Public Statements & Remarks

Keynote Address by Commissioner Sharon Y. Bowen before ISDA North America Conference

September 17, 2015

Thank you for that wonderful introduction. It’s a pleasure to be here today at ISDA North America. And it’s especially a pleasure to be here with my former colleague, Scott O’Malia. Scott and I had a fairly short overlapping tenure as Commissioners at the CFTC. Yet, in the short time we worked together, I learned a great deal from him.

In fact, in tribute to Scott’s time at the CFTC, I’m going to be speaking today about a topic that I know is near to his heart: technological changes occurring in our markets. As I suspect you all know, when Scott was a Commissioner at the CFTC, he served as the Sponsor of our Technology Advisory Committee. During his sponsorship, the Committee frequently discussed the myriad changes occurring in our futures and swaps markets, from the need for data standardization1 to the increasing role that high-frequency trading is playing in our markets.2

I share Scott’s belief that technology is a crucial part of our markets. In a world where the vast majority of trades occur entirely electronically and often involve algorithms, you have to understand the technology underpinning our markets to be an effective regulator. So, today, I want to talk about two of these technological changes that are transforming our markets and how I believe regulators should be responding to them. Specifically, I want to talk about algorithmic trading and cybersecurity. Please note that the views I express today are my own and do not represent those of my fellow Commissioners or the CFTC’s staff.

Now, there may be some of you who feel that, given the many pages of rules that we have put out so far, we should not be releasing any more at this time. I believe, however, that there is a need for at least a few more rules, in large part because the stakes of not acting are so high. In today’s automated, integrated financial networks, damage from errors and infections travels instantaneously. There is no warning like the surf retreating from the beach that says “tsunami.” Instead, the tsunami is too often crashing down on you immediately.

The billions of parts making up our financial system, as well as the unpredictability, or in some cases, the predictability, of human beings, create problems that are hard to guard against. To protect our financial system, our jobs, and our economic health, we must be prepared to act. And we have to be prepared to do so with the assumption that algorithms will sometimes misbehave and that there will be efforts to hack our systems. We need to look for higher ground now so that we can stay dry when that big wave comes.

Perhaps the change that has received the most attention in the last few years has been the rise of algorithmic trading. Of course, I suspect many of you are more familiar with a different term, high frequency trading, or HFT, which I regard as a subset of algorithmic trading. In fact, if you’re sitting in the audience today and you haven’t heard of high frequency trading before, I imagine you must follow a very narrow slice of financial news.

It’s becoming common place to say how HFT is roiling our markets. Indeed, the last few years have seen a variety of discussions of HFT’s impact on our markets this topic.3 Regulators have voiced concerns about the practice, including a Federal Reserve Board Governor.4 For instance, the Federal Reserve Bank of New York postulated last month that the rise of algorithmic trading has enhanced the linkages between the cash Treasury market and the Treasury futures market.5 Members of Congress have also introduced bills that would regulate HFT.6 The topic has even been the subject of a widely-read book by Michael Lewis, called “Flash Boys.” I believe just about everyone is familiar with the concept of HFT by now and how algorithms can trade at speeds that move faster than humans can blink, even speeds that even approach the unbelievable.7 I will therefore try not to bore you with another recitation of the basics of this trading technique. While there clearly is disagreement about the impact that algorithmic trading, and HFT in particular, is having on our markets, I think everyone can agree that widespread adoption of this technology has fundamentally changed how the trading of futures works. If you entered the futures trading pits in Chicago or New York in 1998, you would see that futures were still being traded in much the same way they had been traded for decades. I’m sure many of you recall the scene – throngs of traders with jackets and badges using hand-gestures to signal an offer to buy 1000 barrels of oil for March delivery or to set up a put option on August wheat futures. That’s not to say there were no technological innovations during that time – increasingly, orders were being entered electronically for instance and financial screens were reflecting new market data more quickly. But the core trading experience remained the same.

Today, of course, those pits are basically gone. Over the last fifteen years, exchanges have increasingly adopted electronic platforms. In 2012, all of ICE’s markets became electronic when it closed the last of its trading pits.8 When those pits closed, electronic trading accounted for more than 90% of futures and options volume.9 This summer, CME largely followed suit and closed the vast majority of its futures pits, which had declined to the point that they represented only 1% of total volume.10 CME’s S&P futures pit and its options pits remain open for now, and are some of the last remnants of the previous way of trading.11

While these traditional means of trading were fading and electronic trading was becoming dominant, algorithmic trading started to play a substantial role in the trading of financial instruments.12 According to a few estimates I’ve seen, algorithmic trading comprised a small fraction of volume in our equities and futures markets around the start of the millennium, probably less than 10%.13 Now I want to point out that electronic trading is not inherently algorithmic trading or HFT. It’s easy to think of people who simply use a computer to manually enter trades without the assistance of an algorithm. And I believe that’s how the vast majority of retail investors trade across most markets. However, the ability to trade most products electronically made it possible for people to craft algorithms to create and enter orders into the system with minimal human involvement.

