Cyberattacks are an ever-increasing threat. The rising cost, frequency, and severity of cyber threats represent one of the most critical issues facing city, state, and federal government authorities, businesses in each sector of our economy, educational and philanthropic institutions, and significant energy and transportation infrastructure, and national security resources.

In his remarks at the Cybersecurity and Consumer Protection Summit, former President Obama noted that cybersecurity is “one of the most serious economic and national security challenges we face as a nation.”[1] In March of this year, President Biden released a National Cybersecurity Strategy to secure the “full benefits of a safe and secure digital ecosystem for all Americans.”[2]

According to the press release announcing the National Cyber Strategy,

[i]n this decisive decade, the United States will reimagine cyberspace as a tool to achieve our goals in a way that reflects our values: economic security and prosperity; respect for human rights and fundamental freedoms; trust in our democracy and democratic institutions; and an equitable and diverse society. To realize this vision, we must make fundamental shifts in how the United States allocates roles, responsibilities, and resources in cyberspace.[3]

In endorsing the strategy, President Biden explained that “[c]ybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense.”[4]

The National Cyber Strategy emphasizes the obligation for firms operating in our markets to take a leadership role in identifying, managing, and mitigating cyber threats by introducing appropriate and effective cyber system safeguards. According to the National Cyber Strategy, developing and enforcing effective cyber protections comprises a central component in firms’ business continuity or enterprise risk management plans.

Cyberthreats and Our Markets

Less than a month before the White House released the National Cyber Strategy, international media headlines reported a ransomware attack that demonstrated that “big financial firms” are among the most attractive targets of cyber threats.[5] Even for firms that have successfully developed business continuity plans to identify, assess, or mitigate cyber threats, the networked or interconnected systems that comprise our operational market infrastructure may still render sophisticated, well-resourced firms vulnerable to the knock-on effects of cyberattacks leveled against critical third-party service providers.

The ransomware attack targeted a critical third-party service provider, ION Cleared Derivatives,[6] and disrupted trade settlement and reconciliation in derivatives markets.

ION provides trading, clearing, analytics, treasury, and risk management services for capital markets and futures and derivatives markets. A significant number of market participants, including a notable number of futures commission merchants (FCMs), rely on ION for back-office trade processing and settlement of exchange-traded derivatives.

The cyber-incident that disrupted ION’s operations caused a ripple effect across markets, halting deal matching, requiring affected parties to rely on manual (old school) trade processing, and causing delays in reconciliation and information sharing and reporting.

MRAC Leads on Cyber Reform Discussions

I sponsor the Market Risk Advisory Committee (MRAC). On March 8, 2023, the MRAC held a first-of-its-kind convening focused on the interconnectedness of our markets and the potential for interconnectedness and correlation to amplify contagion in the event of successful cyberattacks against critical infrastructure resources.[7] At the March MRAC meeting, Futures Industry Association (FIA) President Walt Lukken announced the creation of a Cyber Risk Taskforce, charged with “recommend[ing] ways to improve the ability of the exchange-traded and cleared derivatives industry to withstand the disruptive impacts of a cyberattack.”[8]

The After Action Report issued by the FIA at the conclusion of the Taskforce’s work outlines the challenges that both markets and regulators faced as a result of the ION cyber-incident. Trade reconciliation for affected firms continued to lag. For weeks following the ION cyberattack, the Commission continued to work to consistently publish the Commitments of Traders (COT) report on a timely basis because “reporting firms continu[ed] to experience . . . issues submitting timely and accurate data to the CFTC.”[9] The COT report is designed to help the public understand the dynamics of the futures and options on futures markets.[10] The COT report is a reflection of the effectiveness of the Commission’s surveillance of markets; it increases transparency and aids in price discovery. Thus, indirectly, the ION incident disrupted regulatory functions even though the cyberattack was not directed at the Commission nor any of the Commission’s registrants.

As a consequence, it is imperative to begin to examine the scope of our regulations governing cyber-system safeguards not only for registered market participants, but for mission-critical third-party service providers. There is increasing reliance on third parties for the provision of important services, particularly, for example, services that facilitate digital connectivity and cloud-based services.  

While outsourcing may allow companies to rely on outside expertise, reduce operating costs, and enhance operational infrastructure necessary for executing business activities, reliance, may, in some instances, create vulnerability and risks that must be identified, managed, and mitigated.

Building Cyber-Resilience Reforms  

For over a decade, I have advocated for reforms that increase the cyber-resilience of our financial market’s infrastructure. Exactly ten years ago, at a risk management conference alongside then-Commissioner Luis Aguilar of the Securities Exchange Commission, I advocated for Congressional and Executive Branch designation of financial markets infrastructure as critical infrastructure resources.[11] The following year, I joined global thought-leaders investigating the benefits and limits of applying or adapting National Institute of Standards and Technology (NIST) standards for financial institutions. Since I began my term of service as Commissioner, I have frequently met with staff and market participants to discuss the best approach to incorporate cyber reforms in our regulations.

