.
    (g) Training and distribution. (1) Training. Each swap entity 
shall establish, implement, and maintain training with respect to 
all aspects of the Operational Resilience Framework, including, but 
not limited to:
    (i) Cybersecurity awareness training for all personnel; and
    (ii) Role-specific training for personnel involved in 
establishing, documenting, implementing, and maintaining the 
Operational Resilience Framework.
    (2) Frequency. Each swap entity shall provide and update the 
training required in paragraph (g)(1) as necessary, but no less 
frequently than annually.
    (3) Distribution. Each swap entity shall distribute copies of 
each component program or plan required by paragraph (b)(2) of this 
section to relevant personnel and promptly provide any significant 
revisions thereto.
    (h) Reviews and Testing. Each swap entity shall establish, 
implement, and maintain a plan reasonably designed to assess its 
adherence to, and the effectiveness of, its Operational Resilience 
Framework through regular reviews and risk-based testing.
    (1) Reviews. Reviews of the Operational Resilience Framework 
shall be conducted at least annually and in connection with any 
material change to the activities or operations of the swap entity 
that is reasonably likely to affect the risks identified in 
paragraph (b)(1) of this section. Reviews shall include an analysis 
of adherence to, and the effectiveness of, the Operational 
Resilience Framework and any recommendations for modifications or 
improvements that address root causes of any issues identified by 
the review.
    (2) Testing. The frequency, nature, and scope of risk-based 
testing of the Operational Resilience Framework shall be determined 
by the swap entity, consistent with the standard in paragraph (b)(3) 
of this section.
    (i) Testing of the information and technology security program 
shall include, at a minimum:
    (A) Testing of key controls and the incident response plan at 
least annually;
    (B) Vulnerability assessments, including daily or continuous 
automated vulnerability scans; and
    (C) Penetration testing at least annually.
    (ii) Testing of the business continuity and disaster recovery 
plan shall include, at a minimum, a walk-through or tabletop 
exercise designed to test the effectiveness of backup facilities and 
capabilities at least annually.
    (3) Independence. The reviews and testing shall be conducted by 
qualified personnel who are independent of the aspect of the 
Operational Resilience Framework being reviewed or tested.
    (4) Documentation. Each swap entity shall document all reviews 
and testing of the Operational Resilience Framework. The 
documentation shall, at a minimum, include:
    (i) The date the review or testing was conducted;
    (ii) The nature and scope of the review or testing, including 
methodologies employed;
    (iii) The results of the review or testing, including any 
assessment of effectiveness;
    (iv) Any identified deficiencies and recommendations for 
remediation; and
    (v) Any corrective action(s) taken or initiated, including the 
date(s) such action(s) were taken.
    (5) Internal reporting. Each swap entity shall report on the 
results of its reviews and testing to the swap entity's chief 
compliance officer and any other relevant senior-level official(s) 
and oversight body(ies).
    (i) Notifications to the Commission. (1) Incidents.
    (i) Notification trigger. Each swap entity shall notify the 
Commission of any incident that adversely impacts, or is reasonably 
likely to adversely impact:
    (A) Information and technology security;
    (B) The ability of the swap entity to continue its business 
activities as a swap entity; or
    (C) The assets or positions of a counterparty of the swap 
entity.
    (ii) Contents. The notification shall provide any information 
available to the swap entity at the time of notification that may 
assist the Commission in assessing and responding to the incident, 
including the date the incident was detected, possible cause(s) of 
the incident, its apparent or likely impacts, and any actions the 
swap entity has taken or is taking to mitigate or recover from the 
incident, including measures to protect counterparties.
    (iii) Timing and method. Each swap entity shall provide the 
incident notification as soon as possible but in any event no later 
than 24 hours after such incident has been detected. The 
notification shall be provided via email to [email protected].
    (2) Business continuity and disaster recovery plan activation. 
(i) Notification trigger. Each swap entity shall notify the 
Commission of any determination to activate the business continuity 
and disaster recovery plan.
    (ii) Contents. The notification shall provide any information 
available to the swap entity at the time of notification that may 
assist the Commission in assessing or responding to the emergency or 
disruption, including the date of the emergency or disruption, a 
description thereof, the possible cause(s), its apparent or likely 
impacts, and any actions the swap entity has taken or is taking to 
mitigate or recover from the emergency or disruption, including 
measures taken or being taken to protect counterparties.
    (iii) Timing and method. Each swap entity shall provide the 
business continuity and disaster recovery plan activation 
notification within 24 hours of determining to activate the business 
continuity and disaster recovery plan. The notification shall be 
provided via email to [email protected].
    (j) Notification of incidents to affected counterparties. (1) 
Notification trigger. Each swap entity shall notify a counterparty 
as soon as possible of any incident that is reasonably likely to 
have adversely affected the confidentiality or integrity of the 
counterparty's covered information, assets, or positions.
    (2) Contents. The notification to affected counterparties shall 
include information necessary for the affected counterparty to 
understand and assess the potential impact of the incident on its 
information, assets, or positions, and to take any necessary action. 
Such notification shall include, at a minimum:
    (i) A description of the incident;
    (ii) The particular way in which the counterparty, or its 
covered information, may have been adversely impacted;
    (iii) Measures being taken by the swap entity to protect against 
further harm; and
    (iv) Contact information for the swap entity where the 
counterparty may learn more about the incident or ask questions.
    (k) Emergency Contacts. (1) Each swap entity shall provide the 
Commission the name and contact information of:
    (i) Two employees whom the Commission may contact in connection 
with incidents triggering notification to the Commission under 
paragraph (i)(1) of this section; and
    (ii) Two employees whom the Commission may contact in connection 
with the activation of the swap entity's business continuity and 
disaster recovery plan triggering notification to the Commission 
under paragraph (i)(2) of this section.
    (2) The identified employees shall be authorized to make key 
decisions on behalf of the swap entity and have knowledge of the 
swap entity's incident response plan or business continuity and 
disaster recovery plan, as appropriate.
    (3) The swap entity shall update its emergency contacts with the 
Commission as necessary.
    (l) Recordkeeping. Each swap entity shall maintain all records 
required to be maintained pursuant to this section in accordance 
with section 1.31 of this chapter and shall make them available 
promptly upon request to representatives of the Commission and to 
representatives of applicable prudential regulators, as defined in 
section 1a(39) of the Act.
6. Add appendix A to subpart J of part 23 to read as follows:

Appendix A to Subpart J of Part 23--Guidance on Third-Party 
Relationship Programs

    The following guidance offers factors, actions, and strategies 
for swap entities to consider in preparing and implementing third-
party relationship programs reasonably designed to identify, 
monitor, manage, and assess risks relating to third-party 
relationships, as required by Commission regulation 23.603. The 
guidance is also not intended to reduce or replace the obligation of 
swap entities to comply with the requirements in Commission 
regulation 23.603, including the requirement to ensure that each 
swap entity's Operational Resilience Framework is appropriate and 
proportionate to the nature, size, scope, complexity, and risk 
profile of its business activities as a swap entity, following 
generally accepted standards and best practices. The guidance is not 
exhaustive and is nonbinding.
    The guidance is written to be broadly relevant to all swap 
entities, but it may not be universally applicable. The degree to 
which the guidance would be applicable to a particular swap entity 
would depend on its unique facts and circumstances and may vary from 
relationship to relationship. Each swap entity should assess the 
relevance of the guidance as it applies to its particular risk 
profile and tailor its third-party relationship program accordingly.
    Comparable guidance for futures commission merchants is included 
in Appendix A to part 1 of the Commission's regulations.

A. Pre-Selection Risk Assessment--Commission Regulation 23.603(e)(1)(i)

    Before entering into a third-party relationship, swap entities 
should determine which services should be performed by a third party 
and plan for how to manage associated risks. The Commission 
appreciates that reliance on third-party service providers may be 
unavoidable, particularly given the rapid pace of technological 
innovation, which may render it uneconomical or even infeasible for 
financial institutions to meet all of their technological needs in-
house.
    Nevertheless, given the risks associated with relying on third-
party service providers, and that each additional third-party 
relationship a swap entity employs is likely to add further risk and 
complexity, a swap entity's third-party relationship program should 
include a deliberative process for affirmatively determining whether 
to source a particular service from a third-party service provider. 
In determining whether a particular function should be performed by 
a third-party service provider, swap entities should consider 
whether:
    • The service would support the swap entity's strategic 
goals and objectives.
    • The same goals and objectives could be addressed 
through an alternative means that may not require reliance on a 
third-party service provider.
    • The swap entity has or could otherwise secure the 
resources, financial and otherwise, to effectively monitor the 
third-party service provider.
    • Relevant and reputable third-party service providers 
are available.
    • The provision of the service would implicate 
information and technology security concerns, including by requiring 
the third-party service provider to obtain access to covered 
information or provide covered technology.
    • A disruption of the service would have a negative 
impact on counterparties or regulatory compliance.
    • The relationship could be structured to reduce 
associated risks, such as by limiting the third-party service 
provider's access to covered information or covered technology.
    • Lack of direct control over performance of the service 
would present unacceptable risk, i.e., risk outside the swap 
entity's risk tolerance limits.
    As the above considerations illustrate, swap entities should 
consider ways in which they might structure their third-party 
relationships to reduce the associated risks. For example, where 
giving a third-party service provider direct access to its 
technology or data may be outside a swap entity's risk tolerance, 
structuring the relationship to provide the third-party service 
provider access on a read-only basis or via reports delivered by the 
swap entity could render the relationship more acceptable. Swap 
entities should therefore consider the availability of safer means 
of performing the service as part of their assessment.
    Changes in technology, business practices, regulation, market 
structure, market participants (e.g., new entrants to the market), 
or service delivery may change the risk profile of the third-party 
relationship over time. Accordingly, swap entities should consider 
periodically reassessing their selection of services to be performed 
by third-party service providers. Swap entities should stay abreast 
of these changes by monitoring the external environment and 
communicating with current and prospective service providers and 
other participants in industry.