Today, it is clear that there has been massive growth in algorithmic trading over the last fifteen years. According to our staff’s concept release on the subject of automated trading, “algorithmic trading first accounted for at least 50% of orders in 2009, and accounted for over 40% of total trading volume in 2010.”14 This growth applies not just to volume in the markets overall, but also to specific key products. In fact, trading systems using algorithms are believed to have accounted for approximately 51% of trade volume in the critical E-mini S&P 500 futures contract as of 2010.15 Some other product classes, such as EuroFX futures, had an even greater proportion of their volume come from this kind of trading.16 Subsequent research suggests that algorithmic trading has continued to comprise a major part of futures market volume.17 While algorithmic trading in the swaps market is rare, there have been efforts in the last few years to open that market up to more algorithmic trading.18

Other market watchers, besides the CFTC, have noted the massive increase in algorithmic trading. I’ve seen a variety of estimates regarding the percentage of futures market volume that algorithmic trading has comprised over the last few years.19

Now, it’s worth pausing to note that this data is, unfortunately, not precise. Beyond the difficulties that researchers and observers have had obtaining data across multiple exchanges, we have a definitional problem about what constitutes algorithmic trading. Not only are there are varying definitions for algorithmic trading, but there are even questions over the degree to which algorithmic trading is distinct from high frequency trading and automated trading.20 As a result, it’s hard to precisely say exactly what percent of the market algorithmic trading represents. For what it’s worth, I regard high frequency trading as a subset of algorithmic trading, and algorithmic trading as a subset of automated trading. You can visualize the concepts as akin to a series of nesting dolls. That said, per CFTC staff’s estimates, for the most liquid U.S. futures contracts which account for over 75% of total trading volume, more than 90 percent of all trades make use of algorithms or some other form of automation.

I know that there have been unsuccessful efforts, including by our Technology Advisory Committee, to create some firm definitions for these concepts. That’s not surprising. Many people are using this new technology, from banks and proprietary firms to even a few individuals, and they’re using it in many different ways. Just last month, the Wall Street Journal ran a story about how individuals building their own trading algorithms “has become the latest [do it yourself] craze,” with more than 170,000 people enrolling in a popular online course on computerized trading.21 I do think we can provide some assistance, perhaps by defining what constitutes algorithmic trading at least.

I would also urge researchers and industry stakeholders to continue to collect data regarding the percentage of our markets that automated trading comprises. An activity that comprises sixty or even seventy percent of trading volume in the futures market could merit different regulations than one that comprises approximately twenty or thirty percent. And if there is a researcher or any one of you here in the audience today who can come up with a bright-line distinction between algorithmic trading and HFT, that would be very helpful and I wish you the best of luck.

Even though the amount of algorithmic trading and definitions of these various terms are not crystal clear, what is clear is trades involving algorithms make up a substantial portion of our markets, and algorithms can and do malfunction at times, with negative effects on the markets. As a result, I believe we are obligated to consider if it is prudent to establish some regulations on algorithmic trading in our markets.

Now that I’ve said that, let me be clear, I do not think we should ban algorithmic trading. In fact, I am not even calling for restrictions on the speed with which one can trade using algorithms or restrictions on the number of algorithms an individual, principal trading firm, or other entity can control.

What I am saying is that algorithmic trading is a nascent technology that is changing the way our markets operate, and it is advancing at a ferocious clip. I think we should continue to allow this technology to develop. However, if it becomes apparent that there is a need to limit how this trading is used, then we can take such steps. And let me be clear, I certainly am not ruling out that action may be needed even in the near future. If you think we need additional regulations, including restrictions on how algorithms trade, please send us your thoughts.

But for now, I think we can and should set some reasonable ground rules on the entities using this trading strategy. In other words, we want to make sure that, before you turn on an algorithm, you have taken measures to both prevent the algorithm from malfunctioning and have processes in place to take the algorithm offline if it goes haywire. We need algorithmic traders to take these precautions because we want to ensure that users of this technology do not act in ways that manipulate the markets or cause undue danger to the broader financial system, other investors, or consumers.

