Statement of Commissioner J. Christopher Giancarlo Regarding Proposed Rule on System Safeguards Testing Requirements
December 16, 2015
In one of our very first conversations over a year and a half ago, Chairman Massad and I discussed the many risks that cyber threats pose to trading markets. We agreed that cyber and overall system security is one of the most important issues facing markets today in terms of trading integrity and financial stability.
Earlier this year, I called for a “bottom-up” approach to combating cyber threats.[1] This approach involves a close and dynamic relationship between regulators and the marketplace. It also requires the continuous development of best practices, defensive strategies and response tactics through the leadership of market participants, operators and self-regulatory organizations. The job of the Commodity Futures Trading Commission (CFTC) as a regulator is to encourage, support, inform and empower this continuous development so that market participants adopt fully optimized and up-to-date cyber defenses.
It is appropriate that we are now taking up the subject of system safeguards. I commend Chairman Massad and CFTC staff for putting forth today’s proposal. I believe it generally reflects the “bottom-up” approach I have advocated for market participants to follow industry adopted standards and best practices. I support its publication for notice and comment.
I believe it is right that the proposal covers not just designated contract markets (DCMs), but also swap execution facilities (SEFs). From my experience, SEFs are as concerned with cyber security as are DCMs. Nevertheless, it is true that the proposed rules will impose additional costs on some SEFs at a time when they are struggling to implement the myriad new Dodd-Frank requirements and obligations. Because system and cyber security should be a priority on our registrants’ precious time and resources, the CFTC must find ways to alleviate unnecessary regulatory costs.
As I have said many times before, the best way to reduce unnecessary costs for SEFs is to correct the CFTC’s flawed swaps trading rules that remain fundamentally mismatched to the distinct liquidity and trading dynamics of global swaps markets.[2] Attempting to accommodate this misbegotten regulatory framework restricts the SEF industry’s ability to deploy adequate resources for cyber defense. I also believe that the CFTC should provide a sufficient implementation period for any final rules so that market operators, especially smaller DCMs and SEFs, have adequate time to meet the new requirements.
Given the constantly morphing nature of cyber risk, the best defenses provide no guarantee of protection. Therefore, it would be a perverse and unfortunate result if any final system safeguards rule were to have a chilling effect on robust cyber security efforts. Market participants who abide by the rule should not be afraid of a “double whammy” of a destructive cyber-attack followed shortly thereafter by a CFTC enforcement action. Being hacked, by itself, cannot be considered a rule violation subject to enforcement. The CFTC should offer clear guidance to market participants regarding their obligations under the rule and designate safe harbors for compliance with it.[3] The CFTC should also indicate how it will measure market operators’ compliance against industry standards given that the exact requirements of best practices can be open to interpretation.
In October, I called on the CFTC to add value to ongoing industry cyber security initiatives by designating a qualified cyber security information coordinator.[4] This individual would work with our registered entities to help them navigate the maze of Federal national security agencies and access the most up-to-date cyber security information available. I ask market participants to comment on the value and utility of such a designation.
As market regulators, we can have no naïve illusions that cyber belligerents – foreign and domestic – view the world’s financial markets as anything other than 21st century battlefields. Cyber-attacks on trading markets will not diminish anytime soon. They will be relentless for years, if not decades, to come. Cyber risk is a threat for which Dodd-Frank provides no guidance whatsoever. Together, market regulators and the regulated community must make cyber and system security our first priority in time and attention. Today’s proposal is a constructive step towards that goal. I look forward to reviewing thoughtful comments from market participants and the public.
[1] See Guest Lecture of Commissioner J. Christopher Giancarlo, Harvard Law School, Fidelity Guest Lecture Series on International Finance (Dec. 1, 2015), http://www.cftc.gov/PressRoom/SpeechesTestimony/opagiancarlo-11; see also Keynote Address of CFTC Commissioner J. Christopher Giancarlo before the 2015 ISDA Annual Asia Pacific Conference, Top Down Financial Market Regulation: Disease Mislabeled as Cure (Oct. 26, 2015), http://www.cftc.gov/PressRoom/SpeechesTestimony/opagiancarlo-10.
[2] See CFTC Commissioner J. Christopher Giancarlo, Pro-Reform Reconsideration of the CFTC Swaps Trading Rules: Return to Dodd-Frank, White Paper (Jan. 29, 2015), available at http://www.cftc.gov/idc/groups/public/@newsroom/documents/file/sefwhitepaper012915.pdf (noting that this mismatch – and the application of this framework worldwide – has caused numerous harms, foremost of which is driving global market participants away from transacting with entities subject to CFTC swaps regulation, resulting in fragmented global swaps markets); see also Statement of Commissioner J. Christopher Giancarlo, Six Month Progress Report on CFTC Swaps Trading Rules: Incomplete Action and Fragmented Markets (Aug. 4, 2015), http://www.cftc.gov/PressRoom/SpeechesTestimony/giancarlostatement080415. See also International Swaps and Derivatives Association, Cross-Border Fragmentation of Global Interest Rate Derivatives: The New Normal? First Half 2015 Update, ISDA Research Note (Oct. 28, 2015), http://www2.isda.org/functional-areas/research/research-notes/ (concluding that the market for euro interest rate swaps continues to remain fragmented in U.S. and non-U.S. liquidity pools ever since the introduction of the U.S. SEF regime in October 2013).
[3] The proposal requires market operators to follow industry adopted standards and best practices. Given the many organizations and U.S. government agencies (such as the U.S. Treasury Department’s Financial Crimes Enforcement Network, the Office of Domestic Finance’s Financial Sector Cyber Intelligence Group and the Office of Terrorist Financing and Financial Crimes) issuing cyber security procedures and advisories, there may be some question as to which procedures and advisories fall within industry best practices for purposes of complying with this rule proposal. To provide clarity, the CFTC should offer guidance to market participants regarding their obligations under the rule and designate safe harbors for compliance, as needed.
[4] See supra note 1.
Last Updated: December 16, 2015