B. Due Diligence in Selecting Third-Party Service Providers--Commission 
Regulation 23.603(e)(1)(ii)

    After a swap entity has determined that a service is suitable 
for a third party to perform, it should conduct due diligence on 
prospective third-party service providers. Due diligence provides 
swap entities with the information they need to assess and conclude, 
with a reasonable level of assurance, that the prospective third-
party service provider is capable of effectively 
providing the service as expected, adhering to the swap entity's 
policies, maintaining the swap entity's compliance with Commission 
regulations, and protecting covered information. Appropriate due 
diligence should also enable swap entities to evaluate whether they 
would be able to effectively monitor and manage the risks associated 
with a particular third-party relationship.
    Due diligence may be conducted before or contemporaneously with 
contractual negotiations with prospective third-party service 
providers but should be concluded prior to executing any agreements. 
Swap entities should conduct due diligence even in situations where, 
for a particular service, there may only be one or a small number of 
providers with a dominant market share whose services are used by 
all or most of the swap entities' industry peers, and swap entities 
should not rely solely on those providers' reputations or prior 
experience with them. The depth and rigor of the due diligence 
should be proportionate to the nature of the third-party 
relationship, with heightened due diligence required for potential 
critical third-party service providers pursuant to Commission 
regulation 23.603(e)(2). Specifically, when conducting due 
diligence for a potential critical third-party service 
provider, swap entities should expand the type and sources of 
information they rely on, the rigor and scrutiny they apply in 
reviewing the information to identify potential risks, and the level 
of confidence in their assessment of the third-party service 
provider's ability to perform.
    When establishing their due diligence protocols, swap entities 
should consider the full range of risks that reliance on the third-
party service providers could introduce in light of the nature of 
the service they would be performing. Relevant considerations with 
respect to the potential third-party service provider include its:
    • Financial condition, business experience and 
reputation, and business prospects, particularly the third-party 
service provider's experience providing services to financial 
institutions.
    • Background, experience, and qualifications with respect 
to key personnel.
    • Information and technology security practices, 
including incident reporting and incident management programs, and 
whether there are clearly documented processes for identifying and 
escalating incidents.
    • Risk management practices, including governance, 
controls, testing, and issue management practices, as well as the 
results of any independent risk assessments.
    • Regulatory environment, including the legal 
jurisdiction in which it is based and applicable regulatory or 
licensing requirements.
    • History of disruptions to operations, including whether 
the third-party service provider has suffered incidents that would 
meet the standard for reporting to the Commission in Commission 
regulation 23.603(i).
    • Violations of legal, compliance, or contractual 
obligations, including civil or criminal proceedings or 
administrative enforcement actions, including from self-regulatory 
organizations.
    • Understanding of Commission regulatory requirements 
applicable to the swap entity.
    • Use of and reliance on subcontractors, including the 
volume and types of subcontracted activities, and the third-party 
service provider's process for identifying, assessing, managing, and 
monitoring associated risks.
    • Business continuity and contingency plans.
    • Financial protections, such as insurance coverage 
against losses or liabilities from intentional or negligent acts or 
hazards involving physical destruction and data or documentation 
losses.
    Swap entities should memorialize their assessment of these 
factors and identify how the review was heightened for critical 
third-party service providers. Swap entities should not rely solely 
on their prior knowledge of or experience with a potential third 
party. Potential sources of due diligence information include:
    • Audit reports, including pooled audit plans, and System 
and Organizational Controls (SOC) reports.
    • Financial statements and projections and relevant 
accompanying information (e.g., annual or quarterly reports, 
management commentary, auditors' opinions, and investor relations 
materials).
    • Incident response plans, including the results of 
recent testing or assessments thereof.
    • Business continuity and disaster recovery plans, as 
well as the result of recent testing or assessments thereof.
    • Public filings.
    • News reports, trade publications, and press releases.
    • Reports from market intelligence providers.
    • References from current or previous customers, or other 
parties which have had business relationships with the third-party 
service provider.
    • Informal industry discussions.
    • Information provided directly by the third-party 
service provider, such as internal performance metrics.
    Obtaining and reviewing audit reports, including SOC reports, 
may be of particular value for conducting heightened due diligence 
of critical third-party service providers. In certain circumstances, 
swap entities may not be able to gather all the information 
necessary to reach an informed conclusion that a prospective third-
party service provider is an adequate provider. Examples include 
instances where the third-party service provider is a new entrant 
into the market and little information exists; where information 
provided by the third-party service provider is insufficient or 
appears unreliable; or where the third-party service provider is 
reluctant to provide internal information. In such cases, the swap 
entity should identify and document the limitations of its due 
diligence, the attendant risks, and any available methods for 
mitigating them (e.g., obtaining alternate information, implementing 
enhanced monitoring or controls, negotiating protective contractual 
provisions). Ultimately, such factors could weigh against the use of 
the potential third-party service provider, particularly a potential 
critical third-party service provider. Swap entities that proceed 
with the third-party service arrangements notwithstanding the 
limited due diligence should do so with caution, applying heightened 
scrutiny of the information they do receive, and consider the 
implementation of their own mitigating controls to compensate for 
the uncertainty.

C. Contractual Negotiations--Commission Regulation 23.603(e)(1)(iii)

    After selecting a third-party service provider, swap entities 
should proceed to finalizing the agreement, typically through 
entering into an enforceable written contract. Written contracts are 
an important tool for clarifying the scope of services to be 
delivered, establishing standards or performance benchmarks, 
allocating risks and responsibilities, and facilitating resolution 
of disputes. They can also reduce the risks of non-performance and 
assist in monitoring the third-party service provider. Because of 
their importance, the Commission recommends that swap entities enter 
written agreements with third-party service providers before 
services are delivered, particularly with critical third-party 
service providers.
    In negotiating a written contract, swap entities should seek to 
negotiate contractual provisions that would support their ability to 
mitigate, manage, and monitor the risks associated with the 
relationship, as identified through their initial pre-selection and 
due diligence activities. The contractual provisions should be 
informed by the nature of the service provided and be proportionate 
to the criticality of the services provided. In particular, swap 
entities should consider negotiating for the contract to include the 
following provisions:
    • Timely notification to the swap entity of any incidents 
suffered by third-party service providers, or of significant 
disruptions to the operations of the third-party service provider.
    • Timely notification to the swap entity of any material 
changes to the services provided.
    • Required periodic, independent audits of the third-
party service provider, the results of which would be shared with 
the swap entity.
    • Restrictions on the third-party service provider's use 
of the swap entity's covered information, except as necessary to 
deliver the service or meet legal obligations.
    • Security measures to protect the swap entity's covered 
information and covered technology to which the third-party service 
provider has access.
    • Insurance, guarantees, indemnification, and limitations 
on liability.
    • Dispute resolution procedures.
    • Performance measures or benchmarks.
    • Remediation of identified performance issues.
    • Compliance with regulatory requirements, including 
reasonable assurances that the third-party service provider is 
willing and able to coordinate with the swap entity for the purpose 
of ensuring the swap entity complies with its legal and regulatory 
obligations.
    • Use of subcontractors, including notification or 
approval procedures for their use, the extension of contractual 
rights of the swap entity against the third-party service provider 
to its subcontractors, and contractual obligations for reporting on 
or oversight of subcontractors.
    • Termination provisions, including rights to terminate 
following breaches of the third-party service provider's 
obligations, notice requirements, obligations of the third-party 
service provider to provide support for a successful transition, and 
the return or destruction of records or covered information, as 
further described in section E of this guidance.
    • Information sharing necessary to facilitate other 
provisions of this proposed guidance (for example, reporting 
requirements to support ongoing monitoring, as discussed in section 
D of this guidance, or notice requirements for termination, as 
discussed in section E of this guidance).
    These provisions focus on key risk factors generally associated 
with third-party service provider relationships. They are not 
exhaustive of all contractual provisions swap entities should seek 
to include in their written contracts, including ordinary commercial 
contract terms (e.g., choice of law provisions) and terms that may 
relate only to specific services, among other provisions. While 
third parties may initially offer a standard contract, a swap entity 
may seek to request modifications, additional contractual 
provisions, or addendums to satisfy its needs. Swap entities should 
work to tailor the level of detail and comprehensiveness of the 
contractual provisions based on the risk and complexity posed by the 
particular third-party relationship; contracts with critical third-
party service providers will likely require the most tailoring.
    In some circumstances, a swap entity may be at a bargaining 
power disadvantage, which prevents it from negotiating optimal 
contractual provisions. For example, a prospective third-party 
service provider may be the sole provider of a service or may have 
such dominant market share that it can offer its services on a 
``take-it-or-leave-it'' basis. In such situations, the swap entity 
should work to understand any resulting limitations in the contract 
and attendant risks and consider whether it can achieve outcomes 
comparable to those provided by contractual protections through non-
contractual means. Examples could include the swap entity 
implementing additional controls, augmenting its monitoring of the 
third-party service provider using public sources or market 
intelligence services, or purchasing insurance. The swap entity 
should make an assessment, however, of whether these alternatives 
would provide an adequate substitute for the unobtained contractual 
protections and document its assessment and mitigation plan, 
considering its risk appetite and risk tolerance limits. Where a 
third-party service provider is unable or unwilling to agree to 
provisions necessary for the swap entity to meet its obligations 
under Commission regulations, particularly a critical third-party 
service provider, the swap entity should consider finding an 
alternative third-party service provider.