While algorithmic trading may be new, I do not think this kind of regulation is novel. Instead, I view setting some reasonable ground rules as furthering the regulatory goals that already underpin the traditional trading of many products. After all, we expect that people will understand their obligations under the Commodity Exchange Act before they trade futures and that people will not manipulate the markets. These regulations on algorithmic trading would similarly inform those who employ trading strategies that use algorithms and ensure that the trading activity that flows from those algorithms complies with their obligations under the Commodity Exchange Act.

To draw a rough analogy, if you think of algorithmic trading as driving a car, these ground rules would be the precautions people take before they drive the car, things like making sure the lights and brakes work beforehand and that they understand the traffic laws. Conversely, proscriptions on algorithmic trading would be things like speed limits or restrictions on what kind of car can be on the road. For the moment, I’m not talking about establishing such proscriptions. Instead, I want people to have checked their code, determined that it complies with the law, and have the ability to turn it off before they turn the key in their algorithmic engines.

So, with that in mind, here are a few of the things that I think we should be requiring of people who use algorithmic trading software in the markets the CFTC regulates. First, we need to ensure that there are sufficient risk controls in place on algorithmic trading. It is my hope that just about everyone at least has some risk controls at present, but we’ve seen evidence over the last few years that there is disagreement over what constitutes sufficient risk controls. At some firms, the risk controls might currently include alerts that trigger notice to accountable staff when an algorithm malfunctions. At others, there might not currently be an alert system formally in place or it might not be standardized across the office.

I think it would be wise to require everyone to set pre-trade risk controls and craft processes for immediately disconnecting any algorithm from the market when needed. These protocols don’t have to be identical at every firm. Given the issues surrounding cybersecurity at present, there’s no need to create a common route for a hacker to use at multiple firms. But these risk controls should be robust, including that there is redundant notification to multiple individuals when something goes wrong. Also, as I’ve said before, I think we should require that the people designing and maintaining trading algorithms either know their obligations under the Commodity Exchange Act and the CFTC’s rules themselves or consult with someone who does.22 What may seem to a programmer like an elegant way to respond to certain market dynamics might also run afoul of the law.

Additionally, I think any rules on algorithmic trading should try and foster increased communication, both internally and to exchanges and regulators. In the event of an algorithm malfunctioning, it is critical that the people monitoring that algorithm immediately contact their supervisors and their exchange, and then deal with the problem as quickly as possible. Given the speed of many algorithms, every second literally counts. A failure to notify someone about a problem for even a minute could be the difference between a minor issue and a major threat to the markets. We also need to ensure that there are established lines of communication between the staff handling the algorithms and the compliance department. Compliance should not simply be trusting that the algorithms are working properly – they should be involved regularly. The compliance staff needs to understand the particular risks involved in algorithmic trading. They need to also make sure that appropriate measures are in place to manage their algorithms. Ideally, I would hope that compliance staff would even know something about crafting algorithms. That level of involvement could prevent a lot of issues from becoming problems down the road.

We should also be requiring greater transparency of this market in general. That doesn’t mean we need to ask firms that use algorithms to turn their source code or trading methods over to the general public. But I do think we need greater disclosure about the amount of algorithmic trading that is occurring in the markets and its impact on those markets. In particular, I think we should require exchanges that allow the use of algorithmic trading to disclose information about the proportion of their orders that are self-trades.

Now, self-trades are trades that occur between two entities that are either commonly controlled or for the common benefit of the same entities. It’s worth noting that self-trades are not a synonym for wash trades, which are prohibited under the Commodity Exchange Act. Wash trading requires, among other things, that an entity intended to engage in a self-trade. In that regard, wash trading can be thought of as a subset of self-trading. All wash trades may be self-trades, but not all self-trades are wash trades.

Yet, even if self-trading is not illegal, I believe that people have a right to know the percentage of trades occurring on an exchange that are self-trades. If self-trading accounts for a significant percentage of trades on an exchange, that information may cause investors to change their strategies or where they trade. In fact, if the percentage is high enough, many investors may choose not to trade on that exchange at all. I think it’s more than reasonable for exchanges to publish such data on their websites with regularity – and if the exchanges are unwilling to disclose this information themselves, I think the Commission should mandate that information’s disclosure. An exchange is always free to restrict or even ban self-trading entirely. While I do not think the Commission needs to mandate that self-trading be banned at this time, perhaps traders will choose to place more of their investments on exchanges that have less self-trading. I also think we need greater transparency on market maker programs. In fact, I would support requiring that exchanges running market maker programs provide a fairly granular level of information about these programs on websites that can be accessed by both exchange members and the general public. Among the information disclosed about these programs should be the date that a given program will run, the products involved, the nature of the program, who is eligible to take part in this program, and even why some persons are not eligible. This information should be accessible during the entire period that the program is running and for some amount of time after the program has ended or at least until after the last obligation is fulfilled.