In addition to these commitments, my staff and I met at the White House with the Director of the National Office of Cyber earlier this year. During this visit, we carefully outlined existing cyber regulations for the Director and began a continuing dialogue regarding a comprehensive whole-of-government response to cyber threats. Most recently, earlier this week, the MRAC once again demonstrated significant leadership by beginning to develop and consider the need to examine cyber resilience reforms for central clearing counterparties (CCPs) and the critical third-party service providers who support these firms.

Operational Resilience Proposed Rulemaking

Today, the Market Participants Division (MPD) has introduced a robust and comprehensive proposed rulemaking that addresses: business continuity and disaster planning, cybersecurity, and assessment of the risk posed by reliance on third parties. I want to commend MPD, in particular Pamela Geraghty, Elise Bruntel, Fern Simmons, and Amanda Olear.

The Commission has the authority to direct swap entities (swap dealers and major swap participants) to establish this operational resilience framework under Section 4s(j)(2) and (7) of the Commodity Exchange Act (CEA), which require swap entities to establish risk management systems over their day-to-day business and their operational risk.[12] Likewise, the Commission may require operational resilience framework of FCMs (collectively with swap entities, “covered entities”) under Section 8a(5) of the CEA,[13] which authorizes the Commission to promulgate regulations sufficient to accomplish the purposes of the CEA, including, for example, the need to maintain records of the operational risk of affiliates,[14] and to establish safeguards to protect the confidentiality of nonpublic personal information.[15]

The proposed rulemaking sets out three major pillars of its operational resilience framework: (1) information and technology security; (2) a third-party relationship program to manage risks presented by mission-critical third-party service providers; and (3) a business continuity and disaster recovery plan.[16]

Layered on top of the of the three pillars are corporate governance reforms that will dictate how each covered entity will incorporate the components of the plan into existing organizational structures. Each of the components of the operational resilience framework must be reviewed by senior leadership.[17] Covered entities must also establish a risk appetite—the level of risk acceptable on an ongoing basis—and risk tolerance limits—the level of excess risk the entity is willing to accept should a particular risk materialize[18]—and the entities will be required to escalate incidents that exceed their risk tolerance limit.[19] The rule also allows for flexibility for entities that function as a division or affiliate of a larger organization; such entities will be allowed to operate under the umbrella company’s operational resilience plan so long as that plan meets the rule’s requirements and considers the covered entity’s particular risks.[20]

The information and technology security program requires the covered entities to comprehensively assess, on at least an annual basis, the types of threats the entity faces, the entity’s internal and external vulnerabilities, the likely impact of those threats or the exploitation of those vulnerabilities, and appropriate priorities for addressing those risks.[21] With that background, covered entities must then implement controls reasonably designed to prevent, detect, and mitigate the identified risks, threats, and vulnerabilities.[22] The program then requires the covered entities to develop a written incident response plan, reasonably designed to detect incidents where risks to information and technology are realized, and then provide for how the entity will mitigate the impact of and recover from such an incident.[23]

The third-party relationship plan requires covered entities to understand the risks posed by all third-party service providers at each stage of the relationship: pre-selection, diligence, contract negotiation, ongoing monitoring, and termination.[24] The proposed rule then imposes a heightened level of required diligence and monitoring for “critical” third parties, defined as those parties for whom disruption of performance on their service contract would either “significantly disrupt” the covered entity’s business operations, or “significantly and adversely impact” the entity’s counterparties or customers.[25] Covered entities will also have to maintain an inventory of their critical and non-critical third-party service providers.[26] Finally, regardless of any decision to rely on a third-party service provider, each covered entity remains responsible for meeting its obligations under the CEA and Commission regulations.[27]

Each entity’s business continuity and disaster recovery plan (BCDR plan) must “outline[] the procedures to be followed in the event of an emergency or other disruption of its normal business activities.”[28] The goal of a BCDR plan will be to enable covered entities to continue or resume business operations with minimal disruption to customers, counterparties, or the markets, and recover any affected data or information.[29] At minimum, the BCDR plan must define backup plans for covered information and data; identify essential technology, facilities, infrastructure, and personnel; identify potential disruptions to critical third-party service providers; and identify supervisory personnel responsible for carrying out the plan in the event of an emergency.[30] Covered entities must also maintain the plan at one or more off-site locations.[31]

To support the pillars of the operational resilience framework, the proposed rule also lays out training,[32] review, and testing requirements to ensure the framework evolves with newly generated risks. Covered entities must review their framework annually,[33] and engage in regular independent and documented testing, including penetration testing, vulnerability assessments, and testing of the incident response and BCDR plans.[34] Results of that testing must be reported to the entity’s chief compliance officer and other relevant senior personnel.[35] Finally, the proposed rule lays out the instances in which the Commission must be notified of incidents and of activation of the BCDR plan.[36]

This proposed rulemaking is both expansive and thoroughly considered. It galvanizes much of the preexisting guidance on these subjects, recognizing that the vast majority of our market participants already have programs in place to address these risks and often already are subject to other regulators’ rules and obligations, both domestically and internationally. The rule also recognizes the vast range in the size of the operations of our registered market participants—from some of the world’s largest financial institutions acting as swap dealers to small, independent futures commissions merchants—and consequently builds flexibility into the proposed rule to allow businesses to tailor their operational resilience frameworks to the realities of their business needs.