D. Ongoing Monitoring--Commission Regulation 23.603(e)(1)(iv)

    After a third-party service provider has initiated performance, 
swap entities should engage in ongoing monitoring. Ongoing 
monitoring is important to ensure the third-party service provider 
is properly carrying out its outsourced function and contractual 
obligations, as well as meeting quality or performance expectations. 
Effective monitoring can aid swap entities in the early 
identification of performance deficits, allowing for a quicker 
response that may then mitigate the impact.
    Ongoing monitoring should occur throughout the duration of a 
third-party relationship, commensurate with the level of risk and 
complexity of the relationship and the activity performed by the 
third party. Examples of possible monitoring activities include:
    • Reviewing reports on performance and effectiveness of 
controls, including independent audit reports and SOC reports.
    • Periodic on-site visits or meetings to discuss open 
issues and plans for changes to the relationship.
    • Reviewing updated due diligence information.
    • Documenting service-level agreements with the third-
party service provider to establish performance targets.
    • Establishing measures for the third-party service 
provider to identify, record, and remediate instances of failure to 
meet contractual obligations or unsatisfactory performance and to 
report such instances to the swap entity on a timely basis.
    • Direct testing of the third-party service provider's 
control environment.
    The frequency and depth of the swap entity's monitoring 
activities should reflect the nature of the third-party 
relationship, including heightened monitoring for critical third-
party service providers, and may change over the duration of the 
relationship. The swap entity should dedicate sufficient staffing 
resources to its monitoring activities and be particularly alert to 
any circumstances that could signal that a third-party service 
provider may not be able to perform to an acceptable standard. A 
swap entity should be cognizant that certain events may trigger the 
need for it to take further action, including terminating its 
relationship with the third-party service provider. Such events 
could include cyberattacks, natural disasters, financial distress or 
insolvency, adverse or qualified audit opinions, or litigation or 
enforcement actions.
    In addition to the continuous monitoring described above, swap 
entities should periodically review and reevaluate their 
relationships with third-party service providers holistically. Such 
reviews should be more thorough than routine monitoring and may 
involve additional personnel, such as in-house or outside auditors, 
compliance and risk functions, information technology staff, or a 
central function or committee whose visibility into other third-
party relationships could provide valuable context for the 
relationship at issue. Additionally, to the extent a swap entity 
uses enterprise risk management techniques, it should seek to 
integrate the information gathered from its ongoing monitoring with 
those practices. For example, to the extent that a swap entity 
maintains a standardized approach across risk types to escalate 
concerns or issues to senior management or governance bodies (e.g., 
through the use of predefined criteria or escalation paths), the 
swap entity should consider using the same protocols for escalating 
concerns identified through its ongoing monitoring of third-party 
service providers. The ongoing monitoring approach itself may be 
subject to enterprise risk management practices, such as periodic 
self-assessment for effectiveness, independent testing, and quality 
assurance.
    To the extent that monitoring activities lead swap entities to 
reassess the risks associated with the third-party relationship, 
they should adjust the frequency and types of monitoring they 
conduct accordingly, including reports, regular testing, and on-
site visits. One example of information that may change the level of 
monitoring is a notification that a third-party service provider has 
suffered or may suffer from a severe adverse event that could 
trigger a material change in the systems or process used to carry 
out an outsourced function.

E. Terminating the Third-Party Relationship--Commission Regulation 
23.603(e)(1)(v)

    Swap entities should ensure that their third-party service 
provider relationship programs include advance preparation for the 
termination of the third-party relationship to ensure an orderly 
transition. Swap entities should prepare for both planned 
terminations (i.e., where one or both parties elect to end the 
relationship pursuant to their contract) and unplanned terminations 
(e.g., following a sudden withdrawal of the third-party service). 
The programs should include both the contractual provisions for 
terminating the service (termination provisions), and the swap 
entity's plan to facilitate an orderly transition of the function to 
an alternative provider or to bring it in-house (exit strategy). The 
goal of termination planning is to support an efficient transition 
to alternative arrangements for the provision of the service, 
regardless of the circumstances of the termination.
    Termination provisions include all terms needed by the swap 
entity to wind down a third-party service relationship while 
ensuring that the swap entity can continue to serve its 
counterparties without interruption and to meet its regulatory 
compliance obligations. Because information, data, staff training, 
and knowledge may reside in the third-party service provider, there 
is an increased risk of disruption during the termination phase. 
When negotiating termination provisions, a swap entity should ensure 
that the terms negotiated support its exit strategy. For example, a 
swap entity should ensure that termination rights are accompanied by 
notice periods that leave the swap entity enough time to find an 
alternative provider (or to provide the service itself) to ensure an 
orderly transition.
    Similarly, the swap entity should ensure that all customer data 
or other covered information in the third-party service provider's 
possession is promptly returned to the swap entity or destroyed, as 
appropriate. The swap entity should also verify that the third 
party's access to its systems and covered information ceases at 
termination. Swap entities should also 
consider negotiating more stringent terms for third-party service 
providers that breach their obligations under the agreement, other 
than for ``no-fault'' terminations. Such breaches may signal an 
inability of the third-party service provider to provide the 
services contracted for and thereby threaten the ability of the swap 
entity to serve its customers and meet its regulatory obligations. 
(See section C of this guidance for examples of termination 
provisions.)
    Swap entities' exit strategies should include the steps needed 
to end the service provision with the third-party service provider 
and retain a new service provider or begin providing the service in-
house. Although elements of an exit strategy may be reflected in 
termination provisions, not all elements of the exit strategy may be 
suitable for the contract. Examples include approvals, 
identification of alternative providers, description of the roles of 
staff in the swap entity, and other internal matters. These elements 
may be memorialized in a procedure or similar document, such as the 
third-party relationship program. The exit strategy should contain 
the internal steps to be taken to ensure notification to the third-
party service provider, identification of the proposed new provider, 
or, if bringing the function in-house, the hiring and training of 
personnel, development of procedures, and launch of new technology, 
along with the time periods and responsible personnel for each.
    Swap entities should be aware that, in practice, implementing an 
exit strategy may be complex and time-consuming and that the 
exercise of termination arrangements may be difficult. Swap entities 
should also be aware that some third parties possess expertise that 
is not readily available and plan accordingly. Swap entities should 
ensure that their plans are flexible enough to account for a range 
of plausible termination scenarios, including situations where the 
third-party service provider rapidly becomes unviable. Swap entities 
may need to design backup or interim procedures sufficient to meet 
regulatory requirements in such situations.

    Issued in Washington, DC, on December 22, 2023, by the 
Commission.
Robert Sidman,
Deputy Secretary of the Commission.

    NOTE:  The following appendices will not appear in the Code of 
Federal Regulations.

Appendices to Operational Resilience Framework for Futures Commission 
Merchants, Swap Dealers, and Major Swap Participants--Voting Summary 
and Chairman's and Commissioners' Statements

Appendix 1--Voting Summary

    On this matter, Chairman Behnam, Commissioners Johnson, 
Goldsmith Romero, Mersinger and Pham voted in the affirmative. No 
Commissioner voted in the negative.

Appendix 2--Statement of Support of Chairman Rostin Behnam

    I support the Commission's approval of the notice of proposed 
rulemaking to require futures commission merchants (FCMs), swap 
dealers (SDs), and major swap participants (MSPs) to establish an 
operational resilience framework (ORF).
    The proposal recognizes that while FCMs, SDs, and MSPs 
(collectively, ``covered entities'') have generally withstood 
challenging market conditions since the Commission promulgated its 
risk management program requirements over a decade ago, the 
Commission must bolster that foundational framework to promote 
operational resilience in the face of increasingly sophisticated 
cyberattacks and heightened technological disruptions. A strong ORF 
is especially important as the financial sector increasingly relies 
on third-party service providers, the disruption of which can lead 
to major interruptions in--and potential corruption of--FCM and SD 
operations. In addition to market impacts, events like these may 
impact covered entities' ability to comply with the Commission's 
statutory and regulatory requirements.
    FCMs' customers and SDs' counterparties expect covered entities 
to take a 360-degree approach to identify, monitor, manage, and 
assess risks for potential vulnerabilities. Similarly, the 
Commission must identify, monitor, manage, and assess any potential 
gaps in its own risk management requirements that could impede sound 
risk management practices, expose the U.S. financial system to 
unmanaged risk, or weaken customer protection. Operational 
disruptions that place a covered entity's financial resources at 
risk; disrupt the segregation and protection of customer funds; 
hinder recordkeeping; introduce uncertainty or delay; or otherwise 
inject operational risk into the derivatives market must be avoided 
to the extent possible to ensure customers, counterparties, and 
market participants have confidence in the integrity of our markets.
    The operational resilience framework proposal is the product of 
many months of in-depth research regarding operational resilience 
standards and guidance issued by the prudential regulators, the U.S. 
Securities and Exchange Commission, the National Futures 
Association, the International Organization of Securities 
Commissions, the Financial Stability Board, and other subject matter 
experts to avoid those operational disruptions and failures. The 
proposal also reflects staff's own observations and lessons learned 
from its own oversight activities.
    The proposal is a holistic, principles-based approach that is 
calibrated with certain minimum requirements. Specifically, the 
proposed rule would require covered entities to establish, document, 
implement, and maintain an ORF reasonably designed to identify, 
monitor, manage, and assess risks relating to three key risk areas: 
(1) information and technology security, (2) third-party 
relationships, and (3) emergencies and other significant 
disruptions. The ORF would also include requirements related to 
governance, training, testing, and recordkeeping.
    The proposal would require covered entities to establish risk 
appetite and risk tolerance limits and would allow these registrants 
to rely on an information and technology security program, third-
party relationship program, or business continuity and disaster 
recovery plan in which the covered entity participates with one or 
more affiliates and that is managed and approved at the enterprise 
level. Testing would need to be risk-based and include, at a 
minimum, daily or continuous vulnerability assessment and annual 
penetration testing, among others. The proposed rule would also 
require certain notifications to the Commission and customers or 
counterparties. The Commission is also proposing non-binding 
guidance that FCMs and SDs could consider to identify factors, 
actions, and strategies as they design their third-party 
relationship programs.
    The Commission recognizes that covered entities subject to this 
proposal include many different business models. As a result, the 
proposal is tailored to accommodate firms that vary in size and 
complexity, including corporate structures in which operational 
resilience frameworks may be managed at an enterprise level and have 
governance arrangements with different reporting line structures. In 
the same vein, the proposed ORF standard would require covered 
entities to implement an ORF that is appropriate and proportionate 
to the nature, size, scope, complexity, and risk profile of the 
firm's business as an FCM or SD, following generally accepted 
standards and best practices.
    I look forward to reading the public's comments on how the 
proposed operational resilience framework requirements and guidance 
can strengthen the operational resilience of FCMs, SDs, and MSPs as 
well as help protect their respective customers and counterparties 
in the derivatives markets. The 75-day comment period will begin 
upon the Commission's publication of the release on its website.
    I thank staff in the Market Participants Division, Office of the 
General Counsel, and the Office of the Chief Economist for all of 
their work on the proposal.