Market maker programs obviously play an important role in supporting liquidity by providing incentives to trade certain products. I do not think there is anything inherently wrong with such programs. My hope is that greater transparency will enhance these programs, including by creating the possibility for more informed choices for investors and allowing for a greater understanding of these programs by market participants.

Finally, I also think we should set more concrete restrictions on market maker programs and disallow entities from receiving market maker program incentives for self-trades. Given that self-trades are, I believe, typically unintentional, I would hope that self-trades are also quite rare. After all, if an algorithm is consistently causing self-trades and the algorithm’s monitor knows it and does nothing about it, that poses a problem. In fact, it seems like that algorithm could be coming dangerously close to wash trading territory.

Regardless, the exchanges shouldn’t pay people to trade with themselves. We want market makers to provide real liquidity, and trades with and between me, myself, and I represent phantom liquidity at best.

Now that I’ve likely exhausted your interest in the topic of algorithmic trading, allow me to briefly talk about the second issue that is causing rapid change in our markets: cybersecurity. This issue might be more discussed even than algorithmic trading at present, and with good reason. It seems that notable cybersecurity breaches at major international companies or even governments are becoming a regular occurrence. And this trend obviously has implications for our markets too, as hackers can attempt to infiltrate systems to gain non-public information that can be the foundation of illicit trading. Just last month, the Securities and Exchange Commission and federal prosecutors announced a major enforcement action against a number of individuals who were allegedly involved in a successful effort to hack wire services to gain access to press releases prior to their release and then used the non-public information in those press releases to trade.23 While insider trading may not be new, we have to be on the lookout for such traditional threats dressed up in 21st century clothing.

I also understand that cybersecurity is occupying a great deal of compliance officers’ attention at major financial firms. The National Futures Association, the self-regulatory organization for the futures industry, recently proposed a new interpretive notice on information security.24 This notice would require its members to, among other things, establish and maintain a written information systems security program,25 perform security and risk analyses of its information technology systems,26 and provide ongoing training for personnel on information security.27 And a regulator at a different agency has even stated that cyber security risks are what keep him awake at night.28 I have also expressed concern about this issue in the past, and it continues to really concern me.29

I think we’re all aware of the risks that insufficient cybersecurity protections can pose to firms. Allow me to share one statistic with you though. According to staff at a notable company I met with earlier this year, in a cybersecurity event, the invaders can attack a system one hundred fifty times faster than the system’s protectors can defend. As a result, it’s difficult for a company to foil an attack just with aggressive rapid response – the structural impediments to such a strategy are too great. Instead, we need both multi-layered defenses at each major firm and coordination between stakeholders and regulators before, during, and after attacks.

Establishing that kind of layered, mutual defense system should provide greater overall defense against cybersecurity attacks. To create such a system, however, regulators need to create some standardized processes for dealing with cybersecurity. I’m not saying we need proscriptions on network defenses or even mandating any proscriptions at all. As I’ve said before, we don’t want to create a system of identical cybersecurity protections that make it easier for hackers to infiltrate multiple systems.30 But I do think we should start by requiring that companies create processes in advance for building and testing their cybersecurity systems and a clearer process for sharing information about cybersecurity threats with regulators. The overall goal is to make sure that everyone involved in our markets has a minimum level of cybersecurity protections.

To that end, here are a few ideas that I think are worth considering if and when we propose a rule on improving system safeguards. First, we should consider requiring each CFTC registrant to designate an employee as a Cybersecurity Expert or Chief Information Security Officer. My hope is that many registrants already have such a person. Requiring a particular person to be designated could make it easier to establish lines of communication between companies and regulators. It’s always easier to share information when there is a known primary point of contact at each registrant.

Second, we could require that registrants provide the CFTC with regular reports regarding the state of their cybersecurity program. These reports could be submitted annually or quarterly and would obviously be confidential. Having access to this information would help the Commission perceive how the industry is moving to deal with this issue. Ideally, requiring these reports would also help the industry share information amongst itself and assist with the development of best practices that the industry could then self-implement absent additional government regulations. These reports could be either done internally by a registrant’s staff, outside counsel, or even an independent auditor.

