Statement of Commissioner Christy Goldsmith Romero on Proposed Rule on Cybersecurity Incident Reporting

Proposal for Expanded Cybersecurity Incident Notification

November 10, 2022

I support the Commission considering expanding requirements for clearing house notifications to the CFTC of cybersecurity incidents and clearing system malfunctions.  The proposal is informed by the CFTC’s experience, which involves around 120 recent reportable events, in addition to some clearing houses who have not reported cybersecurity incidents and clearing system malfunctions as required.  I look forward to public comment on whether the proposed rule will be sufficient to hold clearing houses accountable for reporting delays or failures.  I also look forward to public comment on whether the proposed rule sufficiently adapts to the ever-evolving cybersecurity threat landscape and adequately addresses changing technologies and risks, including those related to cryptocurrencies.

I thank the staff for their hard work on the proposal.

Cyber attacks are one of the most persistent and severe threats facing companies

Cyber attacks are one of the most persistent and severe threats facing companies today.  In 2012, then-Director of the Federal Bureau of Investigation (“FBI”), Robert Mueller, warned, “There are only two types of companies:  those that have been hacked and those that will be.  And even they are converging into one category:  companies that have been hacked and will be hacked again.”[1]

Since then, cyber attacks have evolved dramatically.  In March 2022, FBI Director Christopher Wray said that last year, 14 of 16 critical infrastructure sectors saw ransomware incidents.[2]  High profile cyber attacks such as at the Colonial Pipeline and JBS, the world’s largest meat supplier, significantly affected supply chains.[3]

“The rapid digitization of financial services, which accelerated with the pandemic, has led to an increase in global cyber threats,” according to the Financial Services Information Sharing and Analysis Center.[4]  A 2022 survey of chief information security officers at 130 global financial institutions found that 74% experienced at least one ransomware attack over the past year and 63% experienced an increase in destructive attacks designed to counter incident responses.[5]

Adapting and evolving to meet the changing threat

The threat of cyber attacks is so severe that it requires the CFTC and our registrants to adapt and evolve to meet the changing threat.  A major cyber incident involving U.S. clearing houses carries the potential to create disruptions—if not short-term chaos—throughout our financial markets.  Imagine the equivalent of the Colonial Pipeline attack on a clearing house or major clearing member.

Additionally, given the nature of the technology and pseudo-anonymity, cryptocurrencies present significant and novel vulnerabilities to cyber attacks, with more than $2 billion stolen this year alone.[6]  The chief executive officer of Binance, which suffered a $570 million hack last month, acknowledged on CNBC that the industry has to make their code more secure, adding “in the blockchain world, whenever there is a bug, it can result in large losses.”[7]

An immediate two-way flow of information will help the CFTC contain the threat and safeguard markets.  The response to the Colonial Pipeline incident is instructive.  The five-day shut down of Colonial after a ransomware attack could have been much longer but for Colonial calling the FBI, which had an open investigation into DarkSide.  The FBI had the expertise to coordinate with the Cybersecurity & Infrastructure Security Agency, give Colonial technical information and remediation techniques, identify the intrusion vector, and ultimately, seize the virtual currency wallet of the criminals involved.[8]  The CFTC, too, can be helpful in navigating the aftermath of cyber incidents or systems malfunctions alongside our clearing houses. 

The proposed CFTC notification requirements would account for a clearing house’s lack of initial detailed knowledge, while requiring critical information.  The CFTC could combine that information with threat information learned through federal partnerships to assess the impact of the threat, including at the clearing house and whether it extends to others.[9]  A clearing house would have to provide, in addition to notifications of cybersecurity incidents, Commission notifications of clearing system malfunctions.  These notifications can help the Commission determine the clearing house’s ability to perform its critical market infrastructure role.

We endeavor to work with clearing houses to address cyber events and issues as they happen—not to receive after-the-fact notice, when most of the damage has been done and when a useful, coordinated response may be too late.  Also, it is possible that multiple firms within an industry are subject to the same vulnerabilities given increased reliance on third party providers and suppliers.

This is an important practical consideration.  Clearing houses must take immediate protective steps when faced with cyber incidents.  But they very often detect an intrusion or other anomaly long before they are prepared to identify a specific cause or avenue for the attack, the severity of the event, or the scope of information impacted. 

I support removing the “materiality” requirement that an incident rises to a reporting threshold for severity or scope.  This requirement can be associated with failures to notify the Commission or delays.

Holding clearing houses accountable and strengthening the ability to enforce notification requirements

The threat of cyber attacks has evolved to be so severe, as is the damage that can flow from a clearing system malfunction, that it is critical for the Commission to hold clearing houses accountable to the new notification requirements, if and when they are enacted.  This can include through supervisory methods and enforcement actions for reporting failures and delays.