Appendix 3--Statement of Commissioner Kristin N. Johnson

    Cyberattacks are an ever-increasing threat. The rising cost, 
frequency, and severity of cyber threats represent one of the most 
critical issues facing city, state, and federal government 
authorities, businesses in each sector of our economy, educational 
and philanthropic institutions, and significant energy and 
transportation infrastructure, and national security resources.
    Less than a month before the White House released its National 
Cybersecurity Strategy in March of this year, international media 
headlines reported a ransomware attack that demonstrated that ``big 
financial firms'' are among the most attractive targets of cyber 
threats.\1\ Even for firms that have successfully 
developed business continuity plans to identify, assess, or mitigate 
cyber threats, the networked or interconnected systems that comprise 
our operational market infrastructure may still render 
sophisticated, well-resourced firms vulnerable to the knock-on 
effects of cyberattacks leveled against critical third-party service 
providers.
---------------------------------------------------------------------------

    \1\ James Rundle, Wall Street Journal, Cyberattack on ION 
Derivatives Unit Had Ripple Effects on Financial Markets (Feb. 10, 
2023), https://www.wsj.com/articles/cyberattack-on-ion-derivatives-unit-had-ripple-effects-on-financial-markets-11675979210.
---------------------------------------------------------------------------

    The ransomware attack, carried out on a critical third-party 
service provider, ION Cleared Derivatives,\2\ disrupted trade 
settlement and reconciliation in derivatives markets.
---------------------------------------------------------------------------

    \2\ See Press Release, ION Markets, Cleared Derivatives Cyber 
Event (Jan. 31, 2023), https://iongroup.com/press-release/markets/cleared-derivatives-cyber-event/.
---------------------------------------------------------------------------

    ION provides trading, clearing, analytics, treasury, and risk 
management services for capital markets and futures and derivatives 
markets. A significant number of market participants, including a 
notable number of futures commission merchants (FCMs), rely on ION 
for back-office trade processing and settlement of exchange-traded 
derivatives.
    The cyber-incident that disrupted ION's operations caused a 
ripple effect across markets, halting deal matching, requiring 
affected parties to rely on manual (old school) trade processing, 
and causing delays in reconciliation and information sharing and 
reporting.

MRAC Leads on Cyber Reform Discussions

    I sponsor the Market Risk Advisory Committee (MRAC). On March 8, 
2023, the MRAC held a first-of-its-kind convening focused on the 
interconnectedness of our markets and the potential for 
interconnectedness and correlation to amplify contagion in the event 
of successful cyberattacks against critical infrastructure 
resources.\3\ At the March MRAC meeting, Futures Industry 
Association (FIA) President Walt Lukken announced the creation of a 
Cyber Risk Taskforce, charged with ``recommend[ing] ways to improve 
the ability of the exchange-traded and cleared derivatives industry 
to withstand the disruptive impacts of a cyberattack.'' \4\
---------------------------------------------------------------------------

    \3\ Kristin N. Johnson, Commissioner, CFTC, Opening Statement 
Before the Market Risk Advisory Committee Meeting (Mar. 8, 2023), 
https://www.cftc.gov/PressRoom/SpeechesTestimony/johnsonstatement030823.
    \4\ Futures Industry Association, FIA Taskforce on Cyber Risk, 
After Action Report and Findings, at 3 (Sept. 28, 2023), https://www.fia.org/sites/default/files/2023-09/FIA_Taskforce%20on%20Cyber%20Risk_Recommendations_SEPT2023_Final2.pdf.
---------------------------------------------------------------------------

    The After Action Report issued by the FIA at the conclusion of 
the Taskforce's work outlines the challenges that both markets and 
regulators faced as a result of the ION cyber-incident. Trade 
reconciliation for affected firms continued to lag. For weeks 
following the ION cyberattack, the Commission continued to work to 
consistently publish the Commitments of Traders (COT) report on a 
timely basis because ``reporting firms continu[ed] to experience 
. . . issues submitting timely and accurate data to the CFTC.'' \5\ The 
COT report is designed to help the public understand the dynamics of 
the futures and options on futures markets.\6\ The COT report is a 
reflection of the effectiveness of the Commission's surveillance of 
markets; it increases transparency and aids in price discovery. 
Thus, indirectly, the ION incident disrupted regulatory functions 
even though the cyberattack was not directed at the Commission nor 
any of the Commission's registrants.
---------------------------------------------------------------------------

    \5\ Press Release No. 8662-23, CFTC, CFTC Announces Postponement 
of Commitments of Traders Report (Feb. 16, 2023), https://www.cftc.gov/PressRoom/PressReleases/8662-23.
    \6\ CFTC, Commitments of Traders Reports Descriptions, https://www.cftc.gov/MarketReports/CommitmentsofTraders/index.htm.
---------------------------------------------------------------------------

    As a consequence, it is imperative to begin to examine the scope 
of our regulations governing cyber-system safeguards not only for 
registered market participants, but for mission-critical third-party 
service providers. There is increasing reliance on third parties for 
the provision of important services, particularly, for example, 
services that facilitate digital connectivity and cloud-based 
services.
    While outsourcing may allow companies to rely on outside 
expertise, reduce operating costs, and enhance operational 
infrastructure necessary for executing business activities, 
reliance may, in some instances, create vulnerability and risks 
that must be identified, managed, and mitigated.

Operational Resilience Proposed Rulemaking

    Today, the Market Participants Division (MPD) has introduced a 
robust and comprehensive proposed rulemaking that addresses: 
business continuity and disaster planning, cybersecurity, and 
assessment of the risk posed by reliance on third parties. I want to 
commend MPD, in particular Pamela Geraghty, Elise Bruntel, Fern 
Simmons, and Amanda Olear.
    The Commission has the authority to direct swap entities (swap 
dealers and major swap participants) to establish this operational 
resilience framework under Section 4s(j)(2) and (7) of the Commodity 
Exchange Act (CEA), which require swap entities to establish risk 
management systems over their day-to-day business and their 
operational risk.\7\ Likewise, the Commission may require an 
operational resilience framework of FCMs (collectively with swap 
entities, ``covered entities'') under Section 8a(5) of the CEA,\8\ 
which authorizes the Commission to promulgate regulations sufficient 
to accomplish the purposes of the CEA, including, for example, the 
need to maintain records of the operational risk of affiliates,\9\ 
and to establish safeguards to protect the confidentiality of 
nonpublic personal information.\10\
---------------------------------------------------------------------------

    \7\ 7 U.S.C. 6s(j)(2), (7).
    \8\ 7 U.S.C. 12a(5).
    \9\ 7 U.S.C. 6f.
    \10\ 7 U.S.C. 7b-2; 15 U.S.C. 6801.
---------------------------------------------------------------------------

    The proposed rulemaking sets out three major pillars of its 
operational resilience framework: (1) information and technology 
security; (2) a third-party relationship program to manage risks 
presented by mission-critical third-party service providers; and (3) 
a business continuity and disaster recovery plan.\11\
---------------------------------------------------------------------------

    \11\ Proposed Sec. Sec.  1.13(b)(2), 23.603(b)(2).
---------------------------------------------------------------------------

    Layered on top of the three pillars are corporate 
governance reforms that will dictate how each covered entity will 
incorporate the components of the plan into existing organizational 
structures. Each of the components of the operational resilience 
framework must be reviewed by senior leadership.\12\ Covered 
entities must also establish a risk appetite--the level of risk 
acceptable on an ongoing basis--and risk tolerance limits--the level 
of excess risk the entity is willing to accept should a particular 
risk materialize \13\--and the entities will be required to escalate 
incidents that exceed their risk tolerance limit.\14\ The rule also 
allows for flexibility for entities that function as a division or 
affiliate of a larger organization; such entities will be allowed to 
operate under the umbrella company's operational resilience plan so 
long as that plan meets the rule's requirements and considers the 
covered entity's particular risks.\15\
---------------------------------------------------------------------------

    \12\ Proposed Sec. Sec.  1.13(c)(1), 23.603(c)(1).
    \13\ Proposed Sec. Sec.  1.13(c)(1), 23.603(c)(2).
    \14\ Proposed Sec. Sec.  1.13(c)(3), 23.603(c)(3).
    \15\ Proposed Sec. Sec.  1.13(c)(4), 23.603(c)(4).
---------------------------------------------------------------------------

    The information and technology security program requires the 
covered entities to comprehensively assess, on at least an annual 
basis, the types of threats the entity faces, the entity's internal 
and external vulnerabilities, the likely impact of those threats or 
the exploitation of those vulnerabilities, and appropriate 
priorities for addressing those risks.\16\ With that background, 
covered entities must then implement controls reasonably designed to 
prevent, detect, and mitigate the identified risks, threats, and 
vulnerabilities.\17\ The program then requires the covered entities 
to develop a written incident response plan, reasonably designed to 
detect incidents where risks to information and technology are 
realized, and then provide for how the entity will mitigate the 
impact of and recover from such an incident.\18\
---------------------------------------------------------------------------

    \16\ Proposed Sec. Sec.  1.13(d)(1), 23.603(d)(1).
    \17\ Proposed Sec. Sec.  1.13(d)(2), 23.603(d)(2).
    \18\ Proposed Sec. Sec.  1.13(d)(3), 23.603(d)(3).
---------------------------------------------------------------------------

    The third-party relationship plan requires covered entities to 
understand the risks posed by all third-party service providers at 
each stage of the relationship: pre-selection, diligence, contract 
negotiation, ongoing monitoring, and termination.\19\ The proposed 
rule then imposes a heightened level of required diligence and 
monitoring for ``critical'' third parties, defined as those parties 
for whom disruption of performance on their service contract would 
either ``significantly disrupt'' the covered entity's business 
operations, or ``significantly and adversely impact'' the entity's 
counterparties or customers.\20\ Covered entities will also have to 
maintain an inventory of their critical and non-critical third-party 
service providers.\21\ Finally, regardless of any 
decision to rely on a third-party service provider, each covered 
entity remains responsible for meeting its obligations under the CEA 
and Commission regulations.\22\
---------------------------------------------------------------------------