Third, we could explicitly require that all registrants report any material cybersecurity event to the CFTC promptly. Some of our registrants, such as the exchanges, already have that clear requirement. And I honestly hope that a registrant would contact us within minutes of a significant breach, both so that we can help the company deal with the breach and so that we can work to prevent additional events at other registrants. Yet, that kind of behavior may not consistently happen absent an explicit requirement that people do so. Not because companies may be loath to tell us about an incident, but because the company either may be more focused on addressing the event or because the company may not think the event is material.

That is why I believe we need to ensure that all our registrants always err on the side of reporting cybersecurity breaches. While it may be very different to actively fight a system incursion once it begins, notifying the CFTC might help prevent other registrants from being hacked. Needless to say, that is a very worthy goal.

Fourth, and perhaps most importantly, we could require an independent audit of each registrant or annual penetration testing by an independent auditor to ensure industry-wide adoption of best practices. Such a requirement would have the additional benefit of facilitating the establishment of industry benchmarks. It is worth noting that the National Security Agency recently started a program to accredit US companies for cybersecurity services, the National Security Cyber Assistance Program, or NSCAP.31 This program is similar to one instituted by the Bank of England in 2013. At present, this program has resulted in 10 US companies being accredited,32 which could potentially provide independent audits. In fact, it is my understanding that some financial services companies are already using these accredited companies to perform annual and periodic penetration testing. I think that is a great idea.

In closing, I think there is no question that our markets are experiencing major changes at present. In fact, I wonder whether we are really grasping the full scope and nature of these changes. Algorithmic trading has been with us for a few years at this point, but regulators, and even industry, may not be fully grasping how it continues to evolve. Cybersecurity has been an issue for an even longer amount of time and yet only in the last year or two has it seemed to really reach the front burner. It is hard to fully understand how these issues will transform our financial system, but I think it is clear that these changes present new challenges.

I’ve said before that my biggest fear is that we don’t see the next crisis coming. I certainly don’t think these new issues represent a crisis, but I am slightly worried that the world is changing faster than we perceive. The answer, of course, is not to ask the world to slow down but for regulators to redouble our efforts to understand what is going on. I regard that as challenging for an agency that remains underfunded, but it is a task I gladly accept.

On that note, if any of you here today have thoughts or, even better, hard, empirical data about the changes our market structure is experiencing or ways to strengthen our markets, I hope you would share them with my office. Thank you and I am happy to take a few questions.

1 See CFTC, Technology Advisory Committee Meeting (Dec. 13, 2011), available at

2 See id.; CFTC, Technology Advisory Committee and Renewal of the Committee Charter and Membership (Jun. 20, 2012), available at

3 See e.g., The Economist, The Fast and the Furious: High-Frequency Trading Seems Scary, but What Does the Evidence Show? (Feb. 25, 2012), available at; Bill Conerly, High Frequency Trading Explained Simply, Forbes (Apr. 14, 2014, 2:09 PM), available at; Jerry Adler, Raging Bulls: How Wall Street Got Addicted to Light-Speed Trading, Wired (Aug. 3, 2012, 5:53 PM), available at; Nick Baumann, Too Fast to Fail: How High-Speed Trading Fuels Wall Street Disasters, Mother Jones (Jan./Feb. 2013), available at; Nanex, HFT is Killing the EMini (Apr. 2, 2012), available at

4 See Governor Jerome H. Powell, Speech at the Brookings Institution: Structure and Liquidity in Treasury Markets (Aug. 3, 2015), available at

5 Dobrislav Dobrev & Ernst Schaumburg, High-Frequency Cross-Market Trading in U.S. Treasury Markets, Liberty Street Economics, Fed. Reserve Bank of N.Y. (Aug. 19, 2015), available at

6 See PROTECT Act, H.R. 2292, 113th Cong. (2013), available at; Wall Street Trading and Speculators Tax Act, S. 410, 113th Cong. (2013), available at

7 See Diane Coyle, High Frequency Trading is the New Invisible Hand, The Exchange: Fin. Times (Feb. 17, 2015, 5:30 AM), available at; Mark Buchanan, Physics in Finance: Trading at the Speed of Light, Nature (Feb. 11, 2015), available at

8 Leslie Josephs, Cooling the Pits: ICE Yelling Ends, Wall St. J. (Oct. 19, 2012, 12:01 AM), available at

9 Id.

10 Tom Polansek, Closing Bell Rings on Chicago Futures Pits for Final Time, Reuters (Jul. 6, 2015, 5:47 PM), available at

11 Id.

12 See Gary Shorter & Rena S. Miller, Cong. Research Serv., R43608, High-Frequency Trading: Background, Concerns, and Regulatory Developments 16 (2014), available at (“Since HFT’s emergence in the early and mid-2000s, academics, financial market participants, and other observers have vigorously debated its costs and benefits.”).