The Need for Operational Resilience for Other Commission Registrants

This rule is necessarily limited in scope to FCMs and the swap entities overseen by MPD. The risks that this rule intends to mitigate, however, are not similarly siloed. Designated Contract Markets (DCM), Swap Execution Facilities (SEF), and Swap Data Repositories (SDR), overseen by the Division of Market Oversight, and Derivative Clearing Organizations (DCO), overseen by the Division of Clearing and Risk, similarly rely on mission-critical third-party service providers, similarly are targeted by cyberattacks, and similarly risk business disruption caused by unforeseen disaster scenarios.

Rulemakings completed in 2016 created system safeguard testing requirements for each of these entities, currently codified in Parts 37, 38, 39, and 49 of the CFR.[37] These rules include obligations for business continuity and disaster recovery and cybersecurity. Since 2016, however, the core issues surrounding the concept of operational resilience have shifted, most importantly around the ideas of mission-critical third parties. DCOs are increasingly contracting with third parties to manage and conduct aspects of their regulatory obligations, and just like with the covered entities subject to the rule at issue today, the onboarding of these new third parties also onboards new risks. The proposed rulemaking today considers the system safeguards provisions already on the books[38]; the Commission now needs to continue to press forward by considering this proposed rule for future parallel regulations, for DCOs in particular.

The pandemic underscored the importance of business operational resilience, namely the ability of our registrants to react to and withstand unforeseen disasters. The FIA conducted its annual Disaster Recovery Exercise this fall with the stated goal of probing participants’ ability to “conduct critical business functions” in the wake of a large-scale disaster.[39] Last year’s exercise saw participation from 19 major U.S. and international futures exchanges and clearinghouses, who indicated that this type of probing helped them to: “Exercise their business continuance/disaster resilience plans[, i]dentify internal and external single points of failure . . . [, and t]ighten up and improve the documentation of their business continuity procedures.”[40]

In 2021, the International Organization of Securities Commissions (IOSCO) initiated a consultation examining business continuity planning.[41] IOSCO’s initial recommendations to member jurisdictions stated that all regulators should require firms to have in place “mechanisms to help ensure the resiliency, reliability and integrity (including security) of critical systems” including an appropriate “Business Continuity Plan.”[42]

Every industry advisory board and oversight group to have studied cybersecurity has reached the same conclusion: risks to financial institutions from cyberattacks continue to grow. The Financial Stability Oversight Council noted in its 2022 annual report that from 2015 to 2020 the finance and insurance industries were subject to the most cyberattacks of any industry, and that the current global geopolitical climate has only increased the need for vigilance against cyber threats.[43] In April 2020, the Financial Stability Board (FSB) issued a guide on cyber incident response that explained that “[a] significant cyber incident, if not properly contained, could seriously disrupt the financial system, including critical financial infrastructure, leading to broader financial stability implications.”[44] Similarly, in its 2019 Cyber Task Force report, IOSCO reiterated that cyber risk is one of the top threats to financial markets today given the “economic costs of such events can be immense . . . and could potentially undermine the integrity of global financial markets.”[45] IOSCO went further in their recommendations to the crypto industry earlier this year that “[r]egulators should require a [crypto-asset service provider] to put in place sufficient measures to address cyber and system resiliency.”[46]

Next Steps for Derivatives Clearing Organizations

At the MRAC meeting this past Monday, I announced a new workstream for the CCP Risk and Governance subcommittee that will focus on third-party risk for central clearing counterparties. Work will begin imminently, with the goal of presenting a proposal for vote by the parent committee in the first quarter of 2024. DCOs already retain responsibility for meeting regulatory requirements when entering into contractual outsourcing arrangements[47]; the question now is how DCOs should be required to assess and monitor the risks associated with doing so.

Such a rule should in my view broadly track the rule for FCMs and swap entities proposed today, but deep consideration must be given to the ways in which the core DCO business differs. For example, DCOs already occupy a quasi-oversight role with respect to their clearing members; should a rule on third-party risk require DCOs to consider not only the risk posed by their own outsourcing contracts, but also require that DCOs consider their clearing members’ third-party risks, perhaps as an aspect of a DCO’s assessment of its counterparty risk? How else might the rule differ given the disparity between DCOs’ and FCMs’ relative frequency of interaction with end users? How might these rules coordinate with prudential regulators?

A cyberattack on a third party that affected FCMs last winter was already disruptive enough, but given their status as SIFMUs some DCOs are quite literally systemically important entities. DCOs serve irreplaceable market functions, and we need to update their operational resilience requirements to take into account this new conception of third-party risk. I look forward to the new MRAC workstream diving into this critical issue, and of course to what Division of Clearing and Risk staff might bring forward in an eventual proposed rulemaking.

I once again commend the staff of MPD on their tremendous effort bringing forth this proposed rule, and look forward to hearing the thoughts of my fellow Commissioners.