    \19\ Proposed Sec. Sec.  1.13(e)(1), 23.603(e)(1).
    \20\ Proposed Sec. Sec.  1.13(e)(2), 23.603(e)(2).
    \21\ Proposed Sec. Sec.  1.13(e)(3), 23.603(e)(3).
    \22\ Id.
---------------------------------------------------------------------------

    Each entity's business continuity and disaster recovery plan 
(BCDR plan) must ``outline[ ] the procedures to be followed in the 
event of an emergency or other disruption of its normal business 
activities.'' \23\ The goal of a BCDR plan will be to enable covered 
entities to continue or resume business operations with minimal 
disruption to customers, counterparties, or the markets, and recover 
any affected data or information.\24\ At minimum, the BCDR plan must 
define backup plans for covered information and data; identify 
essential technology, facilities, infrastructure, and personnel; 
identify potential disruptions to critical third-party service 
providers; and identify supervisory personnel responsible for 
carrying out the plan in the event of an emergency.\25\ Covered 
entities must also maintain the plan at one or more off-site 
locations.\26\
---------------------------------------------------------------------------

    \23\ See 17 CFR 23.603(a).
    \24\ Proposed Sec. Sec.  1.13(f)(1)(i)-(ii), 23.603(f)(1)(i)-
(ii).
    \25\ Proposed Sec. Sec.  1.13(f)(2), 23.603(f)(2).
    \26\ Proposed Sec. Sec.  1.13(f)(3), 23.603(f)(3).
---------------------------------------------------------------------------

    To support the pillars of the operational resilience framework, 
the proposed rule also lays out training,\27\ review, and testing 
requirements to ensure the framework evolves with newly generated 
risks. Covered entities must review their framework annually,\28\ 
and engage in regular independent and documented testing, including 
penetration testing, vulnerability assessments, and testing of the 
incident response and BCDR plans.\29\ Results of that testing must 
be reported to the entity's chief compliance officer and other 
relevant senior personnel.\30\ Finally, the proposed rule lays out 
the instances in which the Commission must be notified of incidents 
and of activation of the BCDR plan.\31\
---------------------------------------------------------------------------

    \27\ Proposed Sec. Sec.  1.13(g), 23.603(g).
    \28\ Proposed Sec. Sec.  1.13(h)(1), 23.603(h)(1).
    \29\ Proposed Sec. Sec.  1.13(h)(2)-(3), 23.603(h)(2)-(3).
    \30\ Proposed Sec. Sec.  1.13(h)(5), 23.603(h)(5).
    \31\ Proposed Sec. Sec.  1.13(i)-(j), 23.603(i)-(j).
---------------------------------------------------------------------------

    This proposed rulemaking is both expansive and thoroughly 
considered. It galvanizes much of the preexisting guidance on these 
subjects, recognizing that the vast majority of our market 
participants already have programs in place to address these risks 
and often already are subject to other regulators' rules and 
obligations, both domestically and internationally. The rule also 
recognizes the vast range in the size of the operations of our 
registered market participants--from some of the world's largest 
financial institutions acting as swap dealers to small, independent 
futures commission merchants--and consequently builds flexibility 
into the proposed rule to allow businesses to tailor their 
operational resilience frameworks to the realities of their business 
needs.

The Need for Operational Resilience for Other Commission Registrants

    This rule is necessarily limited in scope to FCMs and the swap 
entities overseen by MPD. The risks that this rule intends to 
mitigate, however, are not similarly siloed. Designated Contract 
Markets (DCM), Swap Execution Facilities (SEF), and Swap Data 
Repositories (SDR), overseen by the Division of Market Oversight, 
and Derivative Clearing Organizations (DCO), overseen by the 
Division of Clearing and Risk, similarly rely on mission-critical 
third-party service providers, similarly are targeted by 
cyberattacks, and similarly risk business disruption caused by 
unforeseen disaster scenarios.
    Rulemakings completed in 2016 created system safeguard testing 
requirements for each of these entities, currently codified in Parts 
37, 38, 39, and 49 of the CFR.\32\ These rules include obligations 
for business continuity and disaster recovery and cybersecurity. 
Since 2016, however, the core issues surrounding the concept of 
operational resilience have shifted, most importantly around the 
ideas of mission-critical third parties. DCOs are increasingly 
contracting with third parties to manage and conduct aspects of 
their regulatory obligations, and just like with the covered 
entities subject to the rule at issue today, the onboarding of these 
new third parties also onboards new risks. The proposed rulemaking 
today considers the system safeguards provisions already on the 
books; \33\ the Commission now needs to continue to press forward by 
considering this proposed rule for future parallel regulations, for 
DCOs in particular.
---------------------------------------------------------------------------

    \32\ See Final Rule, System Safeguards Testing Requirements, 81 
FR 64272 (Sept. 19, 2016) (covering DCMs, SEFs, and SDRs); Final 
Rule, System Safeguards Testing Requirements for Derivatives 
Clearing Organizations, 81 FR 64322, 64329 (Sept. 19, 2016) 
(``System Safeguards for DCOs'') (describing the CFTC's approach to 
system safeguards for DCOs as providing DCOs with ``flexibility to 
design systems and testing procedures based on the best practices 
that are most appropriate for that DCO's risks'').
    \33\ Cf., e.g., System Safeguards for DCOs, 81 FR 64322-23; 17 
CFR 39.18(b)(3) (requiring DCOs to follow generally accepted 
standards and best practices with respect to the development, 
operation, reliability, security, and capacity of automated 
systems).
---------------------------------------------------------------------------

    The pandemic underscored the importance of business operational 
resilience, namely the ability of our registrants to react to and 
withstand unforeseen disasters. The FIA conducted its annual 
Disaster Recovery Exercise this fall with the stated goal of probing 
participants' ability to ``conduct critical business functions'' in 
the wake of a large-scale disaster.\34\ Last year's exercise saw 
participation from 19 major U.S. and international futures exchanges 
and clearinghouses, who indicated that this type of probing helped 
them to: ``Exercise their business continuance/disaster resilience 
plans[, i]dentify internal and external single points of failure 
. . . [, and t]ighten up and improve the documentation of their business 
continuity procedures.'' \35\
---------------------------------------------------------------------------

    \34\ Presentation, Futures Industry Association, Business 
Continuity Disaster Recovery Test, at 4 (Aug. 23, 2023), https://www.fia.org/sites/default/files/2023-10/FIA_DR_Test_Briefing_2023_1010_0.pptx.
    \35\ Summary Report, Futures Industry Association, 2022 FIA 
Industry-Wide Disaster Recovery Test, at 4 (Dec. 16, 2021), https://www.fia.org/sites/default/files/2023-05/2022_DR_Test_Results_v2.pdf.
---------------------------------------------------------------------------

    In 2021, the International Organization of Securities 
Commissions (IOSCO) initiated a consultation examining business 
continuity planning.\36\ IOSCO's initial recommendations to member 
jurisdictions stated that all regulators should require firms to 
have in place ``mechanisms to help ensure the resiliency, 
reliability and integrity (including security) of critical systems'' 
including an appropriate ``Business Continuity Plan.'' \37\
---------------------------------------------------------------------------

    \36\ The Board of The International Organization of Securities 
Commissions, Thematic Review on Business Continuity Plans with 
respect to Trading Venues and Intermediaries (May 21, 2021), https://www.iosco.org/library/pubdocs/pdf/IOSCOPD675.pdf.
    \37\ Id. at 1.
---------------------------------------------------------------------------

    Every industry advisory board and oversight group to have 
studied cybersecurity has reached the same conclusion: risks to 
financial institutions from cyberattacks continue to grow. The 
Financial Stability Oversight Council noted in its 2022 annual 
report that from 2015 to 2020 the finance and insurance industries 
were subject to the most cyberattacks of any industry, and that the 
current global geopolitical climate has only increased the need for 
vigilance against cyber threats.\38\ In April 2020, the Financial 
Stability Board (FSB) issued a guide on cyber incident response that 
explained that ``[a] significant cyber incident, if not properly 
contained, could seriously disrupt the financial system, including 
critical financial infrastructure, leading to broader financial 
stability implications.'' \39\ Similarly, in its 2019 Cyber Task 
Force report, IOSCO reiterated that cyber risk is one of the top 
threats to financial markets today given the ``economic costs of 
such events can be immense . . . and could potentially undermine the 
integrity of global financial markets.'' \40\ IOSCO went further in 
their recommendations to the crypto industry earlier this year that 
``[r]egulators should require a [crypto-asset service provider] to 
put in place sufficient measures to address cyber and system 
resiliency.'' \41\
---------------------------------------------------------------------------

    \38\ Financial Stability Oversight Council, 2002 Annual Report, 
at 37 (Dec. 16, 2022), https://home.treasury.gov/system/files/261/FSOC2022AnnualReport.pdf.
    \39\ The Financial Stability Board, Effective Practices for 
Cyber Incident Response and Recovery, at 1 (Oct. 19, 2020), https://www.fsb.org/wp-content/uploads/P191020-1.pdf.
    \40\ The Board of The International Organization of Securities 
Commissions, Cyber Task Force: Final Report, at 3 (June 19, 2019), 
https://www.iosco.org/library/pubdocs/pdf/IOSCOPD633.pdf.
    \41\ The Board of The International Organization of Securities 
Commissions, Policy Recommendations for Crypto and Digital Asset 
Markets Consultation Report, at 39 (Nov. 16, 2023), https://www.iosco.org/library/pubdocs/pdf/IOSCOPD747.pdf.
---------------------------------------------------------------------------

Next Steps for Derivatives Clearing Organizations

    At the MRAC meeting this past Monday, I announced a new 
workstream for the CCP Risk and Governance subcommittee that will 
focus on third-party risk for central clearing counterparties. Work 
will begin imminently, with the goal of presenting a proposal for

[[Page 4765]]

vote by the parent committee in the first quarter of 2024. DCOs 
already retain responsibility for meeting regulatory requirements 
when entering into contractual outsourcing arrangements; \42\ the 
question now is how DCOs should be required to assess and monitor 
the risks associated with doing so.
---------------------------------------------------------------------------

    \42\ 17 CFR 39.18(d) (2022) (providing that registered entities 
such as DCOs retain responsibility for meeting relevant regulatory 
requirements when entering into contractual outsourcing 
arrangements).
---------------------------------------------------------------------------

    Such a rule should in my view broadly track the rule for FCMs 
and swap entities proposed today, but deep consideration must be 
given to the ways in which the core DCO business differs. For 
example, DCOs already occupy a quasi-oversight role with respect to 
their clearing members; should a rule on third-party risk require 
DCOs to consider not only the risk posed by their own outsourcing 
contracts, but also require that DCOs consider their clearing 
members' third-party risks, perhaps as an aspect of a DCO's 
assessment of its counterparty risk? How else might the rule differ 
given the disparity between DCOs' and FCMs' relative frequency of 
interaction with end users? How might these rules coordinate with 
prudential regulators?
    A cyberattack on a third party that affected FCMs last winter 
was already disruptive enough, but given their status as SIFMUs some 
DCOs are quite literally systemically important entities. DCOs serve 
irreplaceable market functions, and we need to update their operational 
resilience requirements to take into account this new conception of 
third-party risk. I look forward to the new MRAC workstream diving 
into this critical issue, and of course to what Division of Clearing 
and Risk staff might bring forward in an eventual proposed 
rulemaking.
    I once again commend the staff of MPD on their tremendous effort 
bringing forth this proposed rule, and look forward to hearing the 
thoughts of my fellow Commissioners.