13 See Irene Aldridge, High-Frequency Trading: A Practical Guide to Algorithmic Strategies and Trading Systems 12 (2nd ed. 2013); Paul Zubulake & Sang Lee, The High-Frequency Game Change 82–83 (2011); Pavitra Kumar, et al., Trading at the Speed of Light: The Impact of High-Frequency Trading on Market Performance, Regulatory Oversight, and Securities Litigation, The Brattle Grp., at 2 (Issue 2, 2011), available at; Futures & Options World, Feature: HFT Under the Spotlight (Jun. 13, 2011, 12:00 AM), available at

14 CFTC Concept Release on Risk Controls and System Safeguards for Automated Trading Environments, 78 Fed. Reg. 56,542, 56,545 (Sep. 12, 2013), available at

15 Id.

16 Id.

17 See Richard Haynes & John S. Roberts, Automated Trading in Futures Markets (2015), available at

18 Press Release: UBS Launches SwapsDirect: Algorithmic Trading for U.S. Equity Swaps, Reuters (Apr. 30, 2014, 9:30 AM), available at; Neil Shah, High-Frequency Trading’s New Frontier: Currency Derivatives, Wall St. J. (Oct. 18, 2011, 12:00 PM), available at; Peter Madigan, Swap Regulations Hold Key to Future of OTC Algorithmic Trading, Risk Magazine (Mar. 25, 2013), available at

19 See Philip Stafford et al., Virtu Hopes Time Can Heal HFT Furore, Fin. Times (Mar. 5, 2015, 11:35 AM), available at; The Fast and the Furious, supra note 3.

20 See Norges Bank Inv. Mgmt., High Frequency Trading – An Asset Manager’s Perspective, NBIM Discussion Note #1-2013, at 8, available at; CFTC, CFTC Technology Advisory Committee Sub-Committee on Automated and High Frequency Trading – Working Group 1 (Oct. 30, 2012), available at; CFTC Concept Release, supra note 14 (“Effectively, HFT is a form of automated trading, but not all automated trading is HFT.”).

21 Austen Hufford, Algorithmic Trading: The Play-at-Home Version: Building Computer Trading Models has Become the Latest DIY Craze, Wall St. J. (Aug. 10, 2015, 8:51 PM), available at

22 See Remarks of CFTC Commissioner Sharon Y. Bowen before the 17th Annual OpRisk North America (Mar. 25, 2015), available at

23 Keri Geiger, U.S. Identifies Insider Trading Ring with Ukraine Hackers, Bloomberg Bus. (August 11, 2015, 1:20 AM), available at

24 Matthew Perlman, Futures Watchdog Proposes New Cybersecurity Rules, Law360 (Aug. 31, 2015, 6:24 PM), available at

25 Letter from Thomas W. Sexton, Senior Vice President and General Counsel, National Futures Association, to Christopher J. Kirkpatrick, Secretary, Office of the Secretariat, CFTC, Re: National Futures Association: Information Systems Security Programs – Proposed Adoption of the Interpretive Notice to NFA Compliance Rules 2-9, 2-36 and 2-49, at 4 (Aug. 28, 2015), available at

26 Id. at 6.

27 Id. at 9.

28 Sue Lannin, US Securities and Exchange Commissioner Increasingly Concerned about Cyber Security Risks, The ABC (Dec. 17, 2014, 12:38 PM), available at

29 See Remarks of CFTC Commissioner Sharon Y. Bowen, supra note 22; Testimony of Commissioner Sharon Y. Bowen before the U.S. House Committee on Agriculture, Subcommittee on Commodity Exchanges, Energy, and Credit (Apr. 14, 2015), available at

30 See Remarks of CFTC Commissioner Sharon Y. Bowen, supra note 22.

31 National Security Agency, National Security Cyber Assistance Program: People, Processes, Performance, available at (last reviewed May 5, 2015).

32 National Security Agency, CIRA-Accredited Companies, available at (last reviewed Apr. 30, 2015).

Last Updated: December 20, 2017