Accountability is critical for all clearing houses, but it is particularly important for new clearing houses (now and in the future), including cryptocurrency firms not used to being regulated by a U.S. regulator.  While established clearing houses may be familiar with working with the CFTC to address cyber events and system malfunctions as they happen, new entrants to this space may be less familiar with the requirements and process.  Holding all clearing houses accountable to these new requirements, if and when enacted, will be critical to containing the impact of any threat.

In my experience as a long-standing law enforcement official, clear rules provide the strongest accountability, and strengthen the ability to bring a successful enforcement action.

Triggering events requiring notification

Under our proposed rule, clearing houses would report incidents without having to perform materiality analyses.  They instead follow a list of notice-triggering events.  The proposal states, “the Commission believes that both DCOs and the Division will benefit from having a clear, bright line rule….”

Clarity is important to both accountability and enforceability, and clear, well-considered rules should address the quickly changing environment faced by our clearing houses.  For those reasons, I am interested in public comment on whether the proposed triggering events are sufficiently clear and complete to adapt to the ever-evolving cybersecurity threat landscape.

I am also interested in comment on whether the proposal encompasses incidents that may arise from the use of new or evolving technologies, including digital assets and algorithmic or artificial intelligence systems.  I am similarly interested in public comment on whether our proposal would clearly apply to any cyber attack or other event that compromises, or may compromise, customer assets or property.

With threats that carry such severe harm, the goal for our final rule should be accountability and enforceability.

Timing requirements for notification

Under the existing rule, clearing houses are required to report incidents “promptly.”  I am interested in public comment on whether the “promptly” timing requirement for notifications is sufficiently clear and complete as to when the CFTC expects notification.  I am interested in public comment on whether the “promptly” timing requirement sufficiently evolves and adapts to the changing threat landscape, changes in technology, and risks associated with digital assets.

Given the severe threat and the pace at which things in markets change, I am also interested in public comment on whether the “promptly” timing ensures sufficient accountability and enforceability.  I am interested in public comment about whether the Commission should complement the “promptly” timing standard with a defined time period of “but no later than 24-hours after discovery” (or other timeframe) in order to hold accountable, through supervision or enforcement, those clearing houses who delay notification until well after 24 hours and perhaps only after an investigation.  However, I would not want a 24-hour defined time period to provide a reason for a clearing house to delay immediately notifying the Commission until just prior to 24 hours.

We can learn from the experience and approaches of our fellow regulators in this critical area as well.  For example, the U.S. Securities and Exchange Commission recently proposed a four-day, bright-line rule for public disclosure of material cybersecurity incidents, specifically stating that an investigation of such incidents shall not delay disclosure.  I am interested in public comment on whether it is clear that the “promptly” timing requirement means that an investigation shall not cause delay in notification, and if not clear, whether the Commission should explicitly address that in the final rule.[10]

Given the rapidly expanding cybersecurity threat, I am thankful that the Commission is considering expanding notification requirements, and I encourage staff to continue evaluating ways to enhance our regulatory regime to mitigate this threat.

[1] Robert S. Mueller, III, Director, Federal Bureau of Investigation, Remarks as Prepared for Delivery to the RSA Cyber Security Conference, San Francisco, CA (Mar. 1, 2012).

[2] Christopher Wray, Director, Federal Bureau of Investigation, FBI Partnering with the Private Sector to Counter the Cyber Threat — FBI, Detroit, MI (Mar. 22, 2022).

[3] Colonial was responsible for transporting almost half of the fuel to the eastern United States.  After being hit by a ransomware attack from a group called DarkSide, Colonial shut down their pipeline.  Panic ensued, leading to a run on gas stations.  The Colonial attack followed numerous other cyber incidents that year, including incidents at JBS, the New York City transportation system, and health care facilities.  See, e.g., Cyber Threats in the Pipeline:  Using Lessons from the Colonial Ransomware Attack to Defend Critical Infrastructure, Hearing before the Committee on Homeland Security, House of Representatives, 107th Congress, First Session (June 9, 2021).

[4] Financial Services Information Sharing and Analysis Center, Navigating Cyber 2022: Annual Cyber Threat Review and Predictions (Q1, 2022).

[6] As Chairwoman Stabenow stated, “$1.9 billion of cryptocurrency was stolen in hacks in the first seven months of this year alone.”  Opening Statement of Sen. Stabenow, Hearing to Review the Digital Commodities Consumer Protection Act, Before the U.S. Senate Committee on Agriculture, Nutrition, & Forestry (Sept. 15, 2022).

[8] Christopher Wray, Director, Federal Bureau of Investigation, FBI Partnering with the Private Sector to Counter the Cyber Threat — FBI, Detroit, MI (Mar. 22, 2022).

[9] Reporting also would provide data on cyber incidents that the CFTC can use to assess risks and trends.

[10] In March 2022, the U.S. Securities and Exchange Commission proposed a rule that issuers file a public Form 8-K within four days of a determination that a security incident is material.  In contrast, the CFTC is not requiring public disclosure, but CFTC notification, which should take far less time.  Securities and Exchange Commission, Proposed Rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 87 F.R. 16590 (March 23, 2022).