Appendix 4--Statement of Commissioner Christy Goldsmith Romero

    Today we have before us our first proposed cyber and operational 
resilience rule that would apply to swap dealers (including banks) 
and futures commission merchants (FCMs). I'm excited to see the 
proposed rule up for vote today. I support the rule and thank the 
staff for their more than one year of hard work. I also thank all 
who engaged with us in an extensive collaborative effort. I also 
thank Chairman Behnam for entrusting me to help with this rule.
    This is a critical rule for the CFTC. FBI Director Christopher 
Wray recently said ``that today's cyber threats are more pervasive, 
hit a wider array of victims, and carry the potential for greater 
damage than ever before'' and we face ``some of our most complex, 
most severe, and most rapidly evolving threats.'' \1\ This rule 
proposes to help advance our markets from a mentality of incident 
response to one of cyber resilience. This would further President 
Biden's White House National Cybersecurity Strategy and Executive 
Order on Improving the Nation's Cybersecurity.\2\
---------------------------------------------------------------------------

    \1\ See FBI, Director Wray's Remarks at the Mandiant/mWISE 2023 
Cybersecurity Conference (Sept. 18, 2023).
    \2\ The E.O.'s statement of policy is ``Protecting our 
Nation from malicious cyber actors requires the Federal Government 
to partner with the private sector. The private sector must adapt to 
the continuously changing threat environment, ensure its products 
are built and operate securely, and partner with the Federal 
Government to foster a more secure cyberspace. In the end, the trust 
we place in our digital infrastructure should be proportional to how 
trustworthy and transparent that infrastructure is, and to the 
consequences we will incur if that trust is misplaced.'' The White 
House, Executive Order on Improving the Nation's Cybersecurity (May 
12, 2021).
---------------------------------------------------------------------------

    Cyber resilience is one of my top priorities, and a critical 
issue on which I am engaged. Over the last year, the CFTC staff and 
I have been engaged with the White House, other financial 
regulators, the Department of Commerce's National Institute of 
Standards and Technology (NIST), the National Futures Association 
(NFA), swap dealers, FCMs, trade groups like the Futures Industry 
Association, the International Swaps and Derivatives Association, 
and the Securities Industry and Financial Markets Association, 
public interest groups, and third-party vendors. I also sponsor the 
Technology Advisory Committee that covers cybersecurity, and has a 
dedicated Cybersecurity subcommittee stacked with well-regarded 
cybersecurity experts.\3\
---------------------------------------------------------------------------

    \3\ See CFTC, Commissioner Goldsmith Romero Announces Technology 
Advisory Committee Subcommittee Co-Chairs and Members (July 14, 
2023); see also CFTC Technology Advisory Committee July 18 Meeting 
(July 18, 2023); CFTC Technology Advisory Committee March 22 Meeting 
(March 22, 2023).
---------------------------------------------------------------------------

    It takes this type of collective public and private engagement 
to thwart cybercrime, stay ahead of the continuously changing 
threat, and protect our nation's critical infrastructure. Director 
Wray has spoken about how malicious cyber actors seeking to cause 
destruction are working to hit us somewhere that's going to hurt--
U.S. critical infrastructure sectors.\4\ According to the FBI, in 
2021, there were ransomware incidents against 14 of the 16 U.S. 
critical infrastructure sectors.\5\ That includes an attack on 
Colonial Pipeline that led to gas shortages, and an attack on the 
world's largest meat supplier JBS, that led to meat shortages and 
spiking prices.\6\
---------------------------------------------------------------------------

    \4\ See FBI, Director's Remarks to the Boston Conference on 
Cyber Security 2022 (June 1, 2022).
    \5\ See FBI, FBI Partnering with the Private Sector to Counter 
the Cyber Threat, Remarks at the Detroit Economic Club (Mar. 22, 
2022).
    \6\ See Id. (discussing how an attack led to Colonial shutting 
down pipeline operations and a panic among people in the Southeast 
that led to a run on gas and how an attack on JBS resulted in a 
complete stoppage of meat production, leading to spiking prices and 
less availability of meat).
---------------------------------------------------------------------------

    As Director Wray has said, ``ransomware gangs love to go after 
things we can't do without.'' \7\ Our nation cannot do without the 
commercial agriculture, energy, metals, and financial markets, on 
which derivatives markets are based.
---------------------------------------------------------------------------

    \7\ See FBI, Director's Remarks to the Boston Conference on 
Cyber Security 2022 (June 1, 2022).
---------------------------------------------------------------------------

    In June, I presented five key pillars of cyber resilience, 
pillars that are contained in the proposed rule: \8\
---------------------------------------------------------------------------

    \8\ Commissioner Christy Goldsmith Romero, Advancing from 
Incident Response to Cyber Resilience, (June 20, 2023).
---------------------------------------------------------------------------

    1. A proportionate and appropriate approach;
    2. Following generally accepted standards and best practices;
    3. Elevating responsibility through governance;
    4. Building resilience to third-party risk; and
    5. Leveraging the important work already done in this space, 
including by prudential regulators and NFA.

Taking a Proportionate and Appropriate Approach

    There is no one-size-fits-all approach. The proposed rule would 
require swap dealers and FCMs to ensure that their operational 
resilience programs are appropriate and proportionate to the nature 
and risk profile of their business. This follows the White House 
National Cybersecurity Strategy.\9\ Our swap dealers include 
Globally Systemically Important Banks (GSIBs). Additionally, some of 
our swap dealers and FCMs are involved in U.S. critical 
infrastructure such as in the energy or agricultural sectors, or in 
supply chains.
---------------------------------------------------------------------------

    \9\ See The White House, National Cybersecurity Strategy (March 
2023) (recommending that organizations ``demonstrate a principles-
based approach that is sufficiently nimble to adapt to meet the 
challenges of the ever-evolving technological threat landscape and 
to fit the unique business and risk profile of each individual 
covered entity.'').
---------------------------------------------------------------------------

    FBI Director Wray testified before Congress this month that one 
of the most worrisome facets of state-sponsored adversaries is their 
focus on compromising U.S. critical infrastructure, especially 
during a crisis, and that there is often no bright line that 
separates where nation state activity ends and cybercriminal 
activity begins.\10\ He testified about the disruptive impact of a 
supply chain attack in the SolarWinds attack, conducted by the 
Russian Foreign Intelligence Service.\11\ This summer, Director Wray 
said that the FBI is seeing the effects of Russia's invasion of 
Ukraine here at home, as the FBI has seen Russia conducting 
reconnaissance on the U.S. energy sector.\12\
---------------------------------------------------------------------------

    \10\ See FBI, Statement of Christopher A. Wray Director Federal 
Bureau of Investigation Before the Committee on the Judiciary United 
States Senate (Dec. 5, 2023).
    \11\ See Id.
    \12\ See FBI, Director Wray's Remarks at the FBI Atlanta Cyber 
Threat Summit (July 26, 2023).
---------------------------------------------------------------------------

    Director Wray also has said that, ``China operates on a scale 
Russia doesn't come close to. They've got a bigger hacking program 
than all other major nations combined. They've stolen more American 
personal and corporate data than all nations combined.'' \13\ 
Director Wray has said that ``the Chinese government has hacked more 
than a dozen U.S. oil and gas pipeline operators, not just stealing 
their

[[Page 4766]]

information, but holding them, and all of us, at risk.'' \14\ Swap 
dealers and FCMs involved in critical infrastructure sectors will 
need to build resilience for these cyber threats.
---------------------------------------------------------------------------

    \13\ See FBI, Director's Remarks to the Boston Conference on 
Cyber Security 2022 (June 1, 2022).
    \14\ See FBI, FBI Partnering with the Private Sector to Counter 
the Cyber Threat, Remarks at the Detroit Economic Club (Mar. 22, 
2022).
---------------------------------------------------------------------------

    The proposal also recognizes that cyber resilience requires 
continuous attention. What is appropriate or proportionate may 
change with the changing threat vector. It may also change when a 
swap dealer or FCM enters a new line of business, onboards a new 
vendor, or takes other action that can carry cyber risk.

Following Generally Accepted Standards and Practices

    The proposal, like the CFTC's rules for exchanges and 
clearinghouses, would require swap dealers and FCMs to follow 
generally accepted standards and industry best practices, like NIST 
or ISO (for international companies). The NIST Cybersecurity 
Framework creates a clear set of cybersecurity expectations that are 
risk- and outcome-based rather than prescriptive, and adaptable to 
the size and types of businesses.\15\ These standards are regularly 
updated to reflect the evolving technology and threat landscape. The 
proposed rule also requires at least annual assessment, testing and 
updates to the operational resilience framework.
---------------------------------------------------------------------------

    \15\ See Presentation of Kevin Stine, Chief of the Applied 
Security Division at NIST Information Technology Laboratory, 
``Managing Cybersecurity Risks,'' CFTC Technology Advisory Committee 
Meeting (March 22, 2023).
---------------------------------------------------------------------------

Elevating Responsibility Through Governance

    The vision of the Biden Administration's National Cybersecurity 
Strategy is to rebalance the responsibility to defend cyberspace by 
shifting the burden for cybersecurity away from individuals and 
small businesses, and onto the organizations that are most capable 
and best positioned to reduce risks.\16\ This strategy gets away 
from vulnerability caused by one person in an organization clicking 
on the wrong thing that leads to total disruption. The banks and 
commodity firms this rule would apply to are capable and best 
positioned to reduce cyber risk and cybercrime losses.
---------------------------------------------------------------------------

    \16\ See The White House, National Cybersecurity Strategy (March 
2023).
---------------------------------------------------------------------------

    Building cyber resilience requires elevating responsibility to 
those who make strategic decisions about the business. The stakes 
for businesses are high. There is potential legal risk, reputational 
risk, risk to national security, as well as financial risk. In 2022, 
the FBI reported $10.3 billion in cybercrime losses, shattering the 
record from the prior year.\17\ Tone at the top, including the C-
suite's active participation in cyber resilience programs as well as 
making cyber resilience a top priority, can determine whether an 
organization will successfully be cyber resilient and operationally 
resilient.
---------------------------------------------------------------------------

    \17\ FBI, Internet Crime Report 2022 (March 22, 2023).
---------------------------------------------------------------------------

    The proposed rule would require operational resilience plans to 
be approved annually by a senior leader and for incidents to be 
escalated promptly. It also would require senior leaders to set and 
approve the firm's risk appetite and risk tolerance limit. Leaders 
should make strategic decisions about the risk they are willing to 
take on, as well as the metrics they will monitor. I am interested 
in hearing if the proposal's definitions of these terms set a clear 
expectation and align with generally accepted standards.

Building Resilience to Third-Party Risk

    Swap dealers and FCMs routinely rely upon third party (as well 
as fourth party) service providers to access new technologies and 
expertise, and for efficiencies in business functions. The rule 
requires building resilience to third party risk, an issue brought 
sharply into focus with this year's cyber-attack on third-party 
vendor ION Markets.
    Because third parties create points of entry that need to be 
secured from cyber criminals, the banking regulators released 
updated interagency guidance on third party risk management that 
would apply to many of the swap dealers subject to the proposed 
rule.\18\ The staff and I met with the Federal Reserve, Federal 
Deposit Insurance Corporation, and the Office of the Comptroller of 
the Currency about their guidance and their efforts to promote cyber 
resilience. Like that interagency guidance, the proposed rule 
includes an inventory of all third-party service providers, 
assessments of risk throughout the lifecycle of the third-party 
relationship, the identification of critical third parties, and 
subjects those critical third parties to heightened due diligence 
and monitoring.
---------------------------------------------------------------------------

    \18\ Board of Governors of the Federal Reserve System, Federal 
Deposit Insurance Corporation, and Office of the Comptroller of the 
Currency, Interagency Guidance on Third Party Relationships: Risk 
Management (Jun. 6, 2023).
---------------------------------------------------------------------------

    The proposed definition of who is a critical third-party service 
provider takes a flexible approach, asking entities to consider the 
impact of a disruption.\19\ At his TAC presentation, Todd Conklin, 
Deputy Assistant Secretary of Treasury's Office of Cybersecurity and 
Critical Infrastructure Protection (OCCIP) and TAC member discussed 
how ION Markets received less scrutiny because it was not treated as 
a critical third-party vendor by most firms.\20\ I look forward to 
comment.
---------------------------------------------------------------------------

    \19\ I heard from many banks and brokers that identifying who is 
a critical third-party service provider is an issue they regularly 
grapple with, and that it often comes down to specific facts and 
circumstances, and not just the products and service they provide.
    \20\ See Presentation of Todd Conklin, Deputy Assistant 
Secretary of Treasury's Office of Cybersecurity and Critical 
Infrastructure Protection (OCCIP), ``The Cyber Threat Landscape for 
Financial Markets: Lessons Learned from ION Markets, Cloud Use in 
Financial Services, and Beyond,'' CFTC Technology Advisory Committee 
Meeting (March 22, 2023) (``many institutions didn't even classify 
[ION Markets] necessarily as a `critical' third-party vendor. So 
many firms who onboarded ION didn't use the highest-level scrutiny 
that they use for their most critical third-party vendors.'').
---------------------------------------------------------------------------

    The CFTC also proposes separate guidance on managing third-party 
risks. I am interested in commenters' views on this guidance, and 
whether we have it right for harmonization.

Leveraging the Important Work of Others, Including Prudential 
Regulators and the NFA

    The White House's 2023 Cybersecurity Strategy recommends 
organizations ``harmonize where sensible and appropriate to achieve 
better outcomes.'' \21\ The proposal recognizes that many of our 
regulated entities are part of a larger enterprise, with cyber and 
operational resilience programs managed at the enterprise level, and 
can use those programs under this rule. I am interested in 
commenters' views on whether we have achieved appropriate 
harmonization or whether we need greater harmonization with bank 
regulators' rules and guidance and NFA guidance.\22\
---------------------------------------------------------------------------

    \21\ See The White House, National Cybersecurity Strategy, 
(March 2023).
    \22\ These requirements and guidance include the prudential 
regulator's Sound Practices to Strengthen Operational Resilience 
paper, the Interagency Guidelines Establishing Standards for 
Safeguard Customer Information, and the recently released 
Interagency Guidance on Third-Party Relationships: Risk Management, 
as well as NFA guidance on information security, third-party service 
provider risk management, and notification of regulators and 
business continuity and disaster recovery.
---------------------------------------------------------------------------

Stronger Together

    We are stronger together. The CFTC is part of coordinated 
government efforts to learn about and disseminate information about 
emerging cyber threats. We want to work with our swap dealers and 
FCMs to help strengthen their operational resilience, especially 
prior to any disruptive event.
    Should a disruptive event occur, resilience requires rapid 
collaboration among the CFTC and all those who are potentially 
affected to contain any potential damage and to keep critical market 
functions running. The proposed rule includes specific requirements 
for notifying the CFTC of an incident as soon as possible, but no 
later than 24 hours after detection. I support immediate 
notification to the CFTC because if we know, we can work with 
regulated entities and markets to assess and minimize damage, 
trigger appropriate regulatory and law enforcement action, help in 
recovery, and protect customers. I note that this time frame and 
reporting standards differ from those of other regulators, and look forward 
to comment.
    A two-way flow of information can play a significant role in the 
ability to build resilience, which means the ability to recover 
quickly after an attack. According to Deputy Assistant Secretary 
Conklin, collaboration between the government and industry helped 
mitigate the impact of the ION Markets attack.\23\ The proposal 
would also require notification to customers and counterparties as 
soon as possible of attacks that affect them. Early notice helps 
minimize the impact of an

[[Page 4767]]

attack by allowing them to secure their personal data, monitor 
affected accounts, and make alternative arrangements for accessing 
critical funds or markets.
---------------------------------------------------------------------------

    \23\ See Presentation of Todd Conklin, Deputy Assistant 
Secretary of Treasury's Office of Cybersecurity and Critical 
Infrastructure Protection (OCCIP), ``The Cyber Threat Landscape for 
Financial Markets: Lessons Learned from ION Markets, Cloud Use in 
Financial Services, and Beyond,'' CFTC Technology Advisory Committee 
Meeting (Mar. 22, 2023).
---------------------------------------------------------------------------

    If we can all work together, we can harden our defenses, thwart 
cyber criminals, and protect critical U.S. infrastructure and 
national security. Together, we can build a safer and more resilient 
cyberspace.

Appendix 5--Statement of Commissioner Caroline D. Pham

    I support the Notice of Proposed Rulemaking on Operational 
Resilience Framework for Futures Commission Merchants, Swap Dealers, 
and Major Swap Participants (Operational Resilience Proposal) \1\ 
because I believe this approach is largely consistent with 
international standards for operational resilience, as well as U.S. 
prudential regulations and non-U.S. regulations, which have been 
implemented for several years now. I thank the staff of the Market 
Participants Division (MPD), especially Pamela Geraghty, Elise 
Bruntel, and Amanda Olear, as well as Chairman Behnam and 
Commissioner Goldsmith Romero, for working with me over the past 
year to address my concerns.
---------------------------------------------------------------------------

    \1\ Because there are no registered major swap participants, as 
a practical matter, this statement will refer to swap dealers and 
futures commission merchants (FCMs).
---------------------------------------------------------------------------

Background

    My discussions with MPD staff, formerly the Division of Swap 
Dealer and Intermediary Oversight (DSIO), in fact date back to 2016 
when I was in the private sector. MPD staff have been considering 
many of the elements of an operational resilience framework for 
years, including operational risk and cybersecurity risk. I 
appreciate the staff's focus on all of these important issues that 
contribute to ensuring that our registrants have robust risk 
management and compliance programs, and that the CFTC is doing our 
job to uphold financial stability and protect against systemic risk.
    I would like to mention my background and experience, as well as 
familiarity, with the subject areas covered by the Operational 
Resilience Proposal to provide context for my efforts to support the 
development of this Proposal and address my concerns that the CFTC's 
approach should not be overly prescriptive and should generally take 
a principles-based approach, in recognition of the extensive years-
long global implementation of operational resilience requirements by 
U.S. and non-U.S. regulators and banking organizations.
    In my previous roles at a global systemically important bank 
(GSIB), I have been involved with operational resilience since 2019, 
including the oversight and coordination of global regulatory 
advocacy with the Financial Stability Board (FSB) and regulatory 
authorities such as the U.S. prudential regulators,\2\ the Bank of 
England, and European Union (EU) authorities. I also was on the 
enterprise-wide operational resilience program steering committee, 
and I have implemented enterprise-wide programs across a global 
financial institution across all regions and both institutional or 
wholesale and consumer businesses.
---------------------------------------------------------------------------

    \2\ U.S. prudential regulators refers to the Board of Governors 
of the Federal Reserve System (Fed), the Office of the Comptroller 
of the Currency (OCC), and the Federal Deposit Insurance Corporation 
(FDIC).
---------------------------------------------------------------------------

    Among the specific elements encompassed in the Operational 
Resilience Proposal, I have enhanced the swap dealer and futures 
commission merchant (FCM) risk management programs. I have drafted 
an enterprise-wide risk appetite statement. I have implemented the 
National Futures Association's (NFA) update to its information 
systems security programs requirements, which addresses 
cybersecurity risk. I have participated in tabletop exercises, 
drills, and simulations of responses to cyber attacks. I was the 
lead from the Compliance department on the third-party risk 
management program for cross-asset activities or other programmatic 
aspects across the global markets business. I have enhanced the 
business continuity and disaster recovery (BCDR) swap dealer 
policies and procedures and integration with the enterprise-wide 
continuity of business program. I have delivered training for, 
respectively, 9,000 and 17,000 employees across nearly 100 countries 
and multiple languages. I have had a compliance monitoring team that 
reported directly to me. I have advised on the design and 
implementation of the enterprise-wide Volcker Rule independent 
testing program. I was part of global regulatory notification 
protocols for cybersecurity or other incidents. And also, of course, 
I have been subject to regulatory examinations on each one of these 
areas. This practical experience has informed my engagement on this 
significant rulemaking initiative.

The CFTC's Approach to Operational Resilience Must Be Consistent With 
International Standards and Prudential Regulations

    I am pleased that the CFTC is seeking an approach that is 
consistent with international standards and best practices for 
regulators in addressing operational resilience. I will reiterate my 
previous remarks on the many years of work by policymakers such as 
the FSB, the Basel Committee on Banking Supervision (BCBS), the 
International Organization of Securities Commissions (IOSCO), and 
other regulatory authorities around the world to implement laws, 
regulations, and standards for operational resilience. Operational 
resilience, as noted by U.S. prudential regulators in 2020, 
encompasses governance, operational risk management, business 
continuity management, third-party risk management, scenario 
analysis, secure and resilient information system management, 
surveillance and reporting, and cyber risk management. Regulated 
entities, including the vast majority of our swap dealers and FCMs 
that are part of banking organizations, have already implemented 
comprehensive enterprise-wide operational resilience programs.\3\
---------------------------------------------------------------------------

    \3\ Opening Statement of Commissioner Caroline D. Pham before 
the Technology Advisory Committee, U.S. Commodity Futures Trading 
Commission (Jul. 18, 2023), https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement071823.
---------------------------------------------------------------------------

    Issuing this Proposal can be beneficial to initiate an open 
process to request information and stimulate dialogue with the 
public. That is why, although there has been some hesitation or 
trepidation around what the Commission might do since we are coming 
onto the tail end of operational resilience implementation globally, 
I do think it is important that we are taking this step today, 
because it is critical that the public has the opportunity to 
provide input on any amendment or expansion of our existing 
programmatic requirements that is informed by actual experience from 
risk management and compliance officers, other control functions, 
and practitioners who have implemented and complied with operational 
resilience requirements pursuant to other regulations.
    Further, as I have noted previously, because the CFTC's rules 
are often only one part of a much broader risk governance framework 
for financial institutions, the Commission must ensure that it has 
the full picture before coming to conclusions to ensure that our 
rules not only address any potential regulatory gaps or changes in 
risk profiles, but also to avoid issuing rules that are conflicting, 
duplicative, or unworkable with other regulatory regimes.\4\
---------------------------------------------------------------------------

    \4\ Statement of Commissioner Caroline D. Pham on Risk 
Management Program for Swap Dealers and Futures Commission Merchants 
Advance Notice of Proposed Rulemaking, U.S. Commodity Futures 
Trading Commission (Jun. 1, 2023), https://www.cftc.gov/PressRoom/SpeechesTestimony/phamstatement060123.
---------------------------------------------------------------------------

    For example, when I last checked earlier this year, the CFTC 
currently has 106 provisionally registered swap dealers. Of these 
106 entities, both U.S. and non-U.S., all but a handful are also 
registered with and supervised by another agency or authority, such 
as a prudential, functional, or market regulator. Most of these swap 
dealers are subject to three or more regulatory regimes.\5\
---------------------------------------------------------------------------

    \5\ Id.
---------------------------------------------------------------------------

    It is imperative that the Commission and the staff consider how 
our rules work in practice together with the rules of other 
regulators, whether foreign or domestic. This key point is easily 
apparent in looking at the CFTC's substituted compliance regime for 
non-U.S. swap dealers, where the Commission has expressly found that 
non-U.S. swap dealers in certain jurisdictions are subject to 
comparable and comprehensive regulation, and therefore, our rules 
permit such non-U.S. swap dealers to, for example, substitute 
compliance with their home jurisdiction risk management regulations 
to satisfy our risk management program rules under CFTC Regulation 
23.600.\6\
---------------------------------------------------------------------------

    \6\ Id.
---------------------------------------------------------------------------

Specific Areas for Public Comment

    As a preliminary matter, regarding discussion of the CFTC's 
approach to system safeguards requirements for designated contract 
markets (DCMs) and derivatives clearing organizations (DCOs) and its 
impact on the development of today's Operational Resilience 
Proposal, I note that swap dealers
and FCMs are very different from exchanges and clearinghouses. The 
CFTC should not overly rely upon its approach to the system 
safeguards rulesets because it is akin to the difference between, 
for example, the Securities and Exchange Commission's (SEC) 
Regulation SCI and the U.S. prudential regulators' Heightened 
Standards for Risk Governance. I believe that the staff has tried to 
balance these considerations, and I welcome public comment on this 
approach.

Definitions

    Words matter, and it is very important for the Commission to be 
precise in the words that we use for defined terms. I encourage all 
commenters to review the Proposal's definitions and advise whether 
the definitions are appropriate or need to be revised.

Third-Party Relationship Program Guidance

    The Operational Resilience Proposal includes an appendix to the 
rule text with more prescriptive guidance on third-party 
relationships (third-party risk management). This is unusual because 
I do not believe that the CFTC has this level of prescriptiveness 
for any other category of risk, such as credit risk. I question 
whether this heralds a change to the CFTC's approach to setting 
forth risk management requirements, and why the Commission would 
issue prescriptive guidance for third-party risk but not for other 
risks such as operational risk or market risk.
    I also question the approach of issuing Commission guidance, 
which would have to undergo notice-and-comment rulemaking and that 
could take a year or two to update, instead of issuing staff 
guidance, which could be updated more flexibly. I believe that any 
prescriptive guidance would be more appropriate as staff guidance, 
not Commission guidance, because staff guidance can be kept up-to-
date more easily to address changes in best practices or to adapt to 
emerging risks. This is similar to how, for example, U.S. prudential 
regulators update their bank examiners handbook or circulars.
    I am interested in public comment on the CFTC's requirements for 
third-party risk management, and whether it should be issued as 
Commission guidance or staff guidance.

Risk Appetite

    The Operational Resilience Proposal refers to risk appetite, 
which is a new concept to CFTC regulations. I am interested in 
whether commenters believe risk appetite is workable under the 
CFTC's regulatory framework, which is focused on enforcement rather 
than ongoing supervision. Indeed, I have repeatedly noted that the 
CFTC lacks a swap dealer examination program. As a consequence, non-
material operational or technical issues are the subject of 
enforcement actions, rather than addressed more appropriately 
through supervisory findings and exam reports like every other 
regulatory authority in the world. This makes the CFTC an outlier 
amongst U.S. and non-U.S. regulators, and therefore prudential 
concepts like risk appetite may not be workable.

Risk Tolerance Limits

    Risk tolerance limits are a requirement under the CFTC's risk 
management program (RMP) rules for swap dealers and FCMs. The 
Operational Resilience Proposal also requires risk tolerance limits, 
but sets forth a different definition and does not refer to the risk 
tolerance limits under the RMP rules. I am interested in public 
comment on whether the two differing requirements may cause 
confusion or can be implemented without any issues.

Annual Attestation

    The Operational Resilience Proposal requires an annual 
attestation by the senior officer, an oversight body, or a senior-
level official of a swap dealer or FCM that relies on a consolidated 
operational resilience program. Such attestation is to the effect 
that the consolidated program meets CFTC requirements and reflects 
the risk appetite and risk tolerance limits appropriate to the swap 
dealer or FCM. I encourage commenters to discuss the attestation 
requirement and suggest appropriate attestation language.

Substituted Compliance

    Under the Operational Resilience Proposal, substituted 
compliance would be available for non-U.S. swap dealers subject to a 
comparability determination issued by the Commission. I appreciate 
the recognition in the Proposal of the importance of a home-host 
regulator approach to maintaining regulatory cohesion and addressing 
systemic risk and financial stability. I am interested in whether 
commenters believe the Proposal presents any cross-border issues in 
implementation.

Conclusion

    I believe in continuous improvement for not only our market 
participants, but also for the Commission and its regulations, and 
that is why I would like to thank the MPD staff again for being 
proactive in thinking about these issues. I want to particularly 
recognize the leadership of Commissioner Goldsmith Romero in first 
highlighting these risks and exploring ways to address them through 
the work of the CFTC's Technology Advisory Committee, which she 
sponsors.
    As I have stated before, the benefit of the CFTC's principles-
based regulatory framework is that it can quickly anticipate and 
adapt to changes in risk profiles or the operating environment. That 
is why I believe our rules must be broad and flexible enough to be 
forward-looking and evergreen, because it is simply not possible to 
prescribe every last requirement for the unknown future. Consistent 
with international standards, I have discussed the importance of 
utilizing existing risk governance frameworks and risk management 
disciplines to identify, measure, monitor, and control emerging 
risks and new technologies. Swap dealers and FCMs must be vigilant 
and address new and emerging risks through various risk stripes as 
appropriate, whether from changing market conditions, technological 
developments, geopolitical concerns, or any other event, and 
maintain operational resilience.
    With that, I welcome the input from the public comments to 
inform the Commission and the staff regarding the application of the 
Operational Resilience Proposal to swap dealers and FCMs, especially 
those entities that are part of a banking organization and have 
already implemented operational resilience requirements pursuant to 
U.S. or non-U.S. regulations.

[FR Doc. 2023-28745 Filed 1-23-24; 8:45 am]
BILLING CODE 6351